WO2022242607A1 - 视频数据切片加密方法、装置、系统以及电子设备 - Google Patents

视频数据切片加密方法、装置、系统以及电子设备 Download PDF

Info

Publication number
WO2022242607A1
WO2022242607A1 PCT/CN2022/093116 CN2022093116W WO2022242607A1 WO 2022242607 A1 WO2022242607 A1 WO 2022242607A1 CN 2022093116 W CN2022093116 W CN 2022093116W WO 2022242607 A1 WO2022242607 A1 WO 2022242607A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
ciphertext
video
management system
protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2022/093116
Other languages
English (en)
French (fr)
Chinese (zh)
Inventor
王滨
陈思
陈加栋
姚相振
李琳
黄晶晶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd filed Critical Hangzhou Hikvision Digital Technology Co Ltd
Priority to JP2023571699A priority Critical patent/JP7515751B2/ja
Publication of WO2022242607A1 publication Critical patent/WO2022242607A1/zh
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835Generation of protective data, e.g. certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/845Structuring of content, e.g. decomposing content into time segments
    • H04N21/8456Structuring of content, e.g. decomposing content into time segments by decomposing the content in the time domain, e.g. in time segments

Definitions

  • the present application relates to the field of information security, in particular to a video data slice encryption method, device, system and electronic equipment.
  • the present application provides a video data slice encryption method, device and system.
  • a video data slice encryption method which is applied to a target encryption node in a video data slice encryption system including a key management system and a plurality of encryption nodes, and the target encryption node is the Any encryption node in the plurality of encryption nodes, the multiple video data slices obtained by segmenting the same video stream or video file are distributed to at least two encryption nodes in the plurality of encryption nodes for encryption processing, the method include:
  • the target encryption node obtains a first key ID, and obtains a first protection key from a key management system according to the first key ID; the target encryption node generates a first random number, and uses the first key ID A random number is used as the first video key, and the video data slice to be encrypted is encrypted to obtain the first video ciphertext; wherein, the protection keys corresponding to the same key ID are the same;
  • the target encryption node uses the first protection key to encrypt the first video key to obtain a first key ciphertext
  • the target encryption node saves the first key ciphertext and the first key ID to the first video ciphertext.
  • a video data slice encryption device which is applied to a target encryption node in a video data slice encryption system including a key management system and a plurality of encryption nodes, and the target encryption node is the Any one of the plurality of encryption nodes, multiple video data slices obtained by segmenting the same video stream or video file are distributed to at least two encryption nodes in the plurality of encryption nodes for encryption processing, the device include:
  • An obtaining unit configured to obtain a first key ID, and obtain a first protection key from the key management system according to the first key ID; wherein, the protection keys corresponding to the same key ID are the same;
  • An encryption unit configured to generate a first random number, and use the first random number as a first video key to encrypt the video data slice to be encrypted to obtain a first video ciphertext
  • the encryption unit is further configured to use the first protection key to encrypt the first video key to obtain a first key ciphertext;
  • a processing unit configured to save the first key ciphertext and the first key ID in the first video ciphertext.
  • a video data slice encryption system including a key management system and multiple encryption nodes, and multiple video data slices obtained by segmenting the same video stream or video file are distributed to the At least two encryption nodes among the plurality of encryption nodes perform encryption processing, wherein:
  • the encryption node is configured to obtain a first key ID when serving as a target encryption node, and obtain a first protection key from a key management system according to the first key ID; and generate a first random number, And use the first random number as the first video key to encrypt the video data slice to be encrypted to obtain the first video ciphertext; wherein, the corresponding protection keys of the same key ID are the same;
  • the key management system is configured to send the protection key corresponding to the first key ID to the target encryption node if the target encryption node passes the verification;
  • the encryption node is further configured to use the first protection key to encrypt the first video key to obtain a first key ciphertext when serving as a target encryption node;
  • the encryption node is further configured to store the first key ciphertext and the first key ID in the first video ciphertext when serving as a target encryption node.
  • an electronic device which is applied to a target encryption node in a video data slice encryption system including a key management system and a plurality of encryption nodes, the target encryption node being the plurality of encryption nodes
  • the target encryption node being the plurality of encryption nodes
  • the electronic device includes processing A processor and a machine-readable storage medium storing machine-executable instructions, wherein the processor is configured to execute the machine-executable instructions to perform the following operations:
  • multiple video data slices obtained by segmenting the same video stream or video file are assigned to at least two encryption nodes for encryption processing, and the same video stream or video file is encrypted by at least two encryption nodes.
  • Different video data slices of video files are encrypted, which realizes distributed encryption and improves the encryption efficiency of video data slices; in addition, when encrypting video data slices, the encryption node can use the generated random number as the video key, and
  • the video key is encrypted using the protection key obtained from the key management system, which ensures the security of the video key and improves the security of video data slices.
  • FIG. 1 is a schematic flow diagram of a video data slice encryption method shown in an exemplary embodiment of the present application
  • Fig. 2 is a schematic flow diagram of a target encryption node obtaining a first protection key from a key management system according to a first key ID according to an exemplary embodiment of the present application;
  • Fig. 3 is a schematic flowchart of a video data slice decryption method shown in an exemplary embodiment of the present application
  • FIG. 4 is a schematic structural diagram of a specific application scenario of a video data slice encryption method shown in an exemplary embodiment of the present application
  • Fig. 5 is a schematic flow diagram of phases 1 to 4 of a video data slice encryption scheme shown in an exemplary embodiment of the present application;
  • FIG. 6 is a schematic structural diagram of a video data slice encryption device shown in an exemplary embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of another video data slice encryption device shown in another exemplary embodiment of the present application.
  • FIG. 8 is a schematic diagram of a hardware structure of an electronic device shown in an exemplary embodiment of the present application.
  • Fig. 9 is a schematic structural diagram of a system for encrypting video data slices according to an exemplary embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a video data slice encryption method provided by an embodiment of the present application. As shown in FIG. 1 , the flow of the video data slice encryption method may include steps S100 to S130.
  • the video data slice encryption system may include multiple encryption nodes, and multiple video data slices obtained by segmenting the same video stream or video file may be allocated to the At least two encryption nodes among the plurality of encryption nodes perform encryption processing.
  • the at least two encryption nodes use different keys (which may be referred to as Video Encryption Key (Video Encryption Key, VEK for short) or video key) when encrypting different allocated video data slices.
  • Video Encryption Key Video Encryption Key, VEK for short
  • video key video key
  • the VEK used by each encryption node to encrypt the video data slice can be encrypted and stored, and the key used to encrypt the VEK (which can be called the video key
  • the encryption key Video Key Encryption Key, VKEK for short) or protection key
  • VKEK Video Key Encryption Key
  • the subject of execution of steps S100 to S130 may be any one of the above-mentioned multiple encryption nodes (referred to as a target encryption node herein).
  • serial numbers of the steps in the embodiments of the present application do not mean the order of execution, and the execution order of each process should be determined by its functions and internal logic, and should not constitute any obligation for the implementation of the embodiments of the present application. limited.
  • Step S100 the target encryption node obtains the first key identification (ID), and obtains the first protection key from the key management system according to the first key ID; wherein, the first protection key is controlled by the key management system If the target encryption node passes the verification, it is sent to the target encryption node; the protection keys corresponding to the same key ID are the same.
  • ID first key identification
  • the first protection key is controlled by the key management system
  • Step S110 the target encryption node generates a first random number, and uses the first random number as a first video key to encrypt the video data slice to be encrypted to obtain a first video ciphertext.
  • the target encryption node when the target encryption node needs to encrypt the allocated video data slice, on the one hand, the target encryption node can generate a random number (referred to as the first random number in this article), and use the first random number
  • the number is used as the video key (referred to as the first video key in this paper) to encrypt the video data slice (referred to as the video data slice to be encrypted in this paper) that needs to be encrypted to obtain the corresponding video ciphertext (referred to as the video data slice in this paper). is the first video ciphertext).
  • the video keys used for encryption of different video data slices may be different, so that the leakage of a single video key will not affect the security of other video data slices.
  • the target encryption node may obtain a protection key (referred to as the first protection key herein) for encrypting the first video key from the key management system.
  • the key management system can maintain the mapping relationship between the key ID and the protection key, that is, the key management system can maintain the mapping relationship between the key ID and the protection key; the encryption node can Obtain the protection key corresponding to the key ID from the key management system according to the key ID.
  • mapping relationship between key IDs and protection keys may be one-to-one mapping, that is, the same key ID corresponds to the same protection key; different key IDs correspond to different protection keys.
  • the target encryption node may generate a key ID for obtaining the first protection key (herein referred to as the first key ID).
  • the target encryption node may generate the first key ID according to the timestamp.
  • the key management system may determine and record the first protection key when receiving the protection key acquisition request (which may be referred to as the first protection key acquisition request) carrying the first key ID sent by the target encryption node.
  • the mapping relationship between the key and the first key ID may be referred to as the first protection key acquisition request.
  • the key management system may pre-generate a certain number of protection keys, and when receiving a first protection key acquisition request, select an unused protection key from the certain number of protection keys as the first The key is protected, and the mapping relationship between the first protected key and the first key ID is recorded.
  • the key management system may generate the first protection key when receiving the first protection key acquisition request, and record the mapping relationship between the first protection key and the first key ID.
  • the target encryption node when the target encryption node needs to obtain the first protection key, it first obtains the first key ID from the key management system, and then obtains the second key ID from the key management system according to the first key ID. A protection key.
  • Step S120 the target encryption node uses the first protection key to encrypt the first video key to obtain the first key ciphertext.
  • Step S130 the target encryption node saves the first key ciphertext and the first key ID in the first video ciphertext.
  • the target encryption node when the first protection key is obtained in the above manner, can use the first protection key to encrypt the first video key to obtain the corresponding key ciphertext (herein referred to as first key ciphertext), to improve the security of the first video key.
  • first key ciphertext key ciphertext
  • the target encryption node can save the first key ciphertext and the first key ID to the first video ciphertext, so that the legal node can Obtaining the first protection key from the key management server according to the first key ID in the first video ciphertext, and decrypting the first key ciphertext according to the first protection key to obtain the first video key, Furthermore, the first video ciphertext is decrypted according to the first video key to obtain the first video data slice.
  • the above-mentioned legal node may include any one of the above-mentioned multiple encryption nodes or other nodes that have the right to obtain video data.
  • the target encryption node may save the first key ciphertext and the first key ID into the first video ciphertext in a concatenated manner, that is, splice the first key ciphertext and the first key ID into the first video ciphertext.
  • a concatenated manner that is, splice the first key ciphertext and the first key ID into the first video ciphertext.
  • multiple video data slices obtained by segmenting the same video stream or video file are assigned to at least two encryption nodes for encryption processing, and at least two encryption nodes perform encryption on the same video stream or video file.
  • Different video data slices of video files are encrypted, which realizes distributed encryption and improves the encryption efficiency of video data slices; in addition, when encrypting video data slices, the encryption node can use the generated random number as the video key, and
  • the video key is encrypted using the protection key obtained from the key management system, which ensures the security of the video key and improves the security of video data slices.
  • step S100 the target encryption node obtains the first protection key from the key management system according to the first key ID, which may be implemented through the following steps:
  • Step S101 the target encryption node generates a second random number, and uses the elliptic curve point product algorithm to generate key parameters according to the second random number and the base point on the elliptic curve;
  • Step S102 the target encryption node signs the device ID, first key ID and key parameters of the target encryption node using an elliptic curve-based cryptographic algorithm (Elliptic curve cryptography, referred to as ECC) according to the private key of the target encryption node, Get the first signature data;
  • ECC elliptic curve cryptography
  • Step S103 the target encryption node sends the device ID, first key ID, key parameters and first signature data to the key management system, so that the key management system can obtain the public key of the target encryption node according to the device ID, According to the public key of the target encryption node, use the cryptographic algorithm based on the elliptic curve to verify the first signature data, and when the verification is passed, use the third key to pair the first protection key corresponding to the first key ID
  • the key is encrypted to obtain the protected key ciphertext;
  • the third key is generated by the key management system using the elliptic curve point product algorithm based on the key parameters and the private key of the key management system;
  • Step S104 the target encryption node receives the protection key ciphertext sent by the key management system
  • Step S105 the target encryption node generates a fourth key by using the elliptic curve point product algorithm according to the public key of the key management system and the second random number;
  • Step S106 the target encryption node decrypts the protection key ciphertext according to the fourth key to obtain the first protection key.
  • the acquirer device may be verified according to an asymmetric algorithm.
  • the target encryption node may generate a random number (referred to herein as a second random number), and use the elliptic curve Dot product algorithm to generate key parameters.
  • a random number referred to herein as a second random number
  • the elliptic curve for example, a curve commonly used in the Elliptic Curve Digital Signature (ECDSA) algorithm may be selected, and the selection of the elliptic curve is not specifically limited in the embodiment of the present application.
  • EDSA Elliptic Curve Digital Signature
  • the key parameter R can be generated according to the following strategy:
  • represents the elliptic curve point multiplication operation.
  • the target encryption node when the target encryption node generates the key parameters in the above manner, the device ID, the first key ID and the generated The key parameter is used to sign to obtain the corresponding signature data (referred to as the first signature data herein).
  • the target encryption node may send the device ID, first key ID, key parameters and first signature data to the key management system.
  • the key management system When the key management system obtains the device ID, first key ID, key parameters and first signature data sent by the target encryption node, on the one hand, it can query the public key of the target encryption node according to the device ID.
  • each encryption node in the video data slice encryption system may register with the key management system before encrypting the video data slice.
  • the key management system can save the public key of the encryption node, and the encryption node can save the public key of the key management system.
  • the key management system when the key management system finds the public key of the target encryption node, it can verify the first signature data by using a cryptographic algorithm based on elliptic curves according to the public key of the target encryption node.
  • the key management system can use the elliptic curve point product algorithm to generate a corresponding key (referred to as the third key herein) according to the received key parameters and the private key of the key management system.
  • the third key k can be generated through the following strategy:
  • the key management system When the key management system passes the verification of the first signature data, it can be determined that the target encryption node is a legal node. At this time, the key management system can use the third key pair to protect the key corresponding to the first key ID ( For example, the above-mentioned first protection key) is encrypted to obtain the protection key ciphertext, and the protection key ciphertext is sent to the target encryption node.
  • the third key pair For example, the above-mentioned first protection key
  • the protection key ciphertext is sent to the target encryption node.
  • the target encryption node when it receives the protection key ciphertext, it can use the elliptic curve point product algorithm to generate the corresponding key (referred to as the fourth key).
  • the fourth key k' can be generated through the following strategy:
  • k and k' should be the same schedule, that is, k and k' can be the same value.
  • the fourth key may be used to decrypt the received protection key ciphertext to obtain the first protection key.
  • step S106 that is, the target encryption node decrypts the protection key ciphertext according to the fourth key
  • it may further include:
  • the target encryption node receives the key parameter ciphertext sent by the key management system, and the key parameter ciphertext is obtained by encrypting the key parameter with the third key by the key management system;
  • the target encryption node uses the fourth key to decrypt the key parameter ciphertext, and when the decrypted result is consistent with the key parameter, determines to execute the operation of decrypting the protection key ciphertext according to the fourth key.
  • the key management system in order to improve the reliability of the protection key, and thus improve the security of video data slices, before the key management system sends the protection key ciphertext to the target encryption node, it can also use the third key pair received
  • the key parameters are encrypted to obtain the key parameter ciphertext, and the key parameter ciphertext and the protection key ciphertext obtained in the above manner are sent to the target encryption node.
  • the target encryption node When the target encryption node receives the key parameter ciphertext and the protection key ciphertext, it can use the fourth key to decrypt the key parameter ciphertext, and compare the decrypted result with the above key parameter. If the two are consistent, Then it is determined that the key parameter ciphertext and the protection key ciphertext are sent by the key management system. At this time, the target encryption node can use the fourth key to decrypt the protection key ciphertext to obtain the first protection key.
  • the target encryption node does not receive the key parameter ciphertext, or fails to decrypt the received key parameter ciphertext according to the fourth key, or the decrypted result is inconsistent with the above key parameter , it can be determined that the received protection key ciphertext is unreliable, and at this time, the target encryption node does not need to decrypt the protection key ciphertext.
  • the video data slice encryption method provided by the embodiment of the present application may further include the following steps:
  • Step S300 when the target encryption node detects an instruction to decrypt the second video ciphertext, extract the second key ciphertext and the second key ID from the second video ciphertext;
  • Step S310 the target encryption node obtains the second protection key from the key management system according to the second key ID; wherein, the second protection key is sent to target encryption node;
  • Step S320 the target encryption node decrypts the second key ciphertext according to the second protection key to obtain the second video key;
  • Step S330 the target encryption node decrypts the second video ciphertext according to the second video key.
  • the second video ciphertext may be the above-mentioned first video ciphertext, or the second video ciphertext may also be any video data slice provided according to the embodiment of the present application other than the above-mentioned first video ciphertext
  • the video ciphertext obtained by encrypting the encryption method may be the above-mentioned first video ciphertext, or the second video ciphertext may also be any video data slice provided according to the embodiment of the present application other than the above-mentioned first video ciphertext The video ciphertext obtained by encrypting the encryption method.
  • the target encryption node when the target encryption node detects an instruction to decrypt the second video ciphertext, the target encryption node may extract the key ciphertext (herein referred to as the second key ciphertext) and the key ID (referred to herein as the second key ID).
  • the second key ciphertext herein referred to as the second key ciphertext
  • the second key ID the key ID
  • the second video ciphertext is the first video ciphertext
  • the second key ciphertext is the first key ciphertext
  • the second key ID is the first key ID
  • the target encryption node may acquire the corresponding protection key (referred to as the second protection key herein) from the key management system according to the extracted second key ID.
  • the second protection key herein
  • the specific implementation of the target encryption node obtaining the second protection key from the key management system according to the second key ID can refer to the description in the above embodiment that the target encryption node obtains the second protection key from the key management system according to the first key ID.
  • the relevant implementation of obtaining the first protection key in will not be repeated in this embodiment of the present application.
  • the target encryption node can decrypt the second key ciphertext extracted from the second video ciphertext according to the obtained second protection key to obtain the corresponding video key (referred to as the second video key herein), And decrypt the second video ciphertext according to the second video key.
  • the video data slice encryption system may include multiple encryption nodes (such as the Encryption node 1 to encryption node N, N is a positive integer greater than or equal to 2) and a key management system (Key Management System, referred to as KMS).
  • KMS Key Management System
  • the key management system can provide VKEK externally.
  • the key management system can be responsible for the generation, distribution and destruction of VKEK.
  • the key management system may include the aforementioned key management server.
  • the video data (video stream or video file) can be segmented to obtain multiple video data slices (U1-U5 in Figure 4), and the multiple Each video data slice is pushed to each encryption node, and each encryption node can randomly generate a working key (for example, the above video key), and interact with KMS to obtain VKEK (for example, the above protection key), and use the obtained VKEK Encrypt the working key to obtain the working key ciphertext (for example, the above-mentioned key ciphertext), use the generated working key to encrypt the video data slice to obtain the video ciphertext (EU1 ⁇ EU5 in Figure 4), and Splice the key ID corresponding to the VKEK and the working key ciphertext into the video ciphertext.
  • VKEK for example, the above protection key
  • the video data slice encryption scheme may include a registration phase, a key request phase, a video encryption phase, and a video decryption phase, and the implementation processes of each phase will be described below.
  • the encryption node sends the public key (assumed to be D) and the device ID of the node to KMS. After the KMS passes the verification of the encryption node, the public key D of the encryption node and the device ID are associated and stored.
  • the public key of the encryption node may be carried in the certificate and sent to the KMS, and the KMS will verify the encryption node according to the certificate.
  • KMS passes the verification of the encrypted node
  • KMS can extract the public key of the encrypted node from the certificate and store it in association with the device ID of the encrypted node.
  • KMS sends the KMS public key (assumed to be S) to the encryption node, and the encryption node stores the KMS public key.
  • the public key of the KMS can also be carried in the certificate and sent to the encryption node, and the encryption node verifies the KMS according to the certificate.
  • the encryption node passes the KMS verification, the encryption node can extract the KMS public key from the certificate and store the public key.
  • the encryption node uses the ECC algorithm to sign the device ID, key ID (which can be generated by the encryption node, such as based on the timestamp) and the key parameter R of the encryption node according to the private key of the encryption node to obtain the signature data Sig (device ID
  • the encryption node sends the device ID
  • KMS queries the public key of the encryption node according to the device ID, and uses the ECC algorithm to verify Sig(device ID
  • KMS queries the VKEK (assumed to be v) corresponding to the key ID according to the key ID.
  • KMS uses k as a symmetric key to encrypt R and v respectively to obtain corresponding ciphertexts c1 (for example, the above-mentioned key parameter ciphertext) and c2 (for example, the above-mentioned protection key ciphertext).
  • KMS sends c1 and c2 to the encryption node.
  • the encryption node uses k' to decrypt c1. If the result of decryption is R, execute 2.11; otherwise, return an error.
  • the encryption node uses k' to decrypt c2 to obtain the protection key v.
  • the encryption node can generate a key ID according to the timestamp, and obtain the protection key v from the KMS according to the key ID.
  • the implementation process can be found in A description of the key request phase above.
  • the encryption node generates a random number vek (for example, the above-mentioned first random number), and uses vek as a working key (ie, a video key).
  • vek for example, the above-mentioned first random number
  • the encryption node uses vek to encrypt the video data slice to obtain video ciphertext.
  • the encryption node uses v to encrypt vek to obtain vek ciphertext (for example, the above-mentioned key ciphertext).
  • the encryption node splices the vek ciphertext and key ID into the video ciphertext.
  • the encryption node extracts the vek ciphertext and key ID carried in the video ciphertext.
  • the encryption node obtains the protection key v from the KMS according to the key ID.
  • the key ID For the implementation process, please refer to the relevant description of the key request stage above.
  • the encryption node uses v to decrypt the vek ciphertext to obtain vek.
  • the encryption node uses vek to decrypt the video ciphertext.
  • FIG. 5 Exemplarily, the schematic flowcharts of the above-mentioned stages 1 to 4 may be shown in FIG. 5 .
  • FIG. 6 is a schematic structural diagram of a device for encrypting video data slices provided by an embodiment of the present application, wherein the device for encrypting video data slices can be applied to the encryption nodes in the above embodiments, as shown in FIG. 6,
  • the device for encrypting video data slices may include an acquisition unit 610 , an encryption unit 620 and a processing unit 630 .
  • the obtaining unit 610 is configured to obtain a first key ID, and obtain a first protection key from a key management system according to the first key ID; wherein, the first protection key is provided by the key management system Send to the target encryption node when the verification of the target encryption node is passed; the protection key corresponding to the same key ID is the same;
  • the encryption unit 620 is configured to generate a first random number, and use the first random number as a first video key to encrypt the video data slice to be encrypted to obtain a first video ciphertext;
  • the encryption unit 620 is further configured to use the first protection key to encrypt the first video key to obtain a first key ciphertext;
  • the processing unit 630 is configured to save the first key ciphertext and the first key ID to the first video ciphertext.
  • the obtaining unit 610 obtains the first protection key from the key management system according to the first key ID, including:
  • the device ID of the target encryption node sends the device ID of the target encryption node, the first key ID, the key parameters, and the first signature data to the key management system, so that the key management system according to the
  • the device ID obtains the public key of the target encryption node, and uses the cryptographic algorithm based on elliptic curves to verify the first signature data according to the public key of the target encryption node, and when the verification passes, according to the first signature data
  • the three keys encrypt the first protection key corresponding to the first key ID to obtain a protection key ciphertext; the third key is used by the key management system according to the key parameters and the private key of the key management system are generated using an elliptic curve point product algorithm;
  • the obtaining unit 610 before decrypting the protection key ciphertext according to the fourth key, is further configured to:
  • the device further includes an extraction unit 640 and a decryption unit 650 .
  • the extraction unit 640 is configured to extract a second key ciphertext and a second key ID from the second video ciphertext when an instruction to decrypt the second video ciphertext is detected;
  • the acquiring unit 610 is further configured to acquire a second protection key from the key management system according to the second key ID; sent to the target encryption node if the target encryption node passes the verification;
  • the decryption unit 650 is configured to decrypt the second key ciphertext according to the second protection key to obtain a second video key;
  • the decryption unit 650 is further configured to decrypt the second video ciphertext according to the second video key.
  • FIG. 8 is a schematic diagram of a hardware structure of an electronic device provided in an embodiment of the present application.
  • the electronic device may include a processor 801 and a machine-readable storage medium 802 storing machine-executable instructions.
  • the processor 801 and the machine-readable storage medium 802 can communicate via the system bus 803 .
  • the processor 801 can execute the video data slice encryption method described above.
  • the machine-readable storage medium 802 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, and the like.
  • the machine-readable storage medium can be RAM (Radom Access Memory, random access memory), volatile memory, non-volatile memory, flash memory, storage drive (such as hard disk drive), solid-state hard disk, any type of storage disk (such as CD, DVD, etc.), or similar storage media, or a combination thereof.
  • machine-readable storage medium where machine-executable instructions are stored in the machine-readable storage medium, and when the machine-executable instructions are executed by a processor, the video data slicing described above is implemented.
  • encryption method may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, and optical data storage device, among others.
  • FIG. 9 is a schematic structural diagram of a video data slice encryption system provided by an embodiment of the present application.
  • the video data slice encryption system includes a key management system 910 and a plurality of encryption nodes 920, Multiple video data slices obtained by segmenting the same video stream or video file are distributed to at least two encryption nodes 920 among the multiple encryption nodes 920 for encryption processing.
  • the encryption node 920 is configured to obtain a first key ID when serving as a target encryption node, and obtain a first protection key from a key management system according to the first key ID; and generate a first random number , and use the first random number as the first video key to encrypt the video data slice to be encrypted to obtain the first video ciphertext; wherein, the protection keys corresponding to the same key ID are the same;
  • the key management system 910 is configured to send the protection key corresponding to the first key ID to the target encryption node if the target encryption node passes the verification;
  • the encryption node 920 is further configured to use the first protection key to encrypt the first video key to obtain a first key ciphertext when serving as a target encryption node;
  • the encryption node 920 is further configured to store the first key ciphertext and the first key ID in the first video ciphertext when serving as a target encryption node.
  • the encryption node 920 is specifically configured to generate a second random number when serving as a target encryption node, and use the elliptic curve point product algorithm to generate Key parameters; according to the private key of the target encryption node, use an elliptic curve-based cryptographic algorithm to sign the device ID of the target encryption node, the first key ID, and the key parameters to obtain the second A signature data; sending the device ID, the first key ID, the key parameters and the first signature data to the key management system;
  • the key management system 910 is specifically configured to verify the first signature data according to the public key of the target encryption node using an elliptic curve-based cryptographic algorithm, and when the verification passes, according to the cryptographic algorithm, Key parameters and the private key of the key management system, using the elliptic curve point product algorithm to generate the third key;
  • the key management system 910 is further specifically configured to encrypt the first protection key corresponding to the device ID according to the third key to obtain a protection key ciphertext, and convert the protection key to The ciphertext is sent to the target encryption node;
  • the encryption node 920 is also specifically configured to receive the protection key ciphertext sent by the key management system when serving as the target encryption node; according to the public key of the key management system and the second random number , using an elliptic curve point product algorithm to generate a fourth key; decrypting the protection key ciphertext according to the fourth key to obtain the first protection key.
  • the key management system 910 is further configured to use the third key to encrypt the key parameters to obtain key parameter ciphertext, and send the key parameter ciphertext to said encryption node;
  • the encryption node 920 is also configured to receive the key parameter ciphertext sent by the key management system when serving as the target encryption node; use the fourth key to decrypt the key parameter ciphertext, and when When the decrypted result is consistent with the key parameter, the protection key ciphertext is decrypted according to the fourth key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computing Systems (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Storage Device Security (AREA)
PCT/CN2022/093116 2021-05-19 2022-05-16 视频数据切片加密方法、装置、系统以及电子设备 Ceased WO2022242607A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023571699A JP7515751B2 (ja) 2021-05-19 2022-05-16 ビデオデータスライスの暗号化方法、装置、システム及び電子デバイス

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110546576.8 2021-05-19
CN202110546576.8A CN112995784B (zh) 2021-05-19 2021-05-19 视频数据切片加密方法、装置和系统

Publications (1)

Publication Number Publication Date
WO2022242607A1 true WO2022242607A1 (zh) 2022-11-24

Family

ID=76337706

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/093116 Ceased WO2022242607A1 (zh) 2021-05-19 2022-05-16 视频数据切片加密方法、装置、系统以及电子设备

Country Status (3)

Country Link
JP (1) JP7515751B2 (https=)
CN (1) CN112995784B (https=)
WO (1) WO2022242607A1 (https=)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118410203A (zh) * 2024-06-26 2024-07-30 杭州海康威视系统技术有限公司 一种视频数据的存储、视频回放方法、装置及其设备
CN118678126A (zh) * 2024-08-21 2024-09-20 杭州海康威视数字技术股份有限公司 自适应跨域码流密码安全保护方法、系统及设备
CN119670119A (zh) * 2024-11-29 2025-03-21 中国农业银行股份有限公司 一种数据处理方法及相关装置

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995784B (zh) * 2021-05-19 2021-09-21 杭州海康威视数字技术股份有限公司 视频数据切片加密方法、装置和系统
CN113727058A (zh) * 2021-08-31 2021-11-30 成都卫士通信息产业股份有限公司 一种多媒体会议数据处理方法、系统、设备及存储介质
CN113890759B (zh) * 2021-09-28 2023-10-31 中国电信股份有限公司 文件传输方法、装置、电子设备和存储介质
CN114363011A (zh) * 2021-12-13 2022-04-15 浙江加我网络科技有限公司 一种超高清视频防泄露分享方法
CN116321022A (zh) * 2022-09-06 2023-06-23 阿波罗智能技术(北京)有限公司 空中下载ota数据文件的加密传输方法及其装置
CN118055270B (zh) * 2024-04-16 2024-07-26 腾讯科技(深圳)有限公司 视频处理方法、系统、装置、电子设备及存储介质

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101711027A (zh) * 2009-12-22 2010-05-19 上海大学 一种无线传感器网络中基于身份的分散密钥管理方法
CN102246455A (zh) * 2008-12-11 2011-11-16 三菱电机株式会社 自我认证通信设备以及设备认证系统
US20160198202A1 (en) * 2012-12-10 2016-07-07 Koninklijke Kpn N.V. Digital Rights Management for Segmented Content
CN106231346A (zh) * 2016-08-05 2016-12-14 中国传媒大学 一种针对离线视频的分布式加密方法
CN106254896A (zh) * 2016-08-05 2016-12-21 中国传媒大学 一种针对实时视频的分布式加密方法
US20170099136A1 (en) * 2015-10-01 2017-04-06 Time Warner Cable Enterprises Llc Encryption management, content recording management, and playback management in a network environment
CN111586445A (zh) * 2020-05-14 2020-08-25 中国人民公安大学 一种视频数据传输方法及装置
CN112995784A (zh) * 2021-05-19 2021-06-18 杭州海康威视数字技术股份有限公司 视频数据切片加密方法、装置和系统

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002176419A (ja) 2000-12-06 2002-06-21 Hitachi Ltd 権利保護方法
JP4561146B2 (ja) 2004-03-29 2010-10-13 ソニー株式会社 コンテンツ流通システム、暗号化装置、暗号化方法、情報処理プログラム、及び記憶媒体
CN101166259B (zh) * 2006-10-16 2010-11-10 华为技术有限公司 手机电视业务保护方法、系统、手机电视服务器及终端
CN101425862B (zh) * 2008-12-02 2011-08-10 中兴通讯股份有限公司 移动多媒体广播业务运营管理系统与方法
CN101931529B (zh) * 2010-08-09 2014-07-16 中兴通讯股份有限公司 一种数据加密方法、数据解密方法及节点

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102246455A (zh) * 2008-12-11 2011-11-16 三菱电机株式会社 自我认证通信设备以及设备认证系统
CN101711027A (zh) * 2009-12-22 2010-05-19 上海大学 一种无线传感器网络中基于身份的分散密钥管理方法
US20160198202A1 (en) * 2012-12-10 2016-07-07 Koninklijke Kpn N.V. Digital Rights Management for Segmented Content
US20170099136A1 (en) * 2015-10-01 2017-04-06 Time Warner Cable Enterprises Llc Encryption management, content recording management, and playback management in a network environment
CN106231346A (zh) * 2016-08-05 2016-12-14 中国传媒大学 一种针对离线视频的分布式加密方法
CN106254896A (zh) * 2016-08-05 2016-12-21 中国传媒大学 一种针对实时视频的分布式加密方法
CN111586445A (zh) * 2020-05-14 2020-08-25 中国人民公安大学 一种视频数据传输方法及装置
CN112995784A (zh) * 2021-05-19 2021-06-18 杭州海康威视数字技术股份有限公司 视频数据切片加密方法、装置和系统

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118410203A (zh) * 2024-06-26 2024-07-30 杭州海康威视系统技术有限公司 一种视频数据的存储、视频回放方法、装置及其设备
CN118678126A (zh) * 2024-08-21 2024-09-20 杭州海康威视数字技术股份有限公司 自适应跨域码流密码安全保护方法、系统及设备
CN119670119A (zh) * 2024-11-29 2025-03-21 中国农业银行股份有限公司 一种数据处理方法及相关装置

Also Published As

Publication number Publication date
CN112995784B (zh) 2021-09-21
JP2024518798A (ja) 2024-05-02
CN112995784A (zh) 2021-06-18
JP7515751B2 (ja) 2024-07-12

Similar Documents

Publication Publication Date Title
CN112995784B (zh) 视频数据切片加密方法、装置和系统
EP3732609B1 (en) Secure crypto system attributes
US9537657B1 (en) Multipart authenticated encryption
US8315395B2 (en) Nearly-stateless key escrow service
US8744076B2 (en) Method and apparatus for encrypting data to facilitate resource savings and tamper detection
CN110391900B (zh) 基于sm2算法的私钥处理方法、终端及密钥中心
US11212082B2 (en) Ciphertext based quorum cryptosystem
JP6763378B2 (ja) 暗号情報作成装置、暗号情報作成方法、暗号情報作成プログラム、及び、照合システム
CN109918925A (zh) 数据存储方法、数据节点及存储介质
US8600061B2 (en) Generating secure device secret key
JPWO2014112551A1 (ja) 分割保管装置、秘密鍵分割保管方法
US10484182B2 (en) Encrypted text verification system, method, and recording medium
CN111970114B (zh) 文件加密方法、系统、服务器和存储介质
CN114416734B (zh) 基于区块链分布式哈希列表的信息存储方法、设备及介质
US7499552B2 (en) Cipher method and system for verifying a decryption of an encrypted user data key
CN114513302A (zh) 一种数据加解密方法及设备
CN110768797A (zh) 一种基于身份格式保留加密的数据脱敏方法
WO2024187914A1 (zh) 数据存储方法及装置、存储介质及电子设备
CN112954388A (zh) 一种数据文件的获取方法、装置、终端设备和存储介质
CN110188545B (zh) 一种基于链式数据库的数据加密方法及装置
CN111526167A (zh) 一种应用于区块链的数据传输方法及装置
CN113206739B (zh) 组合公钥cpk的密钥生成方法、装置及存储介质
CN113259723B (zh) 去中心化的视频密钥管理方法、装置与系统
CN117336077A (zh) 一种数据加解密方法和系统
CN114676452A (zh) 一种数据安全存储方法和装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22803927

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023571699

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22803927

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 22803927

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 27.05.2024)

122 Ep: pct application non-entry in european phase

Ref document number: 22803927

Country of ref document: EP

Kind code of ref document: A1