
CN101166259B - Mobile phone TV service protection method, system, mobile phone TV server and terminal - Google Patents


Info

Publication number
CN101166259B
CN101166259B
Authority
CN
China
Prior art keywords
key
content
business cipher
message
cipher key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2006101505460A
Other languages
Chinese (zh)
Other versions
CN101166259A (en)
Inventor
张勤伟
李智斌
孙瑞囡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN2006101505460A
Priority to PCT/CN2007/070477
Publication of CN101166259A
Application granted
Publication of CN101166259B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/162Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N7/163Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/21Server components or server architectures
    • H04N21/214Specialised server platform, e.g. server located in an airplane, hotel, hospital
    • H04N21/2146Specialised server platform, e.g. server located in an airplane, hotel, hospital located in mass transportation means, e.g. aircraft, train or bus
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25866Management of end-user data
    • H04N21/25875Management of end-user data involving end-user authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26606Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing entitlement messages, e.g. Entitlement Control Message [ECM] or Entitlement Management Message [EMM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/45Management operations performed by the client for facilitating the reception of or the interaction with the content or administrating data related to the end-user or to the client device itself, e.g. learning user preferences for recommending movies, resolving scheduling conflicts
    • H04N21/462Content or additional data management, e.g. creating a master electronic program guide from data received from the Internet and a Head-end, controlling the complexity of a video stream by scaling the resolution or bit-rate based on the client capabilities
    • H04N21/4623Processing of entitlement messages, e.g. ECM [Entitlement Control Message] or EMM [Entitlement Management Message]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633Control signals issued by server directed to the network components or client
    • H04N21/6332Control signals issued by server directed to the network components or client directed to client
    • H04N21/6334Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key
    • H04N21/63345Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key by transmitting keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/65Transmission of management data between client and server
    • H04N21/658Transmission by the client directed to the server
    • H04N21/6581Reference data, e.g. a movie identifier for ordering a movie or a product identifier in a home shopping application
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/16Analogue secrecy systems; Analogue subscription systems
    • H04N7/167Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675Providing digital key or authorisation information for generation or regeneration of the scrambling sequence

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Computer Graphics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The method comprises the following steps: the mobile phone TV server encrypts the broadcast content with a content key (CCK), encrypts the CCK with a service key (SCK), and encrypts the SCK with a user key (UCK); the encrypted content and the encrypted CCK are broadcast over the broadcast channel, while the encrypted SCK is sent to the terminal over a point-to-point channel; the terminal decrypts the received encrypted SCK with the UCK to obtain the SCK, decrypts the received encrypted CCK with the SCK to obtain the CCK, and decrypts the encrypted content with the CCK to obtain the content. The invention also discloses a system for protecting the mobile phone TV service, a mobile phone TV terminal, and a smart card. It improves quality of service while keeping the burden on the terminal as low as possible, and increases the flexibility for further service development.

Description

Mobile phone TV service protection method, system, mobile phone TV server and terminal
Technical field
The present invention relates to the field of mobile phones, and in particular to a mobile phone TV service protection method, a mobile phone TV service protection system, a mobile phone TV server, a mobile phone TV terminal and a smart card.
Background technology
With the rapid development of information technology, mobile terminals are upgraded ever faster and the services carried on them grow ever richer. Today's mobile phones go far beyond making calls: they can take pictures, play music and so on, and mobile TV, as a brand-new service, is gradually being tested, trialled or commercially launched around the world.
Operating a mobile phone TV service usually requires a service protection mechanism. Service protection provides authorised access control, ensuring that only users who have subscribed to the mobile phone TV service can receive and present mobile TV programmes. The basic idea of service protection is a triple key delivery mechanism; specifically, the mobile phone TV server and the terminal each perform the following work:
Mobile phone TV server: 1. encrypts the content with a content key using a symmetric encryption algorithm, and broadcasts the encrypted content; 2. encrypts the content key with a service key (the "business cipher key" of the keywords above) using a symmetric encryption algorithm, and broadcasts the encrypted content key; 3. encrypts the service key with a user key using a symmetric or asymmetric encryption algorithm, and sends the encrypted service key over a point-to-point channel or the broadcast channel.
Terminal: 1. receives the encrypted service key, decrypts it with the user key, and obtains and stores the plaintext service key; 2. receives the encrypted content key and decrypts it with the service key obtained in step 1 to obtain the content key; 3. receives the encrypted content and decrypts it with the content key obtained in step 2 to obtain the content.
Before a terminal formally starts using the mobile phone TV service it must negotiate the user key with the server; the user key is generated separately at the terminal and at the server and is not transmitted over the point-to-point exchange channel.
Existing mobile TV systems fall mainly into two kinds: those based on terrestrial or satellite digital broadcasting technology, and those based on multimedia broadcast/multicast service (MBMS) technology, where MBMS is a service carried over a third-generation (3G) mobile network. The service protection mechanisms of the digital-broadcasting-based and the MBMS-based mobile TV systems are briefly described below.
1. Mobile TV system based on digital broadcasting technology
A mobile TV system based on digital broadcasting technology distributes content over a digital broadcast network, and so has an advantage in bandwidth and in the number of channels it can offer over an MBMS-based system, which runs on the mobile network. Service protection is implemented by the mechanism provided by the conditional access system of the digital broadcasting system. The three keys in the digital transmission process are the control word CW, the service key SK and the personal distribution key PDK, where CW corresponds to the content key, SK is the service key and PDK corresponds to the user key.
Referring to Figure 1, the conditional access system mainly comprises an encrypting front end and a conditional access terminal. The front end mainly comprises a control word generator, a scrambler, an entitlement control message generator ECMG, an entitlement management message generator EMMG, a multiplexer, a subscriber authorisation system SAS and a subscriber management system SMS. The control word generator produces a random scrambling/descrambling key CW according to a certain timing and sends it to the scrambler and the ECMG; the scrambler uses CW to scramble the video/audio programme stream in real time with the common scrambling algorithm and sends the scrambled stream out through the multiplexer; the ECMG encrypts CW with the service key SK, encrypts CW together with the access control condition AC information using the CA vendor's proprietary algorithm to generate the entitlement control message ECM, and sends the ECM out through the multiplexer; the EMMG encrypts SK and the subscriber management information with PDK to generate the entitlement management message EMM and sends the EMM out through the multiplexer. The subscriber management information is produced by the provider's subscriber management system and includes the user's name, address, smart card number, bills, purchased channel information, validity time and so on.
The terminal mainly comprises a demultiplexer, an entitlement management message decryptor, an entitlement control message decryptor and a descrambler. The demultiplexer receives the data stream sent by the front end and demultiplexes it; the entitlement management message decryptor decrypts the EMM in the stream using the EMM key (user private key) stored on the smart card; the entitlement control message decryptor decrypts the ECM in the stream using the ECM key (service key) stored on the smart card and sends the CW contained in the ECM to the descrambler; the descrambler uses CW to descramble the scrambled programme stream and restores the plaintext programme stream.
It can be seen that in a mobile TV system based on digital broadcasting technology the mobile phone TV server has to broadcast EMMs to all terminals, and each terminal must check whether each EMM is addressed to it. Because the transmission is a broadcast, the server cannot know whether a terminal has received its EMM, and to make sure that it does, the server has to send each terminal's EMM repeatedly. This sending mode consumes a great deal of broadcast channel bandwidth. Since EMMs are broadcast, every terminal receives every EMM, but each EMM is of use to only one terminal, so every terminal has to judge whether each EMM is addressed to it, which greatly increases the terminal's processing burden; moreover, even after a terminal has received its own EMM, the server does not know this and keeps retransmitting it, so the terminal has to process the same EMM repeatedly, which likewise increases its burden.
2. Mobile TV system based on MBMS technology
A mobile TV system based on MBMS technology delivers content over channels provided by the base station system. Because of bandwidth and frequency restrictions it offers fewer channels than a digital-broadcasting-based system, and the bandwidth of its broadcast channel is also smaller. Its service protection technology is based on the generic bootstrapping architecture (GBA) defined by the Third Generation Partnership Project 3GPP, and has the following basic characteristics:
1. the broadcast content is encrypted with the MBMS traffic key MTK using a symmetric encryption algorithm; 2. the MTK that is broadcast is encrypted with the MBMS service key MSK using a symmetric encryption algorithm; 3. the MSK, which is sent point-to-point, is encrypted with the GBA shared key MUK using a symmetric encryption algorithm; 4. through the GBA initialisation procedure the terminal and the network side negotiate the shared key MUK, which is generated separately at the terminal and at the network side and need not be transmitted over any channel. Here MTK corresponds to the content key, MSK is the service key and MUK corresponds to the user key.
The GBA initialisation procedure is the generic security authentication procedure defined by 3GPP; through it the terminal and the network side agree a shared key Ks, which is used as a key seed from which the keys needed by a particular application can be generated.
Referring to Figure 2, the GBA initialisation procedure mainly comprises the following steps:
Step 201: the terminal sends a key negotiation request, carrying the user identity, to the bootstrapping server function (BSF).
The BSF is a server on the network side; the user identity is the international mobile subscriber identity IMSI or the IMPI, etc. The terminal mainly comprises two parts, a transceiver unit and a smart card; the transceiver unit is mainly responsible for communication and data transfer with the BSF, while the smart card holds the secret key K preset by the operator, the user identity IMPI/IMSI, and certain security algorithms.
Step 202: on receiving the terminal's key negotiation request, the BSF obtains an authentication vector AV = RAND ‖ AUTN ‖ XRES ‖ CK ‖ IK from the authentication centre AuC.
Step 203: the BSF sends the RAND and AUTN from the authentication vector to the terminal.
AUTN lets the terminal authenticate the network; RAND is used by the terminal to generate the session keys and a response message, which it sends to the BSF so that the BSF can authenticate the terminal.
Step 204: on receiving the data sent by the BSF, the terminal authenticates AUTN using the smart card's built-in security algorithms and secret key K; once authentication passes, the terminal uses the secret key K and the random number RAND sent by the BSF to compute RES and the session keys IK and CK.
Step 205: the terminal carries RES in a response message and sends it to the BSF.
Step 206: on receiving the terminal's response message, the BSF authenticates the terminal by checking whether the RES carried in the response equals the XRES sent by the AuC, i.e. whether the user is legitimate, which amounts to checking whether the private information in the smart card is legitimate. If authentication passes, the BSF generates the GBA shared key Ks and a key identifier B-TID, and configures the lifetime of Ks, where Ks = CK ‖ IK.
Step 207: the BSF sends the B-TID and the lifetime information to the terminal.
Step 208: on receiving the B-TID and the lifetime information, the terminal generates Ks = CK ‖ IK from the IK and CK generated in step 204, and takes the B-TID and lifetime sent by the BSF as the key identifier and lifetime of the newly generated Ks.
Once Ks has been generated, the terminal and the BSF can go on to use Ks as a key seed to generate Ks_int_NAF and Ks_ext_NAF, the two keys used in the actual service flows. Applied to MBMS, Ks_int_NAF is called MUK and is used to encrypt the service key; Ks_ext_NAF is called MRK and is used for user identity authentication during service subscription and service key requests.
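The following is an added example that models steps 201 to 208 above as an exchange between a smart card, a terminal and a BSF backed by an AuC; it is not code from the patent or from 3GPP. The card's built-in security algorithms and the 3GPP key derivation are replaced by labelled HMAC-SHA256 stand-ins, AUTN is simplified to a MAC over RAND, and the B-TID format, the lifetime and the identities are constructed for the example.

```python
import hashlib
import hmac
import os


def _f(label, key, *parts):
    """Stand-in for the card's security algorithms and the 3GPP KDF: HMAC-SHA256
    keyed with K (or Ks) and domain-separated by a label (constructed here)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class AuC:
    """Authentication centre: knows the operator-preset secret K of each IMPI."""
    def __init__(self, subscribers):
        self.subscribers = subscribers  # IMPI -> K

    def authentication_vector(self, impi):
        k, rand = self.subscribers[impi], os.urandom(16)
        # AV = RAND || AUTN || XRES || CK || IK (AUTN simplified to a MAC over RAND)
        return {"RAND": rand, "AUTN": _f(b"autn", k, rand), "XRES": _f(b"res", k, rand),
                "CK": _f(b"ck", k, rand), "IK": _f(b"ik", k, rand)}


class BSF:
    """Bootstrapping server function on the network side."""
    def __init__(self, auc):
        self.auc, self.pending, self.sessions = auc, {}, {}

    def handle_request(self, impi):
        """Steps 202-203: fetch the AV from the AuC and challenge the terminal with RAND, AUTN."""
        av = self.auc.authentication_vector(impi)
        self.pending[impi] = av
        return av["RAND"], av["AUTN"]

    def handle_response(self, impi, res):
        """Step 206: compare RES with XRES; on success derive Ks = CK || IK, a B-TID and a lifetime."""
        av = self.pending.pop(impi, None)
        if av is None or not hmac.compare_digest(res, av["XRES"]):
            return None  # terminal authentication failed
        ks = av["CK"] + av["IK"]
        btid = av["RAND"].hex() + "@bsf.example"  # B-TID format is an assumption of this example
        self.sessions[btid] = (ks, 3600)  # lifetime in seconds, chosen for the example
        return btid, 3600


class SmartCard:
    """Holds the operator-preset secret K and the user identity IMPI."""
    def __init__(self, impi, k):
        self.impi, self.k = impi, k

    def authenticate_network(self, rand, autn):
        """Step 204: verify AUTN with K; only then compute RES and the session keys CK, IK."""
        if not hmac.compare_digest(autn, _f(b"autn", self.k, rand)):
            return None  # network authentication failed
        return _f(b"res", self.k, rand), _f(b"ck", self.k, rand), _f(b"ik", self.k, rand)


class Terminal:
    def __init__(self, card):
        self.card, self.ks, self.btid, self.lifetime = card, None, None, None

    def bootstrap(self, bsf):
        """Run steps 201-208 against a BSF; return True when Ks has been established."""
        rand, autn = bsf.handle_request(self.card.impi)      # steps 201-203
        result = self.card.authenticate_network(rand, autn)  # step 204
        if result is None:
            return False
        res, ck, ik = result
        reply = bsf.handle_response(self.card.impi, res)     # steps 205-206
        if reply is None:
            return False
        self.btid, self.lifetime = reply                     # step 207
        self.ks = ck + ik                                    # step 208: Ks = CK || IK
        return True


def naf_keys(ks, naf_id):
    """Derive Ks_int_NAF (MUK in MBMS) and Ks_ext_NAF (MRK) from the seed Ks and the
    NAF address; the HMAC construction stands in for the 3GPP key derivation."""
    return _f(b"int", ks, naf_id), _f(b"ext", ks, naf_id)


def run_bootstrap(k_card, k_auc):
    """Constructed run: returns (bootstrapped, terminal Ks, BSF Ks) for the given keys."""
    bsf = BSF(AuC({"user@ims.example": k_auc}))
    term = Terminal(SmartCard("user@ims.example", k_card))
    ok = term.bootstrap(bsf)
    bsf_ks = bsf.sessions[term.btid][0] if ok else None
    return ok, term.ks, bsf_ks
```

Both sides end with the same Ks without it ever crossing the channel, and a card whose K does not match the AuC's copy fails at the AUTN check in step 204 before any RES is sent.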
It can be seen that in a mobile TV system based on MBMS technology, negotiating the user key and delivering the service key over the mobile network's point-to-point channel is a relatively secure mechanism. However, it is constrained by the mobile network itself and has a significant drawback in content delivery: because the bandwidth a base station can provide is limited, it supports fewer channels than terrestrial digital broadcasting, and high-quality video needs more bandwidth, so the video quality of MBMS-based systems is poorer than that of terrestrial digital broadcasting; that is, the quality of service an MBMS-based mobile TV system provides is lower than that of a digital-broadcasting-based one.
Summary of the invention
In view of this, the object of the present invention is to provide a mobile phone TV service protection method, a mobile phone TV service protection system, a mobile phone TV server, a mobile phone TV terminal and a smart card that improve quality of service while reducing the terminal's burden as far as possible.
To achieve this object, the mobile phone TV service protection method provided by the invention is as follows:
The mobile phone TV server encrypts the broadcast content with a content key, encrypts the content key with a service key, and encrypts the service key with a user key; it broadcasts the encrypted content and the encrypted content key over the broadcast channel, determines the service key validity period according to the user's subscription relation, and sends the service key validity period and the encrypted service key to the terminal over a point-to-point channel;
The terminal decrypts the received encrypted service key with the user key to obtain the service key, decrypts the received encrypted content key with the service key thus obtained to obtain the content key, and decrypts the encrypted content with the content key thus obtained to obtain the content.
Before the mobile phone TV server encrypts the service key with the user key, the method further comprises: the terminal and the bootstrapping server function BSF negotiate the user key, and the mobile phone TV server obtains this terminal's user key from the BSF.
The method further comprises dividing the billing period into a sequence of time intervals according to the encryption period of the content key;
When the user is a monthly subscriber, the start of the service key validity period is the start of the billing period and its end is the end of the billing period;
When the user is a pay-per-view user, the start of the service key validity period is the lower bound of the time interval in which the programme starts, and its end is the upper bound of the time interval in which the programme stops.
When the mobile phone TV server broadcasts the encrypted content key over the broadcast channel, it further generates a content key identifier MTK_ID from the moment CW_ID at which the content key comes into force, and broadcasts MTK_ID to the terminal;
Before the terminal decrypts the received encrypted content key with the service key it obtained, it judges whether the content key identifier MTK_ID lies within the service key validity period; if so, it decrypts the received encrypted content key with the service key; otherwise it refuses to decrypt.
The content key identifier MTK_ID is the upper bound of the time interval in which the content key's effective moment CW_ID lies.
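The following is an added example, not code from the patent, that works the method just described end to end: the three-tier key chain, the validity period derived from the subscription relation, MTK_ID as the upper bound of the interval containing the key's effective moment, and the terminal's refusal to unwrap a content key whose MTK_ID is outside the period. The symmetric algorithm (a toy HMAC keystream), the message layouts, the class names and the timings in the scenario are all assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def _keystream(key, nonce, length):
    """Toy cipher: HMAC-SHA256 keystream in counter mode, standing in for the unspecified symmetric algorithm."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(12)  # fresh nonce per message, prefixed to the ciphertext (unauthenticated: toy only)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, ciphertext):
    nonce, body = ciphertext[:12], ciphertext[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def interval_bounds(t, period_start, enc_period):
    """Bounds of the interval containing t; intervals tile the billing period in steps of the encryption period."""
    lower = period_start + ((t - period_start) // enc_period) * enc_period
    return lower, lower + enc_period

def mtk_id(effective_time, period_start, enc_period):
    """MTK_ID is the upper bound of the interval in which the content key comes into force (CW_ID)."""
    return interval_bounds(effective_time, period_start, enc_period)[1]

def service_key_validity(user_type, period_start, period_end, enc_period, program=None):
    """Service-key validity period derived from the user's subscription relation."""
    if user_type == "monthly":
        return period_start, period_end
    if user_type == "pay_per_view":  # program = (start, stop) of the ordered programme
        start, stop = program
        return (interval_bounds(start, period_start, enc_period)[0],
                interval_bounds(stop, period_start, enc_period)[1])
    raise ValueError("unknown user type: %r" % user_type)

@dataclass
class ServiceKeyMessage:  # sent point-to-point, one per terminal
    enc_sk: bytes
    valid_from: int
    valid_to: int

@dataclass
class ContentKeyMessage:  # broadcast to every terminal
    mtk_id: int
    enc_ck: bytes

class Server:
    def __init__(self, period_start, period_end, enc_period):
        self.period_start, self.period_end, self.enc_period = period_start, period_end, enc_period
        self.sk = os.urandom(32)  # service key for this billing period

    def issue_service_key(self, uk, user_type, program=None):
        valid = service_key_validity(user_type, self.period_start, self.period_end, self.enc_period, program)
        return ServiceKeyMessage(encrypt(uk, self.sk), *valid)

    def issue_content_key(self, effective_time):
        ck = os.urandom(32)  # fresh content key (control word)
        return ContentKeyMessage(mtk_id(effective_time, self.period_start, self.enc_period), encrypt(self.sk, ck)), ck

class Terminal:
    def __init__(self, uk):
        self.uk, self.sk, self.validity = uk, None, None  # uk negotiated out of band (GBA in the patent)

    def receive_service_key(self, msg):
        self.sk = decrypt(self.uk, msg.enc_sk)
        self.validity = (msg.valid_from, msg.valid_to)

    def receive_content_key(self, msg):
        """Return the content key, or None (refuse) when MTK_ID lies outside the validity period."""
        if self.sk is None:  # no service key yet
            return None
        valid_from, valid_to = self.validity
        # MTK_ID names the end of the key's interval, so an id equal to valid_from belongs wholly
        # to the interval before the validity period; reading "within" this way is an interpretation.
        if not (valid_from < msg.mtk_id <= valid_to):
            return None
        return decrypt(self.sk, msg.enc_ck)

def run_scenario():
    """Constructed scenario: 30-day billing period, 10-minute encryption period, one monthly
    subscriber and one pay-per-view user who ordered the programme running from 3700 s to 7000 s."""
    server = Server(0, 30 * 86400, 600)
    uk_a, uk_b = os.urandom(32), os.urandom(32)
    monthly, ppv = Terminal(uk_a), Terminal(uk_b)
    monthly.receive_service_key(server.issue_service_key(uk_a, "monthly"))
    ppv.receive_service_key(server.issue_service_key(uk_b, "pay_per_view", program=(3700, 7000)))
    outcome = {}
    for t in (3000, 3605, 6900, 7200):  # moments at which successive content keys come into force
        msg, ck = server.issue_content_key(t)
        segment = encrypt(ck, b"segment at %d" % t)  # the broadcast content
        outcome[t] = {}
        for name, term in (("monthly", monthly), ("ppv", ppv)):
            key = term.receive_content_key(msg)
            outcome[t][name] = key is not None and decrypt(key, segment) == b"segment at %d" % t
    return outcome
```

In the scenario the pay-per-view terminal holds the same service key as the monthly one but recovers only the content keys whose MTK_ID falls in (3600, 7200], so the keys that come into force at 3000 s and 7200 s stay wrapped on that terminal.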
The corresponding method that is provided; the present invention also provides a kind of mobile phone TV services protection system; this system comprises: mobile phone TV server and mobile phone TV terminal; wherein; described mobile phone TV server comprises scrambler and cipher key management unit; described scrambler comprises control word maker and content-encrypt module, wherein
Described scrambler comprises control word maker and content-encrypt module, wherein,
The control word maker is used to generate content key, and the content key that generates is sent to cipher key management unit and content-encrypt module;
The content-encrypt module is used to receive the content key from the control word maker, and uses content key that broadcasted content is encrypted, and issues content after the encryption by broadcast channel broadcasting;
Described cipher key management unit comprises user key administration module, business cipher key administration module, content key message generating module and authorization control message builder, wherein,
The user key administration module is used for the leading subscriber key;
The business cipher key administration module, be used for the management service key, business cipher key is sent to the content key message generating module, and be used for obtaining user key from the user key administration module, use user key that business cipher key is encrypted, generation comprises the business cipher key message of encrypting the back business cipher key, and determine the business cipher key term of validity according to user's order relations, and in the business cipher key message that generates, further carry the business cipher key term of validity, and business cipher key message is sent to terminal by point-to-point passage;
The content key message generating module, be used to receive from the business cipher key of business cipher key administration module and from the content key of control word maker, use business cipher key that content key is encrypted, generation comprises the content key message of encrypting the back content key, and content key message is sent to the authorization control message builder;
The authorization control message builder is used to receive the content key message from the content key message generating module, and content key message is further packed, and generates authorization control message, and the authorization control message that generates is sent to scrambler;
Described scrambler is further used for receiving the authorization control message from the authorization control message builder, and issues the authorization control message of receiving by broadcast channel broadcasting;
Described terminal comprises smart card and Transmit-Receive Unit, wherein,
Smart card, be used for the leading subscriber key, and be used to receive encrypted service key from mobile phone TV server, use user key that the encrypted service key of receiving is decrypted the acquisition business cipher key, and be used to receive encrypted content key from mobile phone TV server, use the business cipher key that obtains that the encrypted content key of receiving is decrypted the acquisition content key, and the content key that obtains is sent to Transmit-Receive Unit;
Transmit-Receive Unit is used to receive from the content key of smart card and from the content after the encryption of mobile phone TV server, and the content after using the content key receive to the encryption of receiving is decrypted and obtains content expressly.
Described smart card comprises user key administration module, business cipher key administration module and content key deciphering module, wherein,
The user key administration module is used for the leading subscriber key;
The business cipher key administration module, be used to receive business cipher key message from mobile phone TV server, obtain user key from the user key administration module, business cipher key is decrypted the acquisition business cipher key after using user key to the encryption of carrying in the business cipher key message of receiving, and the business cipher key that obtains is sent to the content key deciphering module;
The content key deciphering module, be used to receive from the business cipher key of business cipher key administration module and from the content key message of Transmit-Receive Unit, and content key is decrypted the acquisition content key after using the business cipher key receive to the encryption of carrying in the content key message of receiving, and the content key that obtains is sent to Transmit-Receive Unit;
Described Transmit-Receive Unit comprises authorization control message resolution module, content decryption module and content revealing module, wherein,
The authorization control message resolution module is used to receive the authorization control message from mobile phone TV server, parses content key message from authorization control message, and the content key message that parses is sent to the content key deciphering module;
Content decryption module, be used to receive from the content key of content key deciphering module and from the content after the encryption of mobile phone TV server, the content of the content key that use is received after to the encryption of receiving is decrypted and obtains content expressly, and the content after will deciphering sends to the content revealing module;
The content revealing module is used to receive the content from content decryption module, and the content of receiving decoded represents.
Described scrambler is further used for determining that content key comes into force constantly after generating content key, and content key come into force sends to the content key message generating module constantly;
The content key that described content key message generating module is further used for receiving from scrambler comes into force constantly, and comes into force according to content key and to generate the content key sign constantly, and further carries the content key sign in the content key message that generates.
The content key deciphering module of described terminal is further used for obtaining the business cipher key term of validity from the business cipher key administration module of terminal, and judges that the content key sign of carrying in the content key message receive is whether in the business cipher key term of validity.
The present invention further provides a mobile TV server, comprising a scrambler and a key management unit, wherein:
The scrambler is configured to generate a content key, send the generated content key to the key management unit, encrypt broadcast content with the content key, and broadcast the encrypted content over the broadcast channel;
The key management unit is configured to manage user keys and service keys, encrypt the service key with the user key, deliver the encrypted service key over the point-to-point channel, receive the content key from the scrambler, encrypt the content key with the service key, determine the service key validity period from the user's subscription relationship, carry that validity period in the generated service key message, and broadcast the encrypted content key over the broadcast channel;
The determination of the service key validity period from the user's subscription relationship and its inclusion in the generated service key message are performed by the service key management module within the key management unit.
The scrambler comprises a control word generator and a content encryption module, wherein:
The control word generator is configured to generate the content key and send the generated content key to the key management unit and the content encryption module;
The content encryption module is configured to receive the content key from the control word generator, encrypt broadcast content with the content key, and broadcast the encrypted content over the broadcast channel;
The key management unit comprises a user key management module, a service key management module, a content key message generation module and an authorization control message generator, wherein:
The user key management module is configured to manage user keys;
The service key management module is configured to manage service keys, send the service key to the content key message generation module, obtain the user key from the user key management module, encrypt the service key with the user key, generate a service key message containing the encrypted service key, and deliver the service key message over the point-to-point channel;
The content key message generation module is configured to receive the service key from the service key management module and the content key from the control word generator, encrypt the content key with the service key, generate a content key message containing the encrypted content key, and send the content key message to the authorization control message generator;
The authorization control message generator is configured to receive the content key message from the content key message generation module, further package it into an authorization control message, and send the generated authorization control message to the scrambler;
The scrambler is further configured to receive the authorization control message from the authorization control message generator and broadcast the received authorization control message over the broadcast channel.
The scrambler is further configured to determine the effective time of the content key after generating it, and to send that effective time to the content key message generation module;
The content key message generation module is further configured to receive the effective time of the content key from the scrambler, generate the content key identifier from that effective time, and carry the content key identifier in the generated content key message.
The present invention further provides a mobile TV terminal, comprising a smart card and a transceiver unit, wherein:
The smart card comprises a user key management module, a service key management module and a content key decryption module, wherein:
The user key management module is configured to manage user keys;
The service key management module is configured to receive the service key message delivered point-to-point, obtain the user key from the user key management module, decrypt the encrypted service key carried in the received service key message with the user key to obtain the service key, and send the obtained service key to the content key decryption module;
The content key decryption module is configured to receive the service key from the service key management module and the content key message from the transceiver unit, obtain the service key validity period from the service key management module, determine whether the content key identifier carried in the received content key message lies within the service key validity period, and if so, decrypt the encrypted content key carried in the received content key message with the received service key to obtain the content key and send the obtained content key to the transceiver unit;
The transceiver unit comprises an authorization control message parsing module, a content decryption module and a content presentation module, wherein:
The authorization control message parsing module is configured to receive broadcast authorization control messages, parse the content key message out of each authorization control message, and send the parsed content key message to the content key decryption module;
The content decryption module is configured to receive the content key from the content key decryption module and the broadcast encrypted content, decrypt the received encrypted content with the received content key to obtain plaintext content, and send the decrypted content to the content presentation module;
The content presentation module is configured to receive content from the content decryption module and to decode and present the received content.
In addition, the present invention provides a smart card, comprising a user key management module, a service key management module and a content key decryption module, wherein:
The user key management module is configured to manage user keys;
The service key management module is configured to receive the service key message delivered point-to-point, obtain the user key from the user key management module, decrypt the encrypted service key carried in the received service key message with the user key to obtain the service key, and send the obtained service key to the content key decryption module;
The content key decryption module is configured to receive the service key from the service key management module and the content key message from the transceiver unit, obtain the service key validity period from the service key management module, determine whether the content key identifier carried in the received content key message lies within the service key validity period, and if so, decrypt the encrypted content key carried in the received content key message with the received service key to obtain the content key and send the obtained content key to the transceiver unit.
In summary, the present invention combines mobile TV protection based on conditional access with the 3GPP generic authentication architecture: content and content keys are broadcast over the digital broadcast network, while service keys are delivered point-to-point over the mobile network. This makes full use of the closed nature and security of the existing mobile network while avoiding its shortcomings of limited bandwidth, few available channels and poor video quality, so that service quality is improved while the burden on the terminal is kept as low as possible. Further, by setting a service key validity period, the invention allows different types of users, such as monthly subscribers and pay-per-view users, to receive the same service program at the same time, which increases the flexibility of service operation.
Description of drawings
Fig. 1 is a schematic structural diagram of a prior-art conditional access system.
Fig. 2 is a schematic flow chart of the prior-art GBA initialization procedure.
Fig. 3 is a schematic structural diagram of the mobile TV service protection system of the present invention.
Fig. 4 is a schematic diagram of one implementation structure of the mobile TV service protection system of the present invention.
Fig. 5 is a schematic diagram of the configuration of a complete mobile TV system of the present invention.
Fig. 6 is a flow chart of the mobile TV service protection method in an embodiment of the invention.
Fig. 7 is a schematic diagram of the HTTP digest authentication procedure in an embodiment of the invention.
Fig. 8 is a schematic diagram of the relationship between CW effective times, program broadcast times and time intervals in an embodiment of the invention.
Fig. 9 is a flow chart of the terminal receiving a service in an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The basic idea of the mobile TV service protection method provided by the invention is to combine mobile TV protection based on conditional access with the 3GPP generic authentication architecture: content and content keys are broadcast over the digital broadcast network, while service keys are delivered point-to-point over the mobile network.
That is, the mobile TV server encrypts broadcast content with a content key, encrypts the content key with a service key, encrypts the service key with a user key, broadcasts the encrypted content and the encrypted content key over the broadcast channel, and delivers the encrypted service key to the terminal over the point-to-point channel. The terminal decrypts the received encrypted service key with the user key to obtain the service key, decrypts the received encrypted content key with the obtained service key to obtain the content key, and decrypts the encrypted content with the obtained content key to obtain the content.
Corresponding to the mobile TV service protection method, the invention also provides a mobile TV service protection system. Referring to Fig. 3, the system comprises a mobile TV server and a mobile TV terminal.
The mobile TV server comprises a scrambler and a key management unit. The scrambler is configured to generate a content key, send the generated content key to the key management unit, encrypt broadcast content with the content key, and broadcast the encrypted content over the broadcast channel. The key management unit is configured to manage user keys and service keys, encrypt the service key with the user key, send the encrypted service key to the terminal over the point-to-point channel, receive the content key from the scrambler, encrypt the content key with the service key, and broadcast the encrypted content key over the broadcast channel.
The terminal comprises a smart card and a transceiver unit. The smart card is configured to manage the user key, receive the encrypted service key from the mobile TV server, decrypt the received encrypted service key with the user key to obtain the service key, receive the encrypted content key from the mobile TV server, decrypt the received encrypted content key with the obtained service key to obtain the content key, and send the obtained content key to the transceiver unit. The transceiver unit is configured to receive the content key from the smart card and the encrypted content from the mobile TV server, and to decrypt the received encrypted content with the received content key to obtain plaintext content.
A specific implementation structure of the mobile TV server and terminal of Fig. 3 is shown in Fig. 4: the scrambler comprises a control word generator and a content encryption module; the key management unit comprises a user key management module, a service key management module, a content key message generation module and an authorization control message generator (ECMG); the smart card comprises a user key management module, a service key management module and a content key decryption module; and the transceiver unit comprises an authorization control message parsing module (EECM), a content decryption module and a content presentation module. The function of each module and the connections between them are described in detail together with the method below.
The present invention also provides a mobile TV server and a mobile TV terminal whose structures correspond to the server and terminal of Fig. 3 respectively, and whose specific implementations may correspond to the server and terminal of Fig. 4 respectively; they are not described again one by one here.
In addition, the present invention provides a smart card whose structure corresponds to the smart card of Fig. 4; it is likewise not described again here.
In actual mobile TV service operation, a complete mobile TV system may include other logical entities in addition to the basic logical entities described above. For example, referring to Fig. 5, besides the key management unit and the scrambler, the mobile TV server also comprises a business logic processing module, a service management module, a subscription relationship management module, a multiplexer and other functional modules; the BSF is a standard component of the mobile network; and the content source is the content provider.
The business logic processing module acts as the scheduling module of the mobile TV server: it receives and processes user requests and coordinates the work of the functional modules. The service management module mainly manages each service offered by the service provider, such as maintaining service names and service prices, restricting subscription modes, and controlling billing periods. The subscription relationship management module mainly manages users' subscription relationships. The multiplexer mainly receives data streams from the scrambler, multiplexes them and sends them out. The other functional modules may include a charging entity, a database, and so on.
For ease of understanding, the mobile TV service protection method provided by the invention is described in detail below with reference to Fig. 3, Fig. 4 and Fig. 5. Referring to Fig. 6, the method mainly comprises the following steps:
Step 601: the terminal and the BSF negotiate a GBA shared key. The specific operations are identical to the existing GBA initialization procedure and are not repeated here.
Step 602: the user operates the terminal to send a service subscription request to the mobile TV server.
The service subscription request contains the service identifier ServiceID, and may also contain information such as the subscription date and the subscription type.
The mobile TV server may configure one service key MSK for each service and store the mapping between service and service key as <ServiceID, MSK_ID>, where MSK_ID is the service key identifier. Configuring service keys and storing this mapping may be performed by the service key management module of the mobile TV server.
Step 603: on receiving the service subscription request initiated by the terminal, the mobile TV server performs HTTP digest authentication of the user based on the GBA shared key. If authentication succeeds, step 604 is executed; otherwise the mobile TV server refuses to process the service and the procedure ends.
Step 604: the mobile TV server creates a subscription relationship for the user according to the received service subscription request.
For example, the created subscription relationship is <user ID, service identifier, subscription type, subscription date>. The user's subscription relationships are stored by the subscription relationship management module.
To ease the description of the subsequent flow, the data delivery process on the mobile TV server side is first described briefly.
After generating the content key CW, the control word generator in the scrambler sends the generated content key to the content key message generation module and the content encryption module. The content encryption module encrypts the broadcast content program stream with the content key received from the control word generator and broadcasts the encrypted content over the broadcast channel. The content key message generation module encrypts the content key received from the control word generator with the service key obtained from the service key management module, generates a content key message containing the encrypted content key, and sends the content key message to the authorization control message generator (ECMG). The ECMG further packages the content key message from the content key message generation module into an authorization control message (ECM) and sends the generated ECM to the scrambler. The scrambler broadcasts the ECM received from the ECMG over the broadcast channel.
Step 605: the terminal receives the encrypted content and the ECMs delivered by the mobile TV server. If it finds that it has no service key with which to decrypt the content key, it extracts MSK_ID from the ECM, generates a service key request message and sends it to the mobile TV server to request the service key. The service key request message may contain security parameters related to the GBA shared key.
Step 606: on receiving the service key request sent by the terminal, the mobile TV server performs HTTP digest authentication of the terminal based on the GBA shared key. If authentication succeeds, step 607 is executed; otherwise the procedure ends.
The HTTP digest authentication procedure here is essentially the same as that of Fig. 7 and is performed mainly by the user key management module of the mobile TV server; the only difference is that the service subscription request of Fig. 7 is replaced by the service key request. The detailed authentication procedure is not repeated here.
Step 607: the mobile TV server looks up the service key corresponding to the MSK_ID requested by the terminal, encrypts the service key with the GBA shared key MUK, generates a service key message, and delivers the generated service key message to the terminal point-to-point over the mobile network.
In addition, to support flexible service operation, the service key message may also carry a service key validity period. The detailed process is as follows:
After authentication succeeds, the user key management module reports the successful authentication result to the business logic processing module. On receiving it, the business logic processing module queries the subscription relationship management module for this user's subscription relationship, sends the obtained subscription relationship to the service key management module, and requests the service key management module to generate and send a service key message to the user. The service key management module retrieves the service key corresponding to the MSK_ID, which it generated earlier and maintains itself, determines the service key validity period from the subscription relationship, requests the GBA shared key MUK from the user key management module, and encrypts the service key with MUK to generate the service key message. The encryption follows the method specified by the MIKEY protocol, with MUK used as the pre-shared key described in MIKEY. The service key management module then delivers the generated service key message to the terminal point-to-point over the mobile network.
Step 608: on receiving the service key message, the terminal decrypts the encrypted service key carried in the received service key message with the GBA shared key MUK, obtains the service key and stores it.
Step 608 in detail: after the transceiver unit of the terminal receives the service key message, it forwards the received message to the service key management module in the smart card. The service key management module obtains the GBA shared key MUK from the user key management module of the terminal, decrypts the encrypted service key carried in the received service key message with MUK, and stores the resulting service key. If the service key message contains service key validity period information, the service key management module stores that validity period as well.
Step 609: on receiving an ECM, the terminal parses the content key message out of the ECM and decrypts the encrypted content key carried in the content key message with the obtained service key, obtaining the content key.
Step 610: the terminal decrypts the received encrypted content with the obtained content key, obtains the plaintext content, and is thus able to watch the subscribed service.
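The three-tier key hierarchy of steps 601 to 610, as an added example that is not part of the patent: the user key MUK wraps the service key MSK, the MSK wraps the content key CW carried in the ECM, and the CW encrypts the content. The wrap/unwrap primitive, the class and method names, and the keys and program stream are constructed stand-ins for the MIKEY/AES encryption the patent refers to.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a constructed toy primitive.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    # Encrypt-then-MAC; layout nonce(12) || ciphertext || tag(16). Stands in for
    # the MIKEY/AES wrapping the patent refers to; not a production cipher.
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class MobileTVServer:
    """Key management unit plus scrambler, as seen from steps 604 to 609."""

    def __init__(self) -> None:
        self.muk = {}               # B-TID -> MUK (GBA shared key, step 601)
        self.services = {}          # ServiceID -> (MSK_ID, MSK)
        self.subscriptions = set()  # (B-TID, ServiceID) subscription relationships

    def configure_service(self, service_id: str) -> None:
        # One MSK per service; the <ServiceID, MSK_ID> mapping is kept here.
        self.services[service_id] = ("MSK-" + service_id, secrets.token_bytes(32))

    def issue_service_key(self, btid: str, msk_id: str) -> bytes:
        # Point-to-point MSK message: MSK wrapped under the requesting user's MUK,
        # only if a subscription exists for the service that owns MSK_ID.
        for service_id, (sid, msk) in self.services.items():
            if sid == msk_id and (btid, service_id) in self.subscriptions:
                return wrap(self.muk[btid], msk, aad=msk_id.encode())
        raise PermissionError("no subscription covers " + msk_id)

    def broadcast(self, service_id: str, content: bytes, mtk_id: int) -> tuple:
        # Scrambler: a fresh CW for this encryption period, content under the CW,
        # and an ECM carrying MSK_ID, MTK_ID and the CW wrapped under the MSK.
        msk_id, msk = self.services[service_id]
        cw = secrets.token_bytes(16)
        tag = (msk_id + ":" + str(mtk_id)).encode()
        ecm = {"MSK_ID": msk_id, "MTK_ID": mtk_id, "enc_cw": wrap(msk, cw, aad=tag)}
        return wrap(cw, content, aad=str(mtk_id).encode()), ecm


class Terminal:
    """Smart card (MUK, MSK store, unwrapping) plus transceiver (content decryption)."""

    def __init__(self, btid: str, muk: bytes) -> None:
        self.btid, self._muk, self._msks = btid, muk, {}

    def missing_service_key(self, ecm: dict):
        # Step 605: the ECM names the MSK_ID the terminal lacks, if any.
        return None if ecm["MSK_ID"] in self._msks else ecm["MSK_ID"]

    def receive_service_key(self, msk_id: str, message: bytes) -> None:
        # Step 608: the smart card unwraps the MSK under MUK and stores it.
        self._msks[msk_id] = unwrap(self._muk, message, aad=msk_id.encode())

    def decrypt_content(self, enc_content: bytes, ecm: dict) -> bytes:
        # Steps 609-610: smart card unwraps the CW, transceiver decrypts the content.
        tag = (ecm["MSK_ID"] + ":" + str(ecm["MTK_ID"])).encode()
        cw = unwrap(self._msks[ecm["MSK_ID"]], ecm["enc_cw"], aad=tag)
        return unwrap(cw, enc_content, aad=str(ecm["MTK_ID"]).encode())


def run_flow(subscribed: bool = True) -> bytes:
    # End-to-end walk-through with constructed keys and a constructed program stream.
    server, muk = MobileTVServer(), secrets.token_bytes(32)
    server.muk["btid-alice"] = muk
    server.configure_service("news")
    if subscribed:
        server.subscriptions.add(("btid-alice", "news"))
    terminal = Terminal("btid-alice", muk)
    enc_content, ecm = server.broadcast("news", b"constructed program stream", 41760)
    needed = terminal.missing_service_key(ecm)
    if needed is not None:
        terminal.receive_service_key(needed, server.issue_service_key("btid-alice", needed))
    return terminal.decrypt_content(enc_content, ecm)
```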
The HTTP digest authentication procedure of step 603 is performed mainly by the user key management module of the mobile TV server. Referring to Fig. 7, it mainly comprises the following steps:
Step 701: the terminal sends a service subscription request to the mobile TV server.
The service subscription request may contain security parameters related to the GBA shared key, such as the B-TID and a hash value response generated with the MD5 algorithm, where response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]. The response parameter is the basis on which the server authenticates the user; when it is generated, the B-TID is used as the username and the MRK as the password. For the detailed computation of the response parameter and the meaning of the other parameters, refer to the IETF standard RFC 2617, HTTP Authentication: Basic and Digest Access Authentication; they are not described in detail here.
Step 702: after the business logic processing module in the mobile TV server receives the service subscription request sent by the terminal, it forwards the received request to the user key management module. The user key management module determines whether the received service subscription request contains security parameters related to the GBA shared key. If so, step 706 is executed; otherwise, step 703 is executed.
Step 703: if the service subscription request does not contain these parameters, authentication fails. If the user key management module finds from the client software information in the service subscription request that the terminal supports HTTP digest authentication based on the GBA shared key, it returns an Unauthorized response message to the terminal, requiring the terminal to authenticate again using the HTTP digest authentication mechanism based on the GBA shared key.
Step 704: on receiving the Unauthorized response message, the terminal regenerates the service subscription request. The Authorization header of this request message follows the HTTP digest rules and contains the parameters B-TID and response.
Step 705: the terminal sends the service subscription request regenerated in step 704 to the mobile TV server.
Step 706: on receiving the service subscription request, the user key management module of the mobile TV server finds the corresponding MRK according to the B-TID carried in the request, and generates a response using the same mechanism the terminal used to generate response in step 701.
If the user key management module does not find the user keys (MUK, MRK and so on) corresponding to the B-TID in the data it holds, or the stored user keys have expired, it sends a request for new user keys to the BSF in order to obtain the user keys. This request contains the B-TID so that the BSF can find the corresponding user keys.
The BSF is a standard component: as long as the interface between the user key management module and the BSF follows the interface between the network application function (NAF) and the BSF described in the 3GPP standard specification 3GPP TS 24.109 V7.1.0, Bootstrapping interface (Ub) and network application function interface (Ua), the user key management module can communicate with the BSF. The GBA shared keys stored by the user key management module are used for authentication or for encrypting the service key in subsequent service flows.
Step 707: the service key management module determines whether the response it generated is identical to the response sent by the terminal. If so, the B-TID and MRK stored by the terminal match the B-TID and MRK maintained by the user key management module, the user is legitimate, authentication succeeds, and step 708 is executed; otherwise the terminal is an illegitimate terminal, the service key management module refuses to process the service for this terminal, and the procedure ends.
After the user key management module has authenticated the user, the subscription relationship management module generates and stores a subscription relationship for this user.
Step 708: the user key management module returns an authentication success response message to the terminal; this message contains the Authentication-Info header with the response-auth (rspauth) parameter.
Step 709: the terminal verifies the received authentication success response message, i.e. verifies the response-auth parameter; for the detailed verification method refer to RFC 2617, which is not repeated here. This step is optional.
In step 708 the user key management module may also carry the service key in the authentication success response message sent to the terminal, so that the terminal need not request the service key from the mobile TV server again when decrypting the subscribed service. The service key is delivered point-to-point over the mobile network and is encrypted with MUK before delivery; the encryption follows the IETF standard RFC 3830, MIKEY: Multimedia Internet KEYing, with MUK used as the pre-shared key described in that standard.
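The HTTP digest exchange of steps 701 to 709 with the B-TID as username and the MRK as password, as an added example that is not the patent's or Huawei's code. The realm, the B-TID/MRK values, the request dictionaries and the bsf_lookup callable standing in for the BSF interface are constructed assumptions; the digest arithmetic itself is RFC 2617 qop=auth.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, nonce, nc, cnonce, qop, method, uri) -> str:
    """response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)];
    in the patent's scheme username is the B-TID and password is the MRK."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def response_auth(username, password, realm, nonce, nc, cnonce, qop, uri) -> str:
    """rspauth for the Authentication-Info header: as above, but HA2 = MD5(":" URI)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f":{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class UserKeyManager:
    """Server-side user key management module (steps 702 to 708)."""

    REALM = "mobiletv.example"  # constructed realm

    def __init__(self, bsf_lookup):
        # bsf_lookup stands in for the request to the BSF: B-TID -> (MUK, MRK) or None.
        self.bsf_lookup = bsf_lookup
        self.keys = {}       # cached GBA keys per B-TID
        self.nonces = set()  # outstanding challenges

    def handle(self, request: dict) -> dict:
        auth = request.get("Authorization")
        if auth is None:                                   # step 703: challenge
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            return {"status": 401, "WWW-Authenticate": {
                "realm": self.REALM, "nonce": nonce, "qop": "auth"}}
        btid = auth["username"]
        if btid not in self.keys:                           # fetch MUK/MRK from the BSF
            fetched = self.bsf_lookup(btid)
            if fetched is None:
                return {"status": 401, "reason": "unknown B-TID"}
            self.keys[btid] = fetched
        if auth["nonce"] not in self.nonces:
            return {"status": 401, "reason": "stale nonce"}
        _muk, mrk = self.keys[btid]
        expected = digest_response(btid, mrk, self.REALM, auth["nonce"], auth["nc"],
                                   auth["cnonce"], auth["qop"], request["method"], auth["uri"])
        if not hmac.compare_digest(expected, auth["response"]):  # step 707
            return {"status": 401, "reason": "digest mismatch"}
        self.nonces.discard(auth["nonce"])                  # single-use nonce
        rspauth = response_auth(btid, mrk, self.REALM, auth["nonce"], auth["nc"],
                                auth["cnonce"], auth["qop"], auth["uri"])
        return {"status": 200, "Authentication-Info": {"rspauth": rspauth}}


class TerminalClient:
    """Terminal side (steps 701, 704, 705 and the optional 709)."""

    def __init__(self, btid: str, mrk: str):
        self.btid, self.mrk = btid, mrk

    def order(self, server: UserKeyManager, service_id: str) -> bool:
        request = {"method": "POST", "uri": "/order", "ServiceID": service_id}
        reply = server.handle(request)                      # first attempt, no credentials
        if reply.get("status") != 401 or "WWW-Authenticate" not in reply:
            return False
        chal = reply["WWW-Authenticate"]
        nc, cnonce = "00000001", secrets.token_hex(8)
        request["Authorization"] = {
            "username": self.btid, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": request["uri"], "qop": chal["qop"], "nc": nc, "cnonce": cnonce,
            "response": digest_response(self.btid, self.mrk, chal["realm"], chal["nonce"],
                                        nc, cnonce, chal["qop"], request["method"],
                                        request["uri"])}
        reply = server.handle(request)                      # step 705
        if reply.get("status") != 200:
            return False
        expected = response_auth(self.btid, self.mrk, chal["realm"], chal["nonce"],
                                 nc, cnonce, chal["qop"], request["uri"])
        return hmac.compare_digest(reply["Authentication-Info"]["rspauth"], expected)
```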
The service key validity period mentioned above is the period during which the service key may be used to decrypt content keys. The service key management module controls the lifetime of a service key by setting its validity period; the validity period is set when the service key is issued and is delivered together with the service key message. The length of a service key validity period depends on how many programs of the same service the service key is used to decrypt: if one service key decrypts all programs of the whole service, its validity period must cover the broadcast time of all programs of that service; if the service key decrypts only one program of the service, its validity period is the scheduled broadcast duration of that program. The reason for this configuration is that, when the service is operated, a program in a monthly subscription service can also be offered to users for pay-per-view consumption at the same time.
The service key validity period may be expressed in absolute time. If a service key decrypts all programs in a billing period, its validity range is <billing period start, billing period end>. For example, a validity range of <20060801000000, 20060831235959> means the service key became effective at 00:00:00 on 1 August 2006 and expired at 24:00 on 31 August 2006, i.e. it can decrypt all programs of this service between 00:00 on 1 August 2006 and 24:00 on 31 August 2006. If the service key decrypts one program of the service, that is the pay-per-view case, its validity range is <subscribed program start, subscribed program end>.
When the terminal attempts to decrypt a content key with the service key, it must check whether the current time lies within the service key validity period. If not, the smart card refuses to decrypt the content key and stops the decryption process, and the decryption and decoding of the content also stop. The security of this approach relies on a time synchronization mechanism between the terminal and the mobile TV server, which the existing synchronization mechanism of the 3G mobile network can provide.
Another way to set the service key validity period is to map it onto an interval of MTK_IDs, where MTK_ID is a monotonically increasing sequence number. Specifically: the service management module determines the length of the billing period; the scrambler determines the encryption period of the content key CW, i.e. how long each CW is used to encrypt content, and informs the service key management module; and the service key management module divides the billing period into a number of time intervals of one CW encryption period each.
Since the scrambler cannot guarantee that the encryption period of each CW coincides exactly with a time interval at the terminal, the service key validity period is generated according to the following rule:
Service key validity period start = lower bound of the time interval in which the program starts;
Service key validity period end = upper bound of the time interval in which the program ends.
If the service key decrypts all programs within the whole billing period, then:
Service key validity period start = billing period start;
Service key validity period end = billing period end.
After the scrambler generates a CW, it must determine CW_ID, the effective time of that CW, which is the moment the scrambler starts encrypting content with it. The scrambler then sends CW_ID together with the CW to the content key message generation module, which generates the content key identifier MTK_ID from CW_ID. MTK_ID is used by the terminal when decrypting content to look up the corresponding content key CW, and by the smart card to decide whether the stored service key may decrypt the content key with this identifier, that is, whether MTK_ID lies within the service key validity period: if so, the smart card decrypts the content key with the service key; if not, the smart card stops the decryption process.
CW_ID is a UTC time, and the scrambler computes the effective time of each CW from the program schedule and the CW encryption period. Since the broadcast time of every program is scheduled in advance, the program duration can be computed from its scheduled start and end times, and since the CW encryption period is configurable, the number of CWs used during a program is the program duration divided by the CW encryption period. For a scheduled program, the effective time of the first CW used to encrypt it is the moment the program starts broadcasting, and the effective time of each subsequent CW is the effective time of the previous CW plus the CW encryption period, that is $T_n = T_{n-1} + \text{CW encryption period}$, $n = 2, 3, 4, \ldots$, where $T_n$ is the effective time of the $n$-th CW and $T_1$ is the program start time. Note that because the CW effective time is a UTC time while the CW encryption period is counted in seconds, $T_n = T_{n-1} + \text{CW encryption period}$ is a schematic formula: computing $T_{n-1} + \text{CW encryption period}$ requires converting between the two time representations.
In addition, the method that generates MTK_ID according to CW_ID also has a variety of, such as, directly use CW_ID as MTK_ID; Perhaps, form after the use CW_ID conversion is as MTK_ID, after receiving the CW and CW_ID that scrambler sends as the content key message generating module, judge it is in that CW comes into force constantly for which time interval, the higher limit of using the place time interval then is as MTK_ID, i.e. the MTK_ID=CW higher limit of place time interval constantly that comes into force.
Figure 8 shows that CW comes into force constantly, playing programs time and time interval concern schematic diagram, wherein, article one, line is represented coming into force constantly of each CW, the second line is represented the playing programs time, the 3rd line express time interval, as seen, second CW's comes into force moment point between two time points of t1, t2, promptly be positioned at second time interval of whole metering period, therefore desirable MTK_ID=2 similarly can also determine other MTK_ID.The playing programs time among Fig. 8 is since second time interval, finishes at the 5th time interval, can decipher the CW that all encrypt this program in order to guarantee business cipher key, and the business cipher key term of validity is t1-t5, and business cipher key can be untied MTK_ID=2,3,4,5 CW.Wherein, t1 is exactly the lower limit between the program location zero hour, and t5 is exactly the lower limit between the program location finish time.
Before issuing, business cipher key needs to generate business cipher key message, the business cipher key message format that ginseng is shown in Table 1, can use the mode of describing in the ietf standard tissue suggestion rfc3830MIKEY agreement to encapsulate key and relevant parameter, institutional framework detailed description about business cipher key message can be with reference to the rfc3830 standard document, and the data field of only the present invention being correlated with stresses here.
Common HDR
MSK_ID
TS
MIKEY RAND
IDi
IDr
{SP}
KEMAC
Table 1
Common HDR: the common header required by every MIKEY message;
MSK_ID: this field is an extension to the MIKEY protocol and carries the service key identifier;
TS: Time Stamp, used to prevent replay attacks and repeated reception of MIKEY messages;
MIKEY RAND: a random number generated by the service key module, used together with the KEMAC key data to derive the encryption key and the authentication key;
IDi: identity of the message sender;
IDr: identity of the message receiver;
KEMAC: carries the service key, the service key validity period and the authentication code of this service key message. KEMAC is usually placed as the last field of the whole MIKEY message; its structure is shown in Table 2:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!Next payload !Encr alg !Encr data len !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Encr data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!Mac alg ! MAC ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Table 2
Next payload: indicates the payload of the next data field, again following the MIKEY protocol;
Encr alg: indicates the encryption algorithm used;
Encr data len: indicates the length of the encrypted data part;
Encr data: carries the encrypted service key, the service key validity period and some related parameters;
Mac alg: indicates the message authentication algorithm;
Mac: holds the service key message authentication code, used to verify the integrity of this service key message. The Mac is computed with the HMAC-SHA-1 algorithm after the whole MIKEY message has been encapsulated, and is stored in the Mac field.
The structure of Encr data is shown in Table 3:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next payload !Type !KV !Key data len !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!Salt len (optional) !Salt data (optional) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! KV data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Table 3
Next payload: indicates the payload of the next data field;
Type: indicates the type of key contained; Type = 2 denotes a key. The type values are those specified by the MIKEY protocol, to which refer for details;
KV: indicates the type of validity period; KV = Interval denotes that the validity period is a time interval;
Key data len: length of the encrypted key data;
Key data: the encrypted key data, which here contains the encrypted service key;
Salt data, Salt len: optional random number and its length, not needed by the present invention;
KV data: the service key validity period, consisting of a pair of lower and upper time limits.
The structure of KV data is shown in Table 4:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!VF Length !Valid From ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!VT Length !Valid To (expires) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Table 4
VF length: length of the validity start time;
Valid From: validity start time, e.g. the lower limit of the service key validity interval (in standard time form or sequence number form);
VT length: length of the validity end time;
Valid To: validity end time, e.g. the upper limit of the service key validity interval (in standard time form or sequence number form).
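As an added illustration, not part of the patent text, the following Python encodes and parses the KEMAC, key data and KV data layouts of Tables 2 to 4. The field widths and code points are those of RFC 3830 (Type and KV share one octet, Key data len is 16 bits, VF/VT Length are 8 bits); the key bytes are treated as already encrypted, since the cipher itself is outside this example, and all sample values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Code points as assigned by RFC 3830 (the page names "KV = Interval" and "Type = 2").
KV_NULL, KV_SPI, KV_INTERVAL = 0, 1, 2
ENCR_AES_CM_128 = 1
MAC_HMAC_SHA_1_160 = 1
MAC_LEN = {0: 0, MAC_HMAC_SHA_1_160: 20}   # expected MAC size per Mac alg


@dataclass
class KeyValidity:
    """Table 4: lower/upper limit pair, in time form or MTK_ID sequence-number form."""
    valid_from: bytes
    valid_to: bytes


@dataclass
class KeyData:
    """Table 3: the layout carried inside Encr data."""
    next_payload: int
    key_type: int
    kv_type: int
    key: bytes                      # encrypted key bytes (cipher not shown here)
    kv: Optional[KeyValidity] = None


@dataclass
class Kemac:
    """Table 2."""
    next_payload: int
    encr_alg: int
    encr_data: bytes
    mac_alg: int
    mac: bytes


def encode_kv_data(kv: KeyValidity) -> bytes:
    # VF Length(8) | Valid From | VT Length(8) | Valid To
    return (bytes([len(kv.valid_from)]) + kv.valid_from
            + bytes([len(kv.valid_to)]) + kv.valid_to)


def decode_kv_data(buf: bytes, off: int):
    vf_len = buf[off]
    valid_from = buf[off + 1:off + 1 + vf_len]
    off += 1 + vf_len
    vt_len = buf[off]
    valid_to = buf[off + 1:off + 1 + vt_len]
    off += 1 + vt_len
    if len(valid_from) != vf_len or len(valid_to) != vt_len:
        raise ValueError("truncated KV data")
    return KeyValidity(valid_from, valid_to), off


def encode_key_data(kd: KeyData) -> bytes:
    # Next payload(8) | Type(4) | KV(4) | Key data len(16) | Key data | [KV data]
    if kd.kv_type == KV_INTERVAL and kd.kv is None:
        raise ValueError("KV = Interval requires KV data")
    out = struct.pack("!BBH", kd.next_payload,
                      (kd.key_type << 4) | kd.kv_type, len(kd.key)) + kd.key
    if kd.kv_type == KV_INTERVAL:
        out += encode_kv_data(kd.kv)
    return out


def decode_key_data(buf: bytes) -> KeyData:
    next_payload, type_kv, key_len = struct.unpack_from("!BBH", buf, 0)
    key = buf[4:4 + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key data")
    kv, off, kv_type = None, 4 + key_len, type_kv & 0x0F
    if kv_type == KV_INTERVAL:
        kv, off = decode_kv_data(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after key data")
    return KeyData(next_payload, type_kv >> 4, kv_type, key, kv)


def encode_kemac(k: Kemac) -> bytes:
    # Next payload(8) | Encr alg(8) | Encr data len(16) | Encr data | Mac alg(8) | MAC
    return (struct.pack("!BBH", k.next_payload, k.encr_alg, len(k.encr_data))
            + k.encr_data + bytes([k.mac_alg]) + k.mac)


def decode_kemac(buf: bytes) -> Kemac:
    next_payload, encr_alg, encr_len = struct.unpack_from("!BBH", buf, 0)
    encr_data = buf[4:4 + encr_len]
    if len(encr_data) != encr_len:
        raise ValueError("truncated Encr data")
    off = 4 + encr_len
    mac_alg, mac = buf[off], buf[off + 1:]
    expected = MAC_LEN.get(mac_alg)
    if expected is not None and len(mac) != expected:
        raise ValueError("MAC length does not match Mac alg")
    return Kemac(next_payload, encr_alg, encr_data, mac_alg, mac)


def well_formed(decoder, buf: bytes) -> bool:
    """True if decoder accepts buf; rejects truncated or padded payloads."""
    try:
        decoder(buf)
        return True
    except (ValueError, IndexError, struct.error):
        return False
```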
After the transceiver unit of the terminal receives the MIKEY message issued by the mobile TV server, it forwards the received MIKEY message to the smart card. The smart card first determines the type of the received MIKEY message: if the MIKEY message contains both MSK_ID and MTK_ID, it is a content key message; if it contains only MSK_ID, it is a service key message. Having determined that the MIKEY message is a service key message, the smart card generates the user key identifier MUK_ID from IDi and IDr, extracts the Mac authentication code from KEMAC and performs the message integrity check. If verification fails, the smart card discards the message and returns a failure response to the transceiver unit; if it succeeds, the smart card reads the MUK corresponding to MUK_ID, uses the MUK to decrypt the encrypted service key and the service key validity KV data in KEMAC, obtains the MSK and the service key validity period, and stores them together.
After the content key message generating module generates the content key identifier MTK_ID from CW_ID, it encrypts the content key CW with the service key and packages it into a content key message. The content key message format is shown in Table 5; the encryption mode and encapsulation format can follow the approach recommended in the RFC 3830 standard.
Common HDR
MSK_ID
MTK_ID
TS
KEMAC
Table 5
Common HDR: the MIKEY message common header;
MSK_ID: identifier of the service key used to encrypt the CW;
MTK_ID: the content key identifier, corresponding to a particular CW;
TS: timestamp, which prevents replay attacks and lets the terminal avoid processing the same content key message twice;
KEMAC: the content key and the authentication code of this content key message.
Unlike the KEMAC of the service key message, the KEMAC of the content key message carries no validity information for the CW. The KEMAC structure of the content key message is shown in Table 6:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!Next payload !Encr alg !Encr data len !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Encr data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!Mac alg ! MAC ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Table 6
Next payload: indicates the payload of the next data field;
Encr alg: indicates the encryption algorithm used;
Encr data len: indicates the length of the encrypted data part;
Encr data: carries the content key CW encrypted with the service key MSK and some related parameters;
Mac alg: indicates the message authentication algorithm;
Mac: holds the content key message authentication code, used to verify the integrity of this content key message.
The structure of Encr data is shown in Table 7:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next payload !Type !KV !Key data len !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Table 7
Next payload: indicates the payload of the next data field;
Type: indicates the type of key contained; Type = 2 denotes a key. The type values are those specified by the MIKEY protocol, to which refer for details;
KV: validity period type; since the content key has no validity period, this value is 0 in the content key message, as specified in the standard;
Key data len: length of the encrypted key data;
Key data: the encrypted key data.
After the content key message generating module generates the content key message, it sends the message to the authorization control message generator ECMG. ECMG further packages the content key message into an authorization control message ECM that the multiplexer can multiplex, and sends the generated ECM message to the scrambler. The process by which ECMG generates ECM messages is the same as in a conditional access system and is not repeated here.
The interface between ECMG and the scrambler belongs to the prior art: there, the CW generated by the scrambler is sent directly to ECMG, and the ECM generated by ECMG is returned to the scrambler. The present invention keeps both interfaces, except that the CW provisioning interface now connects the scrambler to the content key message generating module, and the ECM return interface connects ECMG to the scrambler. Communication over these interfaces first establishes a communication channel and then a stream, both steps serving the purpose of sending data. In the present invention the scrambler sends the CW and CW_ID to the content key message generating module in a CW_provision message, and after generating the ECM, ECMG returns it to the scrambler in an ECM_response message.
The scrambler uses the content key CW to scramble program content. Program broadcasting is scheduled in advance and carried out strictly in chronological order, so the time at which a CW is used to encrypt program content must match as closely as possible the CW effective time that the scrambler reported to the mobile TV service platform, with an error of no more than one CW encryption period; the synchronization mechanism of the existing conditional access system can guarantee this. Otherwise, after receiving the encrypted content, the terminal could not decrypt and play it, or could not decrypt and play a complete program. How to ensure that the terminal obtains the ECM in time and uses the CW from the correct ECM to decrypt program content belongs to the prior art of conditional access systems. During broadcasting, the scrambler packages the program content and the corresponding ECM messages into an MPEG-2 TS stream, which is multiplexed by the multiplexer and broadcast to the terminal.
The process by which the terminal receives the service after obtaining the service key is described in more detail below with reference to Figure 9; it mainly comprises the following steps:
Step 901: after the transceiver unit of the terminal receives the broadcast MPEG-2 TS stream, the demultiplexer demultiplexes it to obtain program content data and ECM messages; the program content is buffered, and the ECM parsing module EECM parses the MIKEY message out of the ECM message and sends it to the smart card, requesting the smart card to decrypt it to obtain the content key CW.
Step 902: after the smart card receives the MIKEY message sent by the transceiver unit, it first determines the type of the received MIKEY message; if the MIKEY message contains MSK_ID and MTK_ID, it is a content key message, and the smart card extracts MSK_ID from the received content key message.
Step 903: the smart card then extracts the TS from the MIKEY message and compares it with the stored TS corresponding to the MSK_ID extracted in step 902. If the extracted TS is less than or equal to the stored TS, the smart card discards the message, returns a failure response to the transceiver unit and ends the process; if the extracted TS is greater than the stored TS, it proceeds to step 904.
Step 904: the smart card looks up the service key it has stored according to the MSK_ID obtained in step 902. After finding the MSK corresponding to MSK_ID, the smart card checks whether the MTK_ID carried in the MIKEY message lies within the service key validity range: if MTK_ID is less than or equal to the lower limit of the validity period or greater than or equal to its upper limit, the smart card discards the MIKEY message, returns a failure response to the transceiver unit and ends the process; if MTK_ID lies between the lower and upper limits of the validity period, it proceeds to step 905.
Step 905: the smart card extracts the Mac authentication code from the MIKEY message and performs the message integrity check. If verification fails, the smart card discards the MIKEY message, returns a failure response to the transceiver unit and ends the process; if it succeeds, the smart card replaces the previously stored TS associated with the MSK_ID contained in this message with the newly received TS, and proceeds to step 906.
Step 906: the smart card uses the MSK to decrypt the encrypted content key carried in the MIKEY message, obtains the content key CW, and returns the CW to the transceiver unit.
Receiving the content key message sent by the transceiver unit, decrypting it with the service key MSK to obtain the content key CW, and returning the obtained CW to the transceiver unit are mainly performed by the content key decryption module in the smart card.
Step 907: after the content decryption module in the transceiver unit receives the CW returned by the smart card, it uses the CW to decrypt the encrypted content received from the broadcast and sends the decrypted content to the content presentation module, which decodes and plays it after receiving it.
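The following Python, an added example rather than code from the patent, works through the MTK_ID derivation of Figure 8 and the smart card's handling of a content key message in steps 902 to 906. It assumes the validity period in sequence-number form with inclusive bounds, as in the Figure 8 example where MTK_ID 2 to 5 are all decryptable, uses an HMAC-derived keystream as a stand-in for the RFC 3830 cipher, HMAC-SHA-1 for the Mac as the page states, and constructed keys, schedule and timestamps.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- MTK_ID and validity-period arithmetic (sequence-number form) ------------
# The billing period starting at period_start is cut into intervals of
# cw_period seconds; Figure 8 numbers them from 1, so [t1, t2) is interval 2.

def interval_index(t: int, period_start: int, cw_period: int) -> int:
    """1-based number of the time interval containing UTC second t."""
    if t < period_start:
        raise ValueError("time precedes the billing period")
    return (t - period_start) // cw_period + 1


def cw_effective_times(prog_start: int, prog_end: int, cw_period: int) -> List[int]:
    """T1 = program start; Tn = Tn-1 + CW encryption period, for each CW the program needs."""
    times, t = [], prog_start
    while t < prog_end:
        times.append(t)
        t += cw_period
    return times


def mtk_id_for(cw_id: int, period_start: int, cw_period: int) -> int:
    """MTK_ID = number (upper limit) of the interval in which the CW takes effect."""
    return interval_index(cw_id, period_start, cw_period)


def msk_validity_ppv(prog_start: int, prog_end: int,
                     period_start: int, cw_period: int) -> Tuple[int, int]:
    """Pay-per-view validity: from the interval holding the program start to the
    interval holding its last second, inclusive (Figure 8: t1..t5 -> MTK_ID 2..5)."""
    return (interval_index(prog_start, period_start, cw_period),
            interval_index(prog_end - 1, period_start, cw_period))


# --- content key message (Table 5) and its protection -----------------------

@dataclass
class ContentKeyMessage:
    msk_id: int
    mtk_id: int
    ts: int
    encr_cw: bytes          # CW encrypted under MSK
    mac: bytes = b""

    def authenticated_bytes(self) -> bytes:
        return struct.pack("!HIQ", self.msk_id, self.mtk_id, self.ts) + self.encr_cw


def _keystream(msk: bytes, mtk_id: int, n: int) -> bytes:
    # Placeholder cipher for this example (not the RFC 3830 algorithm).
    if n > 32:
        raise ValueError("placeholder keystream covers at most 32 bytes")
    return hmac.new(msk, b"encr" + struct.pack("!I", mtk_id), hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_mac(msk: bytes, msg: ContentKeyMessage) -> bytes:
    auth_key = hmac.new(msk, b"auth", hashlib.sha256).digest()
    return hmac.new(auth_key, msg.authenticated_bytes(), hashlib.sha1).digest()


def build_content_key_message(msk_id: int, msk: bytes, mtk_id: int,
                              ts: int, cw: bytes) -> ContentKeyMessage:
    """Server side: encrypt the CW under the MSK and append the Mac."""
    msg = ContentKeyMessage(msk_id, mtk_id, ts, _xor(cw, _keystream(msk, mtk_id, len(cw))))
    msg.mac = compute_mac(msk, msg)
    return msg


class SmartCard:
    """Terminal side: steps 902 to 906 of Figure 9."""

    def __init__(self) -> None:
        self.msks: Dict[int, Tuple[bytes, Tuple[int, int]]] = {}   # MSK_ID -> (MSK, (lo, hi))
        self.last_ts: Dict[int, int] = {}                          # MSK_ID -> last accepted TS

    def install_msk(self, msk_id: int, msk: bytes, validity: Tuple[int, int]) -> None:
        self.msks[msk_id] = (msk, validity)

    def process_content_key_message(self, msg: ContentKeyMessage) -> Tuple[str, Optional[bytes]]:
        if msg.msk_id not in self.msks:                   # step 902/904: no such MSK stored
            return "no_msk", None
        if msg.ts <= self.last_ts.get(msg.msk_id, -1):    # step 903: replayed or stale TS
            return "replay", None
        msk, (lo, hi) = self.msks[msg.msk_id]
        if not lo <= msg.mtk_id <= hi:                    # step 904: outside validity period
            return "outside_validity", None
        if not hmac.compare_digest(compute_mac(msk, msg), msg.mac):   # step 905
            return "bad_mac", None
        self.last_ts[msg.msk_id] = msg.ts                 # TS updated only after the Mac passes
        cw = _xor(msg.encr_cw, _keystream(msk, msg.mtk_id, len(msg.encr_cw)))   # step 906
        return "ok", cw
```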
For ease of understanding, the present invention is briefly described below by means of a specific embodiment.
Suppose the mobile TV server offers services to users in the form of channels: one service corresponds to one channel, one service key is configured per channel, and a channel contains several programs. A user can subscribe to a channel and receive the mobile TV service on a monthly basis, or consume pay-per-view, ordering a program in any channel at any time; as long as a monthly subscriber has subscribed to a channel, he can watch all programs of that channel.
Whenever the mobile TV operator provides a sports channel program, the service management module in the mobile TV server configures this service, allocates it the service identifier Sports001, configures the subscription options as monthly subscription and pay-per-view, and sets the pricing information as 5 yuan/month for a monthly subscription and 0.5 yuan/program for pay-per-view. The service key management module generates and maintains the service key MSK of the sports channel and maintains the correspondence between the MSK and the service, <Sports001, MSK_sports001>, where MSK_sports001 is the service key identifier.
Suppose a user checks the service guide at 10:00 in the morning, finds the sports channel, does not want a monthly subscription and only wants to watch the program "World Cup Great Goals" from 20:00 to 20:30 that evening, and so operates the terminal to send a service ordering request: the user clicks "World Cup Great Goals" and selects pay-per-view as the subscription type. The mobile TV server receives the ordering request, authenticates the user and creates the ordering relationship <user name xxxxxx (e.g. the mobile phone number), "World Cup Great Goals", pay-per-view, ordering date, ... (optional information)>.
At 20:00 that evening the user opens the mobile TV terminal to receive the great-goals program. If the terminal receives encrypted content and finds that the smart card holds no service key that can decrypt the CW, it looks up the service key identifier MSK_ID in the content key message and sends a service key request message to the mobile TV server; these steps are transparent to the user. After receiving the service key request message, the mobile TV server authenticates the user and, once authentication passes, queries the user's ordering relationship from the service management module. On finding that the user has ordered the World Cup great-goals program of channel Sports001 in pay-per-view mode, the service key management module, according to the program schedule of "World Cup Great Goals", sets the validity period of this user's Sports001 service key to the interval 20:00 to 20:30 that day, i.e. the range of MTK_IDs of the CWs used during that period, then encrypts the service key with the GBA shared key MUK negotiated earlier with this user and issues it point-to-point.
After receiving the service key, the terminal begins decrypting content. The smart card first uses the service key to decrypt the encrypted CW, and before decrypting each CW it checks whether the MTK_ID lies within the service key validity range: if so, it continues to decrypt the encrypted CW; if not, it refuses to continue decrypting. After obtaining the decrypted CW, the terminal uses the CW to decrypt the encrypted program content, obtains the program content in clear and presents it to the user. Half an hour after the program started, the smart card finds that MTK_ID exceeds the upper limit of the service key validity period and stops decrypting encrypted CWs, so the user cannot watch other programs beyond the ordered time.
The above describes the objectives, technical solution and beneficial effects of the present invention in further detail. It should be understood that the above is not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (14)

1. A mobile TV service protection method, characterized in that the method comprises:
the mobile TV server encrypts the broadcast content with a content key, encrypts the content key with a service key, encrypts the service key with a user key, broadcasts the encrypted content and the encrypted content key over the broadcast channel, determines the service key validity period according to the user's ordering relationship, and issues the service key validity period and the encrypted service key to the terminal over a point-to-point channel;
the terminal decrypts the received encrypted service key with the user key to obtain the service key, decrypts the received encrypted content key with the obtained service key to obtain the content key, and decrypts the encrypted content with the obtained content key to obtain the content.
2. The method according to claim 1, characterized in that, before the mobile TV server encrypts the service key with the user key, the method further comprises: the terminal and the bootstrapping server function BSF negotiate the user key, and the mobile TV server obtains the user key of this terminal from the BSF.
3. The method according to claim 1, characterized in that the method further comprises: dividing the billing period into a combination of time intervals according to the encryption period of the content key;
when the user is a monthly subscriber, the service key validity start time is the billing period start time, and the service key validity end time is the billing period end time;
when the user is a pay-per-view user, the service key validity start time is the lower limit of the time interval in which the program start time lies, and the service key validity end time is the upper limit of the time interval in which the program end time lies.
4. The method according to claim 1 or 3, characterized in that, when the mobile TV server broadcasts the encrypted content key over the broadcast channel, the method further comprises: generating the content key identifier MTK_ID from the content key effective time CW_ID, and broadcasting MTK_ID to the terminal;
before the terminal decrypts the received encrypted content key with the obtained service key, the method further comprises: the terminal determines whether the content key identifier MTK_ID lies within the service key validity period; if so, it decrypts the received encrypted content key with the obtained service key; otherwise it refuses to decrypt.
5. The method according to claim 4, characterized in that the content key identifier MTK_ID is the upper limit of the time interval in which the content key effective time CW_ID lies.
6. A mobile TV service protection system comprising a mobile TV server and a mobile TV terminal, characterized in that the mobile TV server comprises a scrambler and a key management unit, and the scrambler comprises a control word generator and a content encryption module, wherein
the control word generator is used to generate the content key and send the generated content key to the key management unit and the content encryption module;
the content encryption module is used to receive the content key from the control word generator, encrypt the broadcast content with the content key, and broadcast the encrypted content over the broadcast channel;
the key management unit comprises a user key management module, a service key management module, a content key message generating module and an authorization control message generator, wherein
the user key management module is used to manage user keys;
the service key management module is used to manage service keys and send the service key to the content key message generating module, and to obtain the user key from the user key management module, encrypt the service key with the user key, generate a service key message containing the encrypted service key, determine the service key validity period according to the user's ordering relationship, further carry the service key validity period in the generated service key message, and send the service key message to the terminal over a point-to-point channel;
the content key message generating module is used to receive the service key from the service key management module and the content key from the control word generator, encrypt the content key with the service key, generate a content key message containing the encrypted content key, and send the content key message to the authorization control message generator;
the authorization control message generator is used to receive the content key message from the content key message generating module, further package the content key message to generate an authorization control message, and send the generated authorization control message to the scrambler;
the scrambler is further used to receive the authorization control message from the authorization control message generator and broadcast the received authorization control message over the broadcast channel;
the terminal comprises a smart card and a transceiver unit, wherein
the smart card is used to manage the user key, to receive the encrypted service key from the mobile TV server and decrypt it with the user key to obtain the service key, to receive the encrypted content key from the mobile TV server and decrypt it with the obtained service key to obtain the content key, and to send the obtained content key to the transceiver unit;
the transceiver unit is used to receive the content key from the smart card and the encrypted content from the mobile TV server, and to decrypt the received encrypted content with the received content key to obtain the content in clear.
7. The system according to claim 6, characterized in that the smart card comprises a user key management module, a service key management module and a content key decryption module, wherein
the user key management module is used to manage the user key;
the service key management module is used to receive the service key message from the mobile TV server, obtain the user key from the user key management module, decrypt the encrypted service key carried in the received service key message with the user key to obtain the service key, and send the obtained service key to the content key decryption module;
the content key decryption module is used to receive the service key from the service key management module and the content key message from the transceiver unit, decrypt the encrypted content key carried in the received content key message with the received service key to obtain the content key, and send the obtained content key to the transceiver unit;
the transceiver unit comprises an authorization control message parsing module, a content decryption module and a content presentation module, wherein
the authorization control message parsing module is used to receive the authorization control message from the mobile TV server, parse the content key message out of the authorization control message, and send the parsed content key message to the content key decryption module;
the content decryption module is used to receive the content key from the content key decryption module and the encrypted content from the mobile TV server, decrypt the received encrypted content with the received content key to obtain the content in clear, and send the decrypted content to the content presentation module;
the content presentation module is used to receive the content from the content decryption module, decode it and present it.
8. The system according to claim 6, characterized in that the scrambler is further used to determine the content key effective time after generating the content key, and to send the content key effective time to the content key message generating module;
the content key message generating module is further used to receive the content key effective time from the scrambler, generate the content key identifier from the content key effective time, and further carry the content key identifier in the generated content key message.
9. The system according to claim 8, characterized in that the content key decryption module of the terminal is further used to obtain the service key validity period from the service key management module of the terminal and to determine whether the content key identifier carried in the received content key message lies within the service key validity period.
10. a mobile phone TV server is characterized in that, this mobile phone TV server comprises scrambler and cipher key management unit, wherein,
Scrambler is used to generate content key, and the content key that generates is sent to cipher key management unit, and uses content key that broadcasted content is encrypted, and issues content after the encryption by broadcast channel broadcasting;
Cipher key management unit, be used for leading subscriber key and business cipher key, use user key that business cipher key is encrypted, issue encrypted service key by point-to-point passage, and be used to receive content key from scrambler, and use business cipher key that content key is encrypted, determine the business cipher key term of validity according to user's order relations, and in the business cipher key message that generates, further carry the business cipher key term of validity, issue encrypted content key by broadcast channel broadcasting;
Wherein, describedly determine the business cipher key term of validity and in the business cipher key message that generates, further carry the business cipher key term of validity and carry out by the business cipher key administration module of cipher key management unit according to user's order relations.
11. mobile phone TV server according to claim 10 is characterized in that, described scrambler comprises control word maker and content-encrypt module, wherein,
The control word maker is used to generate content key, and the content key that generates is sent to cipher key management unit and content-encrypt module;
The content-encrypt module is used to receive the content key from the control word maker, and uses content key that broadcasted content is encrypted, and issues content after the encryption by broadcast channel broadcasting;
Described cipher key management unit comprises user key administration module, business cipher key administration module, content key message generating module and authorization control message builder, wherein,
The user key administration module is used for the leading subscriber key;
The business cipher key administration module, be used for the management service key, business cipher key is sent to the content key message generating module, and be used for obtaining user key from the user key administration module, use user key that business cipher key is encrypted, generation comprises the business cipher key message of encrypting the back business cipher key, and by point-to-point passage issuing service key message;
The content key message generating module, be used to receive from the business cipher key of business cipher key administration module and from the content key of control word maker, use business cipher key that content key is encrypted, generation comprises the content key message of encrypting the back content key, and content key message is sent to the authorization control message builder;
The authorization control message builder is used to receive the content key message from the content key message generating module, and content key message is further packed, and generates authorization control message, and the authorization control message that generates is sent to scrambler;
Described scrambler is further used for receiving the authorization control message from the authorization control message builder, and issues the authorization control message of receiving by broadcast channel broadcasting.
12. mobile phone TV server according to claim 10 is characterized in that, described scrambler is further used for determining that content key comes into force constantly after generating content key, and content key come into force sends to the content key message generating module constantly;
The content key that described content key message generating module is further used for receiving from scrambler comes into force constantly, and comes into force according to content key and to generate the content key sign constantly, and further carries the content key sign in the content key message that generates.
13. a mobile phone TV terminal is characterized in that, comprises smart card and Transmit-Receive Unit, described smart card comprises user key administration module, business cipher key administration module and content key deciphering module, wherein,
The user key administration module is used for the leading subscriber key;
The business cipher key administration module, be used to receive the point-to-point business cipher key message that issues, obtain user key from the user key administration module, business cipher key is decrypted the acquisition business cipher key after using user key to the encryption of carrying in the business cipher key message of receiving, and the business cipher key that obtains is sent to the content key deciphering module;
The content key deciphering module, be used to receive from the business cipher key of business cipher key administration module and from the content key message of Transmit-Receive Unit, obtain the business cipher key term of validity from professional key management module, and judge that the content key sign of carrying in the content key message receive is whether in the business cipher key term of validity, if, content key is decrypted the acquisition content key after then using the business cipher key receive to the encryption of carrying in the content key message of receiving, and the content key that obtains is sent to Transmit-Receive Unit;
Described Transmit-Receive Unit comprises authorization control message resolution module, content decryption module and content revealing module, wherein,
The authorization control message resolution module is used to receive the authorization control message that broadcasting issues, and parses content key message from authorization control message, and the content key message that parses is sent to the content key deciphering module;
Content decryption module, be used to receive the content after the encryption that content key and broadcasting from the content key deciphering module issues, the content of the content key that use is received after to the encryption of receiving is decrypted and obtains content expressly, and the content after will deciphering sends to the content revealing module;
The content revealing module is used to receive the content from content decryption module, and the content of receiving decoded represents.
14. a smart card is characterized in that, this smart card comprises user key administration module, business cipher key administration module and content key deciphering module, wherein,
The user key administration module is used for the leading subscriber key;
The business cipher key administration module, be used to receive the point-to-point business cipher key message that issues, obtain user key from the user key administration module, business cipher key is decrypted the acquisition business cipher key after using user key to the encryption of carrying in the business cipher key message of receiving, and the business cipher key that obtains is sent to the content key deciphering module;
The content key deciphering module, be used to receive from the business cipher key of business cipher key administration module and from the content key message of Transmit-Receive Unit, and obtain the business cipher key term of validity from professional key management module, and judge that the content key sign of carrying in the content key message receive is whether in the business cipher key term of validity, if, the business cipher key that use is received to the encryption of carrying in the content key message of receiving after content key be decrypted the acquisition content key, and the content key that obtains is sent to Transmit-Receive Unit.
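The three-tier key hierarchy of claims 10 to 14 (the user key wraps the service key over the point-to-point channel, the service key wraps the content key inside the broadcast authorization control message, and the content key scrambles the content), together with the claim 9 check that the content key identifier lies within the service key validity period, as an added example that is not code from the patent or from Huawei. The HMAC-based stream cipher, the message field names and the sample subscriber are assumptions; the claims name no cipher.

```python
import hashlib, hmac, secrets

def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (HMAC-SHA256 keystream, counter mode); the
    # claims name no cipher. The same call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(12)
    return {"nonce": nonce, "ct": stream_cipher(key, nonce, plaintext)}

def unwrap(key: bytes, msg: dict) -> bytes:
    return stream_cipher(key, msg["nonce"], msg["ct"])

class Server:  # key management unit plus scrambler (claims 10 to 12)
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys          # user key (UK) per subscriber
        self.sk = secrets.token_bytes(16)   # service key (SK)
    def service_key_message(self, user: str, valid_from: int, valid_to: int) -> dict:
        # Point-to-point: SK wrapped under the subscriber's UK, carrying the
        # validity period derived from the user's subscription.
        msg = wrap(self.user_keys[user], self.sk)
        msg.update(valid_from=valid_from, valid_to=valid_to)
        return msg
    def broadcast(self, content: bytes, effective_time: int) -> tuple:
        # Scrambler: fresh content key (CK); its effective time serves as the
        # CK identifier in the authorization control message (ECM).
        ck = secrets.token_bytes(16)
        return {**wrap(self.sk, ck), "ck_id": effective_time}, wrap(ck, content)

class SmartCard:  # holds UK and SK; SK never leaves the card (claims 13, 14)
    def __init__(self, uk: bytes):
        self.uk, self.sk, self.valid = uk, None, None
    def receive_service_key(self, msg: dict) -> None:
        self.sk = unwrap(self.uk, msg)
        self.valid = (msg["valid_from"], msg["valid_to"])
    def decrypt_content_key(self, ecm: dict):
        # Claim 9 check: the CK identifier must fall inside the SK validity
        # period, otherwise no CK is released to the transceiver unit.
        if self.sk is None or not (self.valid[0] <= ecm["ck_id"] <= self.valid[1]):
            return None
        return unwrap(self.sk, ecm)

def terminal_play(card: SmartCard, ecm: dict, enc_content: dict):
    ck = card.decrypt_content_key(ecm)   # transceiver unit asks the card for CK
    return None if ck is None else unwrap(ck, enc_content)

def demo() -> tuple:
    # Constructed sample: one subscriber whose SK is valid for times 1000..2000.
    uk = secrets.token_bytes(16)
    server, card = Server({"alice": uk}), SmartCard(uk)
    card.receive_service_key(server.service_key_message("alice", 1000, 2000))
    ecm_ok, ct_ok = server.broadcast(b"live match", 1500)
    ecm_late, ct_late = server.broadcast(b"next episode", 2500)
    return terminal_play(card, ecm_ok, ct_ok), terminal_play(card, ecm_late, ct_late)
```

The second broadcast in `demo()` carries a content key identifier past the end of the subscriber's service key validity period, so the card returns no content key and the content stays scrambled.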
CN2006101505460A 2006-10-16 2006-10-16 Mobile phone TV service protection method, system, mobile phone TV server and terminal Active CN101166259B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2006101505460A CN101166259B (en) 2006-10-16 2006-10-16 Mobile phone TV service protection method, system, mobile phone TV server and terminal
PCT/CN2007/070477 WO2008046323A1 (en) 2006-10-16 2007-08-14 Mobile telephone television service protect method, system and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006101505460A CN101166259B (en) 2006-10-16 2006-10-16 Mobile phone TV service protection method, system, mobile phone TV server and terminal

Publications (2)

Publication Number Publication Date
CN101166259A CN101166259A (en) 2008-04-23
CN101166259B true CN101166259B (en) 2010-11-10

Family

ID=39313615

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006101505460A Active CN101166259B (en) 2006-10-16 2006-10-16 Mobile phone TV service protection method, system, mobile phone TV server and terminal

Country Status (2)

Country Link
CN (1) CN101166259B (en)
WO (1) WO2008046323A1 (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753965B (en) * 2008-12-04 2011-09-28 中国移动通信集团公司 Charging method and system of mobile television and user identification module and equipment
CN101765107A (en) * 2008-12-26 2010-06-30 中兴通讯股份有限公司 Method, system and device as well as terminal for implementation of multimedia information service
CN101562520B (en) * 2009-05-21 2011-07-06 普天信息技术研究院有限公司 Service key distribution method and system, and key distribution method
CN101594521B (en) * 2009-06-26 2012-07-18 中兴通讯股份有限公司 Method, terminal and system for realizing interactive service of mobile TV data card
CN102055721B (en) * 2009-11-02 2014-06-11 中兴通讯股份有限公司 Access control method and device
CN102123390B (en) * 2010-01-07 2014-01-29 中国移动通信集团公司 Method, device and terminal for service key processing
CN101909052A (en) * 2010-06-28 2010-12-08 中兴通讯股份有限公司 Home gateway authentication method and system
CN101977299A (en) * 2010-09-19 2011-02-16 中兴通讯股份有限公司 Method and system for protecting mobile TV contents
CN102457774B (en) * 2010-10-20 2014-03-12 中国移动通信有限公司 Method, device and system for processing television program data
CN103686251B (en) * 2012-09-05 2017-02-22 中国移动通信集团公司 System, method and device for playing program stream in multimedia broadcasting service
CN104519013B (en) * 2013-09-27 2018-08-14 华为技术有限公司 Ensure the method, apparatus and system of media stream safety
US10962622B2 (en) 2013-12-23 2021-03-30 Rosemount Inc. Analog process variable transmitter with electronic calibration
CN105791954B (en) * 2014-12-23 2019-02-01 深圳Tcl新技术有限公司 Digital TV terminal condition receiving method, terminal and system
US10469477B2 (en) 2015-03-31 2019-11-05 Amazon Technologies, Inc. Key export techniques
CN106487501B (en) 2015-08-27 2020-12-08 华为技术有限公司 Key distribution and reception method, key management center, first and second network elements
CN106231346B (en) * 2016-08-05 2020-01-17 中国传媒大学 A distributed encryption method for offline video
CN106254896B (en) * 2016-08-05 2019-11-26 中国传媒大学 A kind of distributed cryptographic method for real-time video
CN110351232A (en) * 2018-04-08 2019-10-18 珠海汇金科技股份有限公司 Camera safe encryption method and system
US10326797B1 (en) * 2018-10-03 2019-06-18 Clover Network, Inc Provisioning a secure connection using a pre-shared key
CN113852957B (en) * 2020-06-09 2024-11-08 中国移动通信有限公司研究院 Security server, SP server, terminal, security authorization method and system
CN112565281B (en) * 2020-12-09 2021-09-17 北京深思数盾科技股份有限公司 Information processing method, server and system of service key
EP4311165A4 (en) * 2021-03-29 2024-01-24 Huawei Technologies Co., Ltd. Data transmission method and apparatus
CN112995784B (en) * 2021-05-19 2021-09-21 杭州海康威视数字技术股份有限公司 Video data slice encryption method, device and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1284818A (en) * 2000-09-29 2001-02-21 清华大学 Full digital conditioned receiving method for video broadcast in cable TV network
CN1526237A (en) * 2000-08-24 2004-09-01 [assignee name garbled in source] Transmitting and processing protected content
CN1549595A (en) * 2003-05-09 2004-11-24 华为技术有限公司 An information transmission method and device for an interactive digital broadcast television system
CN1725853A (en) * 2004-07-21 2006-01-25 华为技术有限公司 A Realization Method of Obtaining Online Information of Users
CN1829389A (en) * 2006-04-14 2006-09-06 中国移动通信集团公司 Method and system for supporting terminal roaming in mobile broadcast television service
CN1845599A (en) * 2006-05-17 2006-10-11 中国移动通信集团公司 Method for obtaining and updating service key in mobile TV service
CN1845600A (en) * 2006-05-17 2006-10-11 中国移动通信集团公司 Method and system for implementing user key negotiation in mobile broadcast television service

Also Published As

Publication number Publication date
WO2008046323A1 (en) 2008-04-24
CN101166259A (en) 2008-04-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant