CN100366082C - Method of on-line user authentication in digital TV network - Google Patents
Publication number: CN100366082C
Authority: CN (China)
Legal status: Expired - Fee Related
Abstract
The present invention relates to a method of on-line user authentication in a digital television network, comprising the following steps: the headend receives a user's on-line authentication request and judges whether the user is authorized; if so, the user is set as an on-line user, and if not, an error message is returned; the headend then queries whether this user identity is on-line only once; if so, authentication passes and a correct message is returned; if not, authentication fails, the user is set as an illegal user and an error message is returned. With the method of the present invention the headend can authenticate users, improving the security of the network.
Description
Technical field
The present invention relates to digital TV networks, and in particular to a method of authenticating a user who comes on-line in a digital TV network.
Background technology
In the analog television era viewers watched programs for free, and television advertising was the operator's main source of revenue. With the digital television era at hand, the operator's profit model will change fundamentally: viewers will have to pay to watch programs, and pay-per-view will become the operator's main source of revenue. To guarantee that the operator is paid, it is essential that only legitimate users in the digital TV network can watch programs; to achieve this, the Conditional Access System (CAS) was introduced into digital television.
The core of CAS is to guarantee the security of the operating system over a unidirectional network. CAS encrypts TV programs at the HeadEnd and manages subscriber authorization. Only an authorized user can decrypt the programs at the receiving terminal and watch them normally; a user who has not been authorized cannot decrypt them and cannot watch normally, which achieves the goal of making users pay.
The CAS structure is shown in Figure 1. The security system comprises three encryption layers. The bottom layer encrypts the service stream and is also called scrambling (Scramble): the scrambler scrambles the MPEG2 audio/video stream, and the scrambling key is the control word CW (Control Words). The middle layer is where CAS encrypts the access control conditions of a TV program, generating Entitlement Control Messages (ECM); its encryption key may be called the service key. The top layer is where CAS encrypts the subscriber authorization information provided by the Subscriber Management System (SMS), generating Entitlement Management Messages (EMM); its encryption key is generally the user's personal key.
A traditional TV network is a unidirectional broadcast network, and the various CAS control messages are generally broadcast to all users together with the service stream over the broadcast network.
The access control conditions of a program are multiplexed into the TS (Transport Stream) in ECM form and broadcast. So that a user can receive a program's access control conditions quickly after powering on, ECMs are broadcast cyclically (carousel), with a cycle between milliseconds and seconds.
The user's authorization message EMM is multiplexed into the TS stream and broadcast to the STBs. Because the network is unidirectional, the digital TV headend cannot know whether a user is on-line, so to guarantee that users can update their authorization promptly, all users' EMMs are also carouselled, i.e. broadcast cyclically. If users number in the millions, the bandwidth occupied by EMMs is considerable; to keep EMM bandwidth bounded, authorization information generally changes rarely and the EMM carousel cycle is between minutes and hours, depending on the EMM bandwidth and the number of users.
The user terminal (Receiver) is usually called a set-top box (STB: Set Top Box) and comprises the CAS client program (CA Client), the descrambling module (Descrambler), the decoder module, etc. CAS also equips each user terminal with a subscriber identification module, typically a smart card (Smart Card); the subscriber identification module provides the unique identification of the user's identity and the user's personal key.
After the STB powers on, it extracts the EMMs addressed to it from the broadcast stream; they are decrypted and interpreted by the subscriber identification module and used to update the authorization stored in it. When the user selects a pay program, the STB first checks whether it is authorized to watch it; if so, it extracts the ECM corresponding to that program from the broadcast stream, the subscriber identification module decrypts and interprets the program's access control conditions, and if the user satisfies those conditions the user obtains the CW, descrambles the program and watches it.
Depending on the CAS, there are two ways for the user to obtain the CW: in one the CW is broadcast to the user terminal via the ECM; in the other the user terminal, synchronized with the headend according to the ECM information, generates the corresponding CW on the subscriber identification module.
Because traditional CAS is based on a unidirectional broadcast network, the security of the system depends on the absolute security of the CAS technology. But a consensus has been reached in academia: there is no perfectly secure system; every system can be cracked, the only questions being how long it takes and how much it costs. Practice also shows that nearly every traditional CAS system has suffered piracy.
One of the more common cracking methods is to physically clone the smart card; pirate users use the cloned smart card to watch pay programs for free. Another common cracking method is for a hacker to crack the encryption keys of the ECM or EMM, illegally obtain program authorization and watch pay TV programs for free.
To solve the piracy problem, CAS vendors put forward the following views:
1. If the hacker's cost of cracking the security system exceeds the income from cracking it, the hacker lacks the motivation to crack the system.
2. If the hacker's or illegal user's cost of piracy is higher than the income from piracy, the hacker or illegal user lacks the motivation for piracy.
On the first point, traditional CAS improves its own system to raise the absolute security of the system.
For example, traditional CAS vendors adopt methods that strengthen the physical security characteristics of the smart card to reduce the possibility of its being copied: using dedicated smart cards or even manufacturing their own, increasing the complexity of the smart card design, or continually upgrading the smart card version.
For example, traditional CAS uses complex cryptographic algorithms and long keys to increase the difficulty of cracking, and at the same time changes the service key periodically or irregularly to reduce the impact once a key is cracked.
On the second point, traditional CAS performs local user identity authentication on the user terminal side, namely machine-card pairing technology, to improve the relative security of the system.
Machine-card pairing means that the user terminal STB and the subscriber identification module (smart card) must be bound together as a pair; when the user terminal is working, the smart card authenticates the STB. In practice, to guarantee the reliability of machine-card pairing, the smart card and STB can be required to authenticate each other. To ensure that the STB's unique identifier is not copied, protective measures such as encrypting the STB identifier can also be taken.
Machine-card pairing effectively raises the cost of piracy. Previously a pirate user only needed to buy one smart card to watch programs illegally; now a paired pirate STB must also be bought before programs can be stolen. At present an STB sells for about ... yuan and a smart card for about ... yuan, so the cost of a pirate STB is far greater than that of a pirate smart card.
Because the STB has a unique identifier, pirate STBs are ill-suited to mass production, which also raises the cost of piracy. And because of the physical size of an STB, the production and sale of pirate STBs is relatively easy to catch. All of this indirectly reduces the risk of CAS piracy.
Facts have proven that local user identity authentication using machine-card pairing can improve the relative security of traditional CAS. However, this local user identity authentication method on a unidirectional network, although it improves the relative security of the system, still has the following shortcomings:
1. The local user identity authentication scheme cannot stop STB piracy by technical means. A user need only buy a pirate smart card and a pirate STB together to continue watching programs illegally;
2. The income from piracy is still greater than its cost. A pirate user need only buy a pirate smart card and STB once to watch pay programs illegally and for free over a long period;
3. An illegal user who steals programs by cracking keys cannot be identified;
4. The headend cannot identify whether illegal users exist in the network, and therefore cannot take corresponding measures to shut them down.
With social progress, program networks will gradually evolve into two-way interactive networks. Using the return network, we can take many approaches to improve the security of traditional CAS and thereby provide operators with a safe and reliable pay TV platform.
Summary of the invention
In view of the defects of user-side authentication on the unidirectional network described above, the present invention provides a method for a digital television interactive network in which the headend authenticates user identity. Using the method of the invention, the headend can identify whether a user is an illegal user when the user comes on-line, thereby meeting the security needs of the TV network.
The method of on-line user authentication in a digital TV network of the present invention comprises the following steps:
Step 1: the headend receives the user's on-line authentication request message;
Step 2: judge whether the user is authorized; if so, set the user as an on-line user; if not, return an error message;
Step 3: query whether this user identity is on-line only once; if so, authentication passes and a correct message is returned; if not, authentication fails, the user is set as an illegal user and an error message is returned.
Step 1 further comprises: the user sending the on-line authentication request message to the headend at power-on.
The method further comprises the following steps:
Step 4: the user notifies the headend of going off-line at shutdown;
Step 5: the headend responds to the user's off-line notification and sets the user as an off-line user.
The authentication request message comprises the user identity code.
Using the method of the present invention achieves the following beneficial effects:
the headend can authenticate user identities within the network, thereby improving system security;
the headend can identify pirate users who have duplicated a smart card, so that they can be shut down immediately.
More specifically, because the headend equipment is generally located in the operator's own machine room and runs on a private network, the subscriber data held by the headend can safely be considered genuine. Because the user terminal is in the user's hands, its physical security cannot be guaranteed; the user can study and modify the terminal, so the reliability of traditional local authentication at the terminal is greatly reduced, whereas the headend's authentication of user identity in the present invention can guarantee reliability.
Against the traditional piracy mode of duplicating smart cards, if the user has also bought a pirate STB, local authentication at the terminal cannot solve the problem. But in the solution of the present invention, because the headend manages all users coming on-line, the headend can immediately find whether a user with the same identity is already on-line and judge whether an illegal user has appeared, thereby effectively solving the piracy mode of duplicating smart cards.
Therefore, with the scheme of the present invention, user identities in a digital TV network can be authenticated effectively, thereby improving the security of the system.
Description of drawings
Fig. 1 is the structure diagram of the CAS system;
Fig. 2 is a schematic diagram of the networking of a digital television interactive network;
Fig. 3 is the flow chart of authenticating a user coming on-line in an embodiment of the method of the invention.
Embodiment
The present invention is described below with an embodiment, with reference to the accompanying drawings.
The interactive network structure used by the method of the invention adds a return network on top of the current unidirectional broadcast network, so that a return path can be established between the user terminal and the headend; the headend uses the return path to obtain user terminal information and thereby authenticate the user's identity.
As shown in Figure 2, the networking structure of the embodiment of the present invention comprises: a set-top box, a subscriber identification module, a bidirectional communication module, an interactive return network and an interactive server module;
the set-top box reads the user identifier and user service information loaded on the subscriber identification module and initiates a service request to the headend;
the bidirectional communication module modulates the user service request message from the set-top box and sends it to the authentication server module through the interactive return network; it receives control command messages from the interactive server, demodulates them and passes them to the set-top box;
the interactive server module may be an authentication server module located at the headend of the digital network; it analyses and authenticates the user service request message, records the authentication result, sends a control command message according to the authentication result and returns it to the bidirectional communication module through the interactive return network;
the interactive return network is one of PSTN, GSM, CABLE, 3G or a communication satellite.
The bidirectional communication module is a modulator-demodulator, or a module built into the set-top box. If the return network is the PSTN, the bidirectional communication module is a MODEM.
The headend adds a corresponding interactive server, such as an authentication server; it is not shown separately in the networking diagram of this embodiment, and all headend equipment is collectively labelled the headend.
Embodiment one: method of authenticating a user coming on-line
As shown in Figure 3, the flow by which the headend in a digital TV network authenticates a user coming on-line comprises the following steps:
1. the headend receives the user's on-line authentication request message, which contains the user identity code;
2. read the user's data;
3. judge whether the user is legal; if so, set the user as an on-line user; if not, authentication fails, the user is set as an illegal user and an error message is returned;
4. judge whether this user identity is unique among the on-line users; if so, authentication passes and a correct message is returned; if not, authentication fails, the user is set as an illegal user and an error message is returned;
5. the user notifies the headend of going off-line at shutdown;
6. the headend responds to the user's off-line notification and sets the user as an off-line user.
In summary, when the user terminal powers on it actively establishes the return path with the headend and sends the user on-line notification; when the user powers off it notifies the headend of going off-line through the return path. From the user's on-line authentication request the headend verifies the legality and uniqueness of the user identity, i.e. whether this user has an account and whether a user with the same identity is on-line at the same time. After the user comes on-line and is authenticated successfully, the headend sets the user to on-line status and the user can watch television. If the headend finds that the user identity is illegal, or that several user terminals with the same user identifier are on-line simultaneously, it considers the user an illegal user.
Embodiment two: another method of authenticating a user coming on-line
It specifically comprises the following steps:
1. at power-on the user sends the on-line authentication request message to the headend; the authentication request message contains the user identity code;
2. the headend receives the user's on-line authentication request;
3. the headend reads the subscriber data and judges whether the user is legal; if so, continue; if not, return an error message;
4. the headend queries the on-line user information to judge whether a user with this identity has already passed authentication and is on-line; if not, authentication passes, the user is set as an on-line user and a correct message is returned; if so, authentication fails, the user is set as an illegal user and an error message is returned;
5. the user notifies the headend of going off-line at shutdown;
6. the headend responds to the user's off-line notification and sets the user as an off-line user.
The difference between embodiment two and embodiment one is that, after judging that the user is an authorized user, it first queries whether a user with the same identity already exists among the on-line users; if so, the user is considered to have been duplicated and can be judged an illegal user.
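The headend side of embodiment two (and, by its legality check, step 3 of embodiment one) as an added Python example; it is not code from the patent. The in-memory subscriber table, the on-line set and the `AuthResult` reply names are assumptions, since the patent only specifies "correct" and "error" replies and the user identity code carried in the request.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthResult(Enum):
    """Reply the headend sends back over the return path (names are assumed)."""
    CORRECT = "correct message"                           # passed, user set on-line
    ERROR_NOT_AUTHORIZED = "error: not authorized"
    ERROR_DUPLICATE = "error: identity already on-line"   # duplicated smart card suspected


@dataclass
class Subscriber:
    """One record of the headend's subscriber data (assumed layout)."""
    user_id: str
    authorized: bool = True     # has an account / is authorized by the operator
    illegal: bool = False       # set by the headend once a duplicate identity is seen


@dataclass
class HeadEnd:
    subscribers: dict = field(default_factory=dict)   # user_id -> Subscriber
    online: set = field(default_factory=set)          # identities currently on-line

    def add_subscriber(self, user_id: str, authorized: bool = True) -> None:
        self.subscribers[user_id] = Subscriber(user_id, authorized)

    def authenticate_online(self, user_id: str) -> AuthResult:
        """Steps 2-4 of embodiment two, run on the on-line request carrying user_id."""
        # Step 3: read the subscriber data and judge whether the user is legal.
        sub = self.subscribers.get(user_id)
        if sub is None or not sub.authorized or sub.illegal:
            return AuthResult.ERROR_NOT_AUTHORIZED
        # Step 4: is a user with this identity already authenticated and on-line?
        if user_id in self.online:
            # A second terminal presenting the same identity: the smart card
            # has been duplicated, so the identity is set as an illegal user.
            sub.illegal = True
            return AuthResult.ERROR_DUPLICATE
        self.online.add(user_id)
        return AuthResult.CORRECT

    def notify_offline(self, user_id: str) -> None:
        """Steps 5-6: the STB notifies the headend at shutdown; set the user off-line."""
        self.online.discard(user_id)

    def is_online(self, user_id: str) -> bool:
        return user_id in self.online

    def is_illegal(self, user_id: str) -> bool:
        sub = self.subscribers.get(user_id)
        return sub is not None and sub.illegal


if __name__ == "__main__":
    # Constructed sample: one genuine card, then a second STB with a clone of it.
    headend = HeadEnd()
    headend.add_subscriber("0001")
    print("genuine STB boots:", headend.authenticate_online("0001").value)
    print("cloned card boots:", headend.authenticate_online("0001").value)
    print("identity 0001 flagged illegal:", headend.is_illegal("0001"))
```

The patent relies on the off-line notice sent at shutdown; a terminal that loses power without sending it stays in the on-line table, so the genuine user's next boot would look like a duplicate. A real headend therefore needs a way to expire stale on-line entries, which the patent does not specify.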
Claims (4)
1. A method of on-line user authentication in a digital TV network, characterized in that it comprises the following steps:
Step 1: the headend receives the user's on-line authentication request message;
Step 2: judge whether the user is authorized; if so, set the user as an on-line user; if not, return an error message;
Step 3: query whether this user identity is on-line only once; if so, authentication passes and a correct message is returned; if not, authentication fails, the user is set as an illegal user and an error message is returned.
2. The method of claim 1, characterized in that step 1 further comprises: the user sending the on-line authentication request message to the headend at power-on.
3. The method of claim 1, characterized in that it further comprises the following steps:
Step 4: the user notifies the headend of going off-line at shutdown;
Step 5: the headend responds to the user's off-line notification and sets the user as an off-line user.
4. The method of claim 1, characterized in that the authentication request message comprises the user identity code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101218000A CN100366082C (en) | 2003-12-24 | 2003-12-24 | Method of on-line user authentication in digital TV network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1633169A CN1633169A (en) | 2005-06-29 |
CN100366082C true CN100366082C (en) | 2008-01-30 |
Legal Events
Granted publication date: 2008-01-30. Termination date: 2012-12-24 (termination of patent right due to non-payment of annual fee).