
CN101132275B - A Security Protection System for Realizing the Right to Use Digital Content - Google Patents


Info

Publication number: CN101132275B
Authority: CN (China)
Prior art keywords: file system, digital content, encrypted file, module, encrypted
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN200610112550A
Other languages: Chinese (zh)
Other versions: CN101132275A (en)
Inventors: 沙瀛, 谭建龙, 程学旗
Current Assignee: Institute of Computing Technology of CAS (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Institute of Computing Technology of CAS
Application filed by Institute of Computing Technology of CAS
Priority to CN200610112550A
Publication of CN101132275A
Application granted
Publication of CN101132275B

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a security protection system for realizing digital content usage rights, comprising: a control module, an encrypted file system module, an encrypted file system loading module and an encrypted file system unloading module. The invention prevents illegal modification and deletion of digital content usage rights and improves their security. It is transparent to media content and media players and protects usage rights better: the user has no opportunity at all to delete or tamper with the usage rights, which effectively guarantees their security. As an independent module, the security protection system provided by the invention can be embedded very conveniently into a complete digital copyright protection system, which favors the promotion and application of the invention.

Description

A security protection system for realizing digital content usage rights
Technical field
The present invention relates to the field of network security technology, and in particular to a security protection system for realizing digital content usage rights.
Background
With the development of networks, more and more digital media content is distributed over the network. Audio-visual digital media in particular is the main content consumed on the network; statistics show that 60% of the content transmitted over the network is related to audio and video. In broadband environments, audio-visual content such as films and television series is an especially important driver of consumption for broadband applications.
However, because a copy of digital media content is identical to the original, and the cost of copying and distributing digital content is extremely low, the problem that has long troubled network operators and content providers is the piracy and illegal network distribution of digital media content. The Recording Industry Association of America (RIAA) estimates that piracy causes economic losses of up to 5,000,000,000 dollars worldwide each year. The Motion Picture Association of America (MPAA) estimates that piracy reduces the annual income of the American film industry by 2,500,000,000 dollars.
To stimulate and sustain the healthy and rapid development of networked digital media consumption, measures must be taken to safeguard the respective legitimate rights and requirements of content providers, network operators, agents and end consumers. Digital rights management (DRM) is the overall solution that uses various technical means to safeguard the legitimate rights and requirements of these parties.
DRM technology provides a way to protect multimedia content from unauthorized playback or copying, giving content providers a means of protecting digital media content from illegal copying or use. DRM usually achieves this by encrypting the digital content and attaching usage rules that decide whether the user is entitled to play the content. Usage rules generally include permissions such as whether copying is allowed, playback time and number of plays.
Fig. 1 is a schematic diagram of a typical DRM system reference architecture. This DRM system comprises three main modules: the content server, the license server and the trusted client.
The content server stores the original digital media content supplied by content providers and applies digital copyright protection to it; the copyright protection techniques used include encrypting the digital media content with a symmetric key.
The license server mainly generates and distributes digital licenses and performs controls such as user identity authentication. A digital license is a computer file containing the digital content usage rights (including the right to use, number of uses, period of use, etc.) and information about the license grantor and its owner. In most DRM systems the digital content itself is encrypted, so the digital license usually also contains information such as the key for decrypting the digital content.
The trusted client (content consumption environment) mainly comprises the DRM controller and the digital content usage tool. The DRM controller collects information such as the user's identity and controls use of the digital content. If no license is present, the DRM controller is also responsible for requesting one from the license server. The digital content usage tool mainly helps the user use the digital content.
Most current DRM systems are built on this reference architecture. In this structure the security of the trusted client (content consumption environment) plays a crucial role: if the client is insufficiently protected, the whole DRM system loses its meaning.
Users, authorization and content are the three basic elements of a DRM system. Users are the creators and users of content; a user may be a publisher, a film producer, a record company, an enterprise or an individual consumer. Content means the set of all digital content that can be distributed over the network. Authorization means the permissions, constraints and obligations attached to the content and granted to the user.
The client environment constitutes a content consumption environment, because all digital media content is ultimately consumed and used on the user's client. A trusted client environment is therefore an important part of a digital copyright protection system. Because all copyright-protected digital media content is ultimately played on the user's computer, the key problem for a DRM system is how to build a trusted client environment within the user's insecure local environment.
Existing solutions have two main problems. One kind controls media content and permissions at the user layer; its security is low and it is easily cracked or bypassed. The other kind embeds the protection of media content and the control of permissions in the media player, or implements them as a plug-in of the media player. In the traditional DRM trusted-client design, the DRM controller is usually placed inside the media player: when the user clicks a file to play, the corresponding control is carried out before the player plays it. In practice this generally means developing a standalone player, or doing secondary development with Windows Media Player or the corresponding Helix SDK. The resulting system can therefore only play media files of particular types, its compatibility is low, and the supported media formats and kinds of media player are limited.
Because protection and control of media files are implemented in the player, the end user can only watch media files supplied by the content provider with the designated player; and for the content provider, the player's limitations mean that not all media file formats are supported, which is a great inconvenience. In addition, the user's certificate, private key and associated rights statements are all stored on the user's hard disk, where, even if stored encrypted, they are easily deleted or tampered with by the user.
Summary of the invention
(1) Technical problem to be solved
In view of the deficiencies of the prior art described above, the main purpose of the present invention is to provide a security protection system for realizing digital content usage rights, so as to improve the security of digital content usage rights.
(2) Technical solution
To achieve the above purpose, the technical solution of the present invention is as follows:
A security protection system for realizing digital content usage rights, the system comprising:
A control module, used to write digital content usage rights and digital content to, or read them from, the encrypted file system provided by the encrypted file system module, and to call the encrypted file system loading module or the encrypted file system unloading module; after the encrypted file system module is loaded, it writes the digital content usage rights into computer memory and updates the usage rights in memory in real time according to how the digital content is used; before the encrypted file system module is unloaded, it writes the updated usage rights from memory to the encrypted file system;
An encrypted file system module, used to provide the encrypted file system that stores the digital content usage rights and the digital content, to encrypt the usage rights and digital content written to the encrypted file system, and to decrypt the usage rights and digital content read from the encrypted file system;
An encrypted file system loading module, used to load the encrypted file system module so that the user can access the digital content usage rights and digital content stored in the encrypted file system that the module provides;
An encrypted file system unloading module, used to unload the encrypted file system module so that the user cannot access the digital content usage rights and digital content stored in the encrypted file system that the module provides.
The control module is further used to read, on a request received from the digital content usage tool, the digital content usage rights stored in computer memory and to determine whether the digital content usage tool holds the digital content usage right; if it does, the tool is allowed to use the digital content usage right; otherwise, it is not.
The control module is further used to modify, on a request received from the digital content usage tool, the digital content usage rights stored in computer memory.
The control module is further used, while the encrypted file system is loaded, to change, delete, write or read the digital content usage rights stored in computer memory.
The encrypted file system provided by the encrypted file system module comprises:
A file system header, used to store the random salt, the verification string, the file system version, the key checksum, the file system creation and modification times, a reserved area and the data encryption key information;
A data area, used to store the digital content usage rights and the digital content.
The random salt in the file system header is combined with the login password entered by the user to generate, according to a given key generation algorithm, the encryption key of the file system header;
The verification string in the file system header is used, during the process of obtaining the data encryption key, to judge whether the attempted combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length is correct;
The file system version in the file system header is used to ensure compatibility between the content written to the encrypted file system and the encrypted file system itself;
The key checksum in the file system header is used as follows: after a combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length has been tried, a checksum is computed over the data encryption key obtained by decryption and compared with the key checksum in the file system header; whether the two agree determines whether the attempted combination is correct;
The file system creation and modification times in the file system header record when the file system was created and modified;
The reserved area in the file system header is for later extension;
The data encryption key information in the file system header is used to encrypt the digital content usage rights and digital content stored in the data area.
The random salt in the file system header of the encrypted file system is not encrypted; the verification string, file system version, key checksum, file system creation and modification times, reserved area and data encryption key information in the header are encrypted. The encrypted file system encrypts the entire file system, including the file names, folder names, file contents and free space of the data area.
The file system header of the encrypted file system is encrypted with a key generated from the entered login password, the salt and a key generation algorithm; the key generation algorithm uses the common HMAC-RIPEMD-160, HMAC-SHA-1 or HMAC-WHIRLPOOL standards, and the salt is used to make offline decryption harder for an attacker.
The data area of the encrypted file system is encrypted with the data encryption key in the file system header; the data encryption key is produced by a random number generator, which generates both the data encryption key for the data area and the salt.
The random numbers are produced either by a standard random number generation method or by a method that uses custom-selected random sources.
The custom-selected random sources include at least: mouse movement, the time intervals between keystrokes, the key values of keystrokes, physical characteristics of the hard disk, network characteristics of the network card, or the operating system timer.
When encrypting digital content usage rights and digital content written to the encrypted file system, the encrypted file system module uses the data encryption key in the file system header;
When decrypting digital content usage rights and digital content read from the encrypted file system, the encrypted file system module uses the data encryption key in the file system header to decrypt the content.
When the encrypted file system module encrypts or decrypts digital content usage rights and digital content, it uses the entered password and the salt in the first 64 bytes of the file system header to try, in turn, every permitted combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length, and judges whether the combination satisfies the following:
1) when the file header is decrypted with a given combination of the above 5 parameters, the decrypted verification string is the originally specified string;
2) the checksum of the decrypted data encryption key equals the key checksum stored in the file header.
If these are satisfied, the combination is correct and the entered password is also correct; otherwise the combination is incorrect.
If every combination has been tried and none is correct, the entered password is wrong.
When loading the encrypted file system module, the encrypted file system loading module judges whether the entered password is correct; if it is, the encrypted file system module is loaded; otherwise, it is not loaded.
The encrypted file system unloading module unloads the encrypted file system module after receiving a command to close the related application or to unload the encrypted file system module.
(3) Beneficial effects
As can be seen from the above technical solution, the present invention has the following beneficial effects:
1. With the present invention, an encrypted file system based on a file system filter driver is built in the operating system kernel layer, and the digital content usage rights that need to be stored are kept in this encrypted file system. Only a user who enters the correct password can load the encrypted file system and thereby access the digital content usage rights and digital content stored in it. When the file system is loaded, the usage rights are read into the computer's memory; thereafter, every addition, deletion or modification of usage rights is performed on the usage rights held in memory. When the encrypted file system is unloaded, the usage rights held in memory are written to the encrypted file system, overwriting the original usage rights. This prevents modification and deletion of the digital content usage rights and improves their security.
2. Compared with the prior art, the present invention is more secure and is transparent to media content and media players. It protects digital content usage rights better: the user has no opportunity at all to delete or tamper with them, which effectively guarantees their security.
3. As an independent module, the security protection system for realizing digital content usage rights provided by the present invention can be embedded very conveniently into a complete digital copyright protection system, which favors the promotion and application of the invention.
Description of drawings
Fig. 1 is a schematic diagram of a typical DRM system reference architecture;
Fig. 2 is a schematic diagram of the security protection system for realizing digital content usage rights provided by the present invention;
Fig. 3 is a structural diagram of the encrypted file system provided by the present invention;
Fig. 4 is a schematic diagram of how the present invention protects digital content usage rights.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
The present invention distributes the protection of digital content usage rights across the kernel layer and the application layer of the operating system. An encrypted file system module is implemented in the kernel layer to store the usage rights in encrypted form, to ensure that only a user with the corresponding password can access the encrypted file system module, and to encrypt and decrypt reads and writes of the usage rights in real time. The application layer writes the usage rights into computer memory when the encrypted file system module is loaded, and writes the usage rights in computer memory to the encrypted file system provided by the module when the module is unloaded.
As shown in Fig. 2, the security protection system for realizing digital content usage rights provided by the present invention comprises a control module, an encrypted file system module, an encrypted file system loading module and an encrypted file system unloading module.
The control module is used to write digital content usage rights and digital content to, or read them from, the encrypted file system provided by the encrypted file system module, and to call the encrypted file system loading module or the encrypted file system unloading module. After the encrypted file system module is loaded, it writes the digital content usage rights into computer memory and updates the usage rights in memory in real time according to how the digital content is used; before the encrypted file system module is unloaded, it writes the updated usage rights from memory to the encrypted file system. The security protection system interacts with the outside world through the control module, thereby protecting the digital content usage rights.
The security protection system constitutes a trusted client in the content consumption environment. Through the control module, the user first requests copyright-protected digital content from the outside, for example from a content server, and requests the digital content usage rights from the license server. The control module responds to requests from the digital content usage tool for usage rights: it reads the usage rights and determines whether the tool holds the corresponding usage right. The control module dynamically updates the usage rights according to how the digital content is used; for example, as content is used, the permitted number of plays or playback time associated with the content decreases accordingly.
The encrypted file system module is used to provide the encrypted file system that stores the digital content usage rights and the digital content, to encrypt the usage rights and digital content written to the encrypted file system, and to decrypt the usage rights and digital content read from it. Only a user who enters the correct password can access the encrypted file system, and the control module monitors the encrypted file system so that its content cannot be copied out; that is, only the control module can write usage rights to the encrypted file system. Immediately after the encrypted file system is loaded, the usage rights are read into computer memory; before the encrypted file system is unloaded, the usage rights in memory are written to the encrypted file system. This prevents illegal deletion of, or tampering with, the digital content usage rights.
The encrypted file system loading module is used to load the encrypted file system module so that the user can access the digital content usage rights and digital content stored in the encrypted file system that the module provides.
The encrypted file system unloading module is used to unload the encrypted file system module so that the user cannot access the digital content usage rights and digital content stored in the encrypted file system that the module provides.
The control module is further used to read, on a request received from the digital content usage tool, the digital content usage rights stored in computer memory and to determine whether the digital content usage tool holds the digital content usage right; if it does, the tool is allowed to use the digital content usage right; otherwise, it is not.
The control module is further used to modify, on a request received from the digital content usage tool, the digital content usage rights stored in computer memory.
The control module is further used, while the encrypted file system is loaded, to change, delete, write or read the digital content usage rights stored in computer memory.
The encrypted file system provided by the encrypted file system module is shown in Fig. 3, a structural diagram of the encrypted file system provided by the present invention. The encrypted file system comprises a file system header, used to store the random salt, the verification string, the file system version, the key checksum, the file system creation and modification times, a reserved area and the data encryption key information; and a data area, used to store the digital content usage rights and the digital content.
The random salt in the file system header is combined with the login password entered by the user to generate, according to a given key generation algorithm, the encryption key of the file system header.
The verification string in the file system header is used, during the process of obtaining the data encryption key, to judge whether the attempted combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length is correct.
The file system version in the file system header is used to ensure compatibility between the content written to the encrypted file system and the encrypted file system itself.
The key checksum in the file system header is used as follows: after a combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length has been tried, a checksum is computed over the data encryption key obtained by decryption and compared with the key checksum in the file system header; whether the two agree determines whether the attempted combination is correct.
The file system creation and modification times in the file system header record when the file system was created and modified.
The reserved area in the file system header is for later extension.
The data encryption key information in the file system header is used to encrypt the digital content usage rights and digital content stored in the data area.
The random salt in the file system header of the encrypted file system is not encrypted; the verification string, file system version, key checksum, file system creation and modification times, reserved area and data encryption key information in the header are encrypted. The encrypted file system encrypts the entire file system, including the file names, folder names, file contents and free space of the data area.
The file system header of the encrypted file system is encrypted with a key generated from the entered login password, the salt and a key generation algorithm; the key generation algorithm uses standards such as the common HMAC-RIPEMD-160, HMAC-SHA-1 or HMAC-WHIRLPOOL, and the salt is used to make offline decryption harder for an attacker.
The data area of the encrypted file system is encrypted with the data encryption key in the file system header; the data encryption key is produced by a random number generator, which generates both the data encryption key for the data area and the salt. The random numbers are produced either by a standard random number generation method or by a method that uses custom-selected random sources. The custom-selected random sources include at least: mouse movement, the time intervals between keystrokes, the key values of keystrokes, physical characteristics of the hard disk, network characteristics of the network card, or the operating system timer.
When encrypting digital content usage rights and digital content written to the encrypted file system, the encrypted file system module uses the data encryption key in the file system header to encrypt them and then writes the encrypted data to the file system. When decrypting digital content usage rights and digital content read from the encrypted file system, the module uses the data encryption key in the file system header to decrypt the content and then returns the decrypted content.
When the encrypted file system module encrypts or decrypts digital content usage rights and digital content, it uses the entered password and the salt in the first 64 bytes of the file system header to try, in turn, every permitted combination of key generation algorithm, encryption algorithm, encryption mode, cipher block size and key length, and judges whether the combination satisfies the following:
1) when the file header is decrypted with a given combination of the above 5 parameters, the decrypted verification string is the originally specified string;
2) the checksum of the decrypted data encryption key equals the key checksum stored in the file header.
If these are satisfied, the combination is correct and the entered password is also correct; otherwise the combination is incorrect.
If every combination has been tried and none is correct, the entered password is wrong.
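The header check described above, and the header layout listed earlier, can be sketched as follows. This is an added example, not code from the patent: it narrows the five-parameter search to two parameters (key derivation hash and key length), and the field sizes, the `EFS1` verification string, CRC32 as the key checksum, PBKDF2 as the key generation algorithm and the HMAC-based keystream standing in for a block cipher are all assumptions.

```python
import hashlib
import hmac
import os
import struct
import zlib
from itertools import product

SALT_LEN = 64                 # page: the salt is the first 64 bytes, stored unencrypted
MAGIC = b"EFS1"               # constructed verification string (assumption)
FIXED = ">4sHIQQ6x"           # magic, version, key checksum, created, modified, reserved
KEY_AREA = 32                 # room for the longest data encryption key (assumption)
PRFS = ("sha1", "sha256", "sha512")   # SHA-1 is named on the page; the others stand in
KEY_LENS = (16, 32)           # candidate key lengths in bytes (assumption)
ITERATIONS = 2000             # PBKDF2 rounds, kept low so the demo runs quickly


def _xor_stream(key, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def create_header(password, prf, key_len, salt=None, data_key=None,
                  version=1, created=0, modified=0):
    """Build salt || encrypted(fixed fields || data key area)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    data_key = data_key if data_key is not None else os.urandom(key_len)
    if len(salt) != SALT_LEN or len(data_key) != key_len:
        raise ValueError("salt or data key has the wrong length")
    fixed = struct.pack(FIXED, MAGIC, version, zlib.crc32(data_key), created, modified)
    # Pad the key area so the header length does not reveal the key length.
    key_area = data_key + os.urandom(KEY_AREA - key_len)
    header_key = hashlib.pbkdf2_hmac(prf, password, salt, ITERATIONS, key_len)
    return salt + _xor_stream(header_key, fixed + key_area)


def open_header(password, header):
    """Try every (hash, key length) pair; return the parsed header or None."""
    fixed_len = struct.calcsize(FIXED)
    if len(header) != SALT_LEN + fixed_len + KEY_AREA:
        return None
    salt, encrypted = header[:SALT_LEN], header[SALT_LEN:]
    for prf, key_len in product(PRFS, KEY_LENS):
        header_key = hashlib.pbkdf2_hmac(prf, password, salt, ITERATIONS, key_len)
        plain = _xor_stream(header_key, encrypted)
        magic, version, checksum, created, modified = struct.unpack(
            FIXED, plain[:fixed_len])
        data_key = plain[fixed_len:fixed_len + key_len]
        # Condition 1: the verification string decrypts to the expected value.
        if not hmac.compare_digest(magic, MAGIC):
            continue
        # Condition 2: the checksum of the recovered data key matches the stored one.
        if zlib.crc32(data_key) != checksum:
            continue
        return {"prf": prf, "key_len": key_len, "version": version,
                "created": created, "modified": modified, "data_key": data_key}
    return None   # every combination failed: wrong password or damaged header


if __name__ == "__main__":
    hdr = create_header(b"correct horse", "sha512", 32)
    print(open_header(b"correct horse", hdr)["prf"])
    print(open_header(b"wrong password", hdr))
```

The CRC32 here only confirms that a trial decryption is the right one; it is not tamper protection, since anyone who holds the header key can recompute it.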
When loading the encrypted file system module, the encrypted file system loading module judges whether the input password is correct. If it is correct, it loads the encrypted file system module; otherwise, it does not. The encrypted file system unloading module unloads the encrypted file system module after receiving a command to close the related application or to unload the encrypted file system module.
The system decides whether to load the file system module according to the password the user enters, and loads it only when the password is correct. When the file system module is loaded, the digital content usage rights stored in the file system are read into computer memory. While the file system module is loaded, all operations on the usage rights associated with digital content, such as changes, deletions and additions, are performed on the usage rights read into memory and have nothing to do with the usage rights stored in the file system.
When the file system is unloaded, the usage rights currently associated with the digital content and held in computer memory are written back to the file system. After unloading, the user cannot access the encrypted file system.
The workflow of the security protection system for realizing the right to use digital content is described below with reference to the schematic diagram of the system in Fig. 2. The workflow comprises a preparation stage and a stage in which the digital content usage tool uses the digital content.
The preparation stage comprises:
1. Create an encrypted file system:
The encrypted file system can be based on a file or a free partition. The user first specifies a file name or a free partition, and the system builds an encrypted file system on that file or free partition. When creating the encrypted file system, the user enters the login password to be used when loading it and selects the generation algorithm for the file system header encryption key, the encryption algorithm for the file system data area, the data encryption mode, the size of the data encryption block, the key length and similar information. An encrypted file system is then created according to the selected information.
2. To load this encrypted file system, the user must first enter the correct login password. Only with the correct login password can the user access the file system; otherwise, the file system is invisible.
3. The control module first calls the encrypted file system loading module to load the encrypted file system. The user then accesses the content server and the license server respectively to obtain the copyright-protected digital content and the digital content usage rights. The control module writes the usage rights and digital content the user applied for into the encrypted file system, and calls the encrypted file system unloading module to unload the encrypted file system module.
4. When data is written to this encrypted file system, the encrypted file system module automatically encrypts and stores it; when data is read from this encrypted file system, it is automatically decrypted. The digital content usage rights are stored in this encrypted file system.
The stage in which the digital content usage tool uses the content comprises:
1. The control module first calls the encrypted file system loading module.
2. The encrypted file system loading module loads the encrypted file system.
3. The control module reads the usage rights associated with the digital content, which are stored in the encrypted file system, into computer memory.
4. When the digital content usage tool uses copyright-protected digital content, it must be determined whether the user has the corresponding usage right. The digital content usage tool therefore sends a request to the control module, asking it to judge whether the digital content has the corresponding right.
5. The control module obtains the usage rights from computer memory, judges according to the current context whether the digital content usage tool has the corresponding right, and returns the result to the digital content usage tool.
6. As the digital content usage tool uses the digital content, the usage rights associated with the digital content may change, for example the remaining usable time or the remaining number of uses. All such operations on usage rights are performed on the usage rights read into memory.
7. After the user has finished using the digital content and is about to exit the system, the control module writes the currently updated usage rights in computer memory back to the encrypted file system. Thus, even if the user exploits the window in which the file system is loaded and the usage rights in it are accessible in order to delete or alter those usage rights, this has no effect: after the file system is unloaded, what is stored in the file system is the latest usage-right information from computer memory, so the user's illegal operations on the usage rights do not take effect.
8. The control module calls the encrypted file system unloading module.
9. The encrypted file system unloading module unloads the encrypted file system.
The above is the complete workflow of the system.
Fig. 4 is a schematic diagram of how the present invention protects digital content usage rights. The invention distributes the protection of digital content usage rights across the application layer and the kernel layer of the operating system. In the kernel layer, an encrypted file system module is implemented that stores the digital content usage rights in encrypted form, ensures that only a user with the corresponding password can access the encrypted file system module, and performs real-time encryption and decryption for read and write operations on the digital content usage rights. In the application layer, the digital content usage rights are written into computer memory when the encrypted file system module is loaded, and the usage rights in computer memory are written into the encrypted file system provided by the encrypted file system module when the module is unloaded. The user therefore has no opportunity to delete or tamper with the digital content usage rights, or any deletion or tampering has no effect.
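The load, in-memory update and write-back cycle described above, modelled as an added example (not code from the patent). The dict `volume` standing in for the mounted encrypted file system, the `rights.json` name, the fields of a usage right and the `ControlModule` interface are assumptions.

```python
import json


class ControlModule:
    """Model of the page's control module. `volume` is a dict standing in for the
    mounted encrypted file system; "rights.json" is a hypothetical file name."""

    def __init__(self, volume):
        self.volume = volume
        self.rights = None          # in-memory usage rights; None while unloaded

    def load(self):
        # On load, the stored usage rights are read into memory once.
        self.rights = json.loads(self.volume["rights.json"])

    def authorize(self, content_id, action, now):
        """Decide from the in-memory rights and the current context, then update them."""
        if self.rights is None:
            raise RuntimeError("encrypted file system is not loaded")
        right = self.rights.get(content_id)
        if right is None or action not in right["actions"]:
            return False
        if now > right["expires"] or right["remaining"] <= 0:
            return False
        right["remaining"] -= 1     # usage changes the right, in memory only
        return True

    def unload(self):
        # On unload, the current in-memory state replaces whatever is stored.
        self.volume["rights.json"] = json.dumps(self.rights, sort_keys=True)
        self.rights = None


def run_session():
    """Constructed scenario: two plays allowed, the stored copy is edited mid-session."""
    original = {"song-1": {"actions": ["play"], "expires": 2000, "remaining": 2}}
    volume = {"rights.json": json.dumps(original)}
    control = ControlModule(volume)
    control.load()
    decisions = [control.authorize("song-1", "play", now=1000) for _ in range(2)]

    # While loaded, the stored file is overwritten with a more generous right.
    tampered = {"song-1": {"actions": ["play"], "expires": 9999, "remaining": 99}}
    volume["rights.json"] = json.dumps(tampered)

    # The decision still comes from memory, where no plays remain.
    decisions.append(control.authorize("song-1", "play", now=1000))
    control.unload()
    stored = json.loads(volume["rights.json"])["song-1"]
    return decisions, stored
```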
The specific embodiments described above further explain the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (15)

1. A security protection system for realizing the right to use digital content, characterized in that the system comprises:
a control module, configured to write digital content usage rights and digital content into, or read them from, the encrypted file system provided by the encrypted file system module, and to call the encrypted file system loading module or the encrypted file system unloading module; after the encrypted file system module is loaded, to write the digital content usage rights into computer memory and to update the usage rights in computer memory in real time according to the use of the digital content; and, before the encrypted file system module is unloaded, to write the updated usage rights in computer memory into the encrypted file system;
an encrypted file system module, configured to provide an encrypted file system that stores digital content usage rights and digital content, to encrypt the usage rights and digital content written into the encrypted file system, and to decrypt the usage rights and digital content read from the encrypted file system;
an encrypted file system loading module, configured to load the encrypted file system module so that the user can access the digital content usage rights and digital content stored in the encrypted file system provided by the encrypted file system module;
an encrypted file system unloading module, configured to unload the encrypted file system module so that the user cannot access the digital content usage rights and digital content stored in the encrypted file system provided by the encrypted file system module.

2. The security protection system for realizing the right to use digital content according to claim 1, characterized in that the control module is further configured to read the digital content usage rights stored in computer memory according to a request received from the content usage tool and to judge whether the digital content usage tool has the digital content usage right; if the digital content usage tool has the digital content usage right, the content usage tool is allowed to use the digital content usage right; otherwise, the content usage tool is not allowed to use the digital content usage right.

3. The security protection system for realizing the right to use digital content according to claim 1, characterized in that the control module is further configured to modify the digital content usage rights stored in computer memory according to a request received from the content usage tool.

4. The security protection system for realizing the right to use digital content according to claim 1, characterized in that the control module is further configured to change, delete, write or read the digital content usage rights stored in computer memory while the encrypted file system module is loaded.

5. The security protection system for realizing the right to use digital content according to claim 1, characterized in that the encrypted file system provided by the encrypted file system module comprises:
a file system header, used to store the random number Salt, the verification string, the file system header version, the checksum of the key, the file system creation and modification time, the reserved area and the data encryption key;
a data area, used to store digital content usage rights and digital content.

6. The security protection system for realizing the right to use digital content according to claim 5, characterized in that:
the random number Salt in the file system header is combined with the input login password to generate the file system header encryption key according to a certain key generation algorithm;
the verification string in the file system header is used, in the process of obtaining the data encryption key, to judge whether the tried combination of key generation algorithm, encryption algorithm, encryption mode, encryption block size and key length for the file system header encryption key is correct;
the file system header version in the file system header is used to ensure compatibility between the content written into the encrypted file system and the encrypted file system;
the checksum of the key in the file system header is used as follows: after a combination of key generation algorithm, encryption algorithm, encryption mode, encryption block size and key length for the file system header encryption key has been tried, a checksum is computed from the data encryption key obtained by decryption, and it is judged whether this checksum is consistent with the checksum of the key in the file system header, in order to judge whether the tried combination is correct;
the file system creation and modification time in the file system header indicates when the file system was created and modified;
the reserved area in the file system header is used for future extension;
the data encryption key in the file system header is used to encrypt the digital content usage rights and digital content stored in the data area.

7. The security protection system for realizing the right to use digital content according to claim 5, characterized in that the random number Salt in the file system header of the encrypted file system is not encrypted; the verification string, file system header version, checksum of the key, file system creation and modification time, reserved area and data encryption key in the file system header are encrypted; and the data area of the encrypted file system is encrypted with the data encryption key in the file system header, including the file names, folder names, file contents and free space of the data area.

8. The security protection system for realizing the right to use digital content according to claim 7, characterized in that the file system header of the encrypted file system is encrypted with a key generated from the input login password, the Salt and the key generation algorithm; the key generation algorithm adopts the general HMAC-RIPEMD-160, HMAC-SHA-1 or HMAC-WHIRLPOOL standard; and the Salt is used to increase the difficulty for an attacker of cracking the password offline.

9. The security protection system for realizing the right to use digital content according to claim 7, characterized in that the data area of the encrypted file system is encrypted with the data encryption key in the file system header, the data encryption key is generated by a random number generator, and the random number generator generates the data encryption key of the data area and the Salt.

10. The security protection system for realizing the right to use digital content according to claim 9, characterized in that the random number is generated by a general standard random number generation method or from a custom-selected random number source.

11. The security protection system for realizing the right to use digital content according to claim 10, characterized in that the custom-selected random number sources at least include: mouse movement, the time interval between keystrokes, the key values of keystrokes, the physical characteristics of the hard disk, the network characteristics of the network card, or the operating system timer.

12. The security protection system for realizing the right to use digital content according to claim 5, characterized in that:
when encrypting the digital content usage rights and digital content written into the encrypted file system, the encrypted file system module uses the data encryption key in the file system header to encrypt them;
when decrypting the digital content usage rights and digital content read from the encrypted file system, the encrypted file system module uses the data encryption key in the file system header to decrypt the content.

13. The security protection system for realizing the right to use digital content according to claim 12, characterized in that, when the encrypted file system module encrypts or decrypts digital content usage rights and digital content, it takes the input password and the Salt in the first 64 bytes of the file system header and tries, in turn, every combination allowed for the key generation algorithm, encryption algorithm, encryption mode, encryption block size and key length, judging whether the combination satisfies the following two conditions:
1) the file system header is decrypted with a combination of the above five items, and the decrypted verification string is the specific string originally specified, that is, the verification string stored in the file system header;
2) the checksum of the decrypted data encryption key equals the content of the key checksum in the file system header;
if both conditions are satisfied, the combination is correct and the input password is also correct; otherwise, the combination is incorrect;
if no combination is correct after all of them have been tried, the input password is incorrect.

14. The security protection system for realizing the right to use digital content according to claim 1, characterized in that, when loading the encrypted file system module, the encrypted file system loading module judges whether the input password is correct; if it is correct, it loads the encrypted file system module; otherwise, it does not load the encrypted file system module.

15. The security protection system for realizing the right to use digital content according to claim 1, characterized in that the encrypted file system unloading module unloads the encrypted file system module after receiving a command to close the related application or to unload the encrypted file system module.
CN200610112550A 2006-08-23 2006-08-23 A Security Protection System for Realizing the Right to Use Digital Content Active CN101132275B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610112550A CN101132275B (en) 2006-08-23 2006-08-23 A Security Protection System for Realizing the Right to Use Digital Content


Publications (2)

Publication Number Publication Date
CN101132275A CN101132275A (en) 2008-02-27
CN101132275B true CN101132275B (en) 2010-05-12

Family

ID=39129408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610112550A Active CN101132275B (en) 2006-08-23 2006-08-23 A Security Protection System for Realizing the Right to Use Digital Content

Country Status (1)

Country Link
CN (1) CN101132275B (en)


Also Published As

Publication number Publication date
CN101132275A (en) 2008-02-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant