CN1794128A - Method and system of adding region and obtaining authority object of mobile terminal - Google Patents


Publication number
CN1794128A
Authority
CN
China
Prior art keywords
ocsp
certificate
drm agent
message
digital signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200510090296.1A
Other languages
Chinese (zh)
Other versions
CN100337175C (en)
Inventor
李益民
石国欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100902961A (CN100337175C)
Priority to PCT/CN2006/001343 (WO2007019760A1)
Publication of CN1794128A
Application granted
Publication of CN100337175C
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]

Abstract

A method for a mobile terminal to join a domain and obtain a rights object (RO). The rights issuer (RI) asks an OCSP responder to authenticate the RI certificate, and the validity authentication result together with the OCSP responder's digital signature is included in the RO response message. The mobile terminal confirms from that digital signature that the OCSP responder is legitimate and, after confirming that the RI certificate is valid, obtains the RO object or the domain password. This ensures that the source of the RO object or domain password is safe and reliable.

Description

A method and system for a mobile terminal to join a domain and obtain a rights object
Technical field
The present invention relates to DRM (Digital Rights Management) technology in mobile communication systems, and in particular to a method by which a mobile terminal joins a domain set up by the content issuer of a digital information product and obtains a rights object from that issuer.
Background art
DRM is a precondition for selling copyrighted digital information products over a network; digital copyright protection technology can effectively prevent such products from being illegally reproduced, copied and transmitted by network and computer. The content issuer of a digital information product (Rights Issuer, RI) encrypts the digital information and uploads it to the network, and the user downloads the encrypted digital information to the copyright agent server (DRM Agent) on the terminal device. To use the downloaded digital information, the user then requests the rights object (Rights Object, RO) of that product from the RI over the network. The RO contains the key for decrypting the data. For a product paid for once, the user can use the digital information as soon as the DRM Agent has decrypted it with this key. If the user's usage rights need to be controlled, the RO also contains rights management information for the digital information, and the DRM Agent governs the user's concrete use of the digital information according to these restrictions. In the prior art, the restrictions placed on a digital product generally include the number of uses, the number of previews, the time limit of each preview, and the period of use.
With the development of mobile communication technology, more and more users download digital information from the network with mobile terminals. In the DRM-related protocols of existing mobile communication systems, the 4-pass registration protocol requires, in the terminal account-opening and registration flow, that the mobile terminal and the RI perform two-way certificate authentication in order to keep out illegitimate terminals and illegitimate RIs: the DRM Agent and the RI present their own certificates to each other, each authenticates the correctness and validity of the other's certificate, and the Online Certificate Status Protocol (OCSP) is used to determine the validity of the RI certificate. However, the 2-pass and 1-pass protocol flows by which a terminal obtains an RO from the RI, and the 2-pass protocol flow for joining a domain, do not involve verifying the validity (that is, the revocation status) of either party's certificate. These flows are described in detail below:
As shown in Fig. 1, the 2-pass protocol flow in which the mobile terminal actively obtains an RO from the RI comprises the following steps:
S11. The DRM Agent sends an RO request (RO Request) message to the RI.
The RO request message carries the identification information of the digital information selected by the mobile terminal user and the chosen usage mode.
S12. The RI returns an RO response (RO Response) message to the DRM Agent of the mobile terminal.
The RO response message carries the RO that the RI generated for the usage mode selected by the mobile terminal user. After receiving the RO, the DRM Agent controls the use of the corresponding digital information according to this RO.
Sometimes, when the RI runs a promotion or grants a gift based on a terminal user's accumulated usage, the RI wishes to distribute an RO to the mobile terminal on its own initiative and at the same time tell the user the address from which to download the corresponding digital information. The 1-pass protocol specifies the flow for this. As shown in Fig. 2, the flow consists of the following single step:
S21. The RI sends an RO response message to the DRM Agent of the mobile terminal; the response message carries the distributed RO. The RI generally sends the address for downloading the corresponding digital information to the user by short message, but may notify the user by any other means of communication.
A mobile terminal user can also request to join a domain through the flow specified by the 2-pass protocol. A domain is a member group that the RI sets up for something like a group purchase, and it has a unique domain identifier. A mobile terminal user who is a member of the group can obtain the RO of specific digital information by joining the domain. As shown in Fig. 3, the mobile terminal requests to join a domain as follows:
S31. The DRM Agent sends a join-domain request (Join Domain Request) message to the RI.
The mobile terminal user selects the join-domain operation in the DRM Agent and enters the domain identifier when prompted. The DRM Agent sends the join-domain request message to the RI; the request message carries the identification information of the mobile terminal user and the identifier of the domain to be joined.
S32. The RI returns a join-domain response (Join Domain Response) message to the DRM Agent of the mobile terminal.
The RI checks from the identification information of the mobile terminal user whether the user is a member of the domain. If so, it marks the member as having successfully joined the domain and carries the domain password in the join-domain response message; if the user is not a member of the domain, the join-domain response message carries a refusal. The domain password is generated and stored by the RI when the domain is set up. After the user receives the domain password, the RO of the corresponding digital information is obtained from the RI through a 2-pass protocol flow initiated by the terminal, comprising the following steps:
S33. The DRM Agent sends an RO request message to the RI; the request message carries the domain identifier.
S34. The RI returns a domain RO response message to the DRM Agent of the mobile terminal.
The RI determines whether the terminal user has successfully joined the domain. If so, the RO response message carries the domain RO encrypted with the domain password; after receiving it, the DRM Agent decrypts the domain RO with the domain password and controls the mobile terminal user's use of the corresponding digital information according to this domain RO. Otherwise, the domain RO response message carries a refusal.
In the three flows above, the mobile terminal and the RI cannot verify the validity of each other's certificates. Certificate validity verification is therefore incomplete, a complete security system cannot be achieved, the system has a security hole, and it is possible for an invalidated certificate to be used to access the RI and obtain an RO.
Summary of the invention
The invention provides a method and system for a mobile terminal to obtain a rights object and to join a domain, in order to solve the problem of poor security in existing DRM systems.
A method for a mobile terminal to obtain a rights object comprises the following steps:
A1. The rights issuer (RI) sends an authentication request message containing the RI certificate to an Online Certificate Status Protocol (OCSP) responder;
A2. The OCSP responder returns to the RI an authentication response message containing the RI certificate validity authentication result and the OCSP responder's digital signature;
A3. The RI sends to the copyright agent module (DRM Agent) of the mobile terminal an RO response message that contains the rights object (RO object) and carries the whole of the authentication response message;
A4. The DRM Agent receives the RO response message, confirms from the OCSP responder's digital signature that the OCSP responder is legitimate, and, after confirming from the RI certificate validity authentication result that the RI certificate is valid, obtains the RO object.
The method further comprises step A0: the DRM Agent sends to the RI an RO request message containing the DRM Agent certificate.
In the method, the DRM Agent certificate can also be authenticated through the following steps:
In step A1, the authentication request message also contains the DRM Agent certificate;
In step A2, the authentication response message also contains the validity authentication result of the DRM Agent certificate; and
In step A3, the RI sends the RO response message only after confirming from the validity authentication result of the DRM Agent certificate that the DRM Agent certificate is valid.
Alternatively, the DRM Agent certificate is authenticated through the following steps between steps A0 and A1:
The RI sends to the OCSP responder an authentication request message containing the DRM Agent certificate;
The OCSP responder returns to the RI an authentication response message containing the DRM Agent certificate validity authentication result;
After the RI confirms from the DRM Agent certificate validity authentication result that the terminal is legitimate, step A1 is executed.
In the method, for each message exchanged between the DRM Agent and the RI and/or between the RI and the OCSP responder, the sender generates a sender digital signature, writes it into the message and sends it to the receiver together with the message; the receiver carries out subsequent processing only after verifying from the sender digital signature that the sender is legitimate.
Based on the same concept, the invention also provides a method for a mobile terminal user to join a domain, comprising the following steps:
B1. The DRM Agent of the mobile terminal sends to the RI a join-domain request message containing the mobile terminal user identifier and the identifier of the domain to be joined;
B2. After confirming from the user identifier and the domain identifier that the user is a member of the domain, the RI sends an authentication request message containing the RI certificate to the OCSP responder and marks the user as a joined member;
B3. The OCSP responder returns to the RI an authentication response message containing the RI certificate validity authentication result and the OCSP responder's digital signature;
B4. The RI sends to the DRM Agent a join-domain response message that contains the domain password of the domain and carries the whole of the authentication response message;
B5. The DRM Agent receives the join-domain response message, confirms from the OCSP responder's digital signature that the OCSP responder is legitimate, and, after confirming from the RI certificate validity authentication result that the RI certificate is valid, obtains the domain password.
The join-domain request message also contains the DRM Agent certificate; and
In step B2, the authentication response message also contains the validity authentication result of the DRM Agent certificate; and
In step B3, the RI sends the join-domain response message only after confirming from the validity authentication result of the DRM Agent certificate that the DRM Agent certificate is valid.
Alternatively, the following steps are also included between steps B1 and B2:
The RI sends to the OCSP responder an authentication request message containing the DRM Agent certificate;
The OCSP responder returns to the RI an authentication response message containing the DRM Agent certificate validity authentication result;
After the RI confirms from the DRM Agent certificate validity authentication result that the terminal is legitimate, step B2 is executed.
The following steps are also included after step B5:
The DRM Agent sends to the RI a domain RO request message containing the domain identifier and the user identifier;
After confirming that the user is a joined member, the RI returns to the DRM Agent a domain RO response message, which contains the domain RO encrypted with the domain password;
The DRM Agent receives the domain RO response message, obtains the domain RO and decrypts it with the domain password.
Alternatively, the required domain RO is obtained from the RI according to the RO acquisition method provided by the invention.
To implement the method of the invention, the invention also provides a digital information copyright management system, comprising a copyright agent (DRM Agent) server arranged on the mobile terminal, an RI server connected to the DRM Agent server through the mobile communication network, and an OCSP responder connected to the RI server through the mobile communication network;
The DRM Agent comprises an agent security module, used to digitally sign messages sent to the RI server, or to verify the legitimacy of digitally signed messages from the RI server;
The RI server comprises an RI security module, used to digitally sign messages sent to the DRM Agent server or the OCSP responder, or to verify the legitimacy of digitally signed messages from the DRM Agent server or the OCSP responder;
The OCSP responder comprises an OCSP security module, used to digitally sign messages sent to the RI server, or to verify the legitimacy of digitally signed messages from the RI server.
The DRM Agent further comprises an agent interface module for sending and receiving messages and an agent control module that performs digital information copyright management, each connected to the agent security module. The agent control module passes a message destined for the RI server to the agent security module to be digitally signed, after which the message is sent through the agent interface module; or the agent interface module passes a digitally signed message received from the RI server to the agent security module, which, after confirming from the digital signature that the identity of the party that generated the signature is legitimate, passes the message to the agent control module for processing; and/or
The RI server further comprises an RI interface module for sending and receiving messages and an RI control module that performs RO or domain management, each connected to the RI security module. The RI control module passes a message destined for the RI server or the OCSP responder to the RI security module to be digitally signed, after which the message is sent through the RI interface module; or the RI interface module passes a digitally signed message received from the RI server or the OCSP responder to the RI security module, which, after confirming from the digital signature that the identity of the party that generated the signature is legitimate, passes the message to the RI control module for processing; and/or
The OCSP responder further comprises an OCSP interface module for sending and receiving messages and an OCSP authentication module that authenticates the validity of the RI certificate and/or the DRM Agent certificate, each connected to the OCSP security module. The OCSP control module passes a message destined for the RI server to the OCSP security module to be digitally signed, after which the message is sent through the OCSP interface module; or the OCSP interface module passes a digitally signed message received from the RI server to the OCSP security module, which, after confirming from the digital signature that the identity of the party that generated the signature is legitimate, passes the message to the OCSP control module for processing. The OCSP authentication module also contains the RI certificate revocation list and/or the DRM Agent certificate revocation list used for authentication.
The beneficial effects of the invention are as follows:
In the DRM system, the invention adds an RI certificate authentication flow to the 2-pass and 1-pass protocol flows for requesting an RO and to the 2-pass protocol flow for joining a domain, and further adds a DRM Agent certificate validity authentication flow. This eliminates the security hole of the DRM system and completes the overall security system.
Description of drawings
Fig. 1 is the existing 2-pass protocol flow, initiated by the mobile terminal, for requesting an RO from the RI;
Fig. 2 is the existing 1-pass protocol flow, initiated by the RI, for distributing an RO to the mobile terminal;
Fig. 3 is the existing 2-pass protocol flow, initiated by the mobile terminal, for requesting the RI to join a domain;
Fig. 4 is the method flow of the invention, initiated by the mobile terminal, for requesting an RO from the RI, in which the RI asks the OCSP responder to verify the validity of the RI certificate before sending the RO to the mobile terminal;
Fig. 5 is the method flow of the invention, initiated by the RI, for distributing an RO to the mobile terminal, in which the RI asks the OCSP responder to verify the validity of the RI certificate before distributing the RO to the mobile terminal;
Fig. 6 is the method flow of the invention, initiated by the mobile terminal, for requesting the RI to join a domain, in which the RI asks the OCSP responder to verify the validity of the RI certificate before sending the domain password to the mobile terminal;
Fig. 7 is a schematic diagram of the DRM system architecture described in embodiment four.
Embodiments
The purpose of the method of the invention is to improve three flows in the DRM system: the 2-pass protocol flow in which the mobile terminal requests an RO from the RI, the 1-pass flow in which the RI distributes an RO to the mobile terminal on its own initiative, and the 2-pass protocol flow for joining a domain initiated by the mobile terminal. Validity authentication of the RI certificate and/or the DRM Agent certificate is added to these three flows.
To implement this method, the invention uses OCSP authentication: in each of the three flows it adds a step in which the RI asks the OCSP responder (Responder) to verify the validity of the RI certificate, to guarantee the legitimacy of the RI. It further adds a step in which the RI asks the OCSP responder to verify the validity of the mobile DRM Agent certificate, to guarantee the legitimacy of the mobile terminal, so that a complete certificate verification system is achieved in the three flows.
First, several concepts involved in the method of the invention are explained:
1. DRM Agent certificate
The DRM Agent certificate, also called the terminal certificate or end-user certificate, is the unique proof of the legitimate identity of a mobile terminal user. It comprises a unique user private key and the corresponding published user public key.
2. RI certificate
The RI certificate is the unique proof of the legitimate identity of each RI. It comprises a unique RI private key and a certificate identifier, and the corresponding published RI public key.
3. OCSP responder certificate
The OCSP responder certificate is the proof of the legitimate identity of the OCSP responder. It comprises a unique responder private key and the corresponding published responder public key.
4. OCSP authentication method
This is the method of using the OCSP responder to authenticate the validity of the RI certificate. An RI certificate revocation list is set up on the OCSP responder and kept up to date; it records the identifiers of RI certificates that have been revoked and are no longer valid. The OCSP responder queries the current RI certificate revocation list to verify the validity of an RI certificate.
5. Identity authentication using a digital signature
A digital signature lets the receiver of a message authenticate the legitimacy of the sender's identity. For example, the sender generates a digital signature from its own private key and the complete message to be sent, and sends the digital signature to the receiver together with the message. The receiver decrypts the digital signature with the published public key to obtain the verification information; if the verification information is identical to the message received, the sender of the message is legitimate and trustworthy.
The invention is described below through specific embodiments and with reference to the drawings.
Embodiment one
As shown in Fig. 4, embodiment one is based on the existing 2-pass protocol flow in which the mobile terminal requests an RO from the RI, and adds a step in which the RI asks the OCSP responder to verify the validity of the RI certificate:
S41. The DRM Agent sends an RO request message to the RI.
The RO request message carries the DRM Agent certificate and the identification information and usage mode of the digital information selected by the mobile terminal user. The DRM Agent generates a digital signature from the user private key and the complete RO request message.
S42. The RI sends an OCSP request (OCSP Request) message to the OCSP responder, asking it to verify the validity of the RI certificate.
After receiving the RO request message sent by the mobile terminal, the RI first uses the user public key and the digital signature to verify whether the terminal's identity is legitimate. The verification method is: decrypt the digital signature with the user public key to obtain the complete message for verification, and compare it with the message actually received. If they differ, the RO request message is considered to come from an illegitimate terminal and is not answered. If they are identical, the RO request message is considered to come from a legitimate terminal, and the RI then sends an OCSP request message to the OCSP responder. This message carries the RI certificate and the RI digital signature generated from the RI private key and the complete OCSP request message.
S43. The OCSP responder returns an OCSP authentication response (OCSP Response) message to the RI.
The OCSP responder likewise first verifies the RI digital signature with the RI public key to judge the legitimacy of the RI. It refuses to reply to an illegitimate RI; for a legitimate RI it then authenticates the validity of the RI certificate against the RI certificate revocation list.
The OCSP responder writes the authentication result into the OCSP Response authentication response message, generates the OCSP digital signature from the responder private key and the complete OCSP authentication response message and writes it into the message, and then sends the OCSP authentication response message, carrying the authentication result and the OCSP digital signature, to the RI.
S44. The RI returns an RO response message to the DRM Agent of the mobile terminal.
After receiving the OCSP authentication response message, the RI performs the following operations:
1) Generates the RO requested by the DRM Agent and writes it into the RO response message;
2) Writes the OCSP authentication response message carrying the OCSP digital signature directly into the RO response message as a parameter;
3) Generates the RI digital signature from the RI private key and the complete RO response message, writes the RI digital signature into the RO response message, and then sends the RO response message to the DRM Agent.
After receiving the RO response message, the DRM Agent performs the following operations:
1) Verifies the RI's identity using the RI public key and the RI digital signature; continues if it is legitimate, otherwise ends;
2) Verifies the legitimacy of the OCSP responder's identity using the responder public key and the OCSP digital signature; continues if it is legitimate, otherwise ends;
3) Determines whether the authentication result for the RI certificate is "valid"; if the certificate is valid, obtains the RO from the RO response message, otherwise ends.
As the steps above show, the DRM Agent on the mobile terminal allows the terminal user to use the downloaded digital information only after confirming that the RO response message comes from a legitimate RI and that the "valid" authentication result for the RI certificate comes from a legitimate OCSP responder. This guarantees the legitimacy and security of the source of the digital information.
Further, in step S42, the authentication request message that the RI sends to the OCSP responder can also carry the terminal certificate, asking the OCSP responder to authenticate the DRM Agent certificate. The OCSP responder likewise carries the authentication result for the DRM Agent certificate in the OCSP authentication response message returned to the RI, and the RI decides from that result whether to send the RO response message to the terminal.
Alternatively, before performing step S42, the RI first sends the OCSP responder an authentication request message carrying the terminal certificate, asking it to authenticate the DRM Agent certificate. The OCSP responder carries the authentication result for the DRM Agent certificate in the OCSP authentication response message returned to the RI. If the authentication result for the DRM Agent certificate is "valid", the RI then performs step S42 to authenticate the RI certificate.
To authenticate the DRM Agent certificate in this way, a DRM Agent certificate revocation list must be set up on the OCSP responder side and kept up to date.
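The message flow of embodiment one and the signature check of concept 5, as an added Python example that is not part of the patent text. Signatures use textbook RSA over a SHA-256 digest with fixed Mersenne primes, a stand-in chosen only so the example runs on the standard library; the message field names, RI_CERT_ID, the content values and the pre-shared public keys are assumptions.

```python
import hashlib
import json

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Textbook RSA key pair from two primes (no padding; demonstration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}, {"n": n}

def mersenne(k):
    return 2 ** k - 1  # prime for every exponent used below

# Constructed key pairs; assumption: verifiers already hold the public keys.
AGENT_PRIV, AGENT_PUB = make_key(mersenne(89), mersenne(521))
RI_PRIV, RI_PUB = make_key(mersenne(107), mersenne(607))
OCSP_PRIV, OCSP_PUB = make_key(mersenne(127), mersenne(1279))
RI_CERT_ID = "ri-cert-0001"  # constructed certificate identifier

def digest(msg):
    """SHA-256 over the complete message, leaving out only its own signature."""
    body = {k: v for k, v in msg.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(msg, priv):
    """Sender: private-key operation over the digest of the full message."""
    return {**msg, "signature": pow(digest(msg), priv["d"], priv["n"])}

def verify(msg, pub):
    """Receiver: public-key operation on the signature, compared with the digest."""
    sig = msg.get("signature")
    return (isinstance(sig, int) and 0 <= sig < pub["n"]
            and pow(sig, E, pub["n"]) == digest(msg))

def ocsp_responder(request, revoked):
    """S43: check the RI signature, then consult the RI certificate revocation list."""
    if not verify(request, RI_PUB):
        return None  # no reply to an illegitimate RI
    cert_id = request["ri_cert_id"]
    status = "revoked" if cert_id in revoked else "valid"
    return sign({"type": "OCSPResponse", "ri_cert_id": cert_id,
                 "status": status}, OCSP_PRIV)

def rights_issuer(ro_request, revoked):
    """S42 and S44: verify the terminal, embed the whole OCSP response, sign it all."""
    if not verify(ro_request, AGENT_PUB):
        return None  # no reply to an illegitimate terminal
    ocsp_request = sign({"type": "OCSPRequest", "ri_cert_id": RI_CERT_ID}, RI_PRIV)
    ocsp_response = ocsp_responder(ocsp_request, revoked)
    ro = {"content_id": ro_request["content_id"], "usage": ro_request["usage"]}
    return sign({"type": "ROResponse", "ro": ro,
                 "ocsp_response": ocsp_response}, RI_PRIV)

def drm_agent_accept(ro_response):
    """The DRM Agent's three checks, in the order the description lists them."""
    if not verify(ro_response, RI_PUB):
        return None, "RI signature invalid"
    ocsp = ro_response.get("ocsp_response")
    if not isinstance(ocsp, dict) or not verify(ocsp, OCSP_PUB):
        return None, "OCSP responder signature invalid"
    # Added check (assumption of this sketch): the result must name this RI's certificate.
    if ocsp.get("ri_cert_id") != RI_CERT_ID or ocsp.get("status") != "valid":
        return None, "RI certificate not valid"
    return ro_response["ro"], "accepted"

def run_scenarios():
    """Constructed cases: one accepted response and three the agent must refuse."""
    request = sign({"type": "RORequest", "content_id": "song-42",
                    "usage": "play"}, AGENT_PRIV)
    good = rights_issuer(request, revoked=set())
    revoked = rights_issuer(request, revoked={RI_CERT_ID})
    # Status block signed with the RI key instead of the responder key.
    self_made = sign({"type": "OCSPResponse", "ri_cert_id": RI_CERT_ID,
                      "status": "valid"}, RI_PRIV)
    self_signed = sign({**revoked, "ocsp_response": self_made}, RI_PRIV)
    # RO changed after the RI signed the response.
    tampered = {**good, "ro": {**good["ro"], "usage": "unlimited"}}
    return {"normal": drm_agent_accept(good)[1],
            "revoked": drm_agent_accept(revoked)[1],
            "self_signed_status": drm_agent_accept(self_signed)[1],
            "tampered": drm_agent_accept(tampered)[1]}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Because the RI signature covers the embedded OCSP response and the responder's own signature covers the status, the agent refuses both a response altered after signing and a status block not signed by the responder.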
Embodiment two
As shown in Fig. 5, embodiment two is based on the existing 1-pass protocol flow in which the RI distributes an RO to the mobile terminal, and adds a step for verifying the validity of the RI. Compared with embodiment one, the DRM Agent does not need to send an RO request message to the RI; the other steps are the same as in embodiment one, specifically:
S51. The RI sends an OCSP request message to the OCSP responder, asking it to verify the validity of the RI certificate.
The RI sends the OCSP request message to the OCSP responder; the message carries the RI certificate and the RI digital signature generated with the RI private key.
S52. The OCSP responder returns an OCSP Response authentication response message to the RI.
The OCSP responder first uses the RI public key and the RI digital signature to authenticate the legitimacy of the RI's identity. If the RI is legitimate, it then judges the validity of the RI certificate according to the RI certificate revocation list; otherwise it does not reply.
The OCSP responder writes the authentication result into the OCSP Response authentication response message, generates the OCSP digital signature with the responder private key and writes it into the message, and then sends the OCSP authentication response message, carrying the authentication result and the OCSP digital signature, to the RI.
S44. The RI sends an RO response message to the DRM Agent.
After receiving the OCSP authentication response message carrying the OCSP digital signature, the RI performs the following operations:
1) Writes the RO to be distributed into the RO response message;
2) Writes the OCSP authentication response message carrying the OCSP digital signature directly into the RO response message as a parameter;
3) Writes the RI digital signature, generated from the RI private key and the complete RO response message, into the RO response message, and then sends the RO response message to the DRM Agent of the mobile terminal.
After receiving the RO response message, the DRM Agent performs the following operations:
1) Verifies the RI's identity using the RI public key and the RI digital signature; continues if it is legitimate, otherwise ends;
2) Verifies the legitimacy of the OCSP responder's identity using the responder public key and the OCSP digital signature; continues if it is legitimate, otherwise ends;
3) Determines whether the authentication result for the RI certificate is "valid"; if the certificate is valid, obtains the distributed RO from the RO response message, otherwise ends.
In this embodiment, because the RI distributes the RO to the mobile terminal on its own initiative, no step for verifying whether the DRM Agent certificate is valid needs to be added.
Embodiment three
As shown in Figure 6, embodiment three adds an RI certificate authentication step to the existing 2-pass protocol flow in which a mobile terminal asks the RI to join a domain. It comprises:
S61: The DRM Agent sends a join-domain request message to the RI;
The mobile terminal user selects the join-domain operation through the DRM Agent and enters the identifier of the domain to join when prompted. The DRM Agent then sends a join-domain request message to the RI. This request message carries the mobile terminal user's identification information, the identifier of the domain to join, and a digital signature generated from the user private key and the complete join-domain request message.
S62: The RI sends an OCSP request message to the OCSP responder, requesting verification of the validity of the RI certificate;
After the RI receives the join-domain request message sent by the mobile terminal, it uses the user public key and the digital signature to verify the legitimacy of the terminal user's identity, and refuses to reply to an illegitimate terminal. For a legitimate terminal user who passes verification, the RI checks, according to the mobile terminal user's identification information, whether the user is a member of the corresponding domain. If so, it marks the member as having successfully joined the domain and then sends the OCSP request message to the OCSP responder; this message carries the RI certificate and the generated RI digital signature.
S63: The OCSP responder returns an OCSP Response authentication response message to the RI;
The OCSP responder first uses the RI public key and the RI digital signature to verify that the RI is legitimate, then judges the validity of the RI certificate against the RI certificate list, writes the authentication result into the OCSP authentication response message, adds the OCSP digital signature to that message, and sends it to the RI.
S64: The RI returns a join-domain response message to the DRM Agent of the mobile terminal;
After receiving the join-domain response message carrying the third digital signature, the RI performs the following operations:
1) It writes the domain password into the join-domain response message;
2) It writes the OCSP authentication response message carrying the OCSP digital signature directly into the join-domain response message as a parameter;
3) It generates the RI digital signature from the RI private key and this join-domain response message, writes the signature into the join-domain response message, and then sends the join-domain response message to the DRM Agent.
After receiving the join-domain response message, the DRM Agent performs the following operations:
1) It uses the RI public key and the RI digital signature to authenticate the RI's identity; if the RI is legitimate it continues, otherwise it stops;
2) It uses the responder public key and the OCSP digital signature to verify the legitimacy of the OCSP responder's identity; if the responder is legitimate it continues, otherwise it stops;
3) It judges whether the authentication result says the RI certificate is valid; if the certificate is valid, it obtains the domain password from the RO response message, otherwise it stops.
At this point, the DRM Agent obtains the domain password from the RO response message only once it has confirmed, from a legitimate OCSP responder, an authentication result stating that the RI certificate is valid, which guarantees the legitimacy and security of the source of the domain password.
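The DRM Agent's three checks from embodiments two and three (RI signature, then OCSP responder signature, then the certificate status carried inside the embedded OCSP response), shown as an added Go example that is not part of the patent. Ed25519, the JSON framing, the field names, the constructed demo keys and the match on a certificate identifier are assumptions of this example; the payload stands for the RO in embodiment two and the domain password in embodiment three.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// One error per check the DRM Agent performs, in the order it performs them.
var (
	ErrRISig       = errors.New("RI digital signature invalid")
	ErrOCSPSig     = errors.New("OCSP digital signature invalid")
	ErrCertInvalid = errors.New("RI certificate not reported valid")
)

// Signed is a message body plus the sender's signature over exactly those bytes.
type Signed struct {
	Body []byte `json:"body"`
	Sig  []byte `json:"sig"`
}

// OCSPResult is the authentication result written by the OCSP responder.
type OCSPResult struct {
	CertID string `json:"cert_id"` // assumed field: which certificate was checked
	Status string `json:"status"`  // "good" or "revoked"
}

// Response is the RO response or the join-domain response; the whole signed
// OCSP response is carried inside it as a parameter.
type Response struct {
	Payload string `json:"payload"`
	OCSP    Signed `json:"ocsp"`
}

// demoKey derives a fixed key pair from a one-byte tag (constructed demo keys).
func demoKey(tag byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = tag
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func signJSON(priv ed25519.PrivateKey, v interface{}) Signed {
	body, err := json.Marshal(v)
	if err != nil {
		panic(err) // cannot happen for the plain structs used here
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// ocspRespond is step S52/S63: look the certificate up in the revocation
// list, write the result, sign it with the responder private key.
func ocspRespond(priv ed25519.PrivateKey, certID string, revoked map[string]bool) Signed {
	status := "good"
	if revoked[certID] {
		status = "revoked"
	}
	return signJSON(priv, OCSPResult{CertID: certID, Status: status})
}

// riBuildResponse is step S44/S64: payload plus the untouched OCSP response,
// with the RI signature computed over the complete message.
func riBuildResponse(priv ed25519.PrivateKey, payload string, ocsp Signed) Signed {
	return signJSON(priv, Response{Payload: payload, OCSP: ocsp})
}

// agentAccept releases the payload only if all three checks pass.
func agentAccept(riPub, ocspPub ed25519.PublicKey, riCertID string, msg Signed) (string, error) {
	if !ed25519.Verify(riPub, msg.Body, msg.Sig) { // check 1: RI identity
		return "", ErrRISig
	}
	var resp Response
	if err := json.Unmarshal(msg.Body, &resp); err != nil {
		return "", err
	}
	if !ed25519.Verify(ocspPub, resp.OCSP.Body, resp.OCSP.Sig) { // check 2: responder identity
		return "", ErrOCSPSig
	}
	var res OCSPResult
	if err := json.Unmarshal(resp.OCSP.Body, &res); err != nil {
		return "", err
	}
	// check 3: the result must concern this RI's certificate and report it valid
	if res.CertID != riCertID || res.Status != "good" {
		return "", ErrCertInvalid
	}
	return resp.Payload, nil
}

func main() {
	riPub, riPriv := demoKey(1)
	ocspPub, ocspPriv := demoKey(2)
	revoked := map[string]bool{"ri-cert-old": true}
	for _, id := range []string{"ri-cert-1", "ri-cert-old"} {
		msg := riBuildResponse(riPriv, "RO-demo", ocspRespond(ocspPriv, id, revoked))
		payload, err := agentAccept(riPub, ocspPub, id, msg)
		fmt.Printf("%s: payload=%q err=%v\n", id, payload, err)
	}
}
```

Because the RI only relays the OCSP response, a status it signs with its own key fails the second check even though the outer RI signature is valid.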
After the DRM Agent receives the domain password, it obtains the corresponding domain RO by initiating the 2-pass protocol flow to the RI again, which comprises the following steps:
S65: The DRM Agent sends an RO request message to the RI; this request message carries the domain identifier;
S66: The RI returns an RO response message to the DRM Agent of the mobile terminal;
The RI judges whether this mobile terminal user has been marked as a joined member of the corresponding domain. If so, the RO response message carries the domain RO encrypted with the domain password; after the DRM Agent receives the RO, it decrypts it with the domain password to obtain the domain RO, which is used to control the user's use of the digital information. If the RI judges that this mobile terminal user has not yet successfully joined, the RO response message carries refusal information.
Steps S65 and S66 above use the existing 2-pass protocol flow. To further increase security, embodiment one of the invention can also be applied here to add steps that validate the RI certificate and/or the DRM Agent certificate once more; the implementation details are the same as in embodiment one and are not repeated here.
For the DRM system, the invention adds an RI certificate authentication flow to the flows defined for the 2-pass and 1-pass RO acquisition protocols and the 2-pass join-domain protocol. This completes certificate validity authentication, eliminates the security hole in the DRM system and, by further adding a DRM Agent certificate validity authentication flow, perfects the overall security system.
Embodiment four
To implement the method of the invention, the invention also discloses a DRM system. As shown in Figure 7, an existing DRM system in the mobile communications field comprises: a copyright agent (DRM Agent) arranged on the mobile terminal, an RI server connected to the DRM Agent through a mobile communications network, and an OCSP responder connected to the RI server through a mobile communications network. The DRM Agent comprises an Agent interface module for sending and receiving messages and an Agent control module; the RI server comprises an RI interface module for sending and receiving messages and an RI control module; the OCSP responder comprises an OCSP interface module for sending and receiving messages and an OCSP authentication module.
To implement the method of the invention, a security module for generating or verifying digital signatures must be provided on each of the DRM Agent, the RI server and the OCSP responder. The security module stores the private key and the corresponding public key used for digital signatures. When the interface module sends a message, the security module generates a digital signature for the message and then passes it to the interface module; when the interface module receives a message, the security module is responsible for verifying the legitimacy of the RI and/or OCSP responder identity, to guarantee the reliability and security of the message source. Each is described below:
The Agent security module of the DRM Agent is connected between the Agent interface module and the Agent control module. The Agent control module passes a message destined for the RI server to the Agent security module for digital signing, after which the message is sent by the Agent interface module. Alternatively, the Agent interface module passes a digitally signed message received from the RI server to the Agent security module, and the Agent security module, after confirming from the digital signature that the identity of the party that generated it is legitimate, passes the message to the Agent control module for processing. The Agent control module is connected to the display module of the mobile terminal in order to operate the display interface.
The RI security module of the RI server is connected between the RI interface module and the RI control module. The RI control module passes a message destined for the RI server or the OCSP responder to the RI security module for digital signing, after which the message is sent by the RI interface module. Alternatively, the RI interface module passes a digitally signed message received from the RI server or the OCSP responder to the RI security module, and the RI security module, after confirming from the digital signature that the identity of the party that generated it is legitimate, passes the message to the RI control module for processing;
The OCSP security module of the OCSP responder is connected between the OCSP interface module and the OCSP authentication module. The OCSP control module passes a message destined for the RI server to the OCSP security module for digital signing, after which the message is sent by the OCSP interface module. Alternatively, the OCSP interface module passes a digitally signed message received from the RI server to the OCSP security module, and the OCSP security module, after confirming from the digital signature that the identity of the party that generated it is legitimate, passes the message to the OCSP control module for processing. The OCSP authentication module also contains the RI certificate revocation list and the DRM Agent certificate revocation list used for authentication.
The implementation details are described in detail in embodiments one, two and three and are not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.

Claims (17)

1. A method for a mobile terminal to obtain a rights object, characterized in that it comprises the following steps:
A1. A rights issuer (RI) sends an authentication request message comprising the RI certificate to an Online Certificate Status Protocol (OCSP) responder;
A2. The OCSP responder returns to the RI an authentication response message comprising the RI certificate validity authentication result and the OCSP responder digital signature;
A3. The RI sends to the copyright agent module (DRM Agent) of the mobile terminal an RO response message that comprises the rights object (RO) and carries the whole of said authentication response message;
A4. The DRM Agent receives said RO response message and, after confirming from the OCSP responder digital signature that the OCSP responder is legitimate and confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said RO.
2. The method of claim 1, characterized in that said method further comprises the step:
A0. The DRM Agent sends an RO request message comprising the DRM Agent certificate to the RI.
3. The method of claim 2, characterized in that:
in said step A1, said authentication request message also comprises said DRM Agent certificate;
in said step A2, said authentication response message also comprises the validity authentication result of said DRM Agent certificate; and
in said step A3, the RI sends said RO response message only after confirming from the validity authentication result of said DRM Agent certificate that the DRM Agent certificate is valid.
4. The method of claim 2, characterized in that the following steps are further comprised between said steps A0 and A1:
The RI sends an authentication request message comprising the DRM Agent certificate to the OCSP responder;
The OCSP responder returns to the RI an authentication response message comprising the DRM Agent certificate validity authentication result;
After the RI confirms from said DRM Agent certificate validity authentication result that the terminal is legitimate, step A1 is executed.
5. The method of claim 3 or 4, characterized in that, for each message exchanged between the DRM Agent and the RI and/or between the RI and the OCSP responder, the sender generates a sender digital signature, writes it into said message and sends them together to the receiver, and the receiver carries out subsequent processing only after verifying from said sender digital signature that the sender is legitimate.
6. A method for a mobile terminal user to join a domain, characterized in that it comprises the following steps:
B1. The DRM Agent of the mobile terminal sends to the RI a join-domain request message comprising the mobile terminal user identifier and the identifier of the domain to join;
B2. After confirming from said user identifier and domain identifier that the user is a member of the domain to be joined, the RI sends an authentication request message comprising the RI certificate to the OCSP responder and marks the user as a joined member;
B3. The OCSP responder returns to the RI an authentication response message comprising the RI certificate validity authentication result and the OCSP responder digital signature;
B4. The RI sends to the DRM Agent a join-domain response message that comprises the domain password of said domain and carries the whole of said authentication response message;
B5. The DRM Agent receives said join-domain response message and, after confirming from the OCSP responder digital signature that the OCSP responder is legitimate and confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said domain password.
7. The method of claim 6, characterized in that, in said step B1, said join-domain request message also comprises said DRM Agent certificate.
8. The method of claim 7, characterized in that:
in said step B2, said authentication response message also comprises the validity authentication result of said DRM Agent certificate; and
in said step B3, the RI sends said join-domain response message only after confirming from the validity authentication result of said DRM Agent certificate that the DRM Agent certificate is valid.
9. The method of claim 7, characterized in that the following steps are further comprised between said steps B1 and B2:
The RI sends an authentication request message comprising the DRM Agent certificate to the OCSP responder;
The OCSP responder returns to the RI an authentication response message comprising the DRM Agent certificate validity authentication result;
After the RI confirms from said DRM Agent certificate validity authentication result that the DRM Agent is legitimate, step B2 is executed.
10. The method of claim 7, 8 or 9, characterized in that the following steps are further comprised after step B5:
The DRM Agent sends to the RI a domain RO request message comprising the domain identifier and the user identifier;
After confirming that the user is a joined member, the RI returns to the DRM Agent a domain RO response message, which comprises the domain RO encrypted with the domain password;
The DRM Agent receives said domain RO response message, obtains said domain RO and decrypts it with said domain password.
11. The method of claim 7, 8 or 9, characterized in that the following steps are further comprised after step B5:
B6. The DRM Agent sends to the RI a domain RO request message comprising the domain identifier, the user identifier and the DRM Agent certificate;
B7. After confirming that the user is a joined member, the RI sends an authentication request message comprising the RI certificate to the OCSP responder;
B8. The OCSP responder returns to the RI an authentication response message comprising the validity authentication result of the RI certificate and the OCSP responder digital signature;
B9. The RI returns to the DRM Agent a domain RO response message, which comprises the domain RO encrypted with the domain password and carries the complete said authentication response message;
B10. The DRM Agent receives said domain RO response message and, after confirming from the OCSP responder digital signature that the OCSP responder is legitimate and confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said domain RO and decrypts it with said domain password.
12. The method of claim 11, characterized in that:
in said step B7, said authentication request message also comprises said DRM Agent certificate;
in said step B8, said authentication response message also comprises the validity authentication result of said DRM Agent certificate; and
in said step B9, the RI sends said RO response message only after confirming from the validity authentication result of said DRM Agent certificate that the DRM Agent certificate is valid.
13. The method of claim 11, characterized in that the following steps are further comprised between said step B6 and step B7:
The RI sends an authentication request message comprising the DRM Agent certificate to the OCSP responder;
The OCSP responder returns to the RI an authentication response message comprising the DRM Agent certificate validity authentication result;
After the RI confirms from said DRM Agent certificate validity authentication result that the terminal is legitimate, step B7 is executed.
14. The method of claim 12 or 13, characterized in that, for each message exchanged between the DRM Agent and the RI and between the RI and the OCSP responder, the sender generates a digital signature, writes it into said message and sends them together to the receiver, and the receiver carries out subsequent processing only after verifying from said digital signature that the sender is legitimate.
15. A digital information copyright management system, comprising a copyright agent (DRM Agent) server arranged on a mobile terminal, an RI server connected to said DRM Agent server through a mobile communications network, and an OCSP responder connected to said RI server through a mobile communications network, characterized in that:
Said DRM Agent comprises an agent security module, used to digitally sign messages sent to said RI server, or to verify the legitimacy of digitally signed messages from said RI server;
Said RI server comprises an RI security module, used to digitally sign messages sent to said DRM Agent server or said OCSP responder, or to verify the legitimacy of digitally signed messages from said DRM Agent server or said OCSP responder;
Said OCSP responder comprises an OCSP security module, used to digitally sign messages sent to said RI server, or to verify the legitimacy of digitally signed messages from said RI server.
16. The system of claim 15, characterized in that said DRM Agent further comprises an agent interface module for sending and receiving messages and an agent control module that performs digital information copyright management, each connected to said agent security module; said agent control module passes a message destined for said RI server to said agent security module for digital signing, after which the message is sent by said agent interface module; or said agent interface module passes a digitally signed message received from said RI server to said agent security module, and said agent security module, after confirming from said digital signature that the identity of the party that generated it is legitimate, passes said message to said agent control module for processing; and/or
Said RI server further comprises an RI interface module for sending and receiving messages and an RI control module that performs RO or join-domain management, each connected to said RI security module; said RI control module passes a message destined for said RI server or said OCSP responder to said RI security module for digital signing, after which the message is sent by said RI interface module; or said RI interface module passes a digitally signed message received from said RI server or said OCSP responder to said RI security module, and said RI security module, after confirming from said digital signature that the identity of the party that generated it is legitimate, passes said message to said RI control module for processing; and/or
Said OCSP responder further comprises an OCSP interface module for sending and receiving messages and an OCSP authentication module that authenticates the validity of the RI certificate and/or the DRM Agent certificate, each connected to said OCSP security module; said OCSP control module passes a message destined for said RI server to said OCSP security module for digital signing, after which the message is sent by said OCSP interface module; or said OCSP interface module passes a digitally signed message received from said RI server to said OCSP security module, and said OCSP security module, after confirming from said digital signature that the identity of the party that generated it is legitimate, passes said message to said OCSP control module for processing.
17. The system of claim 16, characterized in that said OCSP authentication module further contains the RI certificate revocation list and/or the DRM Agent certificate revocation list used for authentication.
CNB2005100902961A 2005-08-12 2005-08-12 Method and system of adding region and obtaining authority object of mobile terminal Active CN100337175C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100902961A CN100337175C (en) 2005-08-12 2005-08-12 Method and system of adding region and obtaining authority object of mobile terminal
PCT/CN2006/001343 WO2007019760A1 (en) 2005-08-12 2006-06-15 A method and a system for a mobile terminal joining in a domain and obtaining a rights object

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100902961A CN100337175C (en) 2005-08-12 2005-08-12 Method and system of adding region and obtaining authority object of mobile terminal

Publications (2)

Publication Number Publication Date
CN1794128A true CN1794128A (en) 2006-06-28
CN100337175C CN100337175C (en) 2007-09-12

Family

ID=36805628

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100902961A Active CN100337175C (en) 2005-08-12 2005-08-12 Method and system of adding region and obtaining authority object of mobile terminal

Country Status (2)

Country Link
CN (1) CN100337175C (en)
WO (1) WO2007019760A1 (en)

Also Published As

Publication number Publication date
CN100337175C (en) 2007-09-12
WO2007019760A1 (en) 2007-02-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant