KR20130050715A - Method and apparatus for encryption of entitlement control message - Google Patents

Publication number
KR20130050715A
Authority
KR
South Korea
Prior art keywords
control message
encryption key
entitlement control
subscriber
entitlement
Application number
KR1020110115932A
Other languages
Korean (ko)
Inventor
최영우
강민정
이승탁
임동혁
Original Assignee
주식회사 케이티
Application filed by 주식회사 케이티
Priority to KR1020110115932A priority Critical patent/KR20130050715A/en
Publication of KR20130050715A publication Critical patent/KR20130050715A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/44 Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs
    • H04N21/4408 Processing of video elementary streams, e.g. splicing a video clip retrieved from local storage with an incoming video stream, rendering scenes according to MPEG-4 scene graphs involving video stream encryption, e.g. re-encrypting a decrypted video stream for redistribution in a home network
    • H04N21/441 Acquiring end-user identification, e.g. using personal code sent by the remote control or by inserting a card
    • H04N21/45 Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462 Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623 Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]

Abstract

The present invention relates to a method and apparatus for encrypting an entitlement control message.
The entitlement control message encryption method according to an embodiment of the present invention includes: receiving entitlement control message request information transmitted from a subscriber station; requesting that a subscriber encryption key database transmit an entitlement control message encryption key for encrypting the entitlement control message requested by the subscriber station; generating the entitlement control message encryption key if the subscriber encryption key database cannot transmit it; encrypting the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key; and transmitting the encrypted entitlement control message.
According to the present invention, even if a failure occurs in the subscriber encryption key database, the encryption key can be quickly provided through an emergency encryption method.

Description

METHOD AND APPARATUS FOR ENCRYPTION OF ENTITLEMENT CONTROL MESSAGE

The present invention relates to a method and apparatus for encrypting a message, in particular an entitlement control message, in a security system of an Internet Protocol Television (IPTV) service based on a Conditional Access System.

IPTV service is an interactive TV service based on the Internet Protocol, and provides a VOD service so that subscribers can selectively use desired content at a desired time. To provide a high-quality and stable VOD service, the IPTV service has subscribers pay a content usage fee and introduces a cryptographic system to control such restricted use. That is, the content is transmitted in an encrypted state, and only a subscriber who has the right to use the corresponding content can decrypt and use it, so that paid content is available only to subscribers who hold that right.

The conditional access system, which is one of the encryption systems of the IPTV service, enables the content to be used by decrypting the encrypted content with a separately provided content encryption key when the subscriber terminal plays the provided encrypted content. In this case, the content encryption key provided to the subscriber terminal is included in the Entitlement Control Message, and the entitlement control message is itself encrypted to prevent the content encryption key from being exposed. These hierarchical encryption keys are stored, maintained and managed for each subscriber in a subscriber encryption key database.

However, if the encryption key is not provided due to a failure in the subscriber encryption key database, the requested entitlement control message cannot be encrypted until the failure is recovered, and thus, a seamless VOD service cannot be provided to the subscriber.

It is an object of the present invention to provide a seamless VOD service to a subscriber by generating an encryption key and encrypting an entitlement control message even when a failure occurs in a database storing the subscriber encryption key.

Another object of the present invention is to generate an encryption key using the entitlement control message request information received from the subscriber station, so that the entitlement control message can be encrypted more quickly without additional information exchange between the cryptographic system and the subscriber station.

The objects of the present invention are not limited to the above-mentioned objects, and other objects and advantages of the present invention which are not mentioned can be understood by the following description and more clearly understood by the embodiments of the present invention. It will also be readily apparent that the objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

In accordance with an aspect of the present invention, there is provided a method for encrypting an entitlement control message, the method comprising: receiving entitlement control message request information transmitted from a subscriber station; requesting that a subscriber encryption key database transmit an entitlement control message encryption key for encrypting the entitlement control message requested by the subscriber station; generating an entitlement control message encryption key if the subscriber encryption key database cannot transmit the requested entitlement control message encryption key; encrypting the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key; and transmitting the encrypted entitlement control message.

In addition, the present invention provides an apparatus for entitlement control message encryption, comprising: a receiver for receiving entitlement control message request information transmitted from a subscriber station; an encryption key generation unit for requesting that a subscriber encryption key database transmit an entitlement control message encryption key for encrypting the entitlement control message requested by the subscriber station, and for generating an entitlement control message encryption key when the subscriber encryption key database cannot transmit the requested entitlement control message encryption key; an encryption unit for encrypting the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key; and a transmitting unit for transmitting the encrypted entitlement control message.

According to the present invention as described above, even if a failure occurs in the database in which the subscriber encryption key is stored, the encryption key can be generated directly to provide a seamless VOD service to the subscriber by encrypting the entitlement control message.

In addition, according to the present invention, by generating an encryption key using the entitlement control message request information received from the subscriber station, there is an advantage that the entitlement control message can be more quickly encrypted without additional information exchange between the encryption system and the subscriber station.

FIG. 1 is a block diagram of an entitlement control message encryption apparatus according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining an entitlement control message encryption method according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method for encrypting an entitlement control message according to an embodiment of the present invention.

The above and other objects, features, and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, which are not intended to limit the scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the drawings, the same reference numerals are used to denote the same or similar elements.

FIG. 1 is a block diagram of an entitlement control message encryption apparatus according to an embodiment of the present invention.

Referring to FIG. 1, the entitlement control message encryption apparatus 102 includes a receiver 104, an encryption key generator 106, an encryption unit 108, and a transmitter 110.

The receiving unit 104 receives the entitlement control message request information transmitted from the subscriber station.

The encryption key generation unit 106 requests that the subscriber encryption key database transmit the entitlement control message encryption key for encrypting the entitlement control message requested by the subscriber station. When the subscriber encryption key database cannot transmit the requested entitlement control message encryption key, the encryption key generation unit 106 directly generates the entitlement control message encryption key.

In this case, the encryption key generation unit 106 may generate the entitlement control message encryption key using a specific bit extracted from the subscriber authentication hash value included in the entitlement control message request information. As a result, since the entitlement control message encryption device 102 and the subscriber station do not need to exchange separate information for generating the entitlement control message encryption key, the entitlement control message can be encrypted more quickly and transmitted to the terminal.

The encryption unit 108 encrypts the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key.

The transmitter 110 transmits the entitlement control message encrypted by the encryption unit 108. Meanwhile, the encrypted entitlement control message may include failure occurrence information indicating a failure of the subscriber encryption key database. As a result, the subscriber station receiving the encrypted entitlement control message can recognize the failure of the subscriber encryption key database and, by decrypting the entitlement control message accordingly, can be provided with the VOD service in a quick and simple manner.

FIG. 2 is a diagram illustrating a method for encrypting an entitlement control message according to an embodiment of the present invention.

Referring to FIG. 2, the subscriber station 200 requests an entitlement control message (ECM) from the cryptographic system 202, and the cryptographic system 202 transmits the requested entitlement control message in response. The cryptographic system 202 may include a VOD service system 204, a content encryption key storage 206, an entitlement control message generator 208, and a subscriber encryption key database 210.

In the present embodiment, the content encryption key is stored separately from the content, and delivered to the subscriber when the subscriber requests. That is, when the user wants to use the encrypted content, the subscriber station 200 must separately receive a content encryption key for decrypting the encrypted content. The encryption system 202 encrypts the entitlement control message including the content encryption key and transmits it to the requesting subscriber terminal 200 for security.

The VOD service system 204 of the encryption system 202 may receive the entitlement control message request information including the content ID and the subscriber authentication hash value from the subscriber terminal 200. The content ID specifies the entitlement control message that the subscriber terminal is requesting, and the subscriber authentication hash value is used to check whether the subscriber has the right to request a content encryption key.

The VOD service system 204 may transmit the entitlement control message request information to the entitlement control message generator 208. Here, the VOD service system 204 extracts the content encryption key corresponding to the content ID from the content encryption key storage unit 206, and may then transmit entitlement control message request information that includes the content encryption key and the subscriber authentication hash value transmitted from the subscriber terminal 200.

The entitlement control message generating unit 208 may decrypt the content encryption key included in the entitlement control message request information, and then generate an entitlement control message corresponding thereto. In addition, the entitlement control message generator 208 may encrypt the entitlement control message for security. Since an encryption key is required to encrypt the entitlement control message, the entitlement control message generator 208 may request subscriber authentication and the entitlement control message encryption key from the subscriber encryption key database 210, which stores and manages the hierarchical encryption keys for each subscriber.

However, when a failure occurs in the subscriber encryption key database 210, the subscriber encryption key database 210 cannot transmit the entitlement control message encryption key despite the request of the entitlement control message generator 208. In this case, if the requested entitlement control message is not sent to the subscriber terminal 200 until the failure of the subscriber encryption key database 210 is recovered, the subscriber terminal 200 cannot use the content for a long time. To provide the subscriber with a seamless VOD service in such a situation, in the present invention the entitlement control message generator 208 may itself generate the entitlement control message encryption key, encrypt the entitlement control message with it, and then transmit it to the subscriber station 200.

In one embodiment of the present invention, the entitlement control message generator 208 may generate an entitlement control message encryption key by extracting a specific bit from the subscriber authentication hash value transmitted from the subscriber station 200. For example, the total number of bits of the subscriber authentication hash value may be 160 bits, and the total number of bits of the entitlement control message encryption key may be smaller than that, such as 64 or 128 bits. When the key has fewer bits than the hash value, even if the subscriber authentication hash value is exposed to the outside, the algorithm for extracting the entitlement control message encryption key from it is not known, so security can be enhanced. However, the total number of bits of the entitlement control message encryption key is not necessarily less than the total number of bits of the subscriber authentication hash value.

The entitlement control message generator 208 may encrypt the entitlement control message by using the entitlement control message encryption key generated from the subscriber authentication hash value.

Subsequently, the entitlement control message generator 208 transmits the encrypted entitlement control message to the VOD service system 204. The VOD service system 204 may transmit the encrypted entitlement control message received from the entitlement control message generator 208 to the subscriber station 200. At this time, the encryption system 202 may notify the subscriber station 200 of the failure state of the subscriber encryption key database 210 by setting an emergency parameter in the header of the encrypted entitlement control message. In other words, instead of sending an encrypted entitlement control message followed by an additional failure message, the cryptographic system 202 may include failure occurrence information indicating the failure of the subscriber encryption key database 210 in the form of a header inside the encrypted entitlement control message and transmit it to the subscriber station 200. In this way, the encryption system 202 may inform the subscriber station 200 that the encryption key for encrypting the entitlement control message was generated by the entitlement control message generator 208 rather than transmitted from the subscriber encryption key database 210.

When the subscriber station 200 receives the encrypted entitlement control message, the subscriber terminal 200 may parse the header to recognize the failure of the subscriber encryption key database 210. That is, the subscriber station 200 may receive the failure state of the subscriber encryption key database 210 in the response to the information it requested from the security system. As a result, the subscriber station 200 can, as in the encryption method according to the present embodiment, extract a specific bit from its own subscriber authentication hash value according to a preset rule and use it as the decryption key to decrypt the entitlement control message. As described above, in the present invention, only information already transmitted from the subscriber terminal 200 is used when encrypting or decrypting the entitlement control message, so no separate information needs to be transmitted or received for encryption or decryption, and rapid encryption is possible. Therefore, according to the present invention, even when a failure occurs in the subscriber encryption key database 210, it is possible to provide a seamless VOD service to the subscriber terminal 200.

FIG. 3 is a flowchart illustrating an entitlement control message encryption method according to an embodiment of the present invention.

Referring to FIG. 3, first, entitlement control message request information transmitted from a subscriber station is received (302).

Subsequently, the subscriber encryption key database is requested to transmit the entitlement control message encryption key for encrypting the entitlement control message requested by the subscriber station (304).

If the subscriber encryption key database is unable to send the entitlement control message encryption key, the entitlement control message encryption key is generated directly (306). In this case, the entitlement control message encryption key may be generated using a specific bit extracted from the subscriber authentication hash value included in the entitlement control message request information.

Thereafter, the entitlement control message requested by the subscriber station may be encrypted using the generated entitlement control message encryption key (308).

Subsequently, an encrypted entitlement control message may be transmitted to the subscriber station (310). In this case, the encrypted entitlement control message may include failure occurrence information indicating a failure of the subscriber encryption key database.
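
The fallback flow of steps 302 to 310, together with the terminal-side decryption described for FIG. 2, can be sketched as follows. This is an added example, not code from the patent: the bit-selection rule, the header layout (one flag byte plus a 32-bit content ID, sent in the clear), the `EMERGENCY_FLAG` value and all function names are assumptions, and the HMAC-SHA256 keystream is a stand-in for the cipher, which the page does not specify. It also makes visible that the emergency key is a pure function of the hash value carried in the request, so its secrecy rests entirely on the extraction rule.

```python
import hashlib
import hmac
import struct

EMERGENCY_FLAG = 0x01   # assumed header bit: key was derived, database failed
HASH_BITS = 160         # hash size used in the page's example
KEY_BITS = 128          # one of the key sizes the page mentions (64 or 128)
# Assumed "preset rule": which hash bits form the key. The page does not
# give its rule; this fixed list of distinct positions is illustrative only.
BIT_POSITIONS = [(i * 37 + 11) % HASH_BITS for i in range(KEY_BITS)]
# Constructed 160-bit stand-in for a subscriber authentication hash value.
SAMPLE_AUTH_HASH = bytes((i * 29 + 5) % 256 for i in range(20))


class KeyDatabaseDown(Exception):
    """Raised by a lookup when the subscriber encryption key database fails."""


def failing_db(auth_hash):
    """Constructed lookup that simulates the database outage."""
    raise KeyDatabaseDown("subscriber encryption key database unreachable")


def extract_key(auth_hash):
    """Build the emergency ECM key from the selected bits of the hash."""
    if len(auth_hash) * 8 != HASH_BITS:
        raise ValueError("expected a 160-bit subscriber authentication hash")
    value = int.from_bytes(auth_hash, "big")
    key = 0
    for pos in BIT_POSITIONS:            # position 0 is the most significant bit
        key = (key << 1) | ((value >> (HASH_BITS - 1 - pos)) & 1)
    return key.to_bytes(KEY_BITS // 8, "big")


def keystream_xor(key, header, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = header + struct.pack(">I", counter)
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_ecm(content_id, content_key, auth_hash, db_lookup):
    """Head-end side: steps 304-310, falling back when the lookup fails."""
    try:
        ecm_key, flags = db_lookup(auth_hash), 0
    except KeyDatabaseDown:
        ecm_key, flags = extract_key(auth_hash), EMERGENCY_FLAG
    header = struct.pack(">BI", flags, content_id)   # readable before decryption
    return header + keystream_xor(ecm_key, header, content_key)


def open_ecm(ecm, auth_hash, stored_key):
    """Terminal side: parse the header, choose the key, decrypt the payload."""
    header, body = ecm[:5], ecm[5:]
    flags, content_id = struct.unpack(">BI", header)
    if flags & EMERGENCY_FLAG:
        key = extract_key(auth_hash)     # same preset rule as the head-end
    elif stored_key is not None:
        key = stored_key
    else:
        raise ValueError("normal ECM received but no provisioned key")
    return content_id, keystream_xor(key, header, body)


if __name__ == "__main__":
    content_key = bytes(range(16))       # constructed content encryption key
    ecm = build_ecm(7, content_key, SAMPLE_AUTH_HASH, failing_db)
    print("emergency flag set:", bool(ecm[0] & EMERGENCY_FLAG))
    print("terminal recovered key:",
          open_ecm(ecm, SAMPLE_AUTH_HASH, None) == (7, content_key))
```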

As described above, the present invention may be variously deformed, modified, and changed without departing from the technical spirit of the present invention by those skilled in the art. It is not limited by.

Claims (6)

1. An entitlement control message encryption method comprising:
receiving entitlement control message request information transmitted from a subscriber station;
requesting a subscriber encryption key database to transmit an entitlement control message encryption key for encrypting an entitlement control message requested by the subscriber station;
generating the entitlement control message encryption key if the subscriber encryption key database is unable to transmit the entitlement control message encryption key;
encrypting the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key; and
transmitting the encrypted entitlement control message.

2. The method according to claim 1, wherein generating the entitlement control message encryption key comprises generating the entitlement control message encryption key using a specific bit extracted from the subscriber authentication hash value included in the entitlement control message request information.

3. The method according to claim 1, wherein the encrypted entitlement control message includes failure occurrence information indicating a failure of the subscriber encryption key database.

4. An entitlement control message encryption device comprising:
a receiving unit which receives entitlement control message request information transmitted from a subscriber station;
an encryption key generator which requests transmission of an entitlement control message encryption key for encrypting an entitlement control message requested by the subscriber station and, if the subscriber encryption key database cannot transmit the entitlement control message encryption key, generates the entitlement control message encryption key;
an encryption unit which encrypts the entitlement control message requested by the subscriber station using the generated entitlement control message encryption key; and
a transmitter which transmits the encrypted entitlement control message.

5. The device according to claim 4, wherein the encryption key generation unit generates the entitlement control message encryption key using a specific bit extracted from the subscriber authentication hash value included in the entitlement control message request information.

6. The device according to claim 4, wherein the encrypted entitlement control message includes failure occurrence information indicating a failure of the subscriber encryption key database.

KR1020110115932A 2011-11-08 2011-11-08 Method and apparatus for encryption of entitlement control message KR20130050715A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020110115932A KR20130050715A (en) 2011-11-08 2011-11-08 Method and apparatus for encryption of entitlement control message

Publications (1)

Publication Number Publication Date
KR20130050715A (en) 2013-05-16

Family

ID=48661000

Country Status (1)

Country Link
KR (1) KR20130050715A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180037815A (en) * 2016-10-05 2018-04-13 에스케이텔레콤 주식회사 Networlk device and terminal device, control method thereof

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination