WO2007085186A1 - Media stream key management method, system and application server - Google Patents


Info

Publication number
WO2007085186A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
media stream
terminal
encryption key
application server
Application number
PCT/CN2007/000241
Other languages
French (fr)
Chinese (zh)
Inventor
Jun Yan
Jincheng Li
Xiangyang Wu
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007085186A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/60 Network streaming of media packets
    • H04L 65/61 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L 65/611 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for multicast or broadcast
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]

Definitions

  • the present invention relates to the field of communications, and more particularly to a media stream key management method and system, and an application server.
  • the streaming media service is a new service that has developed rapidly in recent years. It uses streaming technology to transmit multimedia files, including video and audio files, on a packet-switched network. These multimedia files can be played immediately without having to download them completely.
  • the key technology for streaming media service implementation is streaming technology.
  • the IP Multimedia Subsystem (IMS) uses the IP packet domain as the bearer channel for its control signaling and media transmission, and uses the Session Initiation Protocol (SIP) as its call control signaling, thereby separating service management, session control and bearer access.
  • SIP Session Initiation Protocol
  • Streaming media services based on IMS can make full use of the existing features of the IMS network and reuse functions in the IMS network architecture, such as authentication and billing, so that streaming media services can be efficiently and quickly developed.
  • the security of media streams is an important aspect to consider in the streaming media business. Effectively ensuring the security of media stream transmission, so that the media stream is not illegally copied in transit, concerns the legitimate interests of the content provider; at the same time, security protection of the media stream also protects the user's personal privacy from being illegally intercepted.
  • the media stream is protected by directly negotiating a key for media stream protection between the streaming server and the terminal: the streaming server and the terminal share the key and encrypt the media content with it. The details are as follows:
  • the streaming media server and the terminal are based on a symmetric key architecture, and share the key K with each other;
  • the streaming media server and the terminal negotiate a media stream encryption key Kt;
  • the streaming media server encrypts the media stream with the encryption key Kt and transmits it to the terminal;
  • the terminal uses Kt to decrypt the received media stream and play the program.
  • the basic idea of the above solution is to directly negotiate the key between the streaming server and the terminal based on the symmetric key K shared in advance.
  • this key management method requires the streaming server and the terminal to share certain information in advance, such as a symmetric key, based on which they can initiate negotiation of the media stream encryption key.
  • the same streaming server may serve many users at the same time.
  • the streaming server needs to save the initial symmetric key for each user.
  • This key management method imposes a relatively large burden on the streaming server.
  • the same content therefore has to be encrypted multiple times by the streaming media server, once for each user. This is unnecessary for applications with relatively low security requirements, such as television broadcasting: broadcast programs generally only need to be encrypted once on the streaming server, which serves multiple users with monthly subscriptions, and these users share the same key. For such applications, encrypting separately for each user greatly increases the computing overhead and storage requirements of the streaming server and reduces its efficiency.
  • the embodiment of the invention provides a media stream key management method and system, and an application server, which can reduce the key management overhead of the streaming media server and improve the efficiency of the streaming media server.
  • a media stream key management method includes: an application server obtains a media stream encryption key and sends it to a terminal and a streaming media server; and the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
  • a media stream key management method includes: a terminal and an application server negotiate a media stream encryption key;
  • the application server sends the media stream encryption key to the streaming media server.
  • a media stream key management method provided by another embodiment of the present invention includes:
  • the application server acquires a media stream encryption key from a streaming media server;
  • the application server sends the media stream encryption key to the terminal;
  • the terminal and the streaming server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
  • a media stream key management method includes: an application server sends a key encryption key to a streaming media server; the streaming media server obtains a media stream encryption key, encrypts it with the key encryption key and sends it to the terminal; the terminal decrypts it using the previously obtained key encryption key to obtain the media stream encryption key; and the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content using the media stream encryption key.
  • a media stream key management method includes: an application server sends a key encryption key to a streaming media server; and the streaming media server uses the key encryption key to negotiate with the terminal to determine a media stream encryption key.
  • the terminal and the streaming server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
  • a media stream key management system includes: an application server, a terminal, and a streaming media server; the terminal is configured to send a service request to the application server; the application server generates a media stream encryption key according to the received service request and transmits it to the terminal and the streaming media server; and the streaming media server and the terminal encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
  • a media stream key management system includes: an application server, a terminal, and a streaming media server; the terminal is configured to send a service request to the application server; the application server generates a key encryption key after receiving the terminal's service request and transmits it to the streaming server; the streaming server is configured to generate a media stream encryption key, encrypt it using the key encryption key and send it to the terminal; and the terminal decrypts it using the key encryption key to obtain the media stream encryption key, and encrypts/decrypts the transmitted streaming media content with the streaming media server using the media stream encryption key.
  • a media stream key management system includes: an application server, a terminal, and a streaming media server; the terminal is configured to send a service request to the application server; the application server generates a key encryption key after receiving the terminal's service request and sends it to the streaming media server; the streaming media server uses the key encryption key to negotiate with the terminal to determine a media stream encryption key; and the streaming media server and the terminal encrypt/decrypt the transmitted streaming media content by using the media stream encryption key.
  • an application server includes: a receiving unit, a key obtaining unit, and a transmitting unit; the receiving unit is configured to receive a service request from the terminal and notify the key obtaining unit; after receiving the notification, the key obtaining unit acquires a key according to a preset key acquisition manner and sends it to the transmitting unit; and the transmitting unit transmits the acquired key to the terminal and/or the streaming media server.
  • the embodiment of the present invention performs key acquisition and delivery control through the application server and the streaming media server, that is, keys are managed uniformly by the application server at the service level rather than only on the streaming media server, so the key management function is simplified and clear; in addition, the streaming media server does not need to store key information shared between itself and the terminal, since keys are obtained through interaction with the application server, thereby reducing the key management overhead of the streaming media server and increasing its efficiency.
  • FIG. 1 is a schematic diagram of a key management system for an IMS-based media stream according to the present invention.
  • FIG. 2 is a schematic flowchart of a method for managing a key of an IMS-based media stream according to a first embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a process of a key management method for an IMS-based media stream according to a second embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for managing a key of an IMS-based media stream according to a third embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an embodiment of an application server of the present invention.
  • the IMS network realizes the separation of service management, session control and service bearer, and the execution levels of the entire service are clearly defined.
  • the streaming media service in the IMS can control the acquisition and distribution of keys through the application server, thereby managing the keys uniformly.
  • the key management function can thus be simplified and clarified.
  • the streaming media server does not need to save key information shared between itself and the terminal, since the keys are obtained through interaction with the application server, thereby reducing the key management overhead of the streaming media server.
  • when the application server is responsible for distributing the keys that encrypt the media stream to the terminal and the streaming server, it can distribute the same media stream encryption key to different terminals requesting the same service. For example, when multiple users simultaneously watch the same TV channel, the application server can issue the same media stream encryption key to these users, so only one content encryption process is performed on the streaming media server.
  • when the streaming media server is responsible for distributing the media stream encryption key to different terminals, it can distribute the same media stream encryption key to the terminals requesting the same content, thereby ensuring that the streaming media server only needs to encrypt the content once.
  • an embodiment of a key management system for an IMS-based media stream includes: a terminal 101, a proxy CSCF 105, a serving CSCF 104, an application server 102, and a streaming server 103.
  • the proxy CSCF 105 is configured to forward the streaming service request sent by the terminal 101 to the application server 102 on to the serving CSCF 104, and to receive the key forwarded by the serving CSCF 104 and forward it to the terminal 101; the serving CSCF 104 is configured to trigger the request to the application server 102 as a streaming media service request, and to receive the key sent by the application server 102 and forward it to the proxy CSCF 105 or the streaming media server 103.
  • the application server 102 is configured to receive the streaming media service request sent by the terminal 101, generate a key, and send it to the terminal 101 and the streaming server 103; the streaming server 103 is configured to encrypt/decrypt the transmitted media content with the terminal 101 using that key.
  • the application server 102 and the terminal 101 can be connected via a Ut interface.
  • TEK Traffic Encryption Key
  • KEK Key Encryption Key
  • the KEK has a long life cycle. For example, for users who pay per use, the KEK can remain unchanged for the duration of the streaming service, and for subscribers the KEK can remain unchanged for the entire subscription period; this makes protecting the frequently delivered TEK with the KEK efficient.
  • the application server can directly deliver the TEK to the terminal and the streaming media server.
  • the media stream encryption key is directly used to encrypt the streaming media content between the streaming media server and the terminal; the application server can also adopt a layered key management mode.
  • the KEK can be delivered to the terminal and the streaming server, and the TEK can be distributed through the protection of the KEK.
  • KMC Key Management Center
  • after receiving the service request sent by the terminal, the application server obtains the key (KEK and/or TEK) through some key acquisition method;
  • the key management method of the present invention may have the following embodiments according to different types of keys issued by the application server and different entities to be delivered:
  • the first embodiment is: After receiving the service request sent by the terminal, the application server obtains a key in one of several ways of obtaining the key, and sends the key as a TEK to the terminal and the streaming server. The terminal and the streaming server use the TEK to encrypt/decrypt the streaming media content transmitted between the two.
  • the second embodiment is: After receiving the service request sent by the terminal, the application server obtains a key in one of several ways of obtaining the key, and sends the key as a KEK to the terminal and the streaming media server.
  • the streaming server obtains a key in one of several ways of obtaining a key, and uses the key as a TEK to transmit the TEK to the terminal through the protection of the KEK.
  • the terminal and the streaming server encrypt/decrypt the streaming media content transmitted between them with the TEK.
  • the application server delivers the KEK to the terminal and the streaming server.
  • the terminal and the streaming server negotiate the TEK using the KEK.
  • the advantage of using delivery instead of negotiation is that the streaming server can be made to use the same TEK for different users of the same service, which reduces the encryption load on the streaming server.
  • the process of delivering the TEK to the terminal by the MRFP through the protection of the KEK can be performed by using a multicast key stream.
  • the streaming server can generate the TEK itself or obtain the TEK from the application server.
  • in the third embodiment, after receiving the service request sent by the terminal, the application server obtains two keys in one of several ways of obtaining a key, one as the KEK and one as the TEK:
  • the application server delivers the KEK to the terminal and sends the TEK to the terminal through the KEK protection.
  • the application server sends the TEK to the streaming server.
  • the terminal and the streaming server use the TEK to encrypt/decrypt the streaming media content transmitted between the two.
  • alternatively, the application server sends the KEK to the streaming server, and sends the TEK to the streaming server under the protection of the KEK.
  • the application server sends the TEK to the terminal.
  • the terminal and the streaming server use the TEK to encrypt/decrypt the streaming media content transmitted between them.
  • the fourth embodiment is as follows: after the application server receives the service request sent by the terminal, the application server and the terminal can also obtain a key shared by the two through GBA (Generic Bootstrapping Architecture) or other methods and use it as the TEK. The key is sent to the streaming server as the TEK. The terminal and the streaming server use the TEK to encrypt/decrypt the streaming content transferred between them.
  • GBA Generic Bootstrapping Architecture
  • the fifth embodiment is: After the application server receives the service request sent by the terminal, the application server obtains the TEK generated by the streaming server. The key is sent to the terminal as a TEK. The terminal and the streaming server use the TEK to encrypt/decrypt the streaming media content transmitted between the two.
  • the application server and the terminal can also obtain a key shared by both through GBA (Generic Bootstrapping Architecture) or other methods and use it as the KEK.
  • the network side entity may save the KEK during the validity period of the service, so that when the terminal requests the service again, the same KEK is used to deliver the TEK, thereby reducing the frequency with which the application server needs to obtain a KEK.
  • the network side entity that holds the KEK may be an application server or a separate key management center, depending on how the KEK is generated.
  • the KEK can be packaged in a copyright object and sent to the terminal.
  • the reason for choosing to do this is that KEK can have a relatively long life cycle, and the key protected by the copyright object can also be valid for the period specified by the copyright object.
  • the terminal generally supports the acquisition of copyright objects.
  • the copyright object can be sent to the terminal when the user subscribes to the service.
  • the KEK is stored in the copyright distribution center or the key management center, depending on the implementation of copyright management.
  • the application server requests the key from the copyright issuing center or the key management center; the application server can also send the KEK to the terminal in real time when the user requests the service, or pass the KEK to a copyright distribution center, which then issues the KEK in the form of a copyright object.
  • a method for key management of an IMS-based media stream includes the following steps:
  • the terminal sends a streaming service request to the application server; the request may be made through the Ut interface, or may be triggered to the application server by the proxy CSCF and the serving CSCF as a streaming service request. Before the request, the terminal has completed the authentication and key agreement process, establishing a security association between the terminal and the proxy CSCF;
  • the application server determines whether the service request is a streaming media service request; the determination may be based on the specific content requested by the user, or on some special identifier in the request. If it is a streaming media service request, step a3 is performed; if not, the request is processed according to other service definitions;
  • the application server obtains the media stream encryption key TEK in one of several ways of obtaining a key, and the figure illustrates the manner in which the key is obtained through the KMC;
  • the application server delivers the media stream encryption key TEK to the terminal and the streaming server; the TEK is delivered to the terminal through the serving CSCF and the proxy CSCF;
  • the terminal and streaming server use the media stream encryption key TEK to encrypt/decrypt the streaming media content transmitted between the two.
  • the terminal and the media server can subscribe to the application server.
  • the application server may choose to distribute the same media stream encryption key to the terminals requesting the same service, so that the streaming media server only needs to encrypt the content once. Furthermore,
  • the streaming media server and the terminal do not need to share the key information in advance, which reduces the key management burden of the streaming media server.
  • a method for key management of an IMS-based media stream includes the following steps:
  • the terminal sends a streaming service request to the application server; the request may be made through the Ut interface, or may be triggered to the application server by the proxy CSCF and the serving CSCF as a streaming service request. Before the request, the terminal has completed the authentication and key agreement process, establishing a security association between the terminal and the proxy CSCF;
  • the application server determines whether the request is a streaming media service request; the determination may be based on the specific content requested by the user, or on some special identifier in the request. If it is a streaming media service request, step b3 is performed; if not, the request is processed according to other services;
  • the application server obtains the key encryption key KEK in one of several ways of obtaining a key; the figure illustrates obtaining the key through the KMC;
  • the application server issues a key encryption key KEK to the terminal, and the KEK issuing method shown in the figure is to directly deliver the KEK to the terminal by the application server, and the KEK can also be sent to the terminal in the manner of a copyright object;
  • after receiving the KEK, the terminal sends an acknowledgement message to the application server.
  • the purpose of this step is to ensure that the terminal has received the KEK before receiving the TEK, so that the TEK can be successfully decrypted.
  • the application server sends a key encryption key KEK to the streaming media server;
  • the streaming server obtains a key in one of several ways to obtain a key, and uses the key as a TEK to be sent to the terminal through the protection of the KEK.
  • the figure shows that the streaming server directly delivers the TEK to the terminal.
  • the streaming media server can also deliver the TEK to the application server, and the application server sends the TEK to the terminal.
  • the terminal sends a subscription (SUBSCRIBE) message, subscribes to the change of the TEK; because the TEK changes frequently, the streaming server needs to notify the terminal in time after updating the TEK.
  • the terminal sends a SUBSCRIBE message to the streaming server to subscribe to the change of the TEK. If the TEK is delivered to the terminal through the application server, the application server sends a SUBSCRIBE message to the streaming server to subscribe to the change of the TEK.
  • the terminal and the streaming server encrypt/decrypt the streaming media content transmitted between the two by using the media stream encryption key TEK;
  • after the TEK is updated, the streaming server notifies the terminal by a NOTIFY message. If the TEK is sent to the terminal through the application server, then after the TEK is updated the streaming server notifies the application server of the changed TEK through the NOTIFY message, and the application server sends the TEK to the terminal.
  • for delivering the TEK, an established connection channel may be used, for example an RTSP (Real-Time Streaming Protocol) channel if one exists, or a separate delivery channel may be set up between the terminal and the streaming server, whose address parameters can be carried in the SDP (Session Description Protocol) signaling used to establish the media stream.
  • RTSP Real-Time Streaming Protocol
  • the streaming media server may choose to distribute the same media stream encryption key to the terminals requesting the same content, so that the streaming media server only needs to encrypt the content once; these terminals may be using services provided by different application servers.
  • the dynamic distribution of the TEK by the streaming server eliminates the need to share key information between the streaming server and the terminal in advance, thereby reducing the key management burden of the streaming server.
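The following Python simulation is an added illustration, not code from the patent or from Huawei: it walks through the layered KEK/TEK mode described above (a long-lived KEK per terminal, a frequently rotated TEK wrapped under it) following the steps of this second embodiment, and checks the single-encryption property that every viewer of one content shares one TEK. It assumes local random generation in place of the KMC and uses an HMAC-SHA256 based encrypt-then-MAC construction as a stand-in for the real cipher; the step labels in the comments refer to the steps above.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in keystream (illustrative only; a
    # deployment would use an authenticated cipher such as AES-GCM or AES key wrap).
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, b"ks" + nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)


def protect(key, plaintext):
    """Encrypt-then-MAC under key; returns nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(key, blob):
    """Verify the tag, then decrypt; a wrong key (e.g. a stale TEK) raises ValueError."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return _keystream_xor(key, nonce, ct)


class ApplicationServer:
    # Service-level key control: one KEK per terminal, kept for the validity period.
    def __init__(self):
        self.keks = {}      # terminal_id -> KEK (local generation stands in for the KMC)
        self.acked = set()  # terminals that have confirmed receipt of their KEK

    def service_request(self, terminal_id):
        # Steps b3/b4: obtain the KEK and deliver it to the requesting terminal.
        return self.keks.setdefault(terminal_id, os.urandom(32))

    def ack_kek(self, terminal_id):
        self.acked.add(terminal_id)                      # step b5

    def forward_kek(self, terminal_id, server):
        # Step b6: the streaming server gets the KEK only after the terminal's
        # acknowledgement, so no wrapped TEK can arrive before the terminal can unwrap it.
        if terminal_id not in self.acked:
            raise RuntimeError(f"{terminal_id} has not acknowledged its KEK")
        server.keks[terminal_id] = self.keks[terminal_id]


class StreamingServer:
    # One TEK per content; holds no pre-shared per-user secret of its own.
    def __init__(self):
        self.keks = {}         # terminal_id -> KEK, learned from the application server
        self.teks = {}         # content_id -> TEK shared by every viewer of that content
        self.subscribers = {}  # content_id -> terminals that subscribed to TEK changes
        self.encrypt_ops = 0   # how many times content was actually encrypted

    def deliver_tek(self, terminal_id, content_id):
        # Steps b7/b8: generate the content TEK once, wrap it under this terminal's
        # KEK, and record the terminal's SUBSCRIBE for TEK changes.
        tek = self.teks.setdefault(content_id, os.urandom(32))
        self.subscribers.setdefault(content_id, set()).add(terminal_id)
        return protect(self.keks[terminal_id], tek)

    def stream(self, content_id, plaintext):
        # Step b9: a single encryption under the content TEK serves all viewers.
        self.encrypt_ops += 1
        return protect(self.teks[content_id], plaintext)

    def rotate_tek(self, content_id):
        # Step b10: new TEK, then NOTIFY each subscriber with it wrapped under its own KEK.
        self.teks[content_id] = os.urandom(32)
        return {t: protect(self.keks[t], self.teks[content_id])
                for t in self.subscribers.get(content_id, ())}


def run_broadcast(viewer_ids, content_id, frame):
    # Second-embodiment flow for several viewers of one content. Returns the frames each
    # viewer decrypted before and after a TEK rotation, plus the total encryption count.
    app, srv = ApplicationServer(), StreamingServer()
    kek, tek = {}, {}                                    # per-terminal key state
    for v in viewer_ids:
        kek[v] = app.service_request(v)                  # b3/b4: KEK reaches the terminal
        app.ack_kek(v)                                   # b5: terminal acknowledges the KEK
        app.forward_kek(v, srv)                          # b6: KEK reaches the streaming server
        tek[v] = unprotect(kek[v], srv.deliver_tek(v, content_id))  # b7/b8: unwrap TEK
    blob = srv.stream(content_id, frame)                 # b9: encrypted once for everyone
    before = [unprotect(tek[v], blob) for v in viewer_ids]
    for v, wrapped in srv.rotate_tek(content_id).items():  # b10: NOTIFY carries new TEK
        tek[v] = unprotect(kek[v], wrapped)
    blob = srv.stream(content_id, frame)
    after = [unprotect(tek[v], blob) for v in viewer_ids]
    return before, after, srv.encrypt_ops
```

Note that `srv.encrypt_ops` stays at two (one per frame) however many viewers are passed in, which is the efficiency argument the patent makes against per-user encryption.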
  • a method for key management of an IMS-based media stream includes the following steps:
  • the terminal sends a streaming service request to the application server; the request may be made through the Ut interface, or may be triggered to the application server by the proxy CSCF and the serving CSCF as a streaming service request. Before the request, the terminal has completed the authentication and key agreement process, establishing a security association between the terminal and the proxy CSCF;
  • the application server determines whether the request is a streaming media service request; the determination may be based on the specific content requested by the user, or on some special identifier in the request. If it is a streaming media service request, step c3 is performed; if not, the request is processed according to other services;
  • the application server obtains the key encryption key KEK and the media stream encryption key TEK in one of several ways of obtaining a key; the figure illustrates obtaining the keys through the KMC;
  • the application server sends the key encryption key KEK to the terminal.
  • the KEK delivery mode shown in the figure is that the application server directly delivers the KEK to the terminal, and the KEK can also be issued in the form of a copyright object.
  • the application server delivers the media stream encryption key TEK to the terminal under the protection of the key encryption key KEK, and delivers the TEK to the streaming server;
  • the terminal sends a subscription (SUBSCRIBE) message to the application server to subscribe to changes of the TEK; since the TEK changes frequently, the application server needs to notify the terminal in time after updating the TEK;
  • the terminal and the streaming media server use the media stream encryption key TEK to encrypt/decrypt the streaming media content transmitted between them;
  • after the TEK is updated, the application server notifies the terminal by means of a notification message;
  • the application server simultaneously transmits the updated TEK to the streaming server.
  • the application server may choose to distribute the same media stream encryption key for the terminal requesting the same service, so that the streaming media server only needs to encrypt the content once. Moreover, through the dynamic key distribution of the application server, the streaming media server and the terminal do not need to share the key information in advance, thereby reducing the key management burden of the streaming media server.
  • the application server 102 delivers the media stream encryption key:
  • the terminal 101 is configured to send a service request to the application server 102.
  • the application server 102 generates a media stream encryption key according to the received service request and sends the media stream encryption key to the terminal 101 and the streaming server 103;
  • the streaming media server and the terminal encrypt/decrypt the transmitted streaming media content by using the media stream encryption key;
  • the proxy call control function entity 105 is configured to receive a service request sent by the terminal 101 to the application server 102, forward it to the service call control function entity 104, and receive the key forwarded by the service call control function entity 104 and forward it to the terminal 101;
  • the service call control function entity 104 is configured to trigger a service request to the application server 102 to perform a streaming service request, and receive a key issued by the application server 102, and forward it to the proxy call control function entity 105 or the streaming server 103.
  • the streaming media server 103 sends a media stream encryption key:
  • the terminal 101 is configured to send a service request to the application server 102.
  • the application server 102 generates a key encryption key after receiving the service request of the terminal 101 and sends it to the streaming server 103;
  • the streaming media server 103 is configured to generate a media stream encryption key, and encrypt the media stream encryption key by using the key encryption key and send it to the terminal 101;
  • the terminal 101 decrypts using the key encryption key to obtain a media stream encryption key, and encrypts/decrypts the transmitted streaming media content with the media stream encryption key with the streaming media server 103;
  • the proxy call control function entity 105 is configured to receive a service request sent by the terminal 101 to the application server 102, forward it to the service call control function entity 104, and receive the key forwarded by the service call control function entity 104 and forward it to the terminal 101;
  • the service call control function entity 104 is configured to trigger a service request to the application server 102 to perform a streaming service request, and receive a key issued by the application server 102, and forward it to the proxy call control function entity 105 or the streaming server 103.
  • the streaming server 103 negotiates the media stream encryption key with the terminal 102:
  • the terminal 101 is configured to send a service request to the application server 102.
  • the application server 102 generates a key encryption key after receiving the service request of the terminal 101 and sends it to the streaming server 103;
  • the streaming media server 103 negotiates with the terminal 101 to determine a media stream encryption key by using the key encryption key;
  • the streaming server 103 and the terminal 101 encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
  • the proxy call control function entity 105 is configured to receive a service request sent by the terminal 101 to the application server 102, forward it to the service call control function entity 104, and receive the key forwarded by the service call control function entity 104, and forward it to the terminal. 101;
  • the service call control function entity 104 is configured to trigger a service request to the application server 102 to perform a streaming service request, and receive a key issued by the application server 102, and forward it to the proxy call control function entity 105 or the streaming server 103.
  • an application server embodiment of the present invention includes:
  • the receiving unit 501 is configured to receive a service request from the terminal, and notify the key obtaining unit 502;
  • the key obtaining unit 502 acquires the key according to the preset key acquisition manner after receiving the notification, and sends the key to the transmission unit 503;
  • the transmission unit 503 transmits the acquired key to the terminal and/or the streaming server.
  • the method for obtaining the key by the key obtaining unit 502 includes at least: generating a key by itself, generating a key by negotiating with the terminal, obtaining a key from other network entities, and the like.
  • the key includes a key encryption key and/or a media stream encryption key.
  • the application server further includes: a key storage unit 504;
  • the key acquisition unit 502 acquires a key encryption key, it is stored in the key storage unit 504 during the lifetime of the key encryption key.
  • the embodiment of the present invention performs key management by combining the application server and the streaming media server, thereby effectively reducing the burden of key management of the streaming media server.
  • the application server and the streaming media server can choose to distribute the same media stream encryption key for different users according to different service types and different security requirements, so that when different users consume the same content, only the streaming media server The content is encrypted once to reduce the processing power of the streaming server.

Abstract

A media stream key management method based on the IP multimedia subsystem, a media stream key management system and an application server, in which the application server and the multimedia streaming server jointly control key acquisition and delivery. The application server can send a media stream encryption key TEK directly to the terminal and the multimedia streaming server, and that key is then used directly to encrypt the multimedia streaming content between the multimedia streaming server and the terminal; the application server can also adopt a layered key management style, sending a key encryption key KEK to the terminal and the multimedia streaming server and then distributing the TEK under the protection of the KEK. The present invention can reduce the key management overhead of the multimedia streaming server and improve its efficiency.

Description

Media stream key management method and system, and application server
This application claims priority to Chinese patent application No. 20061003380.4, filed with the Chinese Patent Office on January 24, 2006 and entitled "Key management system and method for media streams based on the IP multimedia subsystem", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a media stream key management method and system, and to an application server.
Background art
The streaming media service is a new service that has developed rapidly in recent years. It uses streaming transmission technology to transmit multimedia files, including video and audio content, over a packet-switched network. These multimedia files can be played immediately when accessed, without being downloaded completely. The key technology for implementing the streaming media service is streaming transmission.
The IP Multimedia Subsystem (IMS) uses the IP packet domain as the bearer channel for its control signaling and media transmission, and uses the Session Initiation Protocol (SIP) as its call control signaling, thereby separating service management, session control and bearer access.
Providing streaming media services over IMS makes full use of the existing characteristics of the IMS network and reuses functions of the IMS network architecture, such as authentication and charging, so that streaming media services can be deployed efficiently and quickly.
The security of the media stream is a very important aspect to consider in the streaming media service. Effectively securing the transmission of the media stream, so that it cannot be illegally copied in transit, concerns the legitimate interests of the content provider; at the same time, protecting the media stream also protects the user's personal privacy from being illegally stolen.
In the prior art, the media stream is protected by having the streaming media server and the terminal directly negotiate a key for media stream protection; the streaming media server and the terminal share this key and encrypt the media content with it. Specifically:
1. The streaming media server and the terminal are based on a symmetric key architecture and share a key K with each other;
2. Based on the shared key K, the streaming media server and the terminal negotiate a media stream encryption key Kt;
3. The streaming media server encrypts the media stream with the key Kt and transmits it to the terminal; the terminal decrypts the received media stream with Kt and plays the program.
The basic idea of the above scheme is to negotiate the key directly between the streaming media server and the terminal, based on the symmetric key K shared in advance.
In general, this key management approach requires the streaming media server and the terminal to share certain information in advance, such as a symmetric key, on the basis of which they can start negotiating the media stream encryption key. In a streaming media service, however, the same streaming media server may serve many users at the same time, and under this architecture the streaming media server has to store the initial symmetric key for every user. This key management approach places a considerable burden on the streaming media server.
When different terminals request the same media content, different users obtain different media stream encryption keys, because the information each terminal supplies during the negotiation differs; the streaming media server therefore has to encrypt the same content several times. This is unnecessary for applications with relatively low security requirements, such as television broadcasting. A broadcast program generally needs to be encrypted only once on the streaming media server while serving many users at the same time, all of whom use the same key. For such applications, encrypting separately for each user greatly increases the computational overhead and storage requirements of the streaming media server and reduces its efficiency.
Summary of the invention
Embodiments of the present invention provide a media stream key management method and system, and an application server, which can reduce the key management overhead of the streaming media server and improve its efficiency.
A media stream key management method provided by one embodiment of the present invention includes: an application server obtains a media stream encryption key; the application server sends the media stream encryption key to a terminal and to a streaming media server; and the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management method provided by another embodiment of the present invention includes: a terminal and an application server negotiate a media stream encryption key;
the application server sends the media stream encryption key to a streaming media server;
the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management method provided by a further embodiment of the present invention includes:
the application server obtains a media stream encryption key from a streaming media server;
the application server sends the media stream encryption key to a terminal;
the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management method provided by yet another embodiment of the present invention includes: an application server sends a key encryption key to a streaming media server; the streaming media server obtains a media stream encryption key, encrypts the media stream encryption key with the key encryption key and sends it to a terminal; the terminal decrypts it with a previously obtained key encryption key to obtain the media stream encryption key; and the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management method provided by still another embodiment of the present invention includes: an application server sends a key encryption key to a streaming media server; the streaming media server negotiates with a terminal, using the key encryption key, to determine a media stream encryption key; and the terminal and the streaming media server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management system provided by one embodiment of the present invention includes an application server, a terminal and a streaming media server. The terminal is configured to send a service request to the application server; the application server generates a media stream encryption key according to the received service request and sends it to the terminal and to the streaming media server; and the streaming media server and the terminal encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
A media stream key management system provided by another embodiment of the present invention includes an application server, a terminal and a streaming media server. The terminal is configured to send a service request to the application server; after receiving the terminal's service request, the application server generates a key encryption key and sends it to the streaming media server; the streaming media server is configured to generate a media stream encryption key, encrypt it with the key encryption key and send it to the terminal; and the terminal decrypts it with the key encryption key to obtain the media stream encryption key, and, together with the streaming media server, encrypts/decrypts the transmitted streaming media content with the media stream encryption key.
A media stream key management system provided by a further embodiment of the present invention includes an application server, a terminal and a streaming media server. The terminal is configured to send a service request to the application server; after receiving the terminal's service request, the application server generates a key encryption key and sends it to the streaming media server; the streaming media server negotiates with the terminal, using the key encryption key, to determine a media stream encryption key; and the streaming media server and the terminal encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
An application server provided by one embodiment of the present invention includes a receiving unit, a key obtaining unit and a transmission unit. The receiving unit is configured to receive a service request from a terminal and notify the key obtaining unit; after being notified, the key obtaining unit obtains a key in a preset key acquisition manner and sends it to the transmission unit; and the transmission unit transmits the obtained key to the terminal and/or the streaming media server.
Because the embodiments of the present invention control key acquisition and delivery jointly through the application server and the streaming media server, that is, the keys are managed centrally on the application server at the service layer rather than only on the streaming media server, the key management function becomes simpler and clearer. In addition, the streaming media server does not need to store the key information shared with the terminals, since these keys are obtained through interaction with the application server, which reduces the key management overhead of the streaming media server and improves its efficiency.
Brief description of the drawings
FIG. 1 is a schematic diagram of the IMS-based media stream key management system of the present invention;
FIG. 2 is a schematic flowchart of the IMS-based media stream key management method according to the first embodiment of the present invention;
FIG. 3 is a schematic flowchart of the IMS-based media stream key management method according to the second embodiment of the present invention;
FIG. 4 is a schematic flowchart of the IMS-based media stream key management method according to the third embodiment of the present invention;
FIG. 5 is a schematic diagram of an application server embodiment of the present invention.
Detailed description
The IMS network separates service management, session control and service bearer, so the execution layers of the whole service are very clear. When streaming media services are provided in IMS, key acquisition and distribution can be controlled by the application server, so that keys are managed centrally.
Managing keys centrally on the application server at the service layer, rather than only on the streaming media server, simplifies and clarifies the key management function. The streaming media server does not need to store key information shared with the terminals; these keys are obtained through interaction with the application server, which reduces the key management overhead of the streaming media server.
When the application server is responsible for distributing the media stream encryption key to the terminals and the streaming media server, it can distribute the same media stream encryption key to different terminals requesting the same service. For example, when several users watch the same television channel at the same time, the application server can issue the same media stream encryption key to all of them, so the streaming media server only has to encrypt the content once. When the streaming media server is responsible for distributing the media stream encryption key to different terminals, it can distribute the same media stream encryption key to the terminals requesting the same content, which likewise ensures that the streaming media server encrypts the content only once.
Referring to FIG. 1, an embodiment of the IMS-based media stream key management system of the present invention includes a terminal 101, a proxy CSCF 105, a serving CSCF 104, an application server 102 and a streaming media server 103. The proxy CSCF 105 is configured to receive the streaming media service request sent by the terminal 101 to the application server 102 and forward it to the serving CSCF 104, and to receive the key forwarded by the serving CSCF 104 and forward it to the terminal 101. The serving CSCF 104 is configured to trigger the request to the application server 102 as a streaming media service request, and to receive the key issued by the application server 102 and forward it to the proxy CSCF 105 or the streaming media server 103. The application server 102 is configured to receive the streaming media service request sent by the terminal 101, generate a key, and issue the key to the terminal 101 and the streaming media server 103. The streaming media server 103 is configured to exchange encrypted/decrypted streaming media content with the terminal 101. The application server 102 and the terminal 101 may be connected through the Ut interface.
As can be seen from FIG. 1, all streaming media service requests are processed by the application server. The terminal accesses the IMS network after authentication, and through the authentication and key agreement process a security association has already been established between the terminal and the proxy CSCF, which guarantees the security of key delivery between the application server and the terminal.
In general there are two kinds of keys. One is the key that encrypts the media stream transmitted in real time between the terminal and the streaming media server, called the media stream encryption key (Traffic Encryption Key, TEK); to secure the real-time media stream, the TEK has a relatively short lifetime and changes frequently, for example every 10 s. The other is the key encryption key (Key Encryption Key, KEK), which is used to encrypt the TEK and thereby protect the delivery of the TEK. The KEK has a relatively long lifetime: for a pay-per-view user the KEK can remain unchanged for the duration of that streaming session, and for a subscriber it can remain unchanged for the whole subscription period, which keeps the protection of the frequently issued TEK by the KEK efficient.
The application server can issue the TEK directly to the terminal and the streaming media server, in which case the media stream encryption key is used directly to encrypt the streaming media content between the streaming media server and the terminal. The application server can also adopt a layered key management approach: it issues the KEK to the terminal and the streaming media server, and the TEK is then distributed under the protection of the KEK.
There are several ways for the application server and the streaming media server to obtain keys: they can generate keys themselves, or request keys from another entity such as an independent Key Management Center (KMC). The ways in which the application server and the streaming media server obtain keys in the present invention include, but are not limited to, those above.
The application server embodiment of the IMS-based media stream key management system of the present invention needs to implement the following functions in addition to its existing ones:
1. After receiving the service request sent by the terminal, the application server obtains a key (KEK and/or TEK) through one of the key acquisition methods;
2. After obtaining the key, the application server issues it to the terminal and/or the streaming media server;
3. If the key obtained by the application server is a KEK, the application server stores it for the lifetime of the KEK. If a related network entity stores the KEK, the application server does not need to store it; when the key is needed during its lifetime, it is requested from the entity that stores the KEK.
Depending on the type of key issued by the application server and the entities it is issued to, the key management method of the present invention has the following embodiments:
First embodiment: after receiving the service request sent by the terminal, the application server obtains a key in one of the several key acquisition ways and issues it as the TEK to the terminal and the streaming media server. The terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them.
Second embodiment: after receiving the service request sent by the terminal, the application server obtains a key in one of the several key acquisition ways and issues it as the KEK to the terminal and the streaming media server. The streaming media server obtains a key in one of the several key acquisition ways, uses it as the TEK, and issues the TEK to the terminal under the protection of the KEK; the terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them. Alternatively, after the application server issues the KEK to the terminal and the streaming media server, the terminal and the streaming media server negotiate the TEK using the KEK. The advantage of issuing rather than negotiating is that the streaming media server can be made to use the same TEK for different users of the same service, which reduces the encryption load on the streaming media server.
The process by which the MRFP issues the TEK to the terminal under the protection of the KEK may be carried out as a multicast key stream.
The streaming media server may generate the TEK itself or obtain the TEK from the application server.
Third embodiment: after receiving the service request sent by the terminal, the application server obtains two keys in one of the several key acquisition ways, one as the KEK and one as the TEK. The application server issues the KEK to the terminal and, under the protection of the KEK, issues the TEK to the terminal; at the same time, the application server issues the TEK to the streaming media server. The terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them.
Alternatively, in the third embodiment, after obtaining the KEK and the TEK the application server may issue the KEK to the streaming media server and, under the protection of the KEK, issue the TEK to the streaming media server, while issuing the TEK to the terminal. The terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them.
Fourth embodiment: after the application server receives the service request sent by the terminal, the application server and the terminal may also obtain a key shared by both, through GBA (General Bootstrapping Architecture) or another method, and use it as the TEK. This key is issued as the TEK to the streaming media server. The terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them.
Fifth embodiment: after the application server receives the service request sent by the terminal, the application server obtains the TEK generated by the streaming media server and issues this key as the TEK to the terminal. The terminal and the streaming media server use this TEK to encrypt/decrypt the streaming media content transmitted between them.
In the second and third embodiments above, the application server and the terminal may also obtain a key shared by both, through GBA (General Bootstrapping Architecture) or another method, and use it as the KEK.
In the second and third embodiments above, a network-side entity may store the KEK for the validity period of the service, so that when the terminal requests the service again the same KEK is used to issue the TEK, reducing the number of times the application server has to obtain a KEK. The network-side entity that stores the KEK may be the application server or a separate key management center, depending on how the KEK is generated.
Given the relatively long validity period of the KEK, the KEK may be encapsulated in a rights object and issued to the terminal. The reason for this choice is that the KEK can have a relatively long lifetime, and a key protected by a rights object is likewise valid for the period specified by the rights object. Moreover, terminals generally support the acquisition of rights objects.
The rights object may be issued to the terminal when the user subscribes to the service; in that case the KEK is stored at the rights issuing center or the key management center, depending on how rights management is implemented. When the user requests the service, the application server requests the key from the rights issuing center or the key management center. The application server may also issue the KEK to the terminal as a rights object in real time when the user requests the service; in that case the application server passes the KEK to a rights issuing center, which issues the KEK in the form of a rights object.
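As an added illustration (not code from the patent or from its applicant), the following Python simulation exercises the layered KEK/TEK scheme of the second embodiment and the KEK storage rule above: the application server issues one KEK per user and service and keeps it for its lifetime, the streaming media server keeps one TEK per content item, rotates it every 10 s and issues it to each terminal wrapped under that terminal's KEK, and each media packet is encrypted once however many viewers share the TEK. The HMAC-SHA256 encrypt-then-MAC construction, the message layouts, the lifetimes and all entity and user names are assumptions made for this example; a deployment would use a standard cipher and SRTP-style packet protection.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag appended to every sealed message

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for a real cipher, since the stdlib has no AEAD."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key):
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"mac", hashlib.sha256).digest()

def seal(key, nonce, aad, plaintext):
    """Encrypt-then-MAC; wraps the TEK under the KEK and protects media packets under the TEK."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()

def open_sealed(key, nonce, aad, blob):
    """Check the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class ApplicationServer:
    """Obtains one KEK per (user, service) and keeps it for its lifetime (the key storage unit)."""
    def __init__(self, kek_lifetime):
        self.kek_lifetime, self.store, self.keks_generated = kek_lifetime, {}, 0

    def handle_request(self, user, service, now):
        entry = self.store.get((user, service))       # (kek, expiry)
        if entry is None or now >= entry[1]:           # none stored, or its lifetime has ended
            entry = (os.urandom(32), now + self.kek_lifetime)  # generated locally (assumed acquisition way)
            self.store[(user, service)] = entry
            self.keks_generated += 1
        return entry[0]  # issued to the terminal (via S-CSCF and P-CSCF) and to the streaming server

class StreamingServer:
    """Holds one TEK per content item, not per user, and rotates it every tek_lifetime seconds."""
    def __init__(self, tek_lifetime):
        self.tek_lifetime, self.keks, self.teks, self.encryptions = tek_lifetime, {}, {}, 0

    def _current_tek(self, content, now):
        cur = self.teks.get(content)                   # (tek_id, tek, expiry)
        if cur is None or now >= cur[2]:
            cur = (os.urandom(4), os.urandom(32), now + self.tek_lifetime)
            self.teks[content] = cur
        return cur

    def key_message(self, user, content, now):
        """The TEK issued to one terminal under the protection of that terminal's KEK."""
        tek_id, tek, _ = self._current_tek(content, now)
        nonce = os.urandom(12)
        return {"tek_id": tek_id, "nonce": nonce, "blob": seal(self.keks[user], nonce, tek_id, tek)}

    def media_packet(self, content, seq, payload, now):
        """Encrypted once per packet, however many viewers share the TEK."""
        tek_id, tek, _ = self._current_tek(content, now)
        self.encryptions += 1
        return {"tek_id": tek_id, "seq": seq, "blob": seal(tek, seq.to_bytes(12, "big"), tek_id, payload)}

class Terminal:
    def __init__(self, kek):
        self.kek, self.teks = kek, {}                  # KEK received from the application server

    def receive_key_message(self, msg):
        self.teks[msg["tek_id"]] = open_sealed(self.kek, msg["nonce"], msg["tek_id"], msg["blob"])

    def play(self, pkt):
        tek = self.teks.get(pkt["tek_id"])
        if tek is None:
            raise KeyError("no TEK for this packet; a fresh key message is needed")
        return open_sealed(tek, pkt["seq"].to_bytes(12, "big"), pkt["tek_id"], pkt["blob"])

def run_scenario():
    # Constructed scenario: two terminals watch the same channel (user names are assumed).
    app, srv, now = ApplicationServer(kek_lifetime=3600.0), StreamingServer(tek_lifetime=10.0), 0.0
    terminals = []
    for user in ("alice", "bob"):                     # service request -> KEK to terminal and server
        kek = app.handle_request(user, "tv", now)
        srv.keks[user] = kek
        terminals.append(Terminal(kek))
        terminals[-1].receive_key_message(srv.key_message(user, "channel-1", now))
    pkt1 = srv.media_packet("channel-1", 1, b"frame-1", now)
    frames = [t.play(pkt1) for t in terminals]        # one encryption serves both viewers
    later = now + 11.0                                # past the 10 s TEK lifetime: the TEK has rotated
    pkt2 = srv.media_packet("channel-1", 2, b"frame-2", later)
    stale_rejected = pkt2["tek_id"] not in terminals[0].teks   # the old TEK no longer fits new packets
    terminals[0].receive_key_message(srv.key_message("alice", "channel-1", later))
    app.handle_request("alice", "tv", later)          # re-request inside the KEK lifetime: stored KEK reused
    return {"frames": frames, "frame2": terminals[0].play(pkt2), "encryptions": srv.encryptions,
            "keks_generated": app.keks_generated, "stale_tek_rejected": stale_rejected}
```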
Referring to FIG. 2, the key management method for an IMS-based media stream according to the first embodiment of the invention comprises the following steps:
a1. The terminal sends a streaming-media service request to the application server. The request may go over the Ut interface, or it may be triggered to the application server through the proxy CSCF and the serving CSCF. Before the request, the terminal has already completed the authentication and key agreement procedure and established a security association with the proxy CSCF;
a2. On receiving the service request, the application server determines whether it is a streaming-media service request; the determination may be based on the specific content requested by the user or on some special identifier in the request. If it is a streaming-media service request, step a3 is performed; if not, the request is handled according to the procedure defined for the other service;
a3. The application server obtains the media stream encryption key TEK by one of the several key acquisition methods; the figure shows the key being obtained through the KMC;
a4. The application server delivers the media stream encryption key TEK to the terminal and to the streaming server. In general, the TEK is delivered to the terminal via the serving CSCF and the proxy CSCF;
a5. The terminal and the streaming server use the media stream encryption key TEK to encrypt/decrypt the streaming-media content transmitted between them.
In the first embodiment of the invention, the terminal and the media server can subscribe (SUBSCRIBE) to the application server for changes of the TEK; after the TEK changes, the application server sends a notification (NOTIFY) message to the terminal and the media server.
In the first embodiment of the invention, the application server may choose to distribute the same media stream encryption key to all terminals requesting the same service, so that the streaming server only has to encrypt the content once. Moreover, because the application server distributes keys dynamically, the streaming server and the terminal need not share any key information in advance, which reduces the key management burden on the streaming server.
Referring to FIG. 3, the key management method for an IMS-based media stream according to the second embodiment of the invention comprises the following steps:
b1. The terminal sends a streaming-media service request to the application server. The request may go over the Ut interface, or it may be triggered to the application server through the proxy CSCF and the serving CSCF. Before the request, the terminal has already completed the authentication and key agreement procedure and established a security association with the proxy CSCF;
b2. On receiving the service request, the application server determines whether it is a streaming-media service request; the determination may be based on the specific content requested by the user or on some special identifier in the request. If it is a streaming-media service request, step b3 is performed; if not, the request is handled according to the procedure defined for the other service;
b3. The application server obtains the key encryption key KEK by one of the several key acquisition methods; the figure shows the key being obtained through the KMC;
b4. The application server delivers the key encryption key KEK to the terminal. The figure shows the application server delivering the KEK to the terminal directly; the KEK may also be delivered to the terminal as a rights object;
b5. After receiving the KEK, the terminal sends an acknowledgement message to the application server. The purpose of this step is to guarantee that the terminal has received the KEK before it receives the TEK, so that it can decrypt the TEK successfully;
b6. The application server delivers the key encryption key KEK to the streaming server;
b7. The streaming server obtains a key by one of the several key acquisition methods, uses it as the TEK, and delivers it to the terminal under the protection of the KEK. The figure shows the streaming server delivering the TEK to the terminal directly; the streaming server may instead pass the TEK to the application server, which then delivers it to the terminal;
b8. The terminal sends a subscription (SUBSCRIBE) message to subscribe to changes of the TEK. Because the TEK changes relatively often, the streaming server has to notify the terminal promptly after updating it. The terminal sends a SUBSCRIBE message to the streaming server to subscribe to TEK changes; if the TEK is delivered to the terminal via the application server, it is the application server that sends the SUBSCRIBE message to the streaming server;
b9. The terminal and the streaming server use the media stream encryption key TEK to encrypt/decrypt the streaming-media content transmitted between them;
b10. After the TEK is updated, the streaming server notifies the terminal with a notification (NOTIFY) message. If the TEK is delivered to the terminal via the application server, then after the update the streaming server notifies the application server of the changed TEK with a NOTIFY message, and the application server delivers the TEK to the terminal.
In step b7, when the streaming server delivers the TEK to the terminal it may use an already established connection, for example an RTSP (Real-Time Streaming Protocol) channel if one exists; or a separate delivery channel may be set up between the terminal and the streaming server, whose address parameters can be carried in the SDP (Session Description Protocol) signalling that establishes the media stream.
In the second embodiment of the invention, the streaming server may choose to distribute the same media stream encryption key to all terminals requesting the same content, so that it only has to encrypt the content once, and these terminals may be served by different application servers. Moreover, because the streaming server distributes the TEK dynamically, the streaming server and the terminal need not share any key information in advance, which reduces the key management burden on the streaming server.
Referring to FIG. 4, the key management method for an IMS-based media stream according to the third embodiment of the invention comprises the following steps:
c1. The terminal sends a streaming-media service request to the application server. The request may go over the Ut interface, or it may be triggered to the application server through the proxy CSCF and the serving CSCF. Before the request, the terminal has already completed the authentication and key agreement procedure and established a security association with the proxy CSCF;
c2. On receiving the service request, the application server determines whether it is a streaming-media service request; the determination may be based on the specific content requested by the user or on some special identifier in the request. If it is a streaming-media service request, step c3 is performed; if not, the request is handled according to the procedure defined for the other service;
c3. The application server obtains the key encryption key KEK and the media stream encryption key TEK by one of the several key acquisition methods; the figure shows the keys being obtained through the KMC;
c4. The application server delivers the key encryption key KEK to the terminal. The figure shows the application server delivering the KEK to the terminal directly; the KEK may also be delivered to the terminal as a rights object;
c5. The application server delivers the media stream encryption key TEK to the terminal and to the streaming server under the protection of the key encryption key KEK;
c6. The terminal sends a subscription (SUBSCRIBE) message to the application server to subscribe to changes of the TEK. Because the TEK changes relatively often, the application server has to notify the terminal promptly after updating it;
c7. The terminal and the streaming server use the media stream encryption key TEK to encrypt/decrypt the streaming-media content transmitted between them;
c8. After the TEK is updated, the application server notifies the terminal with a notification message;
c9. At the same time, the application server transmits the updated TEK to the streaming server.
In the third embodiment of the invention, the application server may choose to distribute the same media stream encryption key to all terminals requesting the same service, so that the streaming server only has to encrypt the content once. Moreover, because the application server distributes keys dynamically, the streaming server and the terminal need not share any key information in advance, which reduces the key management burden on the streaming server.
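The exchange of the second embodiment (steps b3 to b10, FIG. 3), replayed in code as an added example that is not part of the patent; the same wrap and unwrap helper is what the application server would use in step c5 of the third embodiment. The patent fixes no cipher, key length or message format, so AES-128-GCM for both the KEK wrapping the TEK and the TEK protecting media, the version number bound into the wrapped TEK, and the two terminals (one of which skips the SUBSCRIBE of step b8) are all assumptions made for the example. It shows the check that step b5 exists for (a TEK arriving before the KEK is rejected) and what a terminal that missed the NOTIFY of step b10 sees after a rotation:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Every key-acquisition mode the patent lists (self-generated, from the KMC, negotiated)
// reduces to a fresh random key here. AES-128-GCM for both the KEK and the TEK is an
// assumption: the patent fixes no cipher, key length or message format.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails for a missing or wrong-length key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-GCM with the random nonce prepended. One primitive serves both roles,
// the KEK wrapping the TEK (b7) and the TEK protecting media (b9); the associated data
// names the role and, for a wrapped TEK, its version, so a stale wrap cannot be replayed.
func seal(key, plaintext, aad []byte) []byte {
	g, err := aead(key)
	if err != nil {
		panic(err) // senders in this example always hold a 16-byte key
	}
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
func tekAAD(version uint32) []byte { return []byte(fmt.Sprintf("TEK-v%d", version)) }

// Terminal holds the KEK received in b4 and the TEK unwrapped in b7/b10.
// ReceiveTEK is the terminal side of b7 and of the NOTIFY in b10.
type Terminal struct{ kek, tek []byte }

func (t *Terminal) ReceiveTEK(wrapped []byte, version uint32) error {
	if t.kek == nil { // the acknowledgement in b5 exists to rule this ordering out
		return fmt.Errorf("TEK v%d arrived before the KEK", version)
	}
	tek, err := open(t.kek, wrapped, tekAAD(version))
	if err == nil {
		t.tek = tek
	}
	return err
}

// Recv is the terminal side of b9; with no TEK installed, open fails on the nil key.
func (t *Terminal) Recv(packet []byte) ([]byte, error) { return open(t.tek, packet, []byte("media")) }

// StreamingServer holds the KEK from b6, the current TEK and the SUBSCRIBE state of b8.
type StreamingServer struct {
	kek, tek    []byte
	version     uint32
	subscribers []*Terminal
}

// WrapTEK is the server side of b7; SendMedia is the server side of b9.
func (s *StreamingServer) WrapTEK() ([]byte, uint32) { return seal(s.kek, s.tek, tekAAD(s.version)), s.version }
func (s *StreamingServer) SendMedia(frame []byte) []byte { return seal(s.tek, frame, []byte("media")) }

// Rotate is b10: a fresh TEK, then a NOTIFY carrying the wrapped key to each subscriber.
func (s *StreamingServer) Rotate() error {
	s.tek, s.version = randBytes(16), s.version+1
	for _, t := range s.subscribers {
		if err := t.ReceiveTEK(s.WrapTEK()); err != nil {
			return err
		}
	}
	return nil
}

// Scenario replays figure 3 for two terminals of which only one subscribes (b8), then
// returns what each recovers from the same media packet sent after a TEK rotation.
func Scenario(frame []byte) (fresh, stale []byte, staleErr error) {
	kek := randBytes(16)                                  // b3: the AS obtains the KEK, e.g. from the KMC
	a, b := &Terminal{kek: kek}, &Terminal{kek: kek}      // b4/b5: KEK delivered and acknowledged
	srv := &StreamingServer{kek: kek, tek: randBytes(16)} // b6/b7: KEK to the server, which picks a TEK
	for _, t := range []*Terminal{a, b} {
		if err := t.ReceiveTEK(srv.WrapTEK()); err != nil {
			panic(err)
		}
	}
	srv.subscribers = []*Terminal{a} // b8: only a sends SUBSCRIBE
	if err := srv.Rotate(); err != nil {
		panic(err)
	}
	pkt := srv.SendMedia(frame) // b9 under the rotated TEK
	fresh, _ = a.Recv(pkt)
	stale, staleErr = b.Recv(pkt) // b missed the NOTIFY: GCM authentication fails
	return
}

func main() { fmt.Println(Scenario([]byte("frame 1"))) }
```

The terminal that never subscribed still holds the previous TEK, so the first packet under the rotated key fails authentication rather than decrypting to garbage; that is the failure mode the SUBSCRIBE/NOTIFY pair of steps b8 and b10 is there to prevent. Binding the TEK version into the associated data is an addition beyond the text: with it, a replayed wrap of an earlier TEK fails to unwrap instead of silently reinstalling a stale key.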
Referring again to FIG. 1, in the key management system for IMS-based media streams of the invention, the functions of the individual units are described for the following scenarios:
1. The application server 102 delivers the media stream encryption key:
The terminal 101 is configured to send a service request to the application server 102;
The application server 102 generates a media stream encryption key according to the received service request and sends the media stream encryption key to the terminal 101 and to the streaming server 103;
The streaming server and the terminal encrypt/decrypt the transmitted streaming-media content with the media stream encryption key;
The proxy call control function entity 105 is configured to receive the service request sent by the terminal 101 to the application server 102 and forward it to the serving call control function entity 104, and to receive the key forwarded by the serving call control function entity 104 and forward it to the terminal 101;
The serving call control function entity 104 is configured to trigger the service request to the application server 102 as a streaming-media service request, and to receive the key delivered by the application server 102 and forward it to the proxy call control function entity 105 or to the streaming server 103.
2. The streaming server 103 delivers the media stream encryption key:
The terminal 101 is configured to send a service request to the application server 102;
The application server 102, after receiving the service request from the terminal 101, generates a key encryption key and sends it to the streaming server 103;
The streaming server 103 is configured to generate a media stream encryption key, encrypt the media stream encryption key with the key encryption key and send it to the terminal 101;
The terminal 101 decrypts with the key encryption key to obtain the media stream encryption key, and the terminal and the streaming server 103 encrypt/decrypt the transmitted streaming-media content with the media stream encryption key;
The proxy call control function entity 105 is configured to receive the service request sent by the terminal 101 to the application server 102 and forward it to the serving call control function entity 104, and to receive the key forwarded by the serving call control function entity 104 and forward it to the terminal 101;
The serving call control function entity 104 is configured to trigger the service request to the application server 102 as a streaming-media service request, and to receive the key delivered by the application server 102 and forward it to the proxy call control function entity 105 or to the streaming server 103.
3. The streaming server 103 and the terminal 101 negotiate the media stream encryption key:
The terminal 101 is configured to send a service request to the application server 102;
The application server 102, after receiving the service request from the terminal 101, generates a key encryption key and sends it to the streaming server 103;
The streaming server 103 uses the key encryption key to negotiate with the terminal 101 and determine a media stream encryption key;
The streaming server 103 and the terminal 101 encrypt/decrypt the transmitted streaming-media content with the media stream encryption key.
The proxy call control function entity 105 is configured to receive the service request sent by the terminal 101 to the application server 102 and forward it to the serving call control function entity 104, and to receive the key forwarded by the serving call control function entity 104 and forward it to the terminal 101;
The serving call control function entity 104 is configured to trigger the service request to the application server 102 as a streaming-media service request, and to receive the key delivered by the application server 102 and forward it to the proxy call control function entity 105 or to the streaming server 103.
Referring to FIG. 5, the application server embodiment of the invention comprises:
a receiving unit 501, a key acquisition unit 502 and a transmission unit 503;
The receiving unit 501 is configured to receive a service request from a terminal and notify the key acquisition unit 502;
After being notified, the key acquisition unit 502 obtains a key according to the preset key acquisition method and sends it to the transmission unit 503;
The transmission unit 503 transmits the obtained key to the terminal and/or the streaming server.
The methods by which the key acquisition unit 502 can obtain a key include at least: generating the key itself, negotiating the key with the terminal, and obtaining the key from another network entity.
The key comprises a key encryption key and/or a media stream encryption key.
The application server further comprises a key storage unit 504;
If what the key acquisition unit 502 obtains is a key encryption key, it is stored in the key storage unit 504 for the lifetime of that key encryption key.
The embodiments of the invention manage keys through the combination of the application server and the streaming server, which effectively reduces the key management burden on the streaming server. According to the type of service and its security requirements, the application server and the streaming server can choose to distribute the same media stream encryption key to different users, so that when different users consume the same content the streaming server encrypts it only once, lowering the processing capacity required of the streaming server.
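The key storage unit 504 described above, the earlier remark that a KEK is kept for the service's validity period so that a repeat request does not cost another KMC round trip, the same-TEK-for-the-same-service option (claim 11) and the subscription to TEK changes (claim 12), as an added Go example that is not the patent's own code. The KMC is modelled as a random key source, the validity period as a fixed TTL, and the clock is injected so expiry can be exercised without waiting; the patent specifies none of these, so they are assumptions of the example:

```go
package main

import (
	"crypto/rand"
	"fmt"
	"time"
)

// fetchKey stands in for the KMC round trip (or local generation) that the text wants
// to avoid repeating; the KMC interface itself is not described in the patent.
func fetchKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

type kekEntry struct {
	kek     []byte
	expires time.Time // end of the service validity period
}

// KeyStore plays the key storage unit 504 of the application server. KEKs are cached
// per (terminal, service) for the service's validity period; TEKs are kept per service
// so that every terminal requesting the same service receives the same one (claim 11).
type KeyStore struct {
	now      func() time.Time // injected clock, so expiry is testable without sleeping
	ttl      time.Duration    // validity period of a service, hence lifetime of its KEK
	keks     map[string]kekEntry
	teks     map[string][]byte
	subs     map[string][]string // service -> terminals subscribed to TEK changes
	KMCCalls int                 // how often a KEK had to be fetched rather than reused
}

func NewKeyStore(now func() time.Time, ttl time.Duration) *KeyStore {
	return &KeyStore{now: now, ttl: ttl, keks: map[string]kekEntry{},
		teks: map[string][]byte{}, subs: map[string][]string{}}
}

// KEKFor returns the cached KEK while the service is still valid for this terminal,
// otherwise it fetches a new one. An expired KEK is replaced, never extended.
func (s *KeyStore) KEKFor(terminal, service string) []byte {
	id := terminal + "/" + service
	if e, ok := s.keks[id]; ok && s.now().Before(e.expires) {
		return e.kek
	}
	s.KMCCalls++
	kek := fetchKey()
	s.keks[id] = kekEntry{kek: kek, expires: s.now().Add(s.ttl)}
	return kek
}

// TEKFor implements claim 11: the first requester of a service gets a fresh TEK and
// every later requester of the same service gets that same TEK, so the streaming
// server encrypts the content once. Different services never share a TEK.
func (s *KeyStore) TEKFor(service string) []byte {
	if tek, ok := s.teks[service]; ok {
		return tek
	}
	tek := fetchKey()
	s.teks[service] = tek
	return tek
}

// Subscribe records a SUBSCRIBE for TEK changes (claim 12); duplicates are ignored so
// a terminal is notified once per rotation.
func (s *KeyStore) Subscribe(service, terminal string) {
	for _, t := range s.subs[service] {
		if t == terminal {
			return
		}
	}
	s.subs[service] = append(s.subs[service], terminal)
}

// RotateTEK installs a new TEK for the service and returns it together with the
// terminals that must now receive a NOTIFY carrying it.
func (s *KeyStore) RotateTEK(service string) (tek []byte, notify []string) {
	tek = fetchKey()
	s.teks[service] = tek
	return tek, append([]string(nil), s.subs[service]...)
}

func main() {
	ks := NewKeyStore(time.Now, time.Hour)
	ks.KEKFor("ue1", "news")
	ks.KEKFor("ue1", "news") // served from the store, no second KMC fetch
	fmt.Println("KMC fetches:", ks.KMCCalls) // 1
}
```

The store is keyed by terminal and service because the KEK is the terminal's own wrapping key, whereas the TEK is keyed by service alone because sharing it across users is the whole point of claim 11; the trade-off the text mentions (different security requirements) would be expressed by keying TEKs per terminal instead for services that must not share one.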

Claims

1. A media stream key management method, characterised in that it comprises:
an application server obtaining a media stream encryption key;
sending the media stream encryption key to a terminal and to a streaming server;
the terminal and the streaming server encrypting/decrypting the transmitted streaming-media content with the media stream encryption key.
2. The media stream key management method according to claim 1, characterised in that the step of the application server obtaining the media stream encryption key is:
the application server generating the media stream encryption key.
3. The media stream key management method according to claim 1, characterised in that, before the step of sending the media stream encryption key to the terminal and the streaming server, the method comprises:
the application server generating a key encryption key and sending the key encryption key to the terminal.
4. The media stream key management method according to claim 1, characterised in that, before the step of sending the media stream encryption key to the terminal and the streaming server, the method comprises:
the application server negotiating a key encryption key with the terminal.
5. The media stream key management method according to claim 3 or 4, characterised in that the step of sending the media stream encryption key to the terminal comprises:
the application server encrypting the media stream encryption key with the key encryption key; sending the encrypted media stream encryption key to the terminal;
the terminal decrypting the received encrypted media stream encryption key with the key encryption key to obtain the media stream encryption key.
6. The media stream key management method according to claim 3, characterised in that the step of the application server generating the media stream encryption key or the application server generating the key encryption key comprises: the application server itself generating the media stream encryption key or the key encryption key.
7. The media stream key management method according to claim 3, characterised in that the step of the application server generating the media stream encryption key or the application server generating the key encryption key comprises: the application server initiating a key request to a key management center;
the key management center generating the corresponding media stream encryption key or key encryption key.
8. The media stream key management method according to claim 1, characterised in that the step of the application server obtaining the media stream encryption key comprises:
the terminal sending a service request to the application server;
the application server determining whether the service request is a streaming-media service request and, if so, generating the media stream encryption key.
9. The media stream key management method according to claim 8, characterised in that the step of the terminal sending a service request to the application server comprises:
the terminal sending the service request to the application server over the Ut interface;
or
the terminal triggering the service request to the application server through a proxy call session control function entity and a serving call session control function entity.
10. The media stream key management method according to claim 8, characterised in that the step of sending the media stream encryption key to the terminal comprises:
the application server sending the media stream encryption key to the terminal via the proxy call session control function entity and the serving call session control function entity.
11. The media stream key management method according to claim 1, characterised in that the step of obtaining the media stream encryption key comprises:
determining from the service request from the terminal whether another user has previously requested the service and, if so, generating a media stream encryption key identical to that previous user's media stream encryption key.
12. The media stream key management method according to claim 1, characterised in that it further comprises: the terminal and the streaming server subscribing to the application server for changes of the media stream encryption key; when the media stream encryption key changes, the application server notifying the terminal and the streaming server.
13、 一种媒体流密钥管理方法, 其特征在于, 包括: 13. A media stream key management method, comprising:
终端和应用服务器协商媒体流加密密钥;  The terminal and the application server negotiate a media stream encryption key;
应用服务器将所述媒体流加密密钥发送给流媒体服务器;  The application server sends the media stream encryption key to the streaming media server;
所述终端和流媒体服务器用所述媒体流加密密钥加密 /解密传输的流媒体 内容。  The terminal and the streaming server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
14、 根据权利要求 13所述的媒体流密钥管理方法, 其特征在于, 所述终 端和应用服务器协商媒体流加密密钥的步骤为: 终端和应用服务器通过通用引导架构获得共享密钥; The media stream key management method according to claim 13, wherein the step of the terminal and the application server negotiating the media stream encryption key is: The terminal and the application server obtain the shared key through the universal booting architecture;
将所述共享密钥作为媒体流加密密钥。  The shared key is used as a media stream encryption key.
15、 一种媒体流密钥管理方法, 其特征在于, 包括:  A media stream key management method, comprising:
所述应用服务器从流媒体服务器获取媒体流加密密钥;  The application server acquires a media stream encryption key from a streaming media server;
应用服务器将所述媒体流加密密钥发送给终端;  The application server sends the media stream encryption key to the terminal;
所述终端和流媒体服务器用所述媒体流加密密钥加密 /解密传输的流媒体 内容。  The terminal and the streaming server encrypt/decrypt the transmitted streaming media content with the media stream encryption key.
16、 一种媒体流密钥管理方法, 其特征在于, 包括:  A media stream key management method, comprising:
应用服务器向流媒体服务器发送密钥加密密钥;  The application server sends a key encryption key to the streaming server;
流媒体服务器获取媒体流加密密钥,利用所述密钥加密密钥对所述媒体流 加密密钥进行加密并发送至终端;  The streaming server obtains a media stream encryption key, and encrypts the media stream encryption key by using the key encryption key and sends the encryption key to the terminal;
终端利用预先获得的密钥加密密钥进行解密得到媒体流加密密钥; 终端和流媒体服务器用所述媒体流加密密钥加密 /解密传输的流媒体内 容。  The terminal decrypts using the previously obtained key encryption key to obtain a media stream encryption key; the terminal and the streaming server encrypt/decrypt the transmitted streaming content with the media stream encryption key.
17、 根据权利要求 16所述的媒体流密钥管理方法, 其特征在于, 所述流 媒体服务器获取媒体流加密密钥的步骤为:  The media stream key management method according to claim 16, wherein the step of the streaming media server acquiring the media stream encryption key is:
流媒体服务器生成媒体流加密密钥;  The streaming server generates a media stream encryption key;
或者接收来自应用服务器的媒体流加密密钥。  Or receive a media stream encryption key from the application server.
18、 根据权利要求 16所述的媒体流密钥管理方法, 其特征在于, 所述应 用服务器向流媒体服务器发送密钥加密密钥的步骤之前包括:  The media stream key management method according to claim 16, wherein the step of the application server transmitting the key encryption key to the streaming server comprises:
应用服务器生成密钥加密密钥;  The application server generates a key encryption key;
所述流媒体服务器生成媒体流加密密钥之前进一步包括:  Before the streaming media server generates the media stream encryption key, the method further includes:
所述应用服务器向终端发送所述密钥加密密钥。  The application server sends the key encryption key to the terminal.
19、 根据权利要求 16所述的媒体流密钥管理方法, 其特征在于, 所述应 用服务器向流媒体服务器发送密钥加密密钥的步骤之前包括:  The media stream key management method according to claim 16, wherein the step of the application server transmitting the key encryption key to the streaming server comprises:
应用服务器与终端协商确定密钥加密密钥。  The application server negotiates with the terminal to determine a key encryption key.
20、 根据权利要求 16所述的媒体流密钥管理方法, 其特征在于, 所述应 用 ^^务器向流媒体服务器发送密钥加密密钥的步骤之前包括:  The media stream key management method according to claim 16, wherein the step of the server transmitting the key encryption key to the streaming server comprises:
终端和应用服务器通过通用引导架构获得共享密钥; 将所述共享密钥作为密钥加密密钥。 The terminal and the application server obtain the shared key through the universal booting architecture; The shared key is used as a key encryption key.
21、 根据权利要求 18所述的媒体流密钥管理方法, 其特征在于, 所述应 用服务器向终端发送所述密钥加密密钥的步驟包括:  The media stream key management method according to claim 18, wherein the step of the application server transmitting the key encryption key to the terminal comprises:
应用服务器直接将所述密钥加密密钥发送至终端; 应用服务器将所述密钥加密密钥以版权对象形式发送至终端。  The application server directly sends the key encryption key to the terminal; the application server sends the key encryption key to the terminal in the form of a copyright object.
22、根据权利要求 16至 21中任一项所述的媒体流密钥管理方法, 其特征 在于, 所述流媒体服务器将媒体流加密密钥发送至终端的步骤包括:  The media stream key management method according to any one of claims 16 to 21, wherein the step of the streaming media server transmitting the media stream encryption key to the terminal comprises:
流媒体服务器使用已建立的连接通道将所述媒体流加密密钥发送至终端; 或  The streaming server sends the media stream encryption key to the terminal using the established connection channel; or
建立流媒体服务器与终端间的单独下发通道;  Establish a separate delivery channel between the streaming media server and the terminal;
使用所述通道将媒体流加密密钥发送至终端。  The media stream encryption key is sent to the terminal using the channel.
23. The media stream key management method according to claim 22, wherein the separate delivery channel is a UDP channel or an RTP channel.
24. The media stream key management method according to any one of claims 16 to 21, wherein the step of the streaming media server sending the media stream encryption key to the terminal comprises:
the streaming media server sending the media stream encryption key directly to the terminal.
25. The media stream key management method according to any one of claims 16 to 21, wherein the step of the streaming media server sending the media stream encryption key to the terminal is:
sending the media stream encryption key, encrypted with the key encryption key, to the terminal through a multicast key stream.
26. The media stream key management method according to claim 16, wherein after the streaming media server sends the media stream encryption key to the terminal, the method further comprises:
after the media stream encryption key is updated, the streaming media server notifying the terminal by a notification message.
27. The media stream key management method according to any one of claims 16 to 21, wherein the step of the streaming media server sending the media stream encryption key to the terminal comprises:
the streaming media server sending the media stream encryption key to the application server;
the application server forwarding the media stream encryption key to the terminal.
28. The media stream key management method according to claim 27, wherein after the step of the streaming media server sending the media stream encryption key to the application server, the method further comprises:
the application server sending a subscription message to the streaming media server.
29. The media stream key management method according to claim 27, wherein after the application server forwards the media stream encryption key to the terminal, the method further comprises:
after the media stream encryption key is updated, the streaming media server sending the changed media stream encryption key to the application server by a notification message;
the application server forwarding the media stream encryption key to the terminal.
30. The media stream key management method according to claim 16, wherein the key encryption key is stored in the application server or in a key management center.
31. The media stream key management method according to claim 21, wherein the step of the application server sending the key encryption key to the terminal in the form of a rights object comprises:
the application server passing the key encryption key to a rights issuing center;
the rights issuing center then delivering the key encryption key to the terminal in the form of a rights object.
32. A media stream key management method, comprising:
an application server sending a key encryption key to a streaming media server;
the streaming media server negotiating with a terminal, using the key encryption key, to determine a media stream encryption key;
the terminal and the streaming media server encrypting/decrypting the transmitted streaming media content with the media stream encryption key.
33. The media stream key management method according to claim 32, wherein before the step of the application server sending the key encryption key to the streaming media server, the method comprises:
the application server generating the key encryption key;
and before the streaming media server negotiates with the terminal, using the key encryption key, to determine the media stream encryption key, the method further comprises:
the application server sending the key encryption key to the terminal.
34. The media stream key management method according to claim 32, wherein before the step of the application server sending the key encryption key to the streaming media server, the method comprises:
the application server negotiating with the terminal to determine the key encryption key.
35. The media stream key management method according to claim 32, wherein before the step of the application server sending the key encryption key to the streaming media server, the method comprises: the terminal and the application server obtaining a shared key through the Generic Bootstrapping Architecture;
using the shared key as the key encryption key.
36. The media stream key management method according to claim 33, wherein the step of the application server sending the key encryption key to the terminal comprises:
the application server sending the key encryption key directly to the terminal;
or
the application server sending the key encryption key to the terminal in the form of a rights object.
37. The media stream key management method according to claim 36, wherein the step of the application server sending the key encryption key to the terminal in the form of a rights object comprises:
the application server passing the key encryption key to a rights issuing center;
the rights issuing center then delivering the key encryption key to the terminal in the form of a rights object.
38. A media stream key management system, comprising:
an application server, a terminal and a streaming media server;
the terminal being configured to send a service request to the application server;
the application server generating a media stream encryption key according to the received service request and sending the media stream encryption key to the terminal and the streaming media server;
the streaming media server and the terminal encrypting/decrypting the transmitted streaming media content with the media stream encryption key.
39. The media stream key management system according to claim 38, wherein the system further comprises:
a proxy call control function entity and a serving call control function entity;
the proxy call control function entity being configured to receive the service request sent by the terminal to the application server and forward it to the serving call control function entity, and to receive the key forwarded by the serving call control function entity and forward it to the terminal;
the serving call control function entity being configured to trigger the service request to the application server as a streaming media service request, and to receive the key delivered by the application server and forward it to the proxy call control function entity or the streaming media server.
40. The media stream key management system according to claim 38 or 39, wherein the application server is connected to the terminal through a Ut interface.
41. A media stream key management system, comprising:
an application server, a terminal and a streaming media server;
the terminal being configured to send a service request to the application server;
the application server generating a key encryption key after receiving the service request of the terminal and sending it to the streaming media server;
the streaming media server being configured to generate a media stream encryption key, encrypt the media stream encryption key with the key encryption key and send it to the terminal;
the terminal decrypting with the key encryption key to obtain the media stream encryption key, and encrypting/decrypting the transmitted streaming media content with the media stream encryption key together with the streaming media server.
42. The media stream key management system according to claim 41, wherein the system further comprises:
a proxy call control function entity and a serving call control function entity;
the proxy call control function entity being configured to receive the service request sent by the terminal to the application server and forward it to the serving call control function entity, and to receive the key forwarded by the serving call control function entity and forward it to the terminal;
the serving call control function entity being configured to trigger the service request to the application server as a streaming media service request, and to receive the key delivered by the application server and forward it to the proxy call control function entity or the streaming media server.
43. The media stream key management system according to claim 41 or 42, wherein the application server is connected to the terminal through a Ut interface.
44. A media stream key management system, comprising:
an application server, a terminal and a streaming media server;
the terminal being configured to send a service request to the application server;
the application server generating a key encryption key after receiving the service request of the terminal and sending it to the streaming media server;
the streaming media server negotiating with the terminal, using the key encryption key, to determine a media stream encryption key;
the streaming media server and the terminal encrypting/decrypting the transmitted streaming media content with the media stream encryption key.
45. The media stream key management system according to claim 44, wherein the system further comprises:
a proxy call control function entity and a serving call control function entity;
the proxy call control function entity being configured to receive the service request sent by the terminal to the application server and forward it to the serving call control function entity, and to receive the key forwarded by the serving call control function entity and forward it to the terminal;
the serving call control function entity being configured to trigger the service request to the application server as a streaming media service request, and to receive the key delivered by the application server and forward it to the proxy call control function entity or the streaming media server.
46. The media stream key management system according to claim 44 or 45, wherein the application server is connected to the terminal through a Ut interface.
47. An application server, comprising:
a receiving unit, a key obtaining unit and a transmission unit;
the receiving unit being configured to receive a service request from a terminal and notify the key obtaining unit; the key obtaining unit, after receiving the notification, obtaining a key according to a preset key obtaining manner and sending it to the transmission unit;
the transmission unit transmitting the obtained key to the terminal and/or a streaming media server.
48. The application server according to claim 47, wherein the key comprises a key encryption key and/or a media stream encryption key.
49. The application server according to claim 48, wherein the application server further comprises a key storage unit;
if the key obtained by the key obtaining unit is a key encryption key, it is stored in the key storage unit during the lifetime of the key encryption key.
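The two-level key hierarchy of claims 32, 41 and 49, as an added example that is not code from the patent: the application server issues a key encryption key, the streaming media server wraps its media stream encryption key under it, the terminal unwraps it and decrypts the stream, and a key update (claim 26) is pushed as a new wrapped key. AES-256-GCM, the "mek"/"media" labels and all identifiers are assumptions; a terminal holding a wrong key encryption key fails the tag check and never obtains the media stream encryption key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// The claims fix no cipher; AES-256-GCM (32-byte keys, 12-byte random nonce prepended) is an assumption here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // entropy failure is not recoverable here
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}

func seal(key, plain, aad []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return aead(key).Seal(nonce, nonce, plain, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// IssueKEK is the application server's answer to a service request: a fresh key encryption key
// handed to both terminal and streaming media server (claim 41); a real server keeps it for its lifetime (claim 49).
func IssueKEK() []byte { return randBytes(32) }

// StreamingServer generates the media stream encryption key (MEK), wraps it under the KEK, and encrypts under the MEK.
type StreamingServer struct{ kek, mek []byte }

// RotateMEK installs a fresh MEK and returns it wrapped under the KEK; sent after a rotation it is the update notice of claim 26.
func (ss *StreamingServer) RotateMEK() []byte {
	ss.mek = randBytes(32)
	return seal(ss.kek, ss.mek, []byte("mek"))
}

func (ss *StreamingServer) Encrypt(content []byte) []byte {
	return seal(ss.mek, content, []byte("media"))
}

// Terminal unwraps the MEK with its KEK; a wrong or missing KEK fails the GCM tag check and keeps the old MEK.
type Terminal struct{ kek, mek []byte }

func (t *Terminal) ReceiveWrappedMEK(wrapped []byte) error {
	mek, err := open(t.kek, wrapped, []byte("mek"))
	if err == nil {
		t.mek = mek // a failed unwrap leaves the previous MEK in place
	}
	return err
}

func (t *Terminal) Decrypt(ct []byte) ([]byte, error) {
	return open(t.mek, ct, []byte("media"))
}
```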
PCT/CN2007/000241 2006-01-24 2007-01-23 Media stream key management method, system and application server WO2007085186A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610033380.4A CN101009551B (en) 2006-01-24 2006-01-24 Secret key management system and method of media stream based on IP multi-media sub-system
CN200610033380.4 2006-01-24

Publications (1)

Publication Number Publication Date
WO2007085186A1 true WO2007085186A1 (en) 2007-08-02

Family

ID=38308856

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000241 WO2007085186A1 (en) 2006-01-24 2007-01-23 Media stream key management method, system and application server

Country Status (2)

Country Link
CN (2) CN101009551B (en)
WO (1) WO2007085186A1 (en)

Also Published As

Publication number Publication date
CN101009551B (en) 2010-12-08
CN101009551A (en) 2007-08-01
CN101313510A (en) 2008-11-26

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780000180.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07702170

Country of ref document: EP

Kind code of ref document: A1