WO2018001193A1 - Method, device and system for secure playback on internet protocol television channel - Google Patents


Info

Publication number: WO2018001193A1
Application number: PCT/CN2017/089940
Authority: WO (WIPO, PCT)
Prior art keywords: signature, public key, transmission, code stream, verification
Other languages: French (fr), Chinese (zh)
Inventor: 刘小斌
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols

Abstract

Disclosed are a method, a device and a system for secure playback of an Internet protocol television (IPTV) channel. The method comprises: digitally signing a received IPTV code stream with a transmission private key according to a predetermined algorithm to generate a signature information stream; and transmitting the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server verifies them with the transmission public key. The signature information is protected in the IPTV network by keys at two levels: the digital signature over the IPTV code stream and the digital signature over the public-key certificate are produced with two different keys, one per level. This makes IPTV live broadcasting tamper-evident and improves content security.

Description

Method, device and system for secure playback of an interactive network television channel

Technical field

The present invention relates to the field of information security, and in particular to a method, device and system for secure playback of an interactive network television (IPTV) channel.
Background

IPTV (Internet Protocol Television) is a technology that uses a broadband network to combine Internet, multimedia and communication technologies and to deliver a range of interactive services, including digital television, to home users. It suits the rapid growth of today's networks and makes full and effective use of network resources.

IPTV has recently made progress in integrated broadcast-control platforms, technical standards, operating models, and user and market growth, and the industry has entered a stage of orderly and steady development. The integrated broadcast-control platform is maturing, the technology keeps improving, the service content is richer, and the user base is already substantial. IPTV security has therefore become an urgent problem. The transmission path of an IPTV code stream carries several risks: the stream content can be tampered with or replaced, so that unauthenticated content is played at the terminal, which violates national security policy.

In the related art, streaming media transmission is mainly protected by DRM (Digital Rights Management) and by an MD5 (Message Digest 5) integrity check. DRM has not been widely deployed in domestic IPTV and is too costly. The MD5 check works as follows: the source computes an MD5 value over the media data together with a security key, and the peer computes the MD5 value over the received media data and the same security key with the same algorithm; comparing the two values detects whether the media stream was tampered with. A single security key, however, cannot guarantee security: the key itself may be tampered with in transit or elsewhere, and an insecure key is likely to compromise the security of the media stream. (MD5 is also no longer regarded as collision resistant, which is a further reason to prefer a digital signature over a keyed digest.)
Summary of the invention

The present invention provides a method, device and system for secure playback of an interactive network television channel that guarantees the security of the media stream between the two ends of the transmission without modifying the media data.

A method for secure playback of an interactive network television channel, applied to a signature server, comprises:
digitally signing the received IPTV code stream with a transmission private key according to a predetermined algorithm to generate a signature information stream; and
transmitting the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs verification with the transmission public key.
Preferably, the method is preceded by obtaining the transmission private key.
Preferably, obtaining the transmission private key comprises: receiving the transmission private key issued by the key management server, symmetrically encrypted under the Data Encryption Standard (DES).
Preferably, the predetermined algorithm is one of: an elliptic-curve (ECC) algorithm, the RSA algorithm, the DSA (Digital Signature Algorithm), or the DH algorithm.
Preferably, digitally signing the received IPTV code stream with the transmission private key according to the predetermined algorithm to generate the signature information stream comprises:
obtaining the transmission private key by DES symmetric decryption;
computing a digest value of the IPTV code stream;
encrypting the digest with the predetermined algorithm and the transmission private key; and
encapsulating the encrypted digest of the IPTV code stream to generate the signature information stream.
An embodiment of the invention further provides a method for secure playback of an interactive network television channel, applied to a signature detection server, comprising:
verifying the legitimacy of the transmission public key according to a predetermined algorithm, using the digital signature over the transmission public key;
verifying the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
transmitting the verified IPTV code stream to the terminal for playback.
Preferably, the method is preceded by obtaining the transmission public key.
Preferably, obtaining the transmission public key comprises: receiving the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
Preferably, the predetermined algorithm is one of: an elliptic-curve (ECC) algorithm, the RSA algorithm, the DSA (Digital Signature Algorithm), or the DH algorithm.
Preferably, the method further comprises: raising an alarm on the IPTV code stream when verification of the transmission public key fails and/or the legitimacy verification fails.
Preferably, verifying the legitimacy of the transmission public key according to the predetermined algorithm using its digital signature comprises: verifying the legitimacy of the transmission public key with the root public key and the digital signature information over the transmission public key.
Preferably, verifying the signature on the IPTV code stream using the received signature information stream and the verified transmission public key comprises:
extracting the encrypted data from the signature structure of the IPTV code stream;
computing a digest value of the IPTV code stream;
decrypting the extracted data with the predetermined algorithm and the verified transmission public key to obtain the digest value of the original IPTV code stream; and
comparing the computed digest value with the decrypted original digest value; verification passes if they match and fails otherwise.
The invention further provides a device for secure playback of an interactive network television channel, arranged in a signature server, comprising:
a signature module, configured to digitally sign the received IPTV code stream with a transmission private key according to a predetermined algorithm and generate a signature information stream; and
a first transmission module, configured to transmit the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs verification with the transmission public key.
Preferably, the device further comprises a first obtaining module, configured to obtain the transmission private key.
Preferably, the first obtaining module obtains the transmission private key by receiving the transmission private key issued by the key management server under DES symmetric encryption.
Preferably, the signature module comprises:
a private key unit, configured to obtain the transmission private key by DES symmetric decryption;
a digest unit, configured to compute a digest value of the IPTV code stream;
an encryption unit, configured to encrypt the digest with the predetermined algorithm and the transmission private key; and
an encapsulation unit, configured to encapsulate the encrypted digest of the IPTV code stream and generate the signature information stream.
An embodiment of the invention further provides a device for secure playback of an interactive network television channel, arranged in a signature detection server, comprising:
a first verification module, configured to verify the legitimacy of the transmission public key according to a predetermined algorithm using the digital signature over the transmission public key;
a second verification module, configured to verify the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
a second transmission module, configured to transmit the verified IPTV code stream to the terminal for playback.
Preferably, the device further comprises a second obtaining module, configured to obtain the transmission public key.
Preferably, the second obtaining module obtains the transmission public key by receiving the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
Preferably, the device further comprises an alarm module, configured to raise an alarm on the IPTV code stream when verification of the transmission public key fails and/or the legitimacy verification fails.
Preferably, the first verification module verifies the legitimacy of the transmission public key by means of the root public key and the digital signature information over the transmission public key.
Preferably, the second verification module comprises:
an extraction unit, configured to extract the encrypted data from the signature structure of the IPTV code stream;
a computation unit, configured to compute a digest value of the IPTV code stream;
a decryption unit, configured to decrypt the extracted data with the predetermined algorithm and the verified transmission public key to obtain the digest value of the original IPTV code stream; and
a comparison unit, configured to compare the computed digest value with the decrypted original digest value; verification passes if they match and fails otherwise.
An embodiment of the invention further provides a system for secure playback of an interactive network television channel, comprising a signature server and a signature detection server, in which:
the signature server digitally signs the received IPTV code stream with a transmission private key according to a predetermined algorithm and generates a signature information stream;
the signature server transmits the IPTV code stream and the signature information stream to the signature detection server;
the signature detection server verifies the legitimacy of the transmission public key according to the predetermined algorithm using the digital signature over the transmission public key;
the signature detection server verifies the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
the signature detection server transmits the verified IPTV code stream to the terminal for playback.
Preferably, the system further comprises a key management server: the signature server receives the transmission private key issued by the key management server under DES symmetric encryption, and the signature detection server receives the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
An embodiment of the invention further provides a storage medium containing a stored program which, when run, performs the above method for secure playback of an interactive network television channel on the signature server side.
An embodiment of the invention further provides a storage medium containing a stored program which, when run, performs the above method for secure playback of an interactive network television channel on the signature detection server side.
Compared with the prior art, the solution provided by the invention overcomes the insufficient security of existing IPTV code stream transmission: the signature information is protected in the IPTV network by keys at two levels, that is, the digital signature over the IPTV code stream and the digital signature over the public-key certificate are produced with two different keys, one per level. This makes IPTV live broadcasting tamper-evident and effectively improves content security.
Other features and advantages of the invention will be set out in the following description and in part will become apparent from it, or may be learned by practising the invention. The objectives and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Brief description of the drawings

The drawings described here provide a further understanding of the invention and form part of this application; the illustrative embodiments and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of a method for secure playback of an interactive network television channel according to the invention;
Fig. 2 is a flowchart of a method for secure playback of an interactive network television channel according to the invention;
Fig. 3 is a schematic structural diagram of a device for secure playback of an interactive network television channel according to the invention;
Fig. 4 is a schematic structural diagram of a device for secure playback of an interactive network television channel according to the invention;
Fig. 5 is a system flow architecture diagram of a system for secure playback of an interactive network television channel according to the invention;
Fig. 6 is the security key management diagram of Embodiment 2 of the invention;
Fig. 7 is a schematic diagram of the digital signature process of Embodiment 2 of the invention;
Fig. 8 is a schematic diagram of the signature verification process of Embodiment 2 of the invention;
Fig. 9 shows the signature information format of Embodiment 2 of the invention.
Detailed description

To make the objectives, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the drawings. Where they do not conflict, the embodiments in this application and the features of those embodiments may be combined with one another arbitrarily.
The steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions. Although the flowcharts show a logical order, in some cases the steps shown or described may be executed in an order different from the one given here.
As shown in Fig. 1, an embodiment of the invention provides a method for secure playback of an interactive network television channel, applied to a signature server, comprising:
digitally signing the received IPTV code stream with a transmission private key according to a predetermined algorithm to generate a signature information stream; and
transmitting the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs verification with the transmission public key.
Preferably, the method is preceded by obtaining the transmission private key.
Obtaining the transmission private key comprises receiving the transmission private key issued by the key management server under DES symmetric encryption.
The predetermined algorithm is one of: an elliptic-curve (ECC) algorithm, the RSA algorithm, the DSA (Digital Signature Algorithm), or the DH algorithm.
Digitally signing the received IPTV code stream with the transmission private key according to the predetermined algorithm to generate the signature information stream comprises:
obtaining the transmission private key by DES symmetric decryption;
computing a digest value of the IPTV code stream;
encrypting the digest with the predetermined algorithm and the transmission private key; and
encapsulating the encrypted digest of the IPTV code stream to generate the signature information stream.
As shown in Fig. 2, an embodiment of the invention further provides a method for secure playback of an interactive network television channel, applied to a signature detection server, comprising:
verifying the legitimacy of the transmission public key according to a predetermined algorithm, using the digital signature over the transmission public key;
verifying the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
transmitting the verified IPTV code stream to the terminal for playback.
The two verifications in this embodiment are, respectively, verification of the transmission public key needed for decryption and verification of the IPTV code stream: the legitimacy of the transmission public key is verified first, and only then can the legitimate transmission public key be used to verify the IPTV code stream.
Preferably, the method is preceded by obtaining the transmission public key.
Obtaining the transmission public key comprises receiving the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
The predetermined algorithm is one of: an elliptic-curve (ECC) algorithm, the RSA algorithm, the DSA (Digital Signature Algorithm), or the DH algorithm.
Preferably, the method further comprises: raising an alarm on the IPTV code stream when verification of the transmission public key fails and/or the legitimacy verification fails.
Verifying the legitimacy of the transmission public key according to the predetermined algorithm using its digital signature comprises: verifying the legitimacy of the transmission public key with the root public key and the digital signature information over the transmission public key.
Verifying the signature on the IPTV code stream using the received signature information stream and the verified transmission public key comprises:
extracting the encrypted data from the signature structure of the IPTV code stream;
computing a digest value of the IPTV code stream;
decrypting the extracted data with the predetermined algorithm and the verified transmission public key to obtain the digest value of the original IPTV code stream; and
comparing the computed digest value with the decrypted original digest value; verification passes if they match and fails otherwise.
In this embodiment the IPTV code stream is signed with the transmission private key by a specific algorithm, and the media stream and the signature information are transmitted to the peer; the peer verifies the code stream and the signature information with the transmission public key by the same algorithm, and the IPTV code stream is played once verification succeeds.
As shown in Fig. 3, an embodiment of the invention provides a device for secure playback of an interactive network television channel, arranged in a signature server, comprising:
a signature module, configured to digitally sign the received IPTV code stream with a transmission private key according to a predetermined algorithm and generate a signature information stream; and
a first transmission module, configured to transmit the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs verification with the transmission public key.
The device further comprises a first obtaining module, configured to obtain the transmission private key.
The first obtaining module obtains the transmission private key by receiving the transmission private key issued by the key management server under DES symmetric encryption.
The signature module comprises:
a private key unit, configured to obtain the transmission private key by DES symmetric decryption;
a digest unit, configured to compute a digest value of the IPTV code stream;
an encryption unit, configured to encrypt the digest with the predetermined algorithm and the transmission private key; and
an encapsulation unit, configured to encapsulate the encrypted digest of the IPTV code stream and generate the signature information stream.
As shown in Fig. 4, a device for secure playback of an interactive network television channel according to an embodiment of the invention is arranged in a signature detection server and comprises:
a first verification module, configured to verify the legitimacy of the transmission public key according to a predetermined algorithm using the digital signature over the transmission public key;
a second verification module, configured to verify the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
a second transmission module, configured to transmit the verified IPTV code stream to the terminal for playback.
The device further comprises a second obtaining module, configured to obtain the transmission public key.
The second obtaining module obtains the transmission public key by receiving the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
The device further comprises an alarm module, configured to raise an alarm on the IPTV code stream when verification of the transmission public key fails and/or the legitimacy verification fails.
The first verification module verifies the legitimacy of the transmission public key by means of the root public key and the digital signature information over the transmission public key.
The second verification module comprises:
an extraction unit, configured to extract the encrypted data from the signature structure of the IPTV code stream;
a computation unit, configured to compute a digest value of the IPTV code stream;
a decryption unit, configured to decrypt the extracted data with the predetermined algorithm and the verified transmission public key to obtain the digest value of the original IPTV code stream; and
a comparison unit, configured to compare the computed digest value with the decrypted original digest value; verification passes if they match and fails otherwise.
As shown in Fig. 5, a system for secure playback of an interactive network television channel according to an embodiment of the invention comprises a signature server and a signature detection server, in which:
the signature server digitally signs the received IPTV code stream with a transmission private key according to a predetermined algorithm and generates a signature information stream;
the signature server transmits the IPTV code stream and the signature information stream to the signature detection server;
the signature detection server verifies the legitimacy of the transmission public key according to the predetermined algorithm using the digital signature over the transmission public key;
the signature detection server verifies the signature on the IPTV code stream using the received signature information stream and the transmission public key that passed verification; and
the signature detection server transmits the verified IPTV code stream to the terminal for playback.
The system further comprises a key management server: the signature server receives the transmission private key issued by the key management server under DES symmetric encryption, and the signature detection server receives the transmission public key issued by the key management server in a certificate, where the certificate contains the transmission public key and the root private key's signature over the transmission public key.
传输公钥证书的格式为:The format of the transport public key certificate is:
传输公钥Transfer public key
-----BEGIN SIGN----------BEGIN SIGN-----
根私钥对安全传输公钥的签名The signature of the root private key to the secure transmission public key
-----END SIGN----- -----END SIGN-----
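The two-level key arrangement described above (the key management server signs the transport public key with the root private key; the signature detection server trusts the transport public key only after checking that signature with the root public key), as an added example in Go. This is not code from the patent or from ZTE. The curve (P-256), the digest (SHA-256), the DER and base64 encodings, the ASN.1 signature form and the function names are assumptions; the page fixes only the BEGIN SIGN / END SIGN text layout. The DES wrapping of the transport private key is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Certificate text layout from the page:
//   <transport public key>
//   -----BEGIN SIGN-----
//   <root private key's signature over the transport public key>
//   -----END SIGN-----
// Assumed here: P-256 keys, DER (PKIX) key encoding, SHA-256 digest,
// ASN.1 ECDSA signatures, base64 for both text fields.
const (
	beginSign = "-----BEGIN SIGN-----"
	endSign   = "-----END SIGN-----"
)

// IssueTransportCert is the key management server side: it signs the
// DER-encoded transport public key with the root private key.
func IssueTransportCert(rootPriv *ecdsa.PrivateKey, transportPub *ecdsa.PublicKey) (string, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(transportPub)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(pubDER)
	sig, err := ecdsa.SignASN1(rand.Reader, rootPriv, digest[:])
	if err != nil {
		return "", err
	}
	return strings.Join([]string{
		base64.StdEncoding.EncodeToString(pubDER),
		beginSign,
		base64.StdEncoding.EncodeToString(sig),
		endSign,
	}, "\n"), nil
}

// VerifyTransportCert is the signature detection server side: it returns the
// transport public key only if the root public key verifies the embedded
// signature over it. Every parse or verification failure is an error, so a
// key that was not validated against the root is never handed back.
func VerifyTransportCert(cert string, rootPub *ecdsa.PublicKey) (*ecdsa.PublicKey, error) {
	lines := strings.Split(strings.TrimSpace(cert), "\n")
	if len(lines) != 4 || lines[1] != beginSign || lines[3] != endSign {
		return nil, errors.New("malformed transport public key certificate")
	}
	pubDER, err := base64.StdEncoding.DecodeString(lines[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(lines[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pubDER)
	if !ecdsa.VerifyASN1(rootPub, digest[:], sig) {
		return nil, errors.New("transport public key signature does not verify under the root public key")
	}
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("transport public key is not an ECDSA key")
	}
	return pub, nil
}

func main() {
	rootPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)      // held by the key management server
	transportPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // issued to the signature server
	cert, _ := IssueTransportCert(rootPriv, &transportPriv.PublicKey)
	fmt.Println(cert)
	_, err := VerifyTransportCert(cert, &rootPriv.PublicKey)
	fmt.Println("genuine certificate accepted:", err == nil)

	// A certificate signed by any key other than the root (an attacker's own
	// "root") must be rejected even though it is well formed.
	rogueRoot, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueCert, _ := IssueTransportCert(rogueRoot, &transportPriv.PublicKey)
	_, err = VerifyTransportCert(rogueCert, &rootPriv.PublicKey)
	fmt.Println("rogue certificate rejected:", err != nil)
}
```

Run as is, main prints a certificate in the page's layout and then the accept/reject outcome for a genuine and a rogue certificate. The page's DES wrapping of the transport private key is deliberately not reproduced: DES has a 56-bit key and is no longer considered adequate, so a deployment would protect the private key in transit with an authenticated modern cipher (for example AES-GCM) and authenticate the key management server as well.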
Embodiment 1
The method for secure playback of an IPTV channel according to the invention comprises the following steps:
Step 1: the source provides an IPTV media stream, for example an RTP stream output by an IPTV server;
Step 2: the signature server receives the RTP stream and signs it according to a specific algorithm. The signature information stream uses strong secure transmission with two-level keys in the IPTV network, that is, the digital signature of the media stream and the digital signature of the public key certificate are generated with two different levels of keys. The RTP stream and the signature information are output by unicast or multicast;
Step 3: the signature detection server receives the RTP stream and the signature information, performs signature verification according to the specific algorithm, and raises an alarm for any code stream that fails verification;
Step 4: the IPTV terminal plays the media stream that passed verification.
Embodiment 2
1. Signed object. In this embodiment the IPTV channel code streams are media data encapsulated in RTP (Real-time Transport Protocol) format; for example, the IPTV content provider outputs a TS (Transport Stream) from an encoder, and a transcoding server then locates key frames and outputs an RTP stream.
2. Key management, as shown in FIG. 6. This embodiment uses strong secure transmission with two-level keys: the digital signature of the IPTV code stream and the digital signature of the public key certificate are generated with two different levels of keys. The digital signature of the IPTV code stream is produced with the transport private key and verified with the transport public key. The transport private key is issued by the key management server to the signature server after DES symmetric encryption; the transport public key is issued to the signature detection server in the form of a certificate (the certificate contains the secure transport public key and the root private key's signature over it). On receiving the secure transport public key certificate and the root public key, the signature detection server must verify the legitimacy of the secure transport public key with the root public key.
3. Media digital signature, as shown in FIG. 7. The signature server receives the media RTP stream and signs it with the elliptic curve (ECC) algorithm. Because what is ultimately presented on the terminal is the media data, only the TS data is signed. The flow is:
(1) decrypt the secure transport private key: obtain it by DES symmetric decryption;
(2) extract the media data: extract the TS payload from the RTP stream in preparation for signing;
(3) compute the hash digest of that media data;
(4) encrypt the message digest: sign the digest with the elliptic curve digital signature algorithm (ECDSA) and the secure transport private key;
(5) encapsulate the signature: store it in the signature information structure t_SignPacketInfo{}, which contains a flag field, an algorithm index, a sampling step, a sampling width, the signature length, the signature data and an additional-data length.
4. Signature information transmission. Depending on how the media data and the signature data are carried, transmission is either in-band or out-of-band:
a) In-band transmission places the media data and its signature information in the same RTP packet, so the RTP packet has to be extended in the way RFC 3550 allows: the P (padding) bit is set to 1 and the signature information structure is appended at the tail of the RTP packet. Note that under RFC 3550 the last octet of the padding carries the padding count (including itself), so the appended structure plus that count octet can occupy at most 255 octets, and a padding-aware receiver discards it before the TS payload reaches the decoder.
b) Out-of-band transmission carries the media data and the signature data separately; the transmitted content is monitored and, when tampering is detected, an alarm is raised promptly, while the original media stream is left unmodified. The signature information is encapsulated in an RTP packet of its own: the PT field is set to 99 (a dynamic payload type), the rest of the RTP header is kept identical to the corresponding media RTP packet, and the signature information structure is placed in the payload.
5. Verification of the code stream signature, as shown in FIG. 8. The deployment of the signature detection module differs according to the signature transmission mode:
a) With in-band transmission the signature verification module must be integrated in the terminal; it receives the IPTV media stream, verifies the signature of each RTP packet in turn, and raises an alarm for any code stream that fails verification.
b) With out-of-band transmission a separate signature detection server is deployed in front of the terminal. It receives the IPTV media stream and the signature information stream at the same time and buffers the IPTV source stream data. When a signature information packet arrives, it locates the corresponding IPTV source packet by the RTP header (Seq + Timestamp) and the RTP extension header, performs signature verification, and raises an alarm for any code stream source that fails. As shown in FIG. 9, the packet begins with the RTP extension header, followed by the signature information header and then the signature information itself.
Signature verification likewise uses the elliptic curve (ECC) algorithm. The flow is:
(1) verify the secure transport public key: confirm the legitimacy of the transport public key with the root public key and the signature information over the transport public key;
(2) extract the media data and the encrypted data: the media data from the RTP packet and the encrypted data from the signature structure;
(3) compute the digest of the media data; the digest algorithm is chosen from Table 1 and is implemented by calling the existing algorithm classes of the open-source OpenSSL library.
Table 1 (digest algorithm options; present in the source only as figure PCTCN2017089940-appb-000001)
(4) decrypt the encrypted data: using ECDSA and the verified secure transport public key, recover the digest value of the original media data from the encrypted data. (ECDSA verification does not return the digest from the signature; with ECDSA this step and the next are carried out as a single verification of the signature against the recomputed digest.)
(5) verify the digest: compare the computed digest value with the digest of the original media obtained in step (4); if they match, verification passes, otherwise it fails.
6. Terminal playback. The terminal plays the media data that passed verification and refuses to play media data that does not match its signature, that is, media data that failed verification.
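Steps 3 to 5 above (signing only the TS payload of each RTP packet, carrying the signature out-of-band in a PT=99 packet whose header mirrors the media packet, pairing the two at the detection server by Seq + Timestamp, and alarming on failure), as one added example in Go. This is not code from the patent or from ZTE. RTP parsing follows the RFC 3550 fixed header; the byte layout of t_SignPacketInfo, the choice of P-256 with SHA-256, the function names and the sample packet are assumptions. It assumes the transport public key was already validated against the root key (step (1) of the verification flow) and that the media stream carries no RTP header extension or padding.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const sigPT = 99 // payload type of the signature RTP stream, as on the page
type rtpKey struct{ Seq uint16; TS uint32 } // the page pairs packets by Seq+Timestamp

// parseRTP splits an RTP v2 packet into header (incl. CSRC list), pairing key and payload.
func parseRTP(p []byte) ([]byte, rtpKey, []byte, error) {
	if len(p) < 12 || p[0]>>6 != 2 || len(p) < 12+4*int(p[0]&0x0f) {
		return nil, rtpKey{}, nil, errors.New("malformed RTP packet")
	}
	off := 12 + 4*int(p[0]&0x0f) // no header extension or padding in these streams
	key := rtpKey{binary.BigEndian.Uint16(p[2:]), binary.BigEndian.Uint32(p[4:])}
	return p[:off], key, p[off:], nil
}

// t_SignPacketInfo from the page, with assumed field widths:
// flag(2) | alg(1) | step(1) | width(1) | sigLen(2) | sig | extraLen(2)
func encodeSignInfo(sig []byte) []byte {
	b := []byte{'S', 'G', 1, 1, 0, byte(len(sig) >> 8), byte(len(sig))} // alg 1 = ECDSA P-256/SHA-256
	return append(append(b, sig...), 0, 0) // no additional data
}

func decodeSignInfo(b []byte) ([]byte, error) {
	if len(b) >= 9 && b[0] == 'S' && b[1] == 'G' && b[2] == 1 {
		if n := int(b[5])<<8 | int(b[6]); len(b) >= 9+n {
			return b[7 : 7+n], nil
		}
	}
	return nil, errors.New("bad or truncated signature structure")
}

// SignMediaPacket (signature server): hash the TS payload only, sign the digest with the
// transport private key, and emit a PT=99 packet that carries the media packet's header.
func SignMediaPacket(priv *ecdsa.PrivateKey, media []byte) ([]byte, error) {
	hdr, _, payload, err := parseRTP(media)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), encodeSignInfo(sig)...)
	out[1] = out[1]&0x80 | sigPT // keep the marker bit, replace the payload type
	return out, nil
}

// Detector (signature detection server). Receive returns (false, nil) after buffering a media
// packet, (true, nil) when a signature packet verifies its media packet, else an alarm error.
type Detector struct {
	Pub *ecdsa.PublicKey  // transport public key, already validated against the root
	Buf map[rtpKey][]byte // TS payloads awaiting their signature packet
}

func (det *Detector) Receive(p []byte) (bool, error) {
	hdr, key, payload, err := parseRTP(p)
	if err != nil {
		return false, err
	}
	if hdr[1]&0x7f != sigPT { // media packet: keep its TS payload for pairing
		det.Buf[key] = payload
		return false, nil
	}
	media, ok := det.Buf[key]
	if !ok {
		return false, fmt.Errorf("alarm: no media packet for seq=%d ts=%d", key.Seq, key.TS)
	}
	delete(det.Buf, key)
	sig, err := decodeSignInfo(payload)
	if err != nil {
		return false, err
	}
	if d := sha256.Sum256(media); !ecdsa.VerifyASN1(det.Pub, d[:], sig) {
		return false, fmt.Errorf("alarm: TS payload altered for seq=%d ts=%d", key.Seq, key.TS)
	}
	return true, nil
}

// SampleMedia is a constructed PT 33 (MPEG-2 TS) packet: seq 1000, timestamp 90000,
// SSRC 0x11223344, followed by a few TS bytes beginning with the 0x47 sync byte.
var SampleMedia = []byte{0x80, 33, 0x03, 0xe8, 0x00, 0x01, 0x5f, 0x90,
	0x11, 0x22, 0x33, 0x44, 0x47, 0x40, 0x00, 0x10, 0xaa, 0xbb}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	det := &Detector{Pub: &priv.PublicKey, Buf: map[rtpKey][]byte{}}
	sigPkt, _ := SignMediaPacket(priv, SampleMedia)
	det.Receive(SampleMedia)
	fmt.Println(det.Receive(sigPkt)) // true <nil>
	tampered := append([]byte{}, SampleMedia...)
	tampered[len(tampered)-1] ^= 1 // one bit flipped in the TS payload in transit
	det.Receive(tampered)
	fmt.Println(det.Receive(sigPkt)) // false alarm: TS payload altered for seq=1000 ts=90000
}
```

In-band carriage would differ only in packaging: the same encodeSignInfo output would be appended to the media packet as RTP padding (P bit set, trailing padding-count octet) instead of travelling in its own PT=99 packet. The detector keys its buffer on (Seq, Timestamp) exactly as the page describes; a deployment would also bound that buffer and expire entries whose signature packet never arrives, since a media packet that is never verified must not be forwarded as verified.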
Although the embodiments of the invention are disclosed above, the content described is only the implementation adopted to facilitate understanding of the invention and is not intended to limit it. Any person skilled in the art to which the invention pertains may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed herein; the scope of patent protection of the invention is nonetheless defined by the appended claims.
Industrial applicability
In the secure playback process of an IPTV channel according to the embodiments of the invention, the signature information uses strong secure transmission with two-level keys in the IPTV network, that is, the digital signature of the IPTV code stream and the digital signature of the public key certificate are generated with two different levels of keys. This achieves tamper resistance for IPTV live broadcast and effectively improves content security, thereby solving the problem of insufficient security in existing techniques for secure transmission of IPTV code streams.

Claims (26)

  1. A method for secure playback of an IPTV channel, applied to a signature server, the method comprising:
    digitally signing a received IPTV code stream with a transport private key according to a predetermined algorithm, generating a signature information stream;
    transmitting the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs detection and verification using a transport public key.
  2. The method of claim 1, further comprising, beforehand: obtaining the transport private key.
  3. The method of claim 2, wherein obtaining the transport private key comprises:
    receiving the transport private key issued by a key management server after symmetric encryption with the Data Encryption Standard (DES).
  4. The method of claim 1, wherein the predetermined algorithm comprises:
    the elliptic curve (ECC) algorithm, the RSA algorithm, the Digital Signature Algorithm (DSA), or the DH algorithm.
  5. The method of claim 1, wherein digitally signing the received IPTV code stream with the transport private key according to the predetermined algorithm and generating the signature information stream comprises:
    obtaining the transport private key by DES symmetric decryption;
    calculating a digest value of the IPTV code stream;
    encrypting the digest with the predetermined algorithm and the transport private key;
    encapsulating the encrypted digest information of the IPTV code stream to generate the signature information stream.
  6. A method for secure playback of an IPTV channel, applied to a signature detection server, the method comprising:
    verifying the legitimacy of a transport public key according to a predetermined algorithm using the digital signature of the transport public key;
    performing signature verification on the IPTV code stream using the received signature information stream and the verified transport public key;
    transmitting the verified IPTV code stream to a terminal for playback.
  7. The method of claim 6, further comprising, beforehand: obtaining the transport public key.
  8. The method of claim 7, wherein obtaining the transport public key comprises:
    receiving the transport public key issued by a key management server in the form of a certificate, the certificate comprising the transport public key and the root private key's signature over the transport public key.
  9. The method of claim 6, wherein the predetermined algorithm comprises:
    the elliptic curve (ECC) algorithm, the RSA algorithm, the Digital Signature Algorithm (DSA), or the DH algorithm.
  10. The method of claim 6, further comprising: raising an alarm for the IPTV code stream when verification of the transport public key fails and/or the legitimacy verification fails.
  11. The method of claim 8, wherein verifying the legitimacy of the transport public key according to the predetermined algorithm using the digital signature of the transport public key comprises:
    verifying the legitimacy of the transport public key with the root public key and the digital signature information of the transport public key.
  12. The method of claim 6, wherein performing signature verification on the IPTV code stream using the received signature information stream and the verified transport public key comprises:
    extracting encrypted data from the signature structure of the IPTV code stream;
    calculating the digest value of the IPTV code stream;
    decrypting the digest value with the predetermined algorithm and the verified transport public key, obtaining the digest value of the original IPTV code stream;
    comparing the calculated digest value with the decrypted original digest value; if they match, verification passes, otherwise verification fails.
  13. A device for secure playback of an IPTV channel, arranged at a signature server, comprising:
    a signature module, configured to digitally sign a received IPTV code stream with a transport private key according to a predetermined algorithm, generating a signature information stream;
    a first transmission module, configured to transmit the IPTV code stream and the signature information stream to a signature detection server, so that the signature detection server performs detection and verification using a transport public key.
  14. The device of claim 13, further comprising: a first acquisition module, configured to obtain the transport private key.
  15. The device of claim 14, wherein the first acquisition module obtains the transport private key by:
    receiving the transport private key issued by a key management server after symmetric encryption with the Data Encryption Standard (DES).
  16. The device of claim 13, wherein the signature module comprises:
    a private key unit, configured to obtain the transport private key by DES symmetric decryption;
    a digest unit, configured to calculate the digest value of the IPTV code stream;
    an encryption unit, configured to encrypt the digest with the predetermined algorithm and the transport private key;
    an encapsulation unit, configured to encapsulate the encrypted digest information of the IPTV code stream to generate the signature information stream.
  17. A device for secure playback of an IPTV channel, arranged at a signature detection server, comprising:
    a first verification module, configured to verify the legitimacy of a transport public key according to a predetermined algorithm using the digital signature of the transport public key;
    a second verification module, configured to perform signature verification on the IPTV code stream using the received signature information stream and the verified transport public key;
    a second transmission module, configured to transmit the verified IPTV code stream to a terminal for playback.
  18. The device of claim 17, further comprising: a second acquisition module, configured to obtain the transport public key.
  19. The device of claim 18, wherein the second acquisition module obtains the transport public key by:
    receiving the transport public key issued by a key management server in the form of a certificate, the certificate comprising the transport public key and the root private key's signature over the transport public key.
  20. The device of claim 17, further comprising: an alarm module, configured to raise an alarm for the IPTV code stream when verification of the transport public key fails and/or the legitimacy verification fails.
  21. The device of claim 19, wherein the first verification module verifies the legitimacy of the transport public key according to the predetermined algorithm using the digital signature of the transport public key by:
    verifying the legitimacy of the transport public key with the root public key and the digital signature information of the transport public key.
  22. The device of claim 17, wherein the second verification module comprises:
    an extraction unit, configured to extract encrypted data from the signature structure of the IPTV code stream;
    a calculation unit, configured to calculate the digest value of the IPTV code stream;
    a decryption unit, configured to decrypt the digest value with the predetermined algorithm and the verified transport public key, obtaining the digest value of the original IPTV code stream;
    a comparison unit, configured to compare the calculated digest value with the decrypted original digest value; if they match, verification passes, otherwise verification fails.
  23. A system for secure playback of an IPTV channel, comprising a signature server and a signature detection server, wherein:
    the signature server digitally signs a received IPTV code stream with a transport private key according to a predetermined algorithm, generating a signature information stream;
    the signature server transmits the IPTV code stream and the signature information stream to the signature detection server;
    the signature detection server verifies the legitimacy of a transport public key according to the predetermined algorithm using the digital signature of the transport public key;
    the signature detection server performs signature verification on the IPTV code stream using the received signature information stream and the verified transport public key;
    the signature detection server transmits the verified IPTV code stream to a terminal for playback.
  24. The system of claim 23, further comprising a key management server, wherein the signature server receives the transport private key issued by the key management server after symmetric encryption with the Data Encryption Standard (DES), and the signature detection server receives the transport public key issued by the key management server in the form of a certificate, the certificate comprising the transport public key and the root private key's signature over the transport public key.
  25. A storage medium comprising a stored program which, when run, performs the method of any one of claims 1 to 5.
  26. A storage medium comprising a stored program which, when run, performs the method of any one of claims 6 to 12.
PCT/CN2017/089940 2016-06-28 2017-06-26 Method, device and system for secure playback on internet protocol television channel WO2018001193A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610486957.0A CN107547918A (en) 2016-06-28 2016-06-28 The methods, devices and systems that a kind of IPTV channel plays safely
CN201610486957.0 2016-06-28

Publications (1)

Publication Number Publication Date
WO2018001193A1 true WO2018001193A1 (en) 2018-01-04

Family

ID=60786565

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/089940 WO2018001193A1 (en) 2016-06-28 2017-06-26 Method, device and system for secure playback on internet protocol television channel

Country Status (2)

Country Link
CN (1) CN107547918A (en)
WO (1) WO2018001193A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046649A (en) * 2019-03-12 2019-07-23 阿里巴巴集团控股有限公司 A kind of multimedia messages prison broadcasting method, apparatus and system based on block chain
CN111324912A (en) * 2018-12-14 2020-06-23 中国电信股份有限公司 File checking method, system and computer readable storage medium
CN112235607A (en) * 2020-09-16 2021-01-15 浙江大华技术股份有限公司 Data security protection method, device, equipment and storage medium
CN114640487A (en) * 2020-12-16 2022-06-17 慧盾信息安全科技(北京)有限公司 GB35114 standard real-time detection system and method for avoiding interruption of operation of video monitoring equipment
CN115914677A (en) * 2022-09-19 2023-04-04 上海辰锐信息科技有限公司 Intelligent video safety networking device and server

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868641B (en) * 2018-08-28 2021-12-07 中国电信股份有限公司 Method and system for detecting validity of live broadcast source
CN111526378B (en) * 2019-02-02 2022-01-14 华为技术有限公司 Signature information transmission method and device
CN110536030B (en) * 2019-08-16 2021-11-16 咪咕文化科技有限公司 Video color ring transmission method, system, electronic equipment and storage medium
CN113868682A (en) * 2021-09-28 2021-12-31 山东云缦智能科技有限公司 Multimedia file encryption and decryption method based on RSA
CN116489426B (en) * 2023-05-06 2024-02-06 中国计量科学研究院 Trusted video generation and verification system and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080101414A1 (en) * 2006-10-25 2008-05-01 Verizon Services Organization Inc. Methods and apparatus for content scrambling in a communications system
CN101207794A (en) * 2006-12-19 2008-06-25 中兴通讯股份有限公司 Method for enciphering and deciphering number copyright management of IPTV system
CN101425114A (en) * 2008-12-12 2009-05-06 四川长虹电器股份有限公司 Software upgrading bag packaging method and software upgrading method
CN101751273A (en) * 2008-12-15 2010-06-23 中国科学院声学研究所 Safety guide device and method for embedded system
CN101794486A (en) * 2010-02-02 2010-08-04 李东风 Brand new electronic fund transferring method capable of realizing safe earmarking and unloading
US20120303511A1 (en) * 2011-04-21 2012-11-29 Environmental Financial Products, LLC Method and system for determining market estimates with market based measures

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640785B (en) * 2008-07-30 2011-08-17 航天信息股份有限公司 Encrypting/decrypting system and encrypting/decrypting method for interactive network television
CN101902477B (en) * 2010-07-26 2016-08-03 北京邦天信息技术有限公司 Transmission system, reception system, the recognition methods of media stream and system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111324912A (en) * 2018-12-14 2020-06-23 中国电信股份有限公司 File checking method, system and computer readable storage medium
CN111324912B (en) * 2018-12-14 2023-03-28 中国电信股份有限公司 File checking method, system and computer readable storage medium
CN110046649A (en) * 2019-03-12 2019-07-23 阿里巴巴集团控股有限公司 A kind of multimedia messages prison broadcasting method, apparatus and system based on block chain
CN112235607A (en) * 2020-09-16 2021-01-15 浙江大华技术股份有限公司 Data security protection method, device, equipment and storage medium
CN114640487A (en) * 2020-12-16 2022-06-17 慧盾信息安全科技(北京)有限公司 GB35114 standard real-time detection system and method for avoiding interruption of operation of video monitoring equipment
CN114640487B (en) * 2020-12-16 2024-03-12 慧盾信息安全科技(北京)有限公司 GB35114 standard real-time detection system and method for avoiding interruption of operation of video monitoring equipment
CN115914677A (en) * 2022-09-19 2023-04-04 上海辰锐信息科技有限公司 Intelligent video safety networking device and server

Also Published As

Publication number Publication date
CN107547918A (en) 2018-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17819190

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17819190

Country of ref document: EP

Kind code of ref document: A1