WO2010105469A1 - Authentication method and system for mobile multimedia broadcasting conditional access - Google Patents


Info

Publication number
WO2010105469A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
terminal
channel
module
receiving module
Prior art date
Application number
PCT/CN2009/073976
Other languages
French (fr)
Chinese (zh)
Inventor
宋玉林
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Related publication: BRPI0923999A2
Publication of WO2010105469A1

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W12/06 Authentication

Definitions

  • The present invention relates to the field of mobile multimedia broadcasting in China, and in particular to an authentication method and system for mobile multimedia broadcast conditional access.
  • CMMB: China Mobile Multimedia Broadcasting
  • CMMB is a broadcast, one-way data transmission channel, so besides the audio and video signals of television and radio programs, various kinds of electronic data can be transmitted through it.
  • CMMB mainly provides broadcast TV services for small-screen portable handheld terminals such as mobile phones and PDAs, as well as terminals such as in-car TVs.
  • Playing clear (unencrypted) streams on a CMMB terminal is relatively simple; for playing encrypted streams, CMMB proposes the Mobile Multimedia Broadcasting Conditional Access System (MMB-CAS). MMB-CAS protects mobile multimedia broadcast services during transmission, that is, it protects both the unidirectional and the bidirectional channel of a service. Mobile multimedia broadcast operators usually add the MMB-CAS conditional access control mechanism to mobile multimedia services at broadcast time. Using MMB-CAS, the operator can authorize a specified user or user group for a service or service package, so that only authorized users or user groups can receive the related services.
  • MMB-CAS Mobile multimedia broadcasting-Conditional Access System
  • MMB-CAS is divided into two parts: the front-end subsystem and the terminal subsystem.
  • the location in the mobile multimedia broadcasting system is shown in Figure 1.
  • The bidirectional channel (such as the short message channel) is optional and provides a point-to-point data interaction channel between the front end and the mobile multimedia receiving terminal.
  • The conditional access system defined and specified in this section applies both to a unidirectional channel alone (such as the broadcast channel) and to the combination of a unidirectional channel and a bidirectional channel.
  • With only a unidirectional channel or a unidirectional terminal, MMB-CAS can authorize the user by sending authorization information one way from the front end to the terminal, or combine encrypted authorization with an electronic wallet function so that the user self-authorizes through local interaction at the terminal.
  • With both channels and a bidirectional terminal available, MMB-CAS can also authorize the user through point-to-point interaction between the front end and the terminal over the bidirectional channel.
  • MMB-CAS is based on a four-layer key model. As shown in Figure 2, a key security management and authorization control management and distribution mechanism is established, and the scrambling technology is used to implement conditional reception of services.
  • the entire key model includes the user registration layer, authorization/security management layer, authorization control layer, and service scrambling layer.
  • the model is characterized by key layer protection; each key has its own life cycle; the lower layer key is encrypted by the upper layer key and transmitted.
  • the user registration layer implements the preset of the user key (UK) in the terminal security module, or implements user key distribution in the two-way registration mode.
  • the UK is used to encrypt/decrypt the Service Encryption Key (SEK).
  • the front end uses the UK to encrypt the SEK information, generates an EMM, transmits it to the terminal through a broadcast or two-way channel, and the terminal decrypts to obtain the SEK.
  • the SEK is used to encrypt/decrypt the control word (CW, Control Word).
  • the security management layer implements secure transmission of system signaling data from the front end to the terminal.
  • the system signaling is usually encapsulated in the EMM by using UK encryption, transmitted to the terminal through a broadcast or bidirectional channel, and the terminal decrypts to obtain system signaling.
  • the authorization control layer implements secure transfer of authorization control information (ECM) data from the front end to the terminal.
  • ECM authorization control information
  • the front end uses the SEK to encrypt the CW, generates the ECM, transmits it to the terminal through the broadcast channel, and decrypts the terminal to obtain the CW.
  • CW is used to scramble/descramble the transmitted traffic.
  • the service scrambling layer implements secure transmission of business data from the front end to the terminal.
  • the front end uses CW to scramble the service and transmit it to the terminal through the broadcast channel.
  • the terminal uses CW to descramble the scrambled service.
  • the Entitlement Manager Message (EMM) carrying the service key is distributed through the broadcast channel, and can also be distributed through the bidirectional channel under the condition of an optional bidirectional channel.
  • EMM Entitlement Manager Message
  • the user key can be preset in the security module of the MMB-CAS terminal in Figure 1, and can be distributed through the bidirectional channel in the case of an optional bidirectional channel.
  • the technical problem to be solved by the present invention is to solve the problem of low security of data transmission using a single channel in a mobile multimedia broadcast condition receiving system.
  • The present invention provides an authentication method for mobile multimedia broadcast conditional access, the method comprising:
  • the front end authenticates the terminal requesting the specific key; and
  • when authentication succeeds, the front end groups the specific key and sends it to the terminal through the bidirectional channel and the unidirectional channel.
  • The front end authenticates the terminal as follows: the front end sends authentication parameters to the terminal; after obtaining the authentication parameters, the terminal sends an authentication response result; and the front end determines from the authentication response result whether authentication succeeded.
  • When the front end sends the authentication parameters to the terminal, it sends them through both the bidirectional channel and the unidirectional channel.
  • The method further includes:
  • the front end generates a random value corresponding to the terminal when the terminal opens an account and sends the random value to the terminal;
  • the front end analyzes the random value to obtain the number of authentication parameters and the number of authentication parameters transmitted on each channel, and according to these numbers randomly determines which specific authentication parameters are delivered through the bidirectional channel and which through the unidirectional channel.
  • The authentication response result includes the authentication parameters and an authentication response value, and success is determined as follows: the front end first checks whether the received authentication parameters are consistent with the authentication parameters it stored; if not, the terminal is considered illegal and authentication fails. If they are consistent, the front end further calculates an authentication response value from the authentication parameters and checks whether it matches the authentication response value sent by the terminal; if they match, authentication succeeds, otherwise authentication fails.
  • When the front end sends the authentication parameters or the specific key to the terminal, and when the terminal sends the authentication response result to the front end, the sending end encrypts the information with the random value before sending it, and the receiving end decrypts the received information with the random value.
  • The specific key is a user key or a bearer service key.
  • The bidirectional channel is a short message channel, and the unidirectional channel is a broadcast channel.
  • The invention further provides a system for mobile multimedia broadcast conditional access, the system comprising a front end and a terminal. The front end comprises a front end service control module, a first bidirectional channel sending and receiving module, and a unidirectional channel sending module;
  • the terminal comprises a terminal service control module, a second bidirectional channel sending and receiving module, and a unidirectional channel receiving module, where:
  • the terminal service control module is configured to: after the terminal opens an account, send a message requesting the specific key to the front end; and after the terminal obtains the authentication parameters from the front end, send the authentication response result through the second bidirectional channel sending and receiving module to the first bidirectional channel sending and receiving module of the front end;
  • the front end service control module is configured to: after the front end receives the message from the terminal requesting the specific key, send the authentication parameters to the terminal; after the front end receives the authentication response result, determine from it whether authentication succeeded; and if it succeeded, send the specific key through the first bidirectional channel sending and receiving module and the unidirectional channel sending module to the corresponding modules of the terminal.
  • The front end further includes a front end random value generation and maintenance module, configured to generate a random value corresponding to the terminal when the terminal opens an account and to send the random value through the first
  • bidirectional channel sending and receiving module to the second bidirectional channel sending and receiving module of the terminal;
  • the front end service control module is further configured to analyze the random value to obtain the number of authentication parameters and the number of authentication parameters transmitted on each channel,
  • and according to these numbers randomly determine which specific authentication parameters are sent by the first bidirectional channel sending and receiving module and which by the unidirectional channel sending module.
  • The present invention further provides a front end for mobile multimedia broadcast conditional access, the front end comprising a front end service control module, a first bidirectional channel sending and receiving module, and a unidirectional channel sending module, where the front end service control module is configured to: after the front end receives the message from the terminal requesting the specific key, send the authentication parameters to the terminal; and
  • after the front end receives the authentication response result, determine from it whether authentication succeeded; if it succeeded, send the specific key through the first bidirectional channel sending and receiving module and the unidirectional channel sending module to the second bidirectional channel sending and receiving module and the unidirectional channel receiving module of the terminal.
  • The front end further includes a front end random value generation and maintenance module, configured to generate a random value corresponding to the terminal when the terminal opens an account and send the generated random value through the first bidirectional channel sending and receiving module to the second bidirectional channel sending and receiving module of the terminal;
  • the front end service control module is further configured to analyze the random value to obtain the number of authentication parameters and the number of authentication parameters transmitted on each channel, and according to these numbers
  • determine which specific authentication parameters are sent by the first bidirectional channel sending and receiving module and which by the unidirectional channel sending module.
  • The present invention also provides a mobile multimedia broadcast conditional access terminal, the terminal comprising a terminal service control module, a second bidirectional channel sending and receiving module, and a unidirectional channel receiving module, where the terminal service control module is configured to: after the terminal opens an account, send a message requesting the specific key to the front end; and after the terminal obtains the authentication parameters from the front end, send the authentication response result through the second bidirectional channel sending and receiving module to
  • the first bidirectional channel sending and receiving module of the front end.
  • the present invention implements data transmission in the authentication process by combining a unidirectional channel and a bidirectional channel, thereby improving the security of information transmission.
  • FIG. 1 is a block diagram of a conventional mobile multimedia broadcast condition receiving system
  • FIG. 2 is a schematic diagram of a four-layer key of a conventional mobile multimedia broadcast condition receiving system
  • FIG. 3 is a block diagram of a system for mobile multimedia broadcast conditional access according to a preferred embodiment of the present invention
  • FIG. 4 is a flow chart showing the operation of the system of FIG.
  • FIG. 5 is a flow chart of an authentication method for mobile multimedia broadcast conditional access according to a preferred embodiment of the present invention.
  • The invention provides an authentication method and system for mobile multimedia broadcast conditional access in which the data transmission of the authentication process is carried out over a broadcast channel and a bidirectional channel combined, which gives higher authentication security than transmitting over a single broadcast channel or a single bidirectional channel.
  • A system for mobile multimedia broadcast conditional access includes an MMB-CAS terminal 31 and an MMB-CAS front end 32.
  • The MMB-CAS terminal 31 includes a terminal RAND maintenance module 311, a terminal service control module 312, a second short message sending and receiving module 313, and a broadcast receiving module 314.
  • The MMB-CAS front end 32 includes a front end RAND generation and maintenance module 321, a front end service control module 322, a first short message sending and receiving module 323, and a broadcast sending module 324. The front end RAND generation and maintenance module 321 is configured to generate and store RAND (the random value), and the front end service control module 322 is configured to control front end service operations.
  • When the MMB-CAS terminal 31 opens an account, the RAND generation module 321 of the MMB-CAS front end 32 generates a RAND corresponding to the MMB-CAS terminal 31.
  • RAND has a validity period. If the RAND expires, the front end RAND generation and maintenance module 321 of the MMB-CAS front end 32 sends a new one to the MMB-CAS terminal 31 by short message. Analyzing the RAND yields the number of authentication parameters and the number of authentication parameters transmitted on each channel, and RAND is used to encrypt and decrypt the transmitted information.
  • the present invention is mainly directed to the security protection performed when the user registration layer and the authorization key of the authorization and security management layer are authenticated.
  • the protection principle applied in the two layers is the same.
  • the authentication process is described in detail below.
  • FIG. 4 is a flow chart showing the operation of a mobile multimedia broadcast conditional access system according to a preferred embodiment of the present invention, the process comprising the steps of:
  • the terminal service control module 312 sends the request for the specific key to the MMB-CAS front end 32 by short message, using the second short message sending and receiving module 313; it is received by the first short message sending and receiving module 323;
  • the front end service control module 322 determines from the RAND analysis how many authentication parameters there are and how many each channel transmits, and sends them through the broadcast sending module 324 and the first
  • short message sending and receiving module 323 in those numbers. The authentication parameters are encrypted with the RAND held by the front end RAND generation and maintenance module 321, so the confidentiality of the information sent over the two channels is ensured and it is not easily captured by a third party;
  • after the broadcast receiving module 314 and the second short message sending and receiving module 313 of the MMB-CAS terminal 31 receive the broadcast channel and short message channel information, the terminal service control module 312 analyzes the RAND stored by the terminal RAND maintenance module 311 to learn the number of authentication parameters and the number transmitted by each channel, so that the complete content of the message can be obtained. Once all authentication parameters have been received, the original text is recovered by RAND decryption. From the original text an authentication response value is calculated with an algorithm negotiated with the MMB-CAS front end 32, and the authentication response result (all authentication parameters together with the authentication response value) is encrypted with RAND and sent by the second short message sending and receiving module 313 to the first short message sending and receiving module 323 of the MMB-CAS front end 32;
  • only by analyzing RAND can the complete content of the message be known. For example, the MMB-CAS front end generates five distinct parameters; analyzing RAND tells how many are sent on each of the two channels, while the specific allocation is random. The MMB-CAS terminal 31 can collect all the parameters from the total number of authentication parameters and the number transmitted on each of the two channels;
  • the specific operation is to derive the authentication response value from the authentication parameters through some algorithm.
  • For example, the MMB-CAS front end 32 generates five authentication parameters: a1, a2, a3, a4, a5.
  • The algorithm takes these parameters as its input.
  • After receiving the authentication parameters and the authentication response value from the MMB-CAS terminal 31, the front end service control module 322 decrypts all the authentication parameters and the authentication response value with RAND, and compares the received authentication parameters with the authentication parameters stored by the front end service control module 322. If the parameters are inconsistent, the MMB-CAS terminal 31 is considered illegal and its request is rejected directly.
  • If they are consistent, the front end service control module 322 calculates an authentication response value from the authentication parameters with the same algorithm as the MMB-CAS terminal 31. If the authentication response value calculated by the MMB-CAS front end 32 equals the authentication response value calculated by the MMB-CAS terminal 31, authentication is successful, and the specific key is grouped by an algorithm,
  • encrypted with RAND, and the grouped specific key is delivered by the broadcast sending module 324 and the first short message sending and receiving module 323.
  • The terminal service control module 312 reassembles the encrypted specific key with the same algorithm and decrypts it with RAND to obtain the original specific key. If the authentication parameters are valid but the authentication response values are not equal, the request of the MMB-CAS terminal 31 is likewise rejected.
  • FIG. 5 is a flow chart of an authentication method for mobile multimedia broadcast conditional access according to a preferred embodiment of the present invention, the method comprising the steps of:
  • S501: the MMB-CAS terminal opens an account;
  • the MMB-CAS front end generates RAND and sends RAND to the MMB-CAS terminal through the short message channel;
  • the MMB-CAS terminal requests a specific key (user key or service key), sending the request to the MMB-CAS front end through the short message channel;
  • after receiving the request message, the MMB-CAS front end determines, from the number of authentication parameters and the number of authentication parameters transmitted on each channel, which authentication parameters are sent through the broadcast channel and which through the short message channel.
  • The authentication parameters are encrypted with RAND before being sent, so the confidentiality of the information sent over the two channels is ensured and it is not easily captured by a third party;
  • the specific operation is to derive the authentication response value from the authentication parameters through some algorithm, for example:
  • the MMB-CAS front end 32 generates five authentication parameters: a1, a2, a3, a4, a5.
  • The algorithm performs some operation on these parameters as its input, such as a function F( );
  • after receiving the authentication parameters and the authentication response value from the MMB-CAS terminal, the MMB-CAS front end decrypts all the authentication parameters and the authentication response value with RAND, and then compares the received authentication parameters with the authentication parameters stored in the MMB-CAS front end. If the parameters are inconsistent, the MMB-CAS terminal is considered illegal and its request is rejected directly. If they are consistent, the MMB-CAS front end calculates an authentication response value from the authentication parameters with the same algorithm as the MMB-CAS terminal. If the authentication response value calculated by the MMB-CAS front end equals the authentication response value calculated by the MMB-CAS terminal, authentication succeeds. If the authentication parameters are valid but the authentication response values are not equal, the request of the MMB-CAS terminal is rejected.
  • The MMB-CAS front end groups the specific key with an algorithm, encrypts the grouped specific key with RAND, and delivers it through the broadcast channel and the short message channel. For example, a 200-byte specific key is divided into several packets, each packet carries information about the packet before it and the packet after it, and the packets are then sent at random over the two channels, so that the terminal can reassemble them once it has received them all.
  • After receiving the specific key, the MMB-CAS terminal reassembles the encrypted specific key and decrypts it with RAND to obtain the original specific key.
  • Authenticating over the broadcast channel and the short message channel together lets the UK and the SEK be issued safely, and effectively improves the security of information transmission.
  • The present invention carries out the data transmission of the authentication process by combining a unidirectional channel and a bidirectional channel, thereby improving the security of information transmission.
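The two-channel exchange of the FIG. 4 and FIG. 5 steps above, as an added Python model; it is not the patent's or the assignee's code. The patent names neither the cipher that "encrypts with RAND", nor the function F, nor how RAND is "analyzed" into parameter counts, nor the packet layout, so the nonce-plus-keystream construction `rand_crypt`, the HMAC-based `response_value`, the `split_plan` derivation and the seq/prev/next packet header below are all assumptions, marked as such in the comments. The sample key is constructed.

```python
"""Two-channel authentication and key delivery modelled on the MMB-CAS flow above.
Added illustration (not the patent's or ZTE's code); every primitive is an assumption."""
import hashlib
import hmac
import random
import secrets
import struct

NONCE_LEN = 8
PARAM_LEN = 8
HDR = ">HHhh"  # assumed packet header: seq, total, prev seq, next seq (-1 when none)


def _xor_stream(rand: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hashlib.sha256(rand + nonce + struct.pack(">I", blk // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)


def rand_crypt(rand: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypted with RAND': fresh nonce + SHA-256 counter keystream.
    Assumed and unauthenticated; a deployment would use an AEAD under a RAND-derived key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_stream(rand, nonce, data)


def rand_decrypt(rand: bytes, blob: bytes) -> bytes:
    return _xor_stream(rand, blob[:NONCE_LEN], blob[NONCE_LEN:])


def split_plan(rand: bytes) -> tuple:
    """Both sides 'analyze RAND' to learn the parameter count and how many go by broadcast
    (assumed derivation; the patent only says RAND carries this information)."""
    n_params = 3 + rand[0] % 3                  # 3..5; the patent's example uses 5
    n_broadcast = 1 + rand[1] % (n_params - 1)  # 1..n-1, so neither channel carries all
    return n_params, n_broadcast


def response_value(rand: bytes, params: list) -> bytes:
    """The negotiated F(a1, ..., an): HMAC-SHA256 keyed by RAND (assumed)."""
    return hmac.new(rand, b"".join(params), hashlib.sha256).digest()


class FrontEnd:
    def __init__(self):
        self.rand = secrets.token_bytes(16)  # generated at account opening, sent by SMS
        self.params = []

    def send_auth_params(self):
        """Return (broadcast messages, SMS messages); each message is (index, ciphertext)."""
        n, nb = split_plan(self.rand)
        self.params = [secrets.token_bytes(PARAM_LEN) for _ in range(n)]
        order = list(range(n))
        random.shuffle(order)                    # which parameter goes on which channel is random
        msgs = [(i, rand_crypt(self.rand, self.params[i])) for i in order]
        return msgs[:nb], msgs[nb:]

    def verify(self, enc_result: bytes) -> bool:
        """Parameters must match what was sent, then the response value must match F."""
        pt = rand_decrypt(self.rand, enc_result)
        n = len(self.params)
        got = [pt[PARAM_LEN * i:PARAM_LEN * (i + 1)] for i in range(n)]
        if got != self.params:
            return False                         # inconsistent parameters: terminal rejected
        return hmac.compare_digest(pt[PARAM_LEN * n:], response_value(self.rand, self.params))

    def send_key(self, key: bytes, chunk: int = 32):
        """Group the key into linked packets and spread them at random over both channels."""
        pieces = [key[i:i + chunk] for i in range(0, len(key), chunk)]
        total = len(pieces)
        pkts = []
        for seq, piece in enumerate(pieces):
            nxt = seq + 1 if seq + 1 < total else -1
            pkts.append(rand_crypt(self.rand, struct.pack(HDR, seq, total, seq - 1, nxt) + piece))
        random.shuffle(pkts)
        cut = random.randint(0, total)
        return pkts[:cut], pkts[cut:]


class Terminal:
    def __init__(self, rand: bytes):
        self.rand = rand                         # received by SMS at account opening

    def answer(self, broadcast_msgs, sms_msgs) -> bytes:
        n, nb = split_plan(self.rand)
        if len(broadcast_msgs) != nb or len(sms_msgs) != n - nb:
            raise ValueError("not all authentication parameters received")
        params = [None] * n
        for i, ct in broadcast_msgs + sms_msgs:
            params[i] = rand_decrypt(self.rand, ct)
        return rand_crypt(self.rand, b"".join(params) + response_value(self.rand, params))

    def reassemble(self, broadcast_pkts, sms_pkts) -> bytes:
        pieces, total = {}, None
        for ct in broadcast_pkts + sms_pkts:
            pt = rand_decrypt(self.rand, ct)
            seq, total, prev, nxt = struct.unpack(HDR, pt[:8])
            pieces[seq] = (prev, nxt, pt[8:])
        if total is None or len(pieces) != total:
            raise ValueError("key packets missing")
        key, seq, prev = b"", 0, -1
        while seq != -1:                         # walk the prev/next links from packet 0
            p, nxt, piece = pieces[seq]
            if p != prev:
                raise ValueError("packet chain broken")
            key, prev, seq = key + piece, seq, nxt
        return key


def run_protocol(key: bytes, wrong_rand: bool = False):
    """Whole exchange; returns (authenticated, delivered key or None)."""
    fe = FrontEnd()
    term = Terminal(secrets.token_bytes(16) if wrong_rand else fe.rand)
    bc, sms = fe.send_auth_params()
    try:
        result = term.answer(bc, sms)
    except ValueError:
        return False, None
    if not fe.verify(result):
        return False, None
    bc, sms = fe.send_key(key)
    return True, term.reassemble(bc, sms)
```

`run_protocol(key)` returns `(True, key)` when the terminal holds the RAND issued at account opening; a terminal with a different RAND either cannot assemble the parameter set (its count from `split_plan` disagrees) or fails the parameter comparison in `verify`, which is the rejection path the flow describes. The chain check in `reassemble` is what the "information about the packet before and after" in each key packet buys: a missing or mislinked packet is detected before the key is used.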

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an authentication method and a system for mobile multimedia broadcasting conditional access, and the authentication method includes the following steps: a front end authenticates a terminal which requests a special key, and when the authentication is successful, the front end groups the special key and transmits the special key to the terminal through a two-way channel and a one-way channel. The system includes the front end and the terminal. The invention enables the data transmission in the authentication process through the method of combining the two-way channel with the one-way channel, and improves the security of the information transmission.

Description

一种移动多媒体广播条件接收的鉴权方法及系统  Authentication method and system for mobile multimedia broadcast conditional reception
技术领域 Technical field
本发明涉及中国移动多媒体广播领域, 尤其涉及一种移动多媒体广播条 件接收的鉴权方法及系统。  The present invention relates to the field of mobile multimedia broadcasting in China, and in particular, to an authentication method and system for receiving mobile multimedia broadcast conditions.
背景技术 Background technique
中国移动多媒体广播 ( CMMB, China Mobile multimedia broadcasting )是 广电总局主导并推荐的行业标准。 CMMB 是一个广播式的单向数据传输通 道, 因此除了可以传输电视节目、 广播节目的音视频信号之外, 各种电子数 据都可以通过它来发送。 CMMB主要面向手机、 PDA等小屏幕便携手持终端 以及车载电视等终端提供广播电视服务。  China Mobile Multimedia Broadcasting (CMMB) is the industry standard led and recommended by the State Administration of Radio, Film and Television. The CMMB is a broadcast one-way data transmission channel, so that in addition to audio and video signals that can transmit television programs and broadcast programs, various electronic data can be transmitted through it. CMMB mainly provides broadcast TV services for small-screen portable handheld terminals such as mobile phones and PDAs, as well as terminals such as car TVs.
目前 CMMB终端播放清流实现比较简单; 对于播放加密流, CMMB提 出了"移动多媒体广播条件接收 ( Mobile multimedia broadcasting-Conditional Access System,简写为 MMB-CAS ),,。 MMB-CAS可为移动多媒体广播业务提 供传输过程中的保护, 即针对业务的单向信道以及双向信道提供保护。 移动 多媒体广播运营商通常在播出时针对移动多媒体业务加入 MMB-CAS条件接 收控制机制。 釆用 MMB-CAS, 移动多媒体广播运营商可针对业务或业务包 向指定用户或用户组授权, 使得只有授权用户或用户组才能接收相关业务。  At present, CMMB terminal playback clearing is relatively simple; for playing encrypted stream, CMMB proposes "Mobile multimedia broadcasting-Conditional Access System (MMB-CAS), MMB-CAS can be mobile multimedia broadcasting service. Provides protection during transmission, that is, protection for unidirectional channels and bidirectional channels of services. Mobile multimedia broadcast operators usually add MMB-CAS conditional access control mechanisms for mobile multimedia services during broadcast. MMMMB-CAS, mobile The multimedia broadcast operator can authorize the specified user or user group for the service or service package, so that only authorized users or user groups can receive related services.
MMB-CAS分为前端子系统和终端子系统两部分, 在移动多媒体广播系 统中的位置如图 1所示。 其中, 双向信道(如短信信道)是可选的, 可以为 前端与移动多媒体接收终端之间提供点对点的数据交互通道。 本部分所定义 和规定的条件接收系统既可适用于单向信道(如广播信道) , 也可适用于单 向信道和双向信道相结合的场景。  MMB-CAS is divided into two parts: the front-end subsystem and the terminal subsystem. The location in the mobile multimedia broadcasting system is shown in Figure 1. Among them, the bidirectional channel (such as the short message channel) is optional, and can provide a point-to-point data interaction channel between the front end and the mobile multimedia receiving terminal. The conditional access system defined and specified in this section can be applied to both unidirectional channels (such as broadcast channels) and to the combination of unidirectional channels and bidirectional channels.
在仅有单向信道或单向终端的情况下, MMB-CAS可通过前端向终端单 向授权信息方式向用户授权, 或结合使用加密授权与电子钱包功能, 通过终 端本地交互方式实现用户自授权。 在单向信道与双向信道和双向终端均可用 的情况下, MMB-CAS还可通过双向信道以前端与终端点对点交互方式向用 户授权。 In the case of a unidirectional channel or a unidirectional terminal, the MMB-CAS can authorize the user through the front-end authorization information to the terminal, or use the encryption authorization and the electronic wallet function together, and realize the user self-authorization through the terminal local interaction mode. . In the case that both the unidirectional channel and the bidirectional channel and the bidirectional terminal are available, the MMB-CAS can also use the bidirectional channel to communicate with the terminal in a peer-to-peer manner. User authorization.
The MMB-CAS is built on a four-layer key model, shown in Figure 2, which establishes the mechanisms for key security management, authorization control management and key distribution, and uses scrambling to implement conditional access to services. The key model comprises a user registration layer, an authorization/security management layer, an authorization control layer and a service scrambling layer. Its characteristics are that keys are protected in layers, each key has its own life cycle, and a lower-layer key is encrypted with the key of the layer above before it is transmitted.
The user registration layer either pre-provisions the user key (UK) in the terminal's security module or distributes the user key through a two-way registration procedure. The UK is used to encrypt and decrypt the service encryption key (SEK, Service Encryption Key).
The authorization management layer provides secure delivery of entitlement management messages (EMM, Entitlement Management Message) from the front end to the terminal. The front end encrypts the SEK information with the UK to produce an EMM and transmits it to the terminal over the broadcast channel or the bidirectional channel; the terminal decrypts it to recover the SEK.
The SEK is used to encrypt and decrypt the control word (CW, Control Word).
The security management layer provides secure delivery of system signaling data from the front end to the terminal. System signaling is normally encrypted with the UK, encapsulated in an EMM and transmitted to the terminal over the broadcast channel or the bidirectional channel; the terminal decrypts it to recover the system signaling. System signaling is used for security control of the system, key management, feature management and so on.
The authorization control layer provides secure delivery of entitlement control messages (ECM) from the front end to the terminal. The front end encrypts the CW with the SEK to produce an ECM and transmits it to the terminal over the broadcast channel; the terminal decrypts it to recover the CW. The CW is used to scramble and descramble the transmitted service.
The service scrambling layer provides secure delivery of the service data from the front end to the terminal. The front end scrambles the service with the CW and transmits it to the terminal over the broadcast channel; the terminal descrambles the scrambled service with the CW.
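To make the four-layer model concrete, the following is an added example written for this page; it is not code from the patent or from its applicant. It models a front end and two terminals in one process. Everything the text leaves unspecified is an assumption here: HMAC-SHA256 in counter mode stands in for the real encryption and scrambling algorithms, the 16-byte key sizes, the nonce/ciphertext/tag layout produced by `wrap`, and the class and method names are all invented for illustration. What it shows beyond the prose is the effect of the layering: a terminal whose UK is not the one the EMM was produced under never obtains the SEK, so it cannot open any ECM, and a terminal holding a SEK that has reached the end of its life cycle loses the CW, and therefore the service, until it processes a fresh EMM.

```python
"""Added example: the four-layer key model (UK -> SEK -> CW -> scrambled service) in miniature."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for the unspecified cipher/scrambler."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`: nonce || ciphertext || 16-byte tag (assumed format)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if `blob` was not produced under `key` or was altered."""
    if len(blob) < 28:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FrontEnd:
    def __init__(self, user_keys: Dict[str, bytes]) -> None:
        self.user_keys = user_keys      # user registration layer: one UK per terminal
        self.sek = os.urandom(16)       # authorization management layer: the current SEK

    def rotate_sek(self) -> None:
        self.sek = os.urandom(16)       # the old SEK reaches the end of its life cycle

    def emm_for(self, terminal_id: str) -> bytes:
        return wrap(self.user_keys[terminal_id], self.sek)     # EMM = SEK encrypted under the UK

    def ecm_and_service(self, service_data: bytes) -> Tuple[bytes, bytes]:
        cw = os.urandom(16)             # a fresh CW for this crypto-period
        return wrap(self.sek, cw), wrap(cw, service_data)       # ECM = CW under SEK; service under CW


class Terminal:
    def __init__(self, uk: bytes) -> None:
        self.uk = uk                    # UK pre-provisioned in the security module
        self.sek: Optional[bytes] = None

    def process_emm(self, emm: bytes) -> bool:
        self.sek = unwrap(self.uk, emm)
        return self.sek is not None

    def descramble(self, ecm: bytes, scrambled: bytes) -> Optional[bytes]:
        if self.sek is None:
            return None
        cw = unwrap(self.sek, ecm)      # authorization control layer
        return None if cw is None else unwrap(cw, scrambled)   # service scrambling layer
```

The tag inside `wrap` is an editorial choice rather than something the page specifies: it makes a failed `unwrap` return None instead of silently yielding a wrong SEK or CW, which is what lets the caller distinguish "not entitled" from "entitled but garbled".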
The entitlement management message (Entitlement Management Message, EMM) carrying the service key is distributed over the broadcast channel; where the optional bidirectional channel exists, it can also be distributed over the bidirectional channel.
The user key can be pre-provisioned in the security module of the MMB-CAS terminal shown in Figure 1; where the optional bidirectional channel exists, it can also be distributed over the bidirectional channel with mutual authentication.
As Figure 2 shows, the UK and the SEK can be delivered either one way or two ways, but delivery over a single channel is easy to eavesdrop on in transit, which weakens the security of the information being delivered.

Summary of the invention
The technical problem addressed by the present invention is the low security of transmitting data over a single channel in a mobile multimedia broadcasting conditional access system.
To solve this problem, the present invention provides an authentication method for mobile multimedia broadcasting conditional access, the method comprising:
the front end authenticates a terminal that requests a specific key, and when authentication succeeds the front end splits the specific key into packets and sends the specific key to the terminal over both a bidirectional channel and a unidirectional channel.
Further, in the above method, the front end authenticates the terminal as follows: the front end sends authentication parameters to the terminal; after obtaining the authentication parameters, the terminal sends an authentication response result to the front end; and the front end decides from the authentication response result whether authentication succeeded.
Further, in the above method, when the front end sends the authentication parameters to the terminal, it sends them over both the bidirectional channel and the unidirectional channel.
Further, the above method also comprises, before the step in which the front end sends the authentication parameters to the terminal:
the front end generates a random value corresponding to the terminal when the terminal's account is opened and sends that random value to the terminal;
the front end analyses the random value to obtain the number of authentication parameters and the number of authentication parameters carried on each channel, and, based on those counts, randomly decides which specific authentication parameters are sent over the bidirectional channel and which over the unidirectional channel.
Further, in the above method, the authentication response result comprises the authentication parameters and an authentication response value, and success is decided as follows: the front end first checks whether the received authentication parameters match the authentication parameters it stored; if they do not match, the terminal is considered illegitimate and authentication fails; if they match, the front end computes an authentication response value from the authentication parameters and checks whether its computed value matches the authentication response value sent by the terminal; if they match, authentication succeeds, otherwise authentication fails.
Further, in the above method, when the front end sends the authentication parameters or the specific key to the terminal, and when the terminal sends the authentication response result to the front end, the sending side encrypts the information with the random value before sending it and the receiving side decrypts the received information with the random value.
Further, in the above method, the specific key is a user key or a service key. Further, in the above method, the bidirectional channel is an SMS channel and the unidirectional channel is a broadcast channel.
The present invention also provides a mobile multimedia broadcasting conditional access system comprising a front end and a terminal. The front end comprises a front-end service control module, a first bidirectional-channel transmit/receive module and a unidirectional-channel transmit module; the terminal comprises a terminal service control module, a second bidirectional-channel transmit/receive module and a unidirectional-channel receive module, wherein:
the terminal service control module is configured to send a request for delivery of a specific key to the front end after the terminal's account is opened and, once the terminal has obtained the authentication parameters from the front end, to send the authentication response result through the second bidirectional-channel transmit/receive module to the front end's first bidirectional-channel transmit/receive module;
the front-end service control module is configured to send authentication parameters to the terminal after the front end receives the terminal's request for delivery of a specific key, to decide from the authentication response result, once received, whether authentication succeeded, and, if it succeeded, to send the specific key through the first bidirectional-channel transmit/receive module and the unidirectional-channel transmit module to the terminal's corresponding second bidirectional-channel transmit/receive module and unidirectional-channel receive module.
Further, in the above system, the front end comprises a front-end random value generation and maintenance module configured to generate a random value corresponding to the terminal when the terminal's account is opened and to send it through the first bidirectional-channel transmit/receive module to the terminal's second bidirectional-channel transmit/receive module; the front-end service control module is further configured to analyse the random value to obtain the number of authentication parameters and the number carried on each channel and, based on those counts, to randomly decide which specific authentication parameters are sent through the first bidirectional-channel transmit/receive module and which through the unidirectional-channel transmit module.
The present invention also provides a front end for mobile multimedia broadcasting conditional access, comprising a front-end service control module, a first bidirectional-channel transmit/receive module and a unidirectional-channel transmit module, wherein the front-end service control module is configured to: send authentication parameters to the terminal after the front end receives the terminal's request for delivery of a specific key; and
after the front end receives the authentication response result, decide from it whether authentication succeeded and, if so, send the specific key through the first bidirectional-channel transmit/receive module and the unidirectional-channel transmit module to the terminal's second bidirectional-channel transmit/receive module and unidirectional-channel receive module.
Further, the above front end also comprises a front-end random value generation and maintenance module configured to generate a random value corresponding to the terminal when the terminal's account is opened and to send the generated random value through the first bidirectional-channel transmit/receive module to the terminal's second bidirectional-channel transmit/receive module;
the front-end service control module is further configured to analyse the random value to obtain the number of authentication parameters and the number carried on each channel and, based on those counts, to randomly decide which specific authentication parameters are sent through the first bidirectional-channel transmit/receive module and which through the unidirectional-channel transmit module.
The present invention also provides a terminal for mobile multimedia broadcasting conditional access, comprising a terminal service control module, a second bidirectional-channel transmit/receive module and a unidirectional-channel receive module, wherein the terminal service control module is configured to send a request for delivery of a specific key to the front end after the terminal's account is opened and, once the terminal has obtained the authentication parameters from the front end, to send the authentication response result through the second bidirectional-channel transmit/receive module to the front end's first bidirectional-channel transmit/receive module.
Compared with the prior art, the present invention carries the data of the authentication procedure over a combination of a unidirectional channel and a bidirectional channel, which improves the security of the information transfer.
Brief description of the drawings
Figure 1 is a block diagram of a conventional mobile multimedia broadcasting conditional access system;
Figure 2 is a schematic of the four-layer key model of a conventional mobile multimedia broadcasting conditional access system;
Figure 3 is a block diagram of a mobile multimedia broadcasting conditional access system according to a preferred embodiment of the present invention;
Figure 4 is a flow chart of the operating principle of the system in Figure 3;
Figure 5 is a flow chart of the authentication method for mobile multimedia broadcasting conditional access according to a preferred embodiment of the present invention.
Preferred embodiments of the invention
The present invention provides an authentication method and system for mobile multimedia broadcasting conditional access in which the data transfer of the authentication procedure is carried over two channels, giving higher authentication security than transfer over a single broadcast channel or a simple bidirectional channel alone. The invention is described in detail below with reference to the drawings and embodiments.
Referring to Figure 3, the mobile multimedia broadcasting conditional access system of the preferred embodiment comprises an MMB-CAS front end 32 and an MMB-CAS terminal 31. The MMB-CAS front end 32 comprises a front-end RAND generation and maintenance module 321, a front-end service control module 322, a first SMS transmit/receive module 323 and a broadcast transmit module 324. The MMB-CAS terminal 31 comprises a terminal RAND maintenance module 311, a terminal service control module 312, a second SMS transmit/receive module 313 and a broadcast receive module 314. The front-end RAND generation and maintenance module 321 generates and stores the RAND (random value); the front-end service control module 322 controls the front end's service operations. When the MMB-CAS terminal 31 opens an account, the RAND generation module 321 of the MMB-CAS front end 32 generates a RAND corresponding to that terminal.
The RAND has a limited validity period; when it expires, the front-end RAND generation and maintenance module 321 of the MMB-CAS front end 32 sends an SMS to the MMB-CAS terminal 31. Analysing the RAND yields the number of authentication parameters and the number of parameters carried on each channel, and the RAND is also used to encrypt and decrypt the transmitted information.
The present invention is mainly directed at protecting the authentication performed when a specific key is requested at the user registration layer and at the authorization/security management layer. The protection principle is the same for both layers; the authentication procedure is described in detail below.
Figure 4 is a flow chart of the operating principle of the mobile multimedia broadcasting conditional access system of the preferred embodiment. The procedure comprises the following steps:
S401: when the MMB-CAS terminal 31 opens an account, the front-end RAND generation and maintenance module 321 of the MMB-CAS front end 32 generates a RAND and sends it by SMS through the first SMS transmit/receive module 323 to the second SMS transmit/receive module 313 of the MMB-CAS terminal 31;
S402: when the MMB-CAS terminal 31 wants to request a specific key (a user key or a service key), the terminal service control module 312 sends the request by SMS through the second SMS transmit/receive module 313 to the first SMS transmit/receive module 323 of the MMB-CAS front end 32;
S403: after the MMB-CAS front end 32 receives the SMS, the front-end service control module 322 determines from the RAND how many authentication parameters there are and how many are carried on each channel, and accordingly how many are sent through the broadcast transmit module 324 and how many through the first SMS transmit/receive module 323. Before sending, it encrypts the authentication parameters with the RAND held by the front-end RAND generation and maintenance module 321, so that the information sent on both channels stays confidential and is not easily captured by an adversary;
S404: after the broadcast receive module 314 and the second SMS transmit/receive module 313 of the MMB-CAS terminal 31 receive the broadcast-channel and SMS-channel information, the terminal service control module 312 uses the RAND stored by the terminal RAND maintenance module 311 to determine the number of authentication parameters and the number carried on each channel, so that the complete content of the message can be recovered; once all authentication parameters have been received, it decrypts them with the RAND to obtain the plaintext. From the plaintext it computes an authentication response value using the algorithm agreed with the MMB-CAS front end 32, then encrypts the authentication response result (all the authentication parameters together with the authentication response value) with the RAND and sends it by SMS through the second SMS transmit/receive module 313 to the first SMS transmit/receive module 323 of the MMB-CAS front end 32;
Analysing the RAND reveals the complete content of the message. For example, the MMB-CAS front end generates five distinct parameters; analysing the RAND tells how many are sent on each of the two channels, the specific allocation being random, and the MMB-CAS terminal 31 can recover all the parameters from the total number of authentication parameters and the number transmitted on each channel;
The specific computation derives the authentication response value from the authentication parameters by some algorithm. For example, the MMB-CAS front end 32 generates five authentication parameters a1, a2, a3, a4, a5, and the algorithm takes these parameters as inputs to some function F( ):
a1, a2, a3, a4, a5 -> F(a1, a2, a3, a4, a5) -> response value;
S405: after the MMB-CAS front end 32 receives the authentication parameters and the authentication response value from the MMB-CAS terminal 31, the front-end service control module 322 decrypts all the authentication parameters and the authentication response value with the RAND, then compares the received authentication parameters with the authentication parameters stored by the front-end service control module 322. If the parameters do not match, the MMB-CAS terminal 31 is considered illegitimate and its request is rejected outright. If they match, the front-end service control module 322 computes an authentication response value from the authentication parameters with the same algorithm as the MMB-CAS terminal 31; if the authentication response value computed by the MMB-CAS front end 32 equals the one computed by the MMB-CAS terminal 31, authentication has succeeded, and the front end splits the specific key into packets by an algorithm, encrypts them with the RAND and sends the packets through the broadcast transmit module 324 and through the first SMS transmit/receive module 323. After the MMB-CAS terminal receives the specific key, the terminal service control module 312 reassembles the encrypted specific key with the same algorithm and decrypts it with the RAND to obtain the original specific key. If the authentication parameters are valid but the authentication response values differ, the request of the MMB-CAS terminal 31 is likewise rejected.
Figure 5 is a flow chart of the authentication method for mobile multimedia broadcasting conditional access of the preferred embodiment. The method comprises the following steps:
S501: the MMB-CAS terminal opens an account;
S502: the MMB-CAS front end generates a RAND and sends it to the MMB-CAS terminal over the SMS channel;
S503: the MMB-CAS terminal requests a specific key (a user key or a service key), sending the request to the MMB-CAS front end over the SMS channel;
S504: after receiving the request SMS, the MMB-CAS front end determines from the RAND how many authentication parameters there are and how many are carried on each channel, and hence how many are sent over the broadcast channel and how many over the SMS channel. Before sending, it encrypts the authentication parameters with the RAND, so that the information sent on both channels stays confidential and is not easily captured by an adversary;
S505: on receiving the authentication parameters, the MMB-CAS terminal determines from the RAND the number of authentication parameters and the number carried on each channel, so that the complete content of the message can be recovered; once all authentication parameters have been received, it decrypts them with the RAND to obtain the plaintext.
S506: from the plaintext, the terminal computes an authentication response value using the algorithm agreed with the MMB-CAS front end, then encrypts the authentication response result (all the authentication parameters together with the authentication response value) with the RAND and sends it to the MMB-CAS front end over the SMS channel;
The specific computation derives the authentication response value from the authentication parameters by some algorithm. For example, the MMB-CAS front end 32 generates five authentication parameters a1, a2, a3, a4, a5, and the algorithm takes these parameters as inputs to some function F( ):
a1, a2, a3, a4, a5 -> F(a1, a2, a3, a4, a5) -> response value;
S507: after the MMB-CAS front end receives the authentication parameters and the authentication response value from the MMB-CAS terminal, it decrypts all the authentication parameters and the authentication response value with the RAND, then compares the received authentication parameters with the authentication parameters it stored. If the parameters do not match, the MMB-CAS terminal is considered illegitimate and its request is rejected outright. If they match, the MMB-CAS front end computes an authentication response value from the authentication parameters with the same algorithm as the MMB-CAS terminal; if the value computed by the MMB-CAS front end equals the value computed by the MMB-CAS terminal, authentication has succeeded. If the authentication parameters are valid but the authentication response values differ, the request of the MMB-CAS terminal is likewise rejected.
S508: after authentication succeeds, the MMB-CAS front end splits the specific key into packets by an algorithm, encrypts them with the RAND and sends the packets over the broadcast channel and the SMS channel. For example, a 200-byte specific key is divided into several packets, each carrying information linking it to the packet before and the packet after it, and the packets are then distributed at random over the two channels, so that the terminal can reassemble them once all have been received.
S509: after receiving the specific key, the MMB-CAS terminal reassembles the encrypted specific key and decrypts it with the RAND to obtain the original specific key.
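The exchange of S501 to S509 (and, identically, S401 to S405), as an added example written for this page; it is not part of the patent and not its applicant's code. Both parties run in one process and the SMS and broadcast channels are plain lists. Everything the text leaves open is an assumption here and is labelled in the code: the rule by which the parameter count and per-channel counts are read out of RAND (`layout_from_rand`), the agreed function F (taken to be HMAC-SHA256 keyed with RAND over the parameters in order), the record formats (an index byte in front of each parameter; seq/total/prev/next bytes in front of each key chunk), the 24-byte chunk size, and the stand-in for "encryption with RAND" (a SHAKE256 pad). As the text describes, the RAND delivered by SMS at account opening is the one secret every later step rests on, and the front end's two checks, echoed parameters first and response value second, are applied in that order.

```python
"""Added example: RAND-based two-channel authentication and key delivery, front end and terminal."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

SMS, BROADCAST = "sms", "broadcast"
_sysrand = secrets.SystemRandom()   # random split of parameters and packets over the two channels
CHUNK = 24                           # key bytes per packet (assumed; the page gives no size)
NONE = 0xFF                          # "no previous / no next packet" marker (assumed)


def rand_seal(rand: bytes, record: bytes) -> bytes:
    """nonce || record XOR SHAKE256(rand || nonce). Stand-in for the page's 'encrypt with RAND'."""
    nonce = os.urandom(8)
    pad = hashlib.shake_256(rand + nonce).digest(len(record))
    return nonce + bytes(b ^ p for b, p in zip(record, pad))


def rand_open(rand: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    pad = hashlib.shake_256(rand + nonce).digest(len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def layout_from_rand(rand: bytes) -> Tuple[int, int]:
    """(number of parameters, how many go by SMS); the rest go by broadcast. Assumed rule."""
    n_params = 3 + rand[0] % 4             # 3..6 parameters
    n_sms = 1 + rand[1] % (n_params - 1)   # at least one parameter on each channel
    return n_params, n_sms


def response_value(rand: bytes, params: List[bytes]) -> bytes:
    """F(a1..an): assumed to be HMAC-SHA256 keyed with RAND over the parameters in index order."""
    return hmac.new(rand, b"".join(params), hashlib.sha256).digest()


def fragment_key(rand: bytes, key: bytes) -> Dict[str, List[bytes]]:
    """S508: split the key into linked packets and spread them at random over both channels."""
    chunks = [key[i:i + CHUNK] for i in range(0, len(key), CHUNK)]
    out: Dict[str, List[bytes]] = {SMS: [], BROADCAST: []}
    for seq, chunk in enumerate(chunks):
        prev = NONE if seq == 0 else seq - 1
        nxt = NONE if seq == len(chunks) - 1 else seq + 1
        record = bytes([seq, len(chunks), prev, nxt]) + chunk
        out[_sysrand.choice((SMS, BROADCAST))].append(rand_seal(rand, record))
    return out


class FrontEnd:
    def __init__(self) -> None:
        self.rand: Dict[str, bytes] = {}          # RAND per terminal (generation/maintenance module)
        self.pending: Dict[str, List[bytes]] = {}

    def open_account(self, tid: str) -> bytes:    # S502: the RAND goes out by SMS
        self.rand[tid] = os.urandom(16)
        return self.rand[tid]

    def send_challenge(self, tid: str) -> Dict[str, List[bytes]]:   # S504
        rand = self.rand[tid]
        n_params, n_sms = layout_from_rand(rand)
        params = [os.urandom(8) for _ in range(n_params)]
        self.pending[tid] = params
        order = list(range(n_params))
        _sysrand.shuffle(order)                   # which parameter rides which channel
        out: Dict[str, List[bytes]] = {SMS: [], BROADCAST: []}
        for pos, idx in enumerate(order):
            out[SMS if pos < n_sms else BROADCAST].append(rand_seal(rand, bytes([idx]) + params[idx]))
        return out

    def verify_and_deliver(self, tid: str, sealed_reply: bytes, key: bytes) -> Optional[Dict[str, List[bytes]]]:
        """S507-S508: compare echoed parameters, then the response value, then ship the key."""
        rand, stored = self.rand[tid], self.pending.pop(tid)
        reply = rand_open(rand, sealed_reply)
        echoed, resp = reply[:-32], reply[-32:]
        if not hmac.compare_digest(echoed, b"".join(stored)):
            return None                           # parameters differ: terminal treated as illegitimate
        if not hmac.compare_digest(resp, response_value(rand, stored)):
            return None                           # parameters valid, response wrong: also rejected
        return fragment_key(rand, key)


class Terminal:
    def __init__(self) -> None:
        self.rand: Optional[bytes] = None         # terminal RAND maintenance module

    def answer_challenge(self, msgs: Dict[str, List[bytes]]) -> bytes:   # S505-S506
        n_params, n_sms = layout_from_rand(self.rand)
        if len(msgs[SMS]) != n_sms or len(msgs[BROADCAST]) != n_params - n_sms:
            raise ValueError("challenge incomplete: keep waiting on the other channel")
        params: List[bytes] = [b""] * n_params
        for blob in msgs[SMS] + msgs[BROADCAST]:
            rec = rand_open(self.rand, blob)
            params[rec[0]] = rec[1:]
        return rand_seal(self.rand, b"".join(params) + response_value(self.rand, params))

    def reassemble_key(self, pkts: Dict[str, List[bytes]]) -> Optional[bytes]:   # S509
        recs = {r[0]: r for r in (rand_open(self.rand, b) for b in pkts[SMS] + pkts[BROADCAST])}
        if not recs or len(recs) != next(iter(recs.values()))[1]:
            return None                           # a packet is still missing on one channel
        key, seq, prev = b"", 0, NONE
        while seq != NONE:                        # walk the prev/next links
            rec = recs.get(seq)
            if rec is None or rec[2] != prev:
                return None                       # chain broken
            key, prev, seq = key + rec[4:], seq, rec[3]
        return key


def run_session(flip: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """One full exchange; `flip`, if given, corrupts that byte of the terminal's reply in transit."""
    fe, term = FrontEnd(), Terminal()
    term.rand = fe.open_account("terminal-31")
    reply = bytearray(term.answer_challenge(fe.send_challenge("terminal-31")))
    if flip is not None:
        reply[flip] ^= 0x01
    key = os.urandom(200)                         # the 200-byte specific key of S508
    pkts = fe.verify_and_deliver("terminal-31", bytes(reply), key)
    return key, None if pkts is None else term.reassemble_key(pkts)
```

`run_session()` returns the key the front end sent and the key the terminal rebuilt; `run_session(flip=8)` corrupts the first echoed parameter byte and is rejected by the first check, `run_session(flip=-1)` corrupts the response value and is rejected by the second. The terminal refuses to answer until the counts read from RAND are satisfied on both channels, which is the page's reason for deriving those counts from RAND rather than from what arrived.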
With the technical solution of the present invention, authenticating over the broadcast channel together with the SMS channel makes the delivery of the UK and SEK secure and effectively improves the security of information transfer.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within its scope of protection.
Industrial applicability
Compared with the prior art, the present invention carries the data of the authentication procedure over a combination of a unidirectional channel and a bidirectional channel, which improves the security of the information transfer.

Claims
1. An authentication method for mobile multimedia broadcasting conditional access, comprising:
a front end authenticating a terminal that requests a specific key, and, when the authentication succeeds, the front end grouping the specific key and sending the specific key to the terminal through a bidirectional channel and a unidirectional channel.
2. The authentication method for mobile multimedia broadcasting conditional access according to claim 1, wherein the step of performing authentication comprises:
the front end delivering authentication parameters to the terminal; the terminal, after obtaining the authentication parameters, sending an authentication response result to the front end; and the front end judging, according to the authentication response result, whether the authentication has succeeded.
3. The authentication method for mobile multimedia broadcasting conditional access according to claim 2, wherein, when the front end delivers the authentication parameters to the terminal, they are delivered through the bidirectional channel and the unidirectional channel.
4. The authentication method for mobile multimedia broadcasting conditional access according to claim 3, wherein, before the step of the front end delivering the authentication parameters to the terminal, the method further comprises: the front end generating, when the terminal opens an account, a random value corresponding to the terminal and sending the random value to the terminal;
the front end analyzing the random value to obtain the number of authentication parameters and the number of authentication parameters to be transmitted over each channel, and randomly determining, according to the obtained number of authentication parameters and the number of authentication parameters transmitted over each channel, the specific authentication parameters to be delivered through the bidirectional channel and those to be delivered through the unidirectional channel.
5. The authentication method for mobile multimedia broadcasting conditional access according to claim 2, wherein the authentication response result comprises the authentication parameters and an authentication response value;
the step of judging whether the authentication has succeeded comprises: the front end first judging whether the received authentication parameters are consistent with the authentication parameters stored at the front end; if they are not consistent, the terminal is regarded as illegitimate and the authentication fails; if they are consistent, the front end further calculates an authentication response value from the authentication parameters and judges whether the calculated authentication response value is consistent with the authentication response value sent by the terminal; if they are consistent, the authentication succeeds, and if they are not consistent, the authentication fails.
6. The authentication method for mobile multimedia broadcasting conditional access according to claim 5, wherein, in the process of the front end sending the authentication parameters and the specific key to the terminal and of the terminal sending the authentication response result to the front end, the sending side encrypts the information to be sent using the random value before sending it, and the receiving side decrypts the received information using the random value.
7. The authentication method for mobile multimedia broadcasting conditional access according to claim 1, wherein the specific key is a user key or a bearer service key.
8. The authentication method for mobile multimedia broadcasting conditional access according to claim 1, wherein the bidirectional channel is a short message channel and the unidirectional channel is a broadcast channel.
9. A system for mobile multimedia broadcasting conditional access, comprising a front end and a terminal, the front end comprising a front-end service control module, a first bidirectional channel transmitting and receiving module and a unidirectional channel transmitting module, and the terminal comprising a terminal service control module, a second bidirectional channel transmitting and receiving module and a unidirectional channel receiving module, wherein: the terminal service control module is configured to: after the terminal opens an account, send information requesting delivery of a specific key to the front end, and, after the terminal obtains the authentication parameters from the front end, send an authentication response result through the second bidirectional channel transmitting and receiving module to the first bidirectional channel transmitting and receiving module of the front end;
the front-end service control module is configured to: after the front end receives the information from the terminal requesting delivery of the specific key, deliver authentication parameters to the terminal, and, after the front end receives the authentication response result, judge according to the authentication response result whether the authentication has succeeded and, if the authentication has succeeded, send the specific key through the first bidirectional channel transmitting and receiving module and the unidirectional channel transmitting module to the second bidirectional channel transmitting and receiving module and the unidirectional channel receiving module of the terminal.
10. The system according to claim 9, wherein the front end further comprises a front-end random value generation and maintenance module, the front-end random value generation and maintenance module being configured to generate, when the terminal opens an account, a random value corresponding to the terminal and to send the random value through the first bidirectional channel transmitting and receiving module to the second bidirectional channel transmitting and receiving module of the terminal;
the front-end service control module being further configured to analyze the random value to obtain the number of authentication parameters and the number of authentication parameters transmitted over each channel, and to randomly determine, according to the obtained number of authentication parameters and the number of authentication parameters transmitted over each channel, the specific authentication parameters delivered through the first bidirectional channel transmitting and receiving module and through the unidirectional channel transmitting module.
11. A front end for mobile multimedia broadcasting conditional access, the front end comprising a front-end service control module, a first bidirectional channel transmitting and receiving module and a unidirectional channel transmitting module, wherein
the front-end service control module is configured to: after the front end receives information from a terminal requesting delivery of a specific key, deliver authentication parameters to the terminal; and
after the front end receives an authentication response result, judge according to the authentication response result whether the authentication has succeeded and, if the authentication has succeeded, send the specific key through the first bidirectional channel transmitting and receiving module and the unidirectional channel transmitting module to a second bidirectional channel transmitting and receiving module and a unidirectional channel receiving module of the terminal.
12. The front end according to claim 9, wherein the front end further comprises a front-end random value generation and maintenance module,
the front-end random value generation and maintenance module being configured to generate, when a terminal opens an account, a random value corresponding to the terminal and to send the generated random value through the first bidirectional channel transmitting and receiving module to the second bidirectional channel transmitting and receiving module of the terminal;
the front-end service control module being further configured to analyze the random value to obtain the number of authentication parameters and the number of authentication parameters transmitted over each channel and, according to the obtained number of authentication parameters and the number of authentication parameters transmitted over each channel, to randomly determine the specific authentication parameters delivered through the first bidirectional channel transmitting and receiving module and through the unidirectional channel transmitting module.
13. A terminal for mobile multimedia broadcasting conditional access, the terminal comprising a terminal service control module, a second bidirectional channel transmitting and receiving module and a unidirectional channel receiving module, wherein
the terminal service control module is configured to: after the terminal opens an account, send information requesting delivery of a specific key to a front end, and, after the terminal obtains authentication parameters from the front end, send an authentication response result through the second bidirectional channel transmitting and receiving module to a first bidirectional channel transmitting and receiving module of the front end.
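The exchange claimed above, as an added example that is not part of the patent: a front end issues a per-terminal random value at account opening, derives from it how many authentication parameters exist and how many travel over the SMS channel versus the broadcast channel, delivers the fragments, and verifies the terminal's response, rejecting a terminal whose parameters do not match the stored ones before checking the response value. The claims do not fix how the counts or the response value are derived, so the byte-based counts and the HMAC below are assumptions, as is the terminal id.

```python
import hmac
import hashlib
import secrets

def auth_response(random_value: bytes, params: list[str]) -> bytes:
    # ASSUMPTION: the claims do not fix how the response value is computed; an HMAC over
    # the ordered parameters, keyed with the per-terminal random value, stands in here.
    return hmac.new(random_value, "|".join(params).encode(), hashlib.sha256).digest()

def channel_plan(random_value: bytes) -> tuple[int, int]:
    # ASSUMPTION: derive the total number of parameters (4..7) and how many of them go
    # over the bidirectional channel (1..n-1) from the random value; the rest are broadcast.
    n = 4 + random_value[0] % 4
    n_bi = 1 + random_value[1] % (n - 1)
    return n, n_bi

class FrontEnd:
    def __init__(self):
        self.random_values = {}  # terminal_id -> random value issued at account opening
        self.issued_params = {}  # terminal_id -> ordered authentication parameters
    def open_account(self, terminal_id: str) -> bytes:
        r = secrets.token_bytes(16)
        self.random_values[terminal_id] = r
        return r  # delivered over the bidirectional (SMS) channel
    def issue_auth_params(self, terminal_id: str) -> tuple[dict, dict]:
        n, n_bi = channel_plan(self.random_values[terminal_id])
        params = [secrets.token_hex(4) for _ in range(n)]
        order = list(range(n))
        secrets.SystemRandom().shuffle(order)  # random choice of which params use which channel
        self.issued_params[terminal_id] = params
        bi = {i: params[i] for i in order[:n_bi]}   # indexed fragments for the SMS channel
        uni = {i: params[i] for i in order[n_bi:]}  # indexed fragments for the broadcast channel
        return bi, uni
    def verify(self, terminal_id: str, params: list[str], response: bytes) -> bool:
        if params != self.issued_params.get(terminal_id):
            return False  # parameters differ from the stored ones: terminal treated as illegitimate
        expected = auth_response(self.random_values[terminal_id], params)
        return hmac.compare_digest(expected, response)

class Terminal:
    def __init__(self, terminal_id: str):
        self.terminal_id, self.random_value = terminal_id, None
    def respond(self, bi: dict, uni: dict) -> tuple[list[str], bytes]:
        merged = {**bi, **uni}
        params = [merged[i] for i in sorted(merged)]  # reassemble in the front end's order
        return params, auth_response(self.random_value, params)

def run_protocol(tamper: bool = False) -> bool:
    fe, t = FrontEnd(), Terminal("term-001")  # constructed terminal id
    t.random_value = fe.open_account(t.terminal_id)
    bi, uni = fe.issue_auth_params(t.terminal_id)
    if tamper:  # a receiver holding only the broadcast fragments cannot reproduce the SMS ones
        bi = {i: "0000" for i in bi}
    params, resp = t.respond(bi, uni)
    if not fe.verify(t.terminal_id, params, resp):
        return False
    key = secrets.token_bytes(16)    # the specific key (user key or bearer service key)
    k_bi, k_uni = key[:8], key[8:]   # grouped and sent over the SMS and broadcast channels
    return k_bi + k_uni == key       # terminal reassembles the key from both channels
```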
PCT/CN2009/073976 2009-03-17 2009-09-16 Authentication method and system for mobile multimedia broadcasting conditional access WO2010105469A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
BRPI0923999A BRPI0923999A2 (en) 2009-03-17 2009-09-16 A method for authenticating mobile multimedia streaming conditional access, mobile multimedia streaming conditional access system, mobile multimedia streaming conditional access front end, and mobile multimedia streaming conditional access terminal.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910105782.4 2009-03-17
CN2009101057824A CN101505462B (en) 2009-03-17 2009-03-17 Authentication method and system for mobile multimedia broadcast conditional reception

Publications (1)

Publication Number Publication Date
WO2010105469A1 true WO2010105469A1 (en) 2010-09-23

Family

ID=40977479

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073976 WO2010105469A1 (en) 2009-03-17 2009-09-16 Authentication method and system for mobile multimedia broadcasting conditional access

Country Status (3)

Country Link
CN (1) CN101505462B (en)
BR (1) BRPI0923999A2 (en)
WO (1) WO2010105469A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505462B (en) * 2009-03-17 2011-08-24 中兴通讯股份有限公司 Authentication method and system for mobile multimedia broadcast conditional reception
CN102045639B (en) * 2009-10-10 2015-06-10 中兴通讯股份有限公司 Order relation authentication method, system and receiving system of mobile multimedia broadcasting condition
CN101860406B (en) * 2010-04-09 2014-05-21 北京创毅视讯科技有限公司 Central processor and mobile multimedia broadcasting device, system and method
CN101917671B (en) * 2010-08-06 2014-07-16 中兴通讯股份有限公司 Method for managing authentication parameters and terminal
CN102075704A (en) * 2010-12-30 2011-05-25 北京牡丹电子集团有限责任公司 Transmitting equipment combined concrete rectangular open caisson basin of CMMB (China Mobile Multimedia Broadcasting) mobile video transmission system and construction method thereof

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1104496A1 (en) * 1998-08-13 2001-06-06 La Poste Device for access control between electronic key and lock
CN1631038A (en) * 2002-02-07 2005-06-22 诺基亚公司 A hybrid network encrypt/decrypt scheme
CN1980121A (en) * 2005-11-29 2007-06-13 北京书生国际信息技术有限公司 Electronic signing mobile terminal, system and method
KR20080000950A (en) * 2006-06-28 2008-01-03 주식회사 케이티프리텔 Decryption method of encryption broadcasting using ic chip performed by mobile and the mobile thereof
CN101262335A (en) * 2008-04-23 2008-09-10 中兴通讯股份有限公司 Method and system for secret key distribution in mobile phone TV service
CN101505462A (en) * 2009-03-17 2009-08-12 中兴通讯股份有限公司 Authentication method and system for mobile multimedia broadcast conditional reception

Also Published As

Publication number Publication date
CN101505462B (en) 2011-08-24
BRPI0923999A2 (en) 2019-12-17
CN101505462A (en) 2009-08-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 09841752; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 09841752; Country of ref document: EP; Kind code of ref document: A1
REG Reference to national code
    Ref country code: BR; Ref legal event code: B01A; Ref document number: PI0923999; Country of ref document: BR
ENP Entry into the national phase
    Ref document number: PI0923999; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20110913