CN1914679A - Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium

Publication number: CN1914679A
Authority: CN (China)
Application number: CNA2005800040116A
Other languages: Chinese (zh)
Legal status: Pending
Inventors: D·P·凯利; S·B·卢特鲁斯; W·F·J·方蒂恩; F·L·A·J·坎帕曼
Current Assignee: Koninklijke Philips NV
Original Assignee: Koninklijke Philips Electronics NV
Prior art keywords: user, identifier, network, key, equipment

Abstract

The present invention relates to a device and a method for authorizing a user to get access to content stored in encrypted form on a storage medium (10), said storage medium storing a machine-readable medium identifier (id) and at least one key table (KL) encrypted by use of a key table key (KLK) and storing at least one asset key (AK) for decrypting encrypted content (C). In order to allow a user to provide access to the content to other users in a simple but secure way, a device is proposed comprising: a connection means (6) for connecting said device to a network (3); a drive (5) for accessing said storage medium (10), in particular for reading content (C) and said medium identifier (id) from said storage medium (10); and a transmitter (7) for transmitting said medium identifier (id) and a user identifier (ui) of a user, who shall be authorized to get access to said content (C) and who is identified to said network (3) by said user identifier (ui), to an authentication unit (AuC) within said network (3), said medium identifier (id) and said user identifier (ui) being used by said authentication unit (AuC) for generating a key table key (KLK) for said user enabling said user to decrypt at least one predetermined key table (KL).

Description

Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium
The present invention relates to a device and a corresponding method for authorizing a user to get access to content stored in encrypted form on a storage medium, said storage medium storing a machine-readable medium identifier and at least one key table that is encrypted by use of a key table key and stores at least one asset key for decrypting encrypted content. The invention further relates to a network in which said method is used and to a computer program for implementing said method.
European patent application 02078437.7 (PHNL020775) describes a method of protecting content stored on a storage medium against unauthorized access, the storage medium being accessible by a drive of a portable device that can be connected to a network. To provide a high level of protection against unauthorized access, the authentication procedure of the network is used to generate an encryption key, hereinafter called the asset key, for encrypting and decrypting the content stored on the storage medium. In particular, that application describes the use of this method in a mobile telephone network, in which the authentication key is stored in the SIM card used by the mobile phone. The main idea is thus that the storage medium contains a unique medium identifier, which is converted into the actual asset key by means of the mobile communication network's authentication procedure. This conversion is performed by the user's SIM card while it is used in the mobile telephone network, so that the content of the storage medium cannot be read without this SIM card. This gives users a simple and secure way of protecting their private content, hereinafter also called the SIM encryption method.
A disadvantage of this method is that access to the content is restricted to a single user, more precisely to that user's SIM card. It is therefore an object of the present invention to provide a device and a method that allow a user to give other users access to the content in a simple but secure way. In addition, transparent access from different devices owned by the same user shall be made possible, for example from various mobile devices having different SIM cards. A corresponding network and a computer program for implementing the method shall also be provided.
According to the present invention, this object is achieved by a device as claimed in claim 1, comprising:
- connection means for connecting said device to a network;
- a drive for accessing said storage medium, in particular for reading content and said medium identifier from said storage medium; and
- a transmitter for transmitting said medium identifier and a user identifier of a user, who shall be authorized to get access to said content and who is identified to said network by said user identifier, to an authentication unit within said network, said medium identifier and said user identifier being used by said authentication unit to generate a key table key for said user, enabling said user to decrypt at least one predetermined key table.
A corresponding method is defined in claim 9. A computer program for implementing said method is defined in claim 11. A network in which the invention is used is defined in claim 10, this network comprising:
- a first user device for authorizing a second user device of a user to get access to content stored in encrypted form on a storage medium, said storage medium storing a machine-readable medium identifier and at least one key table encrypted by use of a key table key and storing at least one asset key for decrypting encrypted content, said first user device comprising:
  - connection means for connecting said device to a network;
  - a drive for accessing said storage medium, in particular for reading content and said medium identifier from said storage medium; and
  - a transmitter for transmitting said medium identifier and a user identifier of a user, who shall be authorized to get access to said content and who is identified to said network by said user identifier, to an authentication unit within said network;
- an authentication unit comprising:
  - a receiver for receiving said medium identifier and said user identifier;
  - key generation means for generating a key table key for said user from said medium identifier and said user identifier, said key table key enabling said user to decrypt said at least one key table; and
  - a transmitter for transmitting said key table key to said first and/or said second user device; and
- a second user device of the user who shall be authorized to get access to the content stored in encrypted form on the storage medium, comprising:
  - connection means for connecting said device to said network;
  - a receiver for receiving said key table key from said authentication unit or from said first user device;
  - a drive for accessing said storage medium, in particular for reading content from said storage medium, and for decrypting at least one predetermined key table using the received key table key.
The idea on which the invention is based is to use the authentication procedure of a network to enable a user who has access to content stored on a storage medium to authorize other users to get access to the same content. Using the medium identifier and the user identifier of the user to be authorized, the authentication unit of the network generates and provides a key table key. This key table key can then be used by the user to be authorized to decrypt a predetermined key table that is provided for or assigned to this "new" user and that stores an asset key for decrypting the content to which the user shall get access. In this way, "new" users can be added to the authorization list without their direct intervention. The method is simple but provides a high level of security, because the very secure authentication procedure of the network is used to generate the key table key that allows access to the key table and thus to the asset key for decrypting the content.
The network proposed according to the invention, preferably a communication network such as a GSM or UMTS network, comprises at least two user devices and an authentication unit for authenticating users when they connect to the network; the user devices may all belong to the same user or may belong to different users. The authentication procedure used to authenticate users is very secure, because breaking the authentication algorithm of a mobile communication network would allow a user to make calls at the expense of other users. The protection level of such an authentication algorithm is therefore very high, and when it is used to generate the key table key as proposed by the invention, it is considered sufficient to protect the user's data. In addition, the authentication unit is also used to generate the asset key as described in the above-mentioned European patent application 02 078 437.7 (PHNL020775). The description of that method in said document is incorporated herein by reference.
Preferred embodiments of the invention are defined in the dependent claims. According to one embodiment, the device further comprises a receiver for receiving the key table key for the user to be authorized from the network, and the transmitter is operable to transmit the received key table key to said user. Thus, a user who wants to authorize another user to get access to the content communicates with the network in order to obtain a new key table key for said other user, receives the key table key and then forwards it to the other user, for example by SMS or any other form of electronic message. The user to be authorized is thus not involved in the generation of the new key table key.
According to another embodiment, the new key table key can also be provided directly from the network to the user to be authorized. To identify this user, the network can use the user identifier that the first user supplied to the authentication unit, together with the medium identifier, for generating the key table key.
According to a further embodiment, the storage medium stores not just a single key table but a plurality of key tables, for example one key table per user. In addition, a user check identifier can be assigned to each key table; the device checks the user check identifier before decrypting, in order to find the correct key table assigned to the user. This avoids having to decrypt several (or even all) key tables to find the correct one for the user. The user check identifier may, for example, be identical to the user identifier by which the network identifies the user; for example, as defined in a further dependent claim, when applied in a mobile communication network the user check identifier is the user's International Mobile Subscriber Identity (IMSI) or a telephone number.
If the identity of the user is to be hidden, the user check identifier can also be encrypted in a very simple way (for example by an XOR function with the user's key table key). This in turn means that the encrypted user check identifiers need to be decrypted, in particular for several or all of the tables. This operation is, however, very simple and not very time-consuming. Since each user check identifier is encrypted with a different key (the key table keys of the different users), it is not easy to determine potential user check identifiers, so that even the use of such a simple algorithm as the XOR function is sufficiently secure.
In order to check whether decryption was carried out correctly and whether the correct key table was decrypted, each key table can further contain a decryption check identifier as proposed according to the invention. For this check, a suitable decryption check means can be provided in the user device. In addition, some randomly generated padding fields can be provided to make hacking attacks more difficult. In a preferred embodiment, the user check identifier is also used as the decryption check identifier: it is stored once outside the key table, unencrypted, to identify that the user belongs to this key table, and a second time inside the key table (i.e. encrypted), to check whether the decryption was correct.
In a simple embodiment, only one key table is provided on the storage medium, and the first user who wants to authorize a second user provides his own key table key to the second user, enabling him to decrypt the same key table. Alternatively, a separate key table can be provided on the storage medium for each user, each encrypted with a different key table key. To generate such key tables, suitable key table generation means are provided according to a further embodiment. The first user thus encrypts the asset key (which allows decryption of the content to which the other user shall get access) with a key table key and thereby generates a key table, which is then stored on the storage medium by said access means.
Thus, according to a preferred aspect of the invention, each piece of content is encrypted with its own asset key, which can be any random key; these asset keys are stored in a key table. The first user obtains his key table key with the known SIM encryption method (for example using his SIM card); this is the key used to encrypt the key table. The encrypted asset keys and the key table are stored on the medium. If the first user wishes to access an asset key, he needs to use the SIM encryption method again to obtain his key table key. Other users obtain different keys with the SIM encryption method, because their SIMs are different. If the first user wishes a second user to be able to access the content, the first user encrypts the asset keys in a key table with the key derived from the second user's SIM (the SIM-derived key). A second encrypted key table is then stored on the medium, rather than the SIM-derived key itself.
Preferably, as mentioned above, the invention is applied in a mobile communication network and the user devices are mobile phones. The authentication algorithm used to authenticate the mobile communication device to the network is then used to generate the key table key, and preferably also the asset key (although in fact any random key will do).
When the network is a mobile communication network, the authentication unit of the home location register (HLR) of the user to be authorized is used to generate the key table key for said user, so that the medium identifier and the user identifier are transmitted to that authentication unit. A secure channel can also be implemented for transmitting the generated key table key to the user device. Preferably, the key for this secure channel is also generated with the authentication procedure, in a similar way to the generation of the key table key.
The mobile network operator preferably also offers the above procedure as a service. Users from different networks can also be authorized, in the same way as the network treats roaming users. In addition, by offering this service without supporting users from other networks, the network can encourage users of other networks to subscribe to this network.
Description of the drawings
The invention will now be explained in more detail with reference to the following drawings:
Fig. 1 shows an embodiment of a record carrier according to the invention;
Fig. 2 shows an embodiment of a network according to the invention;
Fig. 3 shows a flow chart of the method according to the invention;
Fig. 4 shows an embodiment of a user device according to the invention.
Embodiments
Fig. 1 shows a storage medium 10 according to the invention and illustrates what is stored on such a record carrier. For the following description it is assumed that a particular user of a first user device has access to content stored in encrypted form on the record carrier 10. The record carrier is, for example, an optical record carrier such as a CD, DVD or BD that is readable by the user device, which may for example be a portable mobile phone having a drive for accessing the record carrier 10. It is further assumed that, in addition to the encrypted content, the record carrier 10 stores a machine-readable medium identifier id and at least one key table KL, which is encrypted by use of a key table key KLK and stores at least one asset key AK. The asset key AK has been used to encrypt the content C and is therefore required by the user to decrypt the encrypted content C.
More than one key table KL can also be stored on the record carrier 10, in particular one key table KL per individual user, and each key table KL can be encrypted with a different key table key KLK. Furthermore, each key table KL can store more than one asset key AK, for decrypting different parts of the content C stored on the record carrier 10. In addition, a user check identifier UC for finding the correct key table KL can be assigned to each key table, and/or each key table can contain a decryption check identifier DC for checking whether a key table KL has been decrypted correctly; both identifiers are explained in more detail below.
Fig. 2 shows an embodiment of a network according to the invention and illustrates the general use of the invention. Fig. 3 shows the steps of the method according to the invention as a flow chart. The network shown in Fig. 2 is, as an example, a mobile telephone network, in particular a GSM network 3, to which two user devices 1, 2, here two mobile phones, can be connected, and via which they can communicate with each other and with other users. Each mobile phone 1, 2 comprises a SIM card reader 4 for reading a SIM card 20. An authentication key is stored on the SIM card 20; this is a secret key shared with the authentication centre AuC of the GSM network 3 and is used to authenticate the mobile phone 1, 2 when it connects to the network 3. The mobile phones 1, 2 further comprise a drive 5, for example a compact disc drive, for reading data from and/or storing data on a removable storage medium 10. The user devices 1, 2 further comprise connection means 6 for connecting to the network 3, which include a transmitter 7 for transmitting data and a receiver 8 for receiving data.
As described in the above-mentioned European patent application 02 078 437.7 (PHNL020775), the mobile communication network authentication procedure is used to convert the unique identifier of the record carrier 10 (for example a serial number stored in a specific area of the record carrier 10) into the asset key AK used to encrypt the content C (or part of the content C) stored on the record carrier 10. This conversion is performed by the SIM card 20, or by the authentication centre AuC, so that without this SIM card the content cannot be decrypted and read. This gives users a simple and secure way of protecting their private content. If the user now wishes to allow other users to access his content, or to access it transparently from other devices that he himself owns, the following procedure is carried out.
In a first step S1, the unique identifier id is read from the record carrier. This medium identifier id is then sent (S2), together with the user identifier ui of a second user who is to be authorized by the first user to get access to a specific part of the first user's content, to the authentication centre AuC of the network 3. There (S3), a key generator 31 generates a key table key KLK from the medium identifier id and the user identifier ui; for example, where the key table takes the form of a key locker, the key table key KLK is a key locker key. The generated key table key KLK can then either be sent back only to the first user device 1 (S4), or be sent both to the first user device 1 and to the second user device 2 (S8).
In the first case, the first user device 1 now generates a key table KL2 for the second user device 2 using the received key table key KLK (S5), i.e. the asset keys that are to be given to the second user for accessing the content are encrypted with said key table key KLK. The second user 2 is then given this key table key KLK by the first user for decrypting the newly generated key table KL2 (S6). Using the key table key KLK, he can decrypt the key table KL2, read the asset key from it and decrypt the content with the asset key. In this way, user 2 is added to the authorization list without his direct intervention.
In the second case, the key table key KLK is also passed directly to the second user (S8), and the first user device 1 likewise generates a key table KL2 for the second user 2 using the received key table key KLK (S9, identical to step S5). The second user 2 can then immediately decrypt the new key table KL2 directly using this key table key KLK (S10).
A further possibility is that a second user has a record carrier to which he has no access. He can, however, ask a user who has access to give him access as well, via the network. The first user can then provide his key table key to the second user via the network, thereby authorizing the second user to access his own key table by using the same key table key. In this case it is sufficient for a single key table to be stored on the record carrier, which is used by all users authorized by the first user 1.
As described above, each key table KL preferably also contains a decryption check identifier DC (see Fig. 1), which indicates that the decryption of the key table worked correctly. To check this, the user device comprises a decryption check unit 9, as shown in the embodiment of the user device 1 in Fig. 4. In addition, the key table can contain some randomly generated padding fields to make hacking attacks more difficult. When a user attempts to access the record carrier, the SIM mapping should convert the unique identifier ui into an asset key, which is a potential key for decrypting a key table. Decrypting the key table present on the record carrier with this potential key yields an actual asset key. If the user is not authorized, however, his SIM will still generate a key table key, but this key table key cannot correctly decrypt any key table, which is easily seen from the decryption check identifier.
Preferably, as described above, the key table is a key locker, so that different rights can be stored for each user and some content can be hidden from some users. The key tables can also all (one for each user) be located in one key locker. The key locker key is then a hidden key on the record carrier.
In addition, as also shown in the embodiment of Fig. 4, the user device can comprise a user check unit 11 for checking the corresponding user check identifiers uc, which are preferably stored on the record carrier and assigned to each key table. The user check identifier uc is used to find the correct key table for a user, which avoids decrypting every available key table in order to find the correct one. For example, the user's SIM card contains an identifier for identifying the user to the mobile network, which in GSM is called the International Mobile Subscriber Identity (IMSI) and can be used for this purpose. Alternatively, the user's telephone number can be used. Furthermore, if the user's identity is to be hidden, the user check identifier uc can also be encrypted in a very simple way (for example by an exclusive OR (XOR) with a key). This means that each user check identifier needs to be decrypted again by a simple XOR operation. Since each user check identifier is preferably XORed with a different key, it is not easy to determine potential user check identifiers, so this method hides the user's identity with sufficient security.
Preferably, a user who wishes to authorize other users also generates a new key table for each new user. A key table generation unit 12 is therefore also provided in each user device 1, as shown in Fig. 4.
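The authorization flow of steps S1 to S10, together with key table generation, the user check identifier uc and the decryption check identifier DC described above, is sketched below as an added example that is not part of the patent text. It assumes HMAC-SHA256 as a stand-in both for the network authentication algorithm and for the key table cipher (the patent names neither), and it uses the unencrypted uc variant; the IMSIs, SIM secrets, medium identifier and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

AK_LEN = 16  # assumed asset key length in bytes


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter keystream.
    Assumption: stands in for whatever cipher protects KL and the content."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        msg = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class AuthCenter:
    """Authentication unit (AuC): holds the secret shared with each SIM."""

    def __init__(self, subscribers: dict):
        self._secrets = subscribers  # user identifier ui (IMSI) -> SIM secret

    def key_table_key(self, medium_id: bytes, ui: str) -> bytes:
        """Step S3: generate KLK from medium identifier id and user identifier ui."""
        return hmac.new(self._secrets[ui], b"KLK|" + medium_id,
                        hashlib.sha256).digest()


def make_key_table(klk: bytes, uc: str, asset_key: bytes) -> dict:
    """Key table generation: encrypt DC || AK || random padding under KLK.
    uc is stored once outside the table (to select it) and once inside,
    where it serves as the decryption check identifier DC."""
    nonce = secrets.token_bytes(12)
    plaintext = uc.encode() + asset_key + secrets.token_bytes(8)
    return {"uc": uc, "nonce": nonce, "ct": _xor_stream(klk, nonce, plaintext)}


def open_key_table(klk: bytes, entry: dict):
    """Decrypt one key table; return AK only if the decryption check passes."""
    plaintext = _xor_stream(klk, entry["nonce"], entry["ct"])
    expected_dc = entry["uc"].encode()
    if not hmac.compare_digest(plaintext[:len(expected_dc)], expected_dc):
        return None  # wrong KLK: the DC inside the table does not match
    start = len(expected_dc)
    return plaintext[start:start + AK_LEN]


def find_asset_key(medium: dict, ui: str, klk: bytes):
    """User check: only try the key tables whose uc names this user."""
    for entry in medium["key_tables"]:
        if entry["uc"] == ui:
            asset_key = open_key_table(klk, entry)
            if asset_key is not None:
                return asset_key
    return None


def demo() -> dict:
    # Constructed sample data: IMSIs, SIM secrets, medium identifier, content.
    user1, user2, user3 = "001010000000001", "001010000000002", "001010000000003"
    auc = AuthCenter({u: secrets.token_bytes(16) for u in (user1, user2, user3)})
    asset_key = secrets.token_bytes(AK_LEN)
    nonce = secrets.token_bytes(12)
    medium = {
        "id": b"MEDIUM-ID-0001",
        "content": (nonce, _xor_stream(asset_key, nonce, b"private recording")),
        "key_tables": [],
    }
    # User 1 stores a key table encrypted under his own KLK.
    klk1 = auc.key_table_key(medium["id"], user1)
    medium["key_tables"].append(make_key_table(klk1, user1, asset_key))

    # S1-S5: user 1 sends (id, ui of user 2) to the AuC, gets KLK2, stores KL2.
    klk2 = auc.key_table_key(medium["id"], user2)
    medium["key_tables"].append(make_key_table(klk2, user2, asset_key))

    # S6 / S8-S10: user 2 receives KLK2, finds KL2 by uc, decrypts the content.
    ak2 = find_asset_key(medium, user2, klk2)
    content_nonce, ciphertext = medium["content"]
    user2_content = _xor_stream(ak2, content_nonce, ciphertext)

    # User 3 was never authorized: no table carries his uc, and his KLK
    # fails the decryption check on user 2's table.
    klk3 = auc.key_table_key(medium["id"], user3)
    return {
        "user2_content": user2_content,
        "user3_lookup": find_asset_key(medium, user3, klk3),
        "user3_on_kl2": open_key_table(klk3, medium["key_tables"][1]),
    }


if __name__ == "__main__":
    print(demo())
```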
As described in the above-mentioned European patent application 02 078 437.7 (PHNL020775), the user who created the content will be authorized. Adding other users to the authorization list can be done via the network. A secure connection is therefore preferably provided between the user device and the network (in particular the home location register HLR) in the GSM of the user to be authorized. Likewise, either the user's telephone number or the user's IMSI can be used as the user identifier. Of course, other user identifiers that uniquely identify the user to the network can also be used.
The authentication procedure described above can also be used, in a similar way, to generate keys for the secure channel between the user device and the network.
The mobile network operator preferably also offers the above procedure as a service. Users from different networks can also be authorized, in the same way as the network treats roaming users. However, by offering this service without supporting users from other networks, the network can also encourage friends or family members of existing users to subscribe to their network.
The invention provides a simple method for adding further users to the authorization list for access to content belonging to a particular user. It does so using the network authentication procedure, which has a high level of security.

Claims (11)

1. A device for authorizing a user to get access to content stored in encrypted form on a storage medium (10), said storage medium storing a machine-readable medium identifier (id) and at least one key list (KL) that is encrypted using a key list key (KLK) and stores at least one asset key (AK) for decrypting the encrypted content (C), said device comprising:
connection means (6) for connecting said device to a network (3);
a drive (5) for accessing said storage medium (10), in particular for reading content (C) and said medium identifier (id) from said storage medium (10); and
a transmitter (7) for transmitting said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3), said user being the user who is to be granted access to said content (C) and being identified to said network (3) by said user identifier (ui), said medium identifier (id) and said user identifier (ui) being used by said authentication unit (AuC) to generate a key list key (KLK) for said user, so that said user can decrypt at least one predetermined key list (KL).
2. The device as claimed in claim 1, further comprising a receiver (8) for receiving said key list key (KLK) for said user from said network (3), wherein said transmitter (7) is operable to transmit the received key list key (KLK) to said user.
3. The device as claimed in claim 1, wherein said storage medium (10) stores a plurality of key lists (KL), in particular one key list per user, wherein a user check identifier (uc) is assigned to each key list, and wherein said device further comprises user check means (11) for checking, based on said user check identifier (uc), which key list (KL) is assigned to said user.
4. The device as claimed in claim 1, wherein said at least one key list (KL) further comprises a decryption check identifier (DC), and wherein said device further comprises decryption check means (9) for checking, based on said decryption check identifier (DC), whether a key list (KL) has been decrypted correctly.
5. The device as claimed in claim 1, further comprising a key list generation unit (12) for generating a key list (KL) by encrypting one or more asset keys (AK) with a key list key (KLK), wherein said drive (5) is operable to store said key list (KL) on said storage medium (10).
6. The device as claimed in claim 1, wherein said device is a mobile communication device, in particular a mobile phone, wherein said network is a mobile communication network, and wherein said authentication unit (AuC) generates said key list key (KLK) with an authentication algorithm used for authenticating mobile communication devices.
7. The device as claimed in claim 6, wherein said user identifier (id) is the international mobile subscriber identity or a telephone number of said user.
8. The device as claimed in claim 6, wherein said transmitter (7) is operable to transmit said medium identifier (id) and said user identifier (ui) via said network (3) to the authentication unit (AuC) of the home location register of said user.
9. A method for authorizing a user to get access to content stored in encrypted form on a storage medium (10), said storage medium storing a machine-readable medium identifier (id) and at least one key list (KL) that is encrypted using a key list key (KLK) and stores at least one asset key (AK) for decrypting the encrypted content (C), said method comprising the steps of:
connecting said device to a network (3);
transmitting said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3), said user being the user who is to be granted access to said content (C) and being identified to said network (3) by said user identifier (ui), said medium identifier (id) and said user identifier (ui) being used by said authentication unit (AuC) to generate a key list key (KLK) for said user, so that said user can decrypt at least one predetermined key list (KL).
10. A network comprising:
- a first user device (1) for authorizing a second user device of a user to get access to content stored in encrypted form on a storage medium (10), said storage medium storing a machine-readable medium identifier (id) and at least one key list (KL) that is encrypted using a key list key (KLK) and stores at least one asset key (AK) for decrypting the encrypted content (C), said first user device comprising:
  - connection means (6) for connecting said device to a network (3);
  - a drive (5) for accessing said storage medium (10), in particular for reading content (C) and said medium identifier (id) from said storage medium (10); and
  - a transmitter (7) for transmitting said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3), said user being the user who is to be granted access to said content (C) and being identified to said network (3) by said user identifier (ui);
- an authentication unit (AuC) comprising:
  - a receiver (30) for receiving said medium identifier (id) and said user identifier (ui);
  - key generation means (31) for generating a key list key for said user using said medium identifier (id) and said user identifier (ui), said key list key enabling said user to decrypt said at least one key list; and
  - a transmitter (32) for transmitting said key list key to said first and/or said second user device; and
- a second user device (2) of the user who is to be granted access to the content stored in encrypted form on the storage medium, comprising:
  - connection means (6) for connecting said device to said network;
  - a receiver (8) for receiving said key list key from said authentication unit or from said first user device;
  - a drive (5) for accessing said storage medium, in particular for reading content from said storage medium, and for decrypting at least one predetermined key list using the received key list key.
11. A computer program comprising program code means for causing a computer to carry out the steps of the method as claimed in claim 9 when said computer program is run on a computer.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP04100409.4 2004-02-04
EP04100409 2004-02-04

Publications (1)

Publication Number Publication Date
CN1914679A true CN1914679A (en) 2007-02-14

Family

ID=34833726

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005800040116A Pending CN1914679A (en) 2004-02-04 2005-01-26 Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium

Country Status (5)

Country Link
EP (1) EP1714280A1 (en)
JP (1) JP2007525123A (en)
KR (1) KR20060122906A (en)
CN (1) CN1914679A (en)
WO (1) WO2005076270A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2550560C (en) 2005-06-17 2015-07-21 Kabushiki Kaisha Toshiba Information provision system, provision information copying device, user terminal device and user management device
AU2008341026C1 (en) * 2007-12-21 2012-10-04 Cocoon Data Holdings Limited System and method for securing data

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0823315A (en) * 1994-07-08 1996-01-23 Sony Corp Information presetting system
JPH0934841A (en) * 1995-07-21 1997-02-07 Fujitsu Ltd On-line ciphering releasing system of storage medium and its method
CN1277364C (en) * 1999-12-02 2006-09-27 三洋电机株式会社 Memory card and data distribution system using it
TWI226776B (en) * 2000-12-18 2005-01-11 Koninkl Philips Electronics Nv Secure super distribution of user data
JP2002328846A (en) * 2001-02-20 2002-11-15 Sony Computer Entertainment Inc Copy management system, computer readable storage medium in which information processing program of client terminal is stored, computer readable storage medium in which information processing program of management server is stored, information processing program of client terminal, information processing program of management server, copy managing method, information processing method of client terminal and information processing method of managing server
JP2003085084A (en) * 2001-09-12 2003-03-20 Sony Corp Contents delivery system and method, portable terminal, delivery server, and recording medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105493436A (en) * 2013-08-29 2016-04-13 瑞典爱立信有限公司 Method, content owner device, computer program, and computer program product for distributing content items to authorized users
CN105493436B (en) * 2013-08-29 2019-09-10 瑞典爱立信有限公司 For distributing method, the Content owner's equipment of content item to authorized user

Also Published As

Publication number Publication date
JP2007525123A (en) 2007-08-30
KR20060122906A (en) 2006-11-30
EP1714280A1 (en) 2006-10-25
WO2005076270A1 (en) 2005-08-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication