CN117807562A

CN117807562A - Data authorization method and related equipment

Info

Publication number: CN117807562A
Application number: CN202211216391.1A
Authority: CN
Inventors: 仲其涛
Original assignee: Petal Cloud Technology Co Ltd
Current assignee: Petal Cloud Technology Co Ltd
Priority date: 2022-09-30
Filing date: 2022-09-30
Publication date: 2024-04-02

Abstract

The embodiment of the application provides a data authorization method and related equipment, and relates to the technical field of digital protection. The method comprises the following steps: the first electronic device acquires the encrypted data and sends a decryption request for the encrypted data to a first DRM framework through a DRM framework API; the first electronic device responds to the decryption request and sends an authorized sharing request for the encrypted data to at least one second electronic device which is mutually connected with the first electronic device through the first DRM framework; the second electronic device sending license authorization of the encrypted data to the first electronic device through the second DRM framework in response to the authorization sharing request; the first electronic device receives the license authorization through the first DRM framework and decrypts the encrypted data based on the license authorization. The embodiment of the application can improve the data authorization efficiency among multiple devices.

Description

Data authorization method and related equipment

Technical Field

The present disclosure relates to the field of digital protection technologies, and in particular, to a data authorization method and related devices.

Background

To protect the rights of digital media, the digital media may be encrypted by digital rights management (Digital Rights Management, DRM) techniques. If the user needs to access the encrypted digital media through the terminal device, the authorized device can decrypt the encrypted digital media only if the user needs to request authorization for the terminal device. However, since the authorizations between different devices cannot be shared, when the same user accesses the same encrypted digital media using another terminal device, the authorizations for the other terminal device need to be requested again, thereby affecting the user experience.

Disclosure of Invention

In view of the foregoing, it is necessary to provide a data authorization method that solves the problem that when accessing encrypted data, different devices need to be repeatedly authorized because the authorization between the different devices cannot be shared.

In a first aspect, an embodiment of the present application provides a data authorization method, where the method includes: the first electronic device obtains encrypted data and sends a decryption request for the encrypted data to the first DRM framework through a DRM framework API (Application Programming Interface ); the first electronic device responds to the decryption request and sends an authorization sharing request for the encrypted data to at least one second electronic device which is mutually connected with the first electronic device through the first DRM framework; the second electronic device sends license authorization of the encrypted data to the first electronic device through a second DRM framework in response to the authorization sharing request; the first electronic device receives the license authorization through the first DRM framework and decrypts the encrypted data based on the license authorization.

By adopting the technical scheme, when the first electronic device accesses the encrypted data, the license authorization of the encrypted data can be obtained from the second electronic device which is in mutual trust connection based on the DRM framework API and the DRM framework, the encrypted data is decrypted, the license authorization is not required to be repeatedly obtained from the server, and the data authorization efficiency among multiple devices is improved.

In one possible implementation, the first DRM framework includes a first DRM API module, a first DRM framework module, and at least one first DRM function module, and the second DRM framework includes a second DRM API module, a second DRM framework module, and at least one second DRM function module, where the first DRM API module and the second DRM API module are configured to provide the same DRM framework API.

By adopting the technical scheme, the processing efficiency of the encrypted data can be improved based on the DRM API module, the DRM framework module and the DRM function module in the DRM framework.

In one possible implementation, the sending, through the DRM framework API, a decryption request for the encrypted data to the first DRM framework includes: sending a decryption request for the encrypted data to the first DRM framework module through the DRM framework API; and transmitting a decryption request for the encrypted data to the first DRM function module through the first DRM framework module.

By adopting the technical scheme, the encryption request is transmitted through the DRM API module, the DRM framework module and the DRM function module in the DRM framework, so that the processing efficiency of the encrypted data can be improved.

In one possible implementation, the method further includes: the first DRM function module responds to the decryption request and inquires whether license authorization of the encrypted data is obtained; if the first DRM function module has obtained the license authorization of the encrypted data, decrypting the encrypted data based on the obtained license authorization; or if the first DRM function module does not obtain license authorization of the encrypted data, sending an authorization sharing request of the encrypted data to at least one second electronic device which is in mutually trusted connection with the first electronic device through the first DRM framework module.

By adopting the technical scheme, when the encrypted data is acquired, the local license authorization is firstly inquired, and if the local license authorization of the encrypted data is not available, the license authorization of the encrypted data is acquired from the mutually-trusted second electronic equipment based on the DRM framework API and the DRM framework, so that the data authorization efficiency is improved.

In one possible implementation, the second electronic device transmitting, in response to the authorization sharing request, a license authorization for the encrypted data to the first electronic device through a second DRM framework includes: the second electronic equipment receives the authorization sharing request through a second DRM framework module and sends the authorization sharing request to a second DRM function module; the second DRM function module responds to the authorization sharing request and inquires whether license authorization of the encrypted data is obtained; if the second DRM function module has obtained the license authorization of the encrypted data, the obtained license authorization is sent to the first electronic device through the second DRM framework module.

By adopting the technical scheme, the second electronic device receives the authorization sharing request and the license sending authorization sent by the mutually-trusted first electronic device through the DRM framework module, so that the transmission efficiency of the authorization sharing request is improved.

In one possible implementation, the method further includes: if the second DRM function module has obtained the first license authorization of the encrypted data, validity period information is added to the first license authorization to generate a second license authorization; wherein the first license authorization is authorized to the second electronic device by a server providing the encrypted data; the second DRM function module sends the second license authorization to the first electronic device via the second DRM framework module.

By adopting the technical scheme, the second electronic equipment can set the validity period for license authorization, avoid abuse of license authorization and ensure data security.

In one possible implementation manner, the first electronic device and at least one second electronic device that is in mutually trusted connection with the first electronic device form a virtual group, and the method further includes: and if the second DRM function module has obtained a third license grant of the encrypted data, transmitting the third license grant to the first electronic device through the second DRM framework module, wherein the third license grant is granted to the virtual group by a server providing the encrypted data.

By adopting the technical scheme, the electronic devices in mutual trust connection form a virtual group, license authorization obtained by any electronic device in the group can be shared among the groups at will, and the data authorization efficiency among multiple devices is improved.

In a second aspect, an embodiment of the present application provides a data authorization method, applied to a first electronic device, where the method includes: acquiring encrypted data, and sending a decryption request for the encrypted data to a first DRM framework through a DRM framework API; transmitting, by the first DRM framework, an authorized sharing request for the encrypted data to at least one second electronic device that is mutually trusted with the first electronic device in response to the decryption request; and receiving license authorization sent by the second electronic device through the first DRM framework, and decrypting the encrypted data based on the license authorization.

In one possible implementation, the first DRM framework includes a first DRM API module, a first DRM framework module, and at least one first DRM function module, where the first DRM API module is configured to provide the DRM framework API.

By adopting the technical scheme, the encrypted data can be obtained through analysis of the obtained encryption parameters, and the corresponding license request is generated based on the encryption information of the encrypted data, so that the authorization efficiency of the data is effectively improved.

In one possible implementation, the sending, through the DRM framework API, a decryption request for the encrypted data to the first DRM framework includes: sending a decryption request for the encrypted data to the first DRM framework module through the DRM framework API; the first DRM framework module sends a decryption request for the encrypted data to the first DRM function module.

In one possible implementation, the method further includes: the first DRM function module responds to the decryption request and inquires whether license authorization of the encrypted data is obtained; if the first DRM function module has obtained the license authorization of the encrypted data, decrypting the encrypted data based on the obtained license authorization; or if the first DRM function module does not obtain license authorization of the encrypted data, sending an authorization sharing request of the encrypted data to the second electronic device through the first DRM framework module.

In one possible implementation, the receiving the license authorization by the first DRM framework and decrypting the encrypted data based on the license authorization includes: receiving, by the first DRM framework module, a second license grant sent by the second electronic device, and sending the second license grant to the first DRM functional module; wherein the second license authorization includes expiration information; the first DRM function module decrypts the encrypted data based on the second license authorization, and sends the authorization sharing request of the encrypted data to the second electronic device again through the first DRM framework module in the validity period of the second license authorization.

In one possible implementation, the first electronic device and at least one of the second electronic devices that are in mutually trusted connection with the first electronic device form a virtual group, the receiving the license authorization through the first DRM framework and decrypting the encrypted data based on the license authorization includes: receiving, by the first DRM framework module, a third license grant sent by the second electronic device, and sending the third license grant to the first DRM functional module; wherein the third license authorization is authorized to the virtual group by a server providing the encrypted data; the first DRM function module decrypts the encrypted data based on the third license authorization.

In one possible implementation, the obtaining the encrypted data includes: and receiving a circulation access request of the encrypted data, and data information and access information of the encrypted data, which are sent by the second electronic equipment, and acquiring the encrypted data from a server based on the data information and the access information.

By adopting the technical scheme, the encrypted data can be accessed uninterruptedly among multiple devices, and the data access experience of users is improved.

In a third aspect, an embodiment of the present application provides a data authorization method, applied to a second electronic device, where the method includes: acquiring encrypted data, and sending a license request for the encrypted data to a server providing the encrypted data; receiving license authorization returned by the server, and sending the license authorization to a second DRM framework through a DRM framework API, wherein the second DRM framework decrypts the encrypted data based on the license authorization; and receiving an authorization sharing request for the encrypted data, which is sent by a first electronic device in mutually trusted connection with the second electronic device, through the second DRM framework, and sending license authorization of the encrypted data to the first electronic device in response to the authorization sharing request.

By adopting the technical scheme, when the second electronic device accesses the encrypted data, the second electronic device can acquire the license authorization of the encrypted data from the server, decrypt the encrypted data, and share the license authorization to the first electronic device through the DRM framework, so that the data authorization efficiency among multiple devices is improved.

In one possible implementation, the second DRM framework includes a second DRM API module, a second DRM framework module, and at least one second DRM function module, where the second DRM API module is configured to provide the DRM framework API.

In one possible implementation, the method further includes: resolving the encrypted data to obtain encrypted parameters, and sending the encrypted parameters to the second DRM framework module through the DRM framework API; the second DRM framework module loads a corresponding second DRM function module based on the encryption parameter and sends the encryption parameter to the second DRM function module; the second DRM function module generates the license request based on the encryption parameter, authentication information, and public key information.

In one possible implementation, the sending the license grant through a DRM framework API to a second DRM framework, the second DRM framework decrypting the encrypted data based on the license grant includes: the license grant is sent to the second DRM framework module through the DRM framework API, the second DRM framework module sends the license grant to the second DRM function module, and the second DRM function module decrypts the encrypted data based on the license grant.

By adopting the technical scheme, the encryption data is decrypted based on the DRM framework, so that the decryption efficiency of the data is improved.

In one possible implementation, the transmitting, in response to the authorization sharing request, a license authorization for the encrypted data to the first electronic device includes: the second DRM framework module receives the authorization sharing request and sends the authorization sharing request to the second DRM function module; the second DRM function module responds to the authorization sharing request and inquires whether license authorization of the encrypted data is obtained; if the second DRM function module has obtained the license authorization of the encrypted data, the obtained license authorization is sent to the first electronic device through the second DRM framework module.

In one possible implementation, the method further includes: generating a circulation access request for the encrypted data in response to circulation access operation of a user on the encrypted data; and sending the circulation access request, the data information of the encrypted data and the access information to the first electronic equipment.

In a fourth aspect, embodiments of the present application provide a computer-readable storage medium comprising computer instructions that, when run on an electronic device, cause the electronic device to perform the data authorization method according to the first aspect.

In a fifth aspect, embodiments of the present application provide an electronic device, where the electronic device includes a processor and a memory, where the memory is configured to store instructions, and the processor is configured to invoke the instructions in the memory, so that the electronic device performs the data authorization method according to the first aspect.

In a sixth aspect, embodiments of the present application provide a computer program product for, when run on a computer, causing the computer to perform the data authorization method as described in the first aspect.

In a seventh aspect, there is provided an apparatus having a function of implementing the behavior of the electronic device in the method provided in the first aspect. The functions may be realized by hardware, or may be realized by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.

It will be appreciated that the computer readable storage medium according to the fourth aspect, the electronic device according to the fifth aspect, the computer program product according to the sixth aspect, and the apparatus according to the seventh aspect correspond to the methods of the first, second and third aspects, and therefore, the advantages achieved by the method may refer to the advantages in the corresponding methods provided above, and will not be repeated herein.

Drawings

Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Fig. 2 is a schematic software structure of an electronic device according to an embodiment of the present application.

Fig. 3A is a schematic diagram of a general framework of DRM according to an embodiment of the present application.

Fig. 3B is a schematic diagram of a DRM framework of an android system according to an embodiment of the present application.

Fig. 3C is a schematic diagram of a multi-terminal authorization framework of media data according to an embodiment of the present application.

Fig. 4 is a schematic diagram of a data authorization system according to an embodiment of the present application.

Fig. 5 is a flowchart of a data authorization method according to an embodiment of the present application.

Fig. 6 is an application scenario schematic diagram of a data authorization method according to an embodiment of the present application.

Fig. 7 is a flow chart of resolving encrypted parameters from encrypted data, generating a license request based on the encrypted parameters, and sending the license request to an authorization server according to an embodiment of the present application.

Fig. 8 is a schematic diagram of a DRM framework according to an embodiment of the present application.

Fig. 9 is a schematic flow chart of generating a license request by the DRM framework according to an embodiment of the present application based on encryption parameters and authentication information of a user.

Fig. 10A is a schematic diagram of a setting interface according to an embodiment of the present application.

Fig. 10B is an interface schematic diagram of a super terminal program according to an embodiment of the present application.

FIG. 11A is a schematic diagram of a cross-end transfer according to an embodiment of the present application.

FIG. 11B is a schematic diagram of a multi-terminal collaboration interface, according to one embodiment of the present application.

Fig. 12 is a flowchart of a data authorization method according to another embodiment of the present application.

Fig. 13 is a flowchart of a data authorization method according to another embodiment of the present application.

Fig. 14 is a flowchart of a data authorization method according to another embodiment of the present application.

Fig. 15 is a schematic diagram of a virtual group architecture according to an embodiment of the present application.

Fig. 16 is a flowchart of a data authorization method according to another embodiment of the present application.

Fig. 17 is a schematic flow chart of generating a license request by the DRM framework according to another embodiment of the present application based on encryption parameters and authentication information of a user.

Detailed Description

It should be noted that "at least one" in this application means one or more, and "a plurality" means two or more. "and/or", describes an association relationship of an association object, and the representation may have three relationships, for example, a and/or B may represent: a alone, a and B together, and B alone, wherein a, B may be singular or plural. The terms "first," "second," "third," "fourth" and the like in the description and in the claims and drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.

In the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion. The following embodiments and features of the embodiments may be combined with each other without conflict.

For ease of understanding, a description of some of the concepts related to the embodiments of the present application are given by way of example for reference.

Cross-end migration: when a user initiates an operation on one device and switches to continue the aforementioned operation on another device, the user can immediately continue the previous operation on the other device. For example, the user views the video with a cell phone to a certain point in time and then switches to the tablet device to continue viewing the video from the last point in time of interruption.

Multiterminal collaboration: the software and hardware capabilities on multiple devices cooperate to provide a user with a more efficient, immersive experience than a single device as a whole. For example, when watching video through a large screen, the functions performed by the large screen are inconvenient to use, and the mobile phone/tablet computer can be used for operation (such as viewing angle switching, live shopping).

The electronic device may communicate with other electronic devices or servers over a communication network. The electronic device applied in the embodiment of the present application may be a communication device, for example, may be a server, or a terminal device. The terminal device may include at least one of a mobile phone, a foldable electronic device, a tablet computer, a personal computer (personal computer, PC), a laptop computer, a handheld computer, a notebook computer, an ultra-mobile personal computer (ultra-mobile personal computer, UMPC), a netbook, a cellular phone, a personal digital assistant (personal digital assistant, PDA), an augmented reality (augmented reality, AR) device, a Virtual Reality (VR) device, an artificial intelligence (artificial intelligence, AI) device, a wearable device, a vehicle-mounted device, a smart home device, and a smart city device, and the specific type of the electronic device is not particularly limited in the embodiments of the present application. The communication network may be a wired network or a wireless network. For example, the communication network may be a local area network (local area networks, LAN) or a wide area network (wide area networks, WAN), such as the internet. When the communication network is a local area network, the communication network may be, for example, a wireless fidelity (wireless fidelity, wi-Fi) hotspot network, a Wi-Fi P2P network, a bluetooth network, a zigbee network, or a near field communication (near field communication, NFC) network, or the like. When the communication network is a wide area network, the communication network may be, for example, a third generation mobile communication technology (3 rd-generation wireless telephone technology, 3G) network, a fourth generation mobile communication technology (the 4th generation mobile communication technology,4G) network, a fifth generation mobile communication technology (5 th-generation mobile communication technology, 5G) network, a future evolution public land mobile network (public land mobile network, PLMN), the internet, or the like.

In some embodiments, the electronic device may provide support for the operation of one or more APP (Application). APP may be abbreviated as an application, a software program capable of performing some or more specific functions. For example, instant messaging applications, video applications, audio applications, image capture applications, cloud desktop applications, and the like. The instant messaging applications may include, for example, short message applications,WhatsApp/>Photo sharingKakao/>Etc. Image capture class applications may include, for example, camera applications (system cameras or third party camera applications). Video-type applications may for example comprise +.> Etc. Audio-type applications may for example comprise +.>Etc. The application mentioned in the following embodiments may be a system application installed when the electronic device leaves the factory, or may be a third party application that is downloaded from a network or obtained from other electronic devices by a user during the process of using the electronic device.

Electronic devices include, but are not limited to, on-boardWindows/>Or other operating system.

Fig. 1 illustrates a schematic structure of an electronic device 10.

The electronic device 10 may include a processor 110, an external memory interface 120, an internal memory 121, an antenna 1, an antenna 2, a mobile communication module 130, a wireless communication module 140, an audio module 150, a sensor module 160, a camera module 170, a display screen 180, and the like.

It should be understood that the illustrated structure of the present embodiment does not constitute a specific limitation on the electronic device 10. In other embodiments of the present application, the electronic device 10 may include more or fewer components than shown, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.

The processor 110 may include one or more processing units, such as: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.

The processor can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.

A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 may be a cache memory. The memory may hold instructions or data that are used or used more frequently by the processor 110. If the processor 110 needs to use the instruction or data, it can be called directly from the memory, avoiding repeated access, reducing the latency of the processor 110 and thus improving the efficiency of the system.

In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others. The processor 110 may be connected to modules such as an audio module, a wireless communication module, a display, a camera, etc. through at least one of the above interfaces.

It should be understood that the interfacing relationship between the modules illustrated in the embodiments of the present application is only illustrative and not limiting on the structure of the electronic device 10. In other embodiments of the present application, the electronic device 10 may also employ different interfacing manners, or a combination of interfacing manners, as in the above embodiments.

The wireless communication function of the electronic device 10 may be implemented by the antenna 1, the antenna 2, the mobile communication module 130, the wireless communication module 140, a modem processor, a baseband processor, and the like.

The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. Each antenna in the electronic device 10 may be used to cover a single or multiple communication bands. Different antennas may also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed into a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.

The mobile communication module 130 may provide a solution for wireless communication including 2G/3G/4G/5G, etc. applied on the electronic device 10. The mobile communication module 130 may include at least one filter, switch, power amplifier, low noise amplifier, etc. The mobile communication module 130 may receive electromagnetic waves from the antenna 1, perform processes such as filtering, amplifying, and the like on the received electromagnetic waves, and transmit the processed electromagnetic waves to the modem processor for demodulation. The mobile communication module 130 can amplify the signal modulated by the modem processor, and convert the signal into electromagnetic waves through the antenna 1 to radiate. In some embodiments, at least some of the functional modules of the mobile communication module 130 may be disposed in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 130 may be disposed in the same device as at least some of the modules of the processor 110.

The modem processor may include a modulator and a demodulator. The modulator is used for modulating the low-frequency baseband signal to be transmitted into a medium-high frequency signal. The demodulator is used for demodulating the received electromagnetic wave signal into a low-frequency baseband signal. The demodulator then transmits the demodulated low frequency baseband signal to the baseband processor for processing. The low frequency baseband signal is processed by the baseband processor and then transferred to the application processor. The application processor outputs a sound signal through the audio module or displays an image or video through the display 180. In some embodiments, the modem processor may be a stand-alone device. In other embodiments, the modem processor may be provided in the same device as the mobile communication module 130 or other functional module, independent of the processor 110.

The wireless communication module 140 may provide solutions for wireless communication including wireless local area network (wireless local area networks, WLAN), bluetooth (BT), bluetooth low energy (bluetooth low energy, BLE), ultra Wide Band (UWB), global navigation satellite system (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), NFC, infrared technology (IR), etc. applied to the electronic device 10. The wireless communication module 140 may be one or more devices integrating at least one communication processing module. The wireless communication module 140 receives electromagnetic waves via the antenna 2, modulates the electromagnetic wave signals, filters the electromagnetic wave signals, and transmits the processed signals to the processor 110. The wireless communication module 140 may also receive a signal to be transmitted from the processor 110, frequency modulate it, amplify it, and convert it into electromagnetic waves through the antenna 2.

In some embodiments, antenna 1 and mobile communication module 130 of electronic device 10 are coupled, and antenna 2 and wireless communication module 140 are coupled, such that electronic device 10 may communicate with networks and other electronic devices through wireless communication techniques. The wireless communication techniques may include the Global System for Mobile communications (global system for mobile communications, GSM), general packet radio service (general packet radio service, GPRS), code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division code division multiple access (time-division code division multiple access, TD-SCDMA), long term evolution (long term evolution, LTE), BT, GNSS, WLAN, NFC, FM, and/or IR techniques, among others. The GNSS may include a global satellite positioning system (global positioning system, GPS), a global navigation satellite system (global navigation satellite system, GLONASS), a beidou satellite navigation system (beidou navigation satellite system, BDS), a quasi zenith satellite system (quasi-zenith satellite system, QZSS) and/or a satellite based augmentation system (satellite based augmentation systems, SBAS).

The electronic device 10 may implement display functions via a GPU, a display screen 180, an application processor, and the like. The GPU is a microprocessor for image processing, and is connected to the display 180 and the application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.

The sensor module comprises a touch sensor, a pressure sensor, a fingerprint sensor and the like. The camera module 170 includes a camera. The display 180 is used to display images, videos, and the like. The display 180 includes a display panel. The display panel may employ a liquid crystal display (liquid crystal display, LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED) or an active-matrix organic light-emitting diode (matrix organic light emitting diode), a flexible light-emitting diode (flex), a mini, a Micro led, a Micro-OLED, a quantum dot light-emitting diode (quantum dot light emitting diodes, QLED), or the like. In some embodiments, the electronic device 10 may include 1 or more display screens 180.

The electronic device 10 may implement camera functions through the camera module 170, isp, video codec, GPU, display 180, and application processor AP, neural network processor NPU, etc.

The digital signal processor is used for processing digital signals, and can also process other digital signals. For example, when the electronic device 10 is selecting a frequency bin, the digital signal processor is used to fourier transform the frequency bin energy, or the like.

Video codecs are used to compress or decompress digital video. The electronic device 10 may support one or more video codecs. In this way, the electronic device 10 may play or record video in a variety of encoding formats, such as: dynamic picture experts group (moving picture experts group, MPEG) 1, MPEG2, MPEG3, MPEG4, etc.

The NPU is a neural-network (NN) computing processor, and can rapidly process input information by referencing a biological neural network structure, for example, referencing a transmission mode between human brain neurons, and can also continuously perform self-learning. Applications such as intelligent awareness of the electronic device 10 may be implemented by the NPU, for example: image recognition, face recognition, speech recognition, text understanding, etc.

The external memory interface 120 may be used to connect an external memory card, such as a Micro SD card, to enable expansion of the memory capabilities of the electronic device 10. The external memory card communicates with the processor 110 through an external memory interface 120 to implement data storage functions. For example, data such as music, video, etc. is stored in an external memory card. Or transmitting data such as music, video, etc. from the electronic device to an external memory card.

The internal memory 121 may be used to store computer executable program code that includes instructions. The internal memory 121 may include a storage program area and a storage data area. The storage program area may store an application program (such as a sound playing function, an image playing function, etc.) required for at least one function of the operating system, etc. The storage data area may store data created during use of the electronic device 10 (e.g., audio data, phonebook, etc.), and so forth. In addition, the internal memory 121 may include a high-speed random access memory, and may further include a nonvolatile memory such as at least one magnetic disk storage device, a flash memory device, a universal flash memory (universal flash storage, UFS), and the like. The processor 110 performs various functional methods or data processing of the electronic device 10 by executing instructions stored in the internal memory 121 and/or instructions stored in a memory provided in the processor.

The audio module 150 is used to convert digital audio information into an analog audio signal output and also to convert an analog audio input into a digital audio signal. The audio module 150 may also be used to encode and decode audio signals. In some embodiments, the audio module 150 may be disposed in the processor 110, or some functional modules of the audio module 150 may be disposed in the processor 110.

The software system of the electronic device 10 may employ a layered architecture, an event driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture. Taking an Android system with a layered architecture as an example, the embodiment of the application illustrates a software structure of the electronic device 10.

Fig. 2 is a software architecture diagram of the electronic device 10 according to the embodiment of the present application.

The layered architecture divides the software into several layers, each with distinct roles and branches. The layers communicate with each other through a software interface. In some embodiments, the Android system is divided into five layers, from top to bottom, an application layer, an application framework layer, an Zhuoyun row (ART) and native C/c++ libraries, a hardware abstraction layer (Hardware Abstract Layer, HAL), and a kernel layer, respectively.

The application layer may include a series of application packages.

As shown in fig. 2, the application package may include applications for cameras, gallery, calendar, phone calls, maps, navigation, WLAN, bluetooth, music, video, short messages, etc.

The application framework layer provides an application programming interface (application programming interface, API) and programming framework for application programs of the application layer. The application framework layer includes a number of predefined functions.

As shown in FIG. 2, the application framework layer may include a window manager, a content provider, a view system, a resource manager, a notification manager, an activity manager, an input manager, and so forth.

The window manager provides window management services (Window Manager Service, WMS) that may be used for window management, window animation management, surface management, and as a transfer station to the input system.

The content provider is used to store and retrieve data and make such data accessible to applications. The data may include video, images, audio, calls made and received, browsing history and bookmarks, phonebooks, etc.

The view system includes visual controls, such as controls to display text, controls to display pictures, and the like. The view system may be used to build applications. The display interface may be composed of one or more views. For example, a display interface including a text message notification icon may include a view displaying text and a view displaying a picture.

The resource manager provides various resources, such as localization strings, icons, pictures, layout data, video data, and the like, to the application.

The notification manager allows the application to display notification information in a status bar, can be used to communicate notification type messages, can automatically disappear after a short dwell, and does not require user interaction. Such as notification manager is used to inform that the download is complete, message alerts, etc. The notification manager may also be a notification in the form of a chart or scroll bar text that appears on the system top status bar, such as a notification of a background running application, or a notification that appears on the screen in the form of a dialog window. For example, a text message is prompted in a status bar, a prompt tone is emitted, the electronic device vibrates, and an indicator light blinks, etc.

The activity manager may provide activity management services (Activity Manager Service, AMS) that may be used for system component (e.g., activity, service, content provider, broadcast receiver) start-up, handoff, scheduling, and application process management and scheduling tasks.

The input manager may provide input management services (Input Manager Service, IMS), which may be used to manage inputs to the system, such as touch screen inputs, key inputs, sensor inputs, and the like. The IMS retrieves events from the input device node and distributes the events to the appropriate windows through interactions with the WMS.

The android runtime includes a core library and An Zhuoyun rows. The android runtime is responsible for converting source code into machine code. Android runtime mainly includes employing Advanced Or Time (AOT) compilation techniques and Just In Time (JIT) compilation techniques.

The core library is mainly used for providing the functions of basic Java class libraries, such as basic data structures, mathematics, IO, tools, databases, networks and the like. The core library provides an API for the user to develop the android application.

The native C/c++ library may include a plurality of functional modules. For example: surface manager (surface manager), media Framework (Media Framework), libc, openGL ES, SQLite, webkit, etc.

The surface manager is used for managing the display subsystem and providing fusion of 2D and 3D layers for a plurality of application programs. Media frames support a variety of commonly used audio, video format playback and recording, still image data, and the like. The media library may support a variety of audio and video encoding formats, such as MPEG4, h.264, MP3, AAC, AMR, JPG, PNG, etc. OpenGL ES provides for drawing and manipulation of 2D graphics and 3D graphics in applications. SQLite provides a lightweight relational database for applications of the electronic device 10.

The hardware abstraction layer runs in a user space (user space), encapsulates the kernel layer driver, and provides a call interface to the upper layer.

The kernel layer is a layer between hardware and software. The inner core layer at least comprises a display driver, a camera driver, an audio driver and a sensor driver.

In order to better understand the data authorization method provided in the embodiments of the present application, an application scenario schematic diagram of the data authorization method provided in the embodiments of the present application is exemplarily described below with reference to fig. 3A to 3C.

DRM is a protection scheme based on PKI (Public Key Infrastructure ) systems. The purpose of DRM is to protect the copyright of digital media, and to technically prevent illegal copying of digital media, a user must be authorized to access or use the digital media. Wherein the authorization for the user is embodied in an authorization for the user device. The DRM enabled device has legitimate DRM device certificates. Each DRM certificate employs an asymmetric encryption algorithm, the certificate having a pair of public/private keys. The authorization information (License) is encrypted at the DRM server using the public key of the device, ensuring that only authorized devices can decrypt the authorization information, thereby decrypting encrypted digital media such as video content and the like. However, because the authorizations between different devices cannot be shared, when the same user uses another terminal device to access the same encrypted digital media, the authorization to the other terminal device needs to be requested again, which increases the complexity of accessing the digital media by the user, thereby affecting the user experience.

Referring to fig. 3A, a general framework diagram of DRM according to an embodiment of the present application is shown. The basic processing flow of encryption/decryption of DRM content is as follows: a Content Provider (CP) submits original Content (e.g., an unencrypted original video stream) to a Packager (Packager) for encryption; the packager obtains a key for encryption from a key management server (KeyManagerServer, KMS) and symmetrically encrypts the content; the encrypted video stream is injected into the content delivery network (Content Delivery Network, CDN); the terminal acquires the encrypted video stream through a content distribution network; the terminal plays the video content, and if the video content is found to be encrypted, the terminal requests authorization information (License) from an authorization Server (License Server), and the request message carries the public key of the device; after the server passes the authentication, the authorization server inquires a key corresponding to the video content from the key management server; the authorization server binds the secret key for decrypting the content and the playing control information of the media with the equipment, encrypts the secret key and the corresponding authorization information by using the public key of the terminal equipment, generates authorization data and returns the authorization data to the terminal; the terminal uses the private key to decrypt the authorized data, obtains the key carried in the authorized data for decryption, and decrypts the media data to obtain the clear stream (namely the video stream which can be directly decoded) for playing.

Fig. 3B is a schematic diagram of a DRM framework of an android system according to an embodiment of the present application. The android system DRM framework provides a unified DRM operation interface. Different DRM's are accessed to the DRM framework (Media DRM Framework) by means of plug in, and a unified API interface is provided by the framework layer.

Playing of encrypted video based on a DRM framework, comprising: an application (such as video playing software) firstly acquires an encrypted video code stream, analyzes the encrypted video code stream to obtain DRM encryption parameters, the application calls a MediaDRM interface to provide the DRM encryption parameters, and a framework layer calls an actual DRM module API (Application Program Interface, application programming interface) to generate an authorization request, wherein the authorization request carries public key information of equipment. And the application sends the authorization request to the cloud end to acquire an authorization response. The authorization response carries information such as a secret key, a secret key using rule and the like corresponding to the encrypted content, and the public key of the equipment is used for encryption protection. The application calls the API provided by MediaDRM and gives the authorization response to the DRM module for processing through the framework. The DRM module analyzes/verifies the authorization response, the application transmits the encrypted video code stream to the DRM module through the MediaDRM API, and the DRM module decrypts the encrypted video code stream by using the content key analyzed from the authorization response to obtain the original content code stream, so that the playing of the video is realized.

Referring to fig. 3C, a schematic diagram of a multi-terminal authorization framework of media data according to an embodiment of the present application is shown. The multi-terminal authorization flow of media data comprises: a user watches DRM encrypted video on equipment A, firstly, an account number is required to be logged in, and encrypted media data is downloaded; the video application analyzes the encryption parameters from the media data, calls the DRM framework API to generate an authorization request, and sends the authorization request to the cloud authorization service; the cloud authorization service verifies the user ordering relationship and generates an authorization response; the video application transmits the authorization response to the DRM framework API interface for analysis processing. The user clicks to play, the video application decrypts the encrypted code stream by calling the DRM framework API interface, and the video is played after the decrypted code stream is processed by decoding, rendering and the like; a user initiates circulation through a circulation service provided by the system, and synchronizes information such as a video content ID, a media data downloading URL, a playing starting point and the like which are currently being watched to a video application on a receiving end (equipment B); the video application on the equipment B ensures that the user logs in the same account, and downloads media data from the cloud; the video application on the equipment B analyzes the encryption parameters from the media data, calls a DRM framework API to generate an authorization request, and sends the authorization request to a cloud authorization service; the cloud authorization service verifies the user ordering relationship and generates an authorization response; the video application gives the authorization response to the DRM framework API interface for analysis; and the video application on the equipment B calls the DRM framework API interface to decrypt the encrypted code stream, and the decrypted code stream plays the video through decoding, rendering and other processes.

It can be seen that under the current DRM framework, for playback authorization of video content, deep binding with a single device is required. If a video application is to support the transfer of DRM encrypted content between two/more devices, the authorization cannot follow the switch, and the actions already completed at the sender (e.g., the operations of the authorization process) need to be repeated at the transfer receiver, the application processing logic of the transfer receiver is complex. The existing multi-terminal authorization limits that the circulation receiving terminal application must log in the same account number with the sending terminal, so that the service use threshold is increased, and the application range is reduced. In addition, one circulation needs to authorize the two devices independently, so that the authorization control of the cloud is not accurate any more. For example, one video stream view may be considered two views.

Referring to fig. 4, a schematic diagram of a data authorization system according to an embodiment of the present application is shown. The data authorization system 20 includes a first electronic device 21, a second electronic device 22, and a server 23. The server 23 may include an authorization server for providing a license authorization service and a content server for providing a content distribution service.

In order to solve the above-mentioned problems, embodiments of the present application provide a data authorization method, which can improve authorization efficiency between different devices when accessing encrypted digital media. A flowchart of a data authorization method according to an embodiment of the present application, which is applied to a data authorization system, is exemplarily described below with reference to fig. 5, where the data authorization method includes:

s11, the second electronic device acquires the encrypted data and sends a license request for the encrypted data to the authorization server.

In an embodiment of the present application, the second electronic device obtaining the encrypted data, and sending a license request for the encrypted data to the authorization server includes: the second electronic device obtains the encrypted data from the server in response to the access request to the encrypted data provided by the server, parses the encrypted data to obtain encryption parameters, generates a license request based on the encryption parameters, and sends the license request to the authorization server.

Fig. 6 is a schematic application scenario diagram of a data authorization method according to an embodiment of the present application. The server provides a content distribution service and a license authorization service, and the first electronic device and the second electronic device are installed with the same application program (for example, video playing software) for accessing encrypted data provided by the server, and each of the first electronic device and the second electronic device comprises a circulation service, and the first electronic device and the second electronic device adopt a unified DRM framework API.

In an embodiment of the present application, the server may provide encrypted data, where the encrypted data may be media data or general data, where the media data may be audio data, video data, image data, etc., and the media data may also be streaming media data, such as an audio stream, a video stream, an image stream, etc., and the general data may be text data, etc. The user may initiate an access request to the encrypted data provided by the server through the application of the second electronic device, and in response to the access request, download the encrypted data from the server through the application, where the process of downloading the encrypted data by the application is actually a process in which the server transmits the encrypted data to the second electronic device through the content distribution service.

In an embodiment of the present application, the access request to the encrypted data provided by the server may be triggered according to a selection operation of the video to be played. For example, the server is a video cloud server or a cloud platform, the application program is a video application, and the video provided by the video cloud server is encrypted video. The user can play the video by clicking the video application of the second electronic device, the video application sends an access request to the server in response to the play request of the user, and the content distribution service of the server transmits the media data of the selected video to the second electronic device.

In an embodiment of the present application, the encryption parameters include, but are not limited to, DRM type, encryption mode, and encryption number of the encrypted data. The refined flow of the second electronic device resolving the encrypted data to obtain the encrypted parameters, generating a license request based on the encrypted parameters, and sending the license request to the authorization server is shown in fig. 7, and specifically includes:

s111, analyzing the index data or the main data of the encrypted data to obtain the encrypted parameters.

In an embodiment of the present application, the encrypted data includes index data and main data, the index data is a table for indicating a correspondence between logical records and physical records, and is non-encrypted data in the encrypted data. The main data includes encrypted data and unencrypted data, and the encryption parameter is recorded in the unencrypted data. The index data and the main data are recorded with encryption parameters, so that the application program can analyze the index data or the main data to obtain the encryption parameters.

In an embodiment of the present application, the DRM type of the encrypted data may be determined according to a DRM technology that provides encryption for the data, for example, the DRM type may be Google Widevine, microsoft PlayReady, apple FairPlay, adobe Primetime, chinaDRM, etc. The encryption mode may include an encryption algorithm and an encryption mode, and the encryption algorithm may be an asymmetric encryption algorithm such as RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm ), ECC (Elliptic Curve Cryptography, elliptic encryption algorithm), or a symmetric encryption algorithm such as AES (Advanced Encryption Standard ), DES (Data Encryption Standard, data encryption standard), or the like. Encryption methods include slice encryption and whole encryption. The slice encryption is to encrypt data, and encrypt each slice separately, for example, for media data of video, each frame is one slice, and each frame may be encrypted. The whole encryption is to encrypt the whole of the data once. The encryption number is a universally unique identifier (Universally Unique Identifier, UUID) corresponding to the encryption type.

S112, generating a license request based on the encryption parameter and the authentication information of the user.

In an embodiment of the present application, after an application program (e.g., a video application in a second electronic device) parses the encrypted parameter from the index data or the main data of the encrypted data, the encrypted parameter and the authentication information of the user are transferred to a second DRM framework through a DRM framework API, and the second DRM framework generates a license request based on the encrypted parameter and the authentication information of the user.

In an embodiment of the present application, the second DRM framework 200 may be provided in an application framework layer of the second electronic device. Referring to fig. 8, a schematic diagram of a second DRM framework according to an embodiment of the present application is shown. The second DRM framework 200 comprises a second DRM API module 201, a second DRM framework module 202 and at least one second DRM function module 203.

In an embodiment of the present application, the second DRM API module provides a DRM framework API to an application layer of the second electronic device, masking differences between different devices of the underlying layer. The second DRM framework module is used for managing loading of different second DRM function modules, and is responsible for transmitting DRM authorization information among different devices after the plurality of electronic devices complete mutually trusted connection. The second DRM function module is responsible for license authorization management of DRM and decryption of encrypted data. Each second DRM function module corresponds to a DRM type and is used for realizing encryption and decryption of encrypted data corresponding to the DRM type.

In an embodiment of the present application, a detailed flow of generating a license request by the second DRM framework based on the encryption parameter and the authentication information of the user is shown in fig. 9, and specifically includes:

s1121, the application passes the encryption parameters and authentication information of the user to the second DRM framework module through the second DRM API module.

In an embodiment of the present application, after the application program parses the encrypted parameter from the index data or the main data of the encrypted data, the encrypted parameter and the authentication information of the user are transferred to the second DRM framework module through the second DRM API module. The authentication information of the user comprises login information input by the user in the application program, the login information can comprise an account number and a password, the account number can be a user name, a mobile phone number, a mailbox and the like, and the password can be a combination of letters, numbers and/or characters set by the user. When a user requests to log in an application program by inputting login information, the application program sends the login information to a server (for example, the server (which can provide the application program and corresponding media data) or a provider server of the application program) and the server verifies the login information, after the login information is verified, the user successfully logs in the application program, and the application program caches the login information as identity verification information of the user, for example, as cookie data.

S1122, the second DRM framework module transfers the encryption parameter and the authentication information of the user to the second DRM function module corresponding to the DRM type.

In an embodiment of the present application, the second DRM framework may include one or more second DRM function modules, each corresponding to one DRM type, and the corresponding DRM type data may be processed. When the second DRM framework comprises a plurality of second DRM function modules, the second DRM framework module loads the corresponding second DRM function modules according to the DRM types in the encryption parameters, and transmits the encryption parameters and authentication information of the user to the second DRM function modules corresponding to the DRM types.

And S1123, the second DRM function module generates a license request based on the encryption number, the authentication information of the user and the first public-private key pair.

In an embodiment of the present application, the first public-private key pair of the second electronic device includes a first public key and a first private key. The second DRM function module encapsulates the encryption number in the encryption parameter, the authentication information of the user and the first public key in the first public-private key pair, signs the first public key and generates a license request.

S113, the license request is sent to the authorization server.

In an embodiment of the present application, the second DRM function module passes the generated license request to the application through the second DRM framework module and the second DRM API module, and sends the license request to the authorization server through the application.

And S12, the second electronic equipment receives the license authorization returned by the server, sends the license authorization to the second DRM framework through the DRM framework API, and decrypts the encrypted data based on the license authorization.

In an embodiment of the present application, a server presets an encryption number, a mapping relationship between the encryption data and a key, after receiving a license request, the server sends the license request to a license authorization service, obtains an encryption code, authentication information and a first public key in the license request through the license authorization service, determines the encryption data and the key corresponding to the encryption number according to the mapping relationship between the encryption number, the encryption data and the key, verifies the authentication information of the user, determines whether the user has a right to access the encryption data, if the authentication information of the user passes, determines that the user has a right to access the encryption data, encrypts the key by using the first public key, and obtains the first encryption key.

Specifically, verifying the authentication information of the user includes: the server judges whether the user subscribes or subscribes to the encrypted data in advance based on the authentication information, and if the user is determined to have subscribed or subscribed to the encrypted data in advance, the server determines that the user has the authority to access the encrypted data.

In another embodiment of the present application, the server may further establish a whitelist for recording authentication information that is pre-subscribed to or subscribed to the encrypted data. Verifying the authentication information of the user includes: the server judges whether the authentication information of the user is in the white list, if the authentication information of the user is determined to be in the white list, the user is determined to have the authority to access the encrypted data, and if the authentication information of the user is determined not to be in the white list, the user is determined to have no authority to access the encrypted data.

In an embodiment of the present application, after obtaining the first encryption key, the license authorization service generates a first license authorization based on the first encryption key and the first control parameter, and sends the first license authorization to the application of the second electronic device. Wherein the first control parameter includes a license expiration date and an operation right. For example, the license expiration period may be one day, one month, or indefinite, etc., and the operation authority may include whether to allow screen casting, whether to allow offline access, etc.

In an embodiment of the present application, the application passes the first license authorization to the second DRM function module through the second DRM API module and the second DRM framework module. The second DRM function module obtains a first encryption key and a first control parameter in the first license authorization, decrypts the first encryption key through a first private key in the first public-private key pair to obtain a key of encrypted data, and decrypts the encrypted data through an encryption algorithm in the key and the encryption parameter to obtain decrypted data for the user to access. For example, if the encrypted data is an encrypted video code stream, after the video code stream is decrypted, the video code stream is decoded and rendered, and then the second electronic device may play the video through the application program.

And S13, the second electronic device responds to the circulation access request of the encrypted data and sends the data information and the access information of the encrypted data to the first electronic device which is mutually connected with the second electronic device in a trusted way.

In an embodiment of the present application, the second electronic device may establish a mutually trusted connection with other electronic devices, and the plurality of electronic devices that establish the mutually trusted connection form the super terminal. The electronic equipment which is in the same network and is logged in with the same account number can automatically establish mutual trust connection so as to form the super terminal. In other embodiments of the present application, the electronic devices may also establish a mutually trusted connection by scanning a two-dimensional code, a touch network, inputting a PIN (Personal Identification Number ) code of the opposite terminal, and bluetooth pairing.

In an embodiment of the present application, an electronic device in a super terminal is installed with a super terminal program, where the super terminal program can implement interconnection and collaborative services of multiple terminals, for example, video or music played on a current electronic device may be streamed to other terminals for playing, an application program of the other terminals is used on the current electronic device, a phone function of a mobile phone is used on the current electronic device, notification of the other terminals is synchronized to the current electronic device, the current electronic device shares an input device with a nearby computer, and stored data of the other terminals is accessed on the current electronic device.

Fig. 10A is a schematic diagram of a setting interface according to an embodiment of the present application. In an embodiment of the present application, a request for a stream access to encrypted data is initiated by a second electronic device. The setup interface (e.g., a slide setup interface) of the second electronic device includes a super terminal control. And in the process that the user accesses data through the second electronic equipment, the user can execute a sliding operation to control the second electronic equipment to display a setting interface, and controls the second electronic equipment to display an interface of the super terminal program by triggering the super terminal control. Fig. 10B is a schematic diagram of an interface of a super terminal program according to an embodiment of the present application. The interface of the super terminal program includes a second electronic device and an icon of at least one other electronic device (e.g., a first electronic device) that is mutually connected with the second electronic device, where the icon may indicate a type of electronic device, such as a smart phone, a smart watch, a tablet computer, a notebook computer, a sound, etc., and the icon of the at least one other electronic device is disposed around the icon of the first electronic device, and the user may perform a drag operation on the icon of any other electronic device (e.g., the first electronic device) so that the icon of the first electronic device is close to or partially overlapped with the icon of the second electronic device, and the first electronic device cooperates with the second electronic device in response to the drag operation of the user. In another embodiment of the present application, the request for the stream access to the encrypted data may also be initiated by the first electronic device. That is, the user may trigger the super terminal control in the first electronic device to control the first electronic device to display the interface of the super terminal program, and initiate the cooperative operation with the first electronic device in the first electronic device.

As shown in fig. 6, in the process of collaboration between the first electronic device and the second electronic device, if the user is accessing the encrypted data through the application program, the application program may initiate a circulation, generate a circulation access request, data information and access information for the encrypted data, and the circulation service sends the data information and access information of the encrypted data to the first electronic device in response to the circulation access request. The circulation service sends data information and access information of the encrypted data to the first electronic device based on a mutually-trusted network, wherein the mutually-trusted network can be Wi-Fi, bluetooth and the like.

In an embodiment of the present application, the data information of the encrypted data may include a data ID, a download address (Uniform Resource Locator, URL), and the like, and the access information of the encrypted data includes an access progress, for example, if the encrypted data is a video, the access progress is a playing progress of the video, if the encrypted data is music, the access progress is a playing progress of the music, if the encrypted data is text, the access progress is a browsing progress of the text, the playing progress may be a playing time, and the browsing progress may be a word percentage.

In an embodiment of the present application, referring to fig. 11A, a cross-terminal transfer may be used to perform video streaming, where when a user initiates an operation on one device and switches to another device to continue the foregoing operation, the user can immediately continue the previous operation on the other device. For example, the user views the video with a cell phone to a certain point in time and then switches to the tablet device to continue viewing the video from the last point in time of interruption.

In another embodiment of the present application, referring to fig. 11B, multi-terminal collaboration may also be used to perform video streaming, where software and hardware capabilities on multiple devices cooperate with each other to provide a user with a more efficient, immersive experience than a single device as a whole. For example, watching video on a large screen is inconvenient to use the function completed by the large screen, mobile phone/PAD operation (such as viewing angle switching and live shopping) is used, and for example, video played on a mobile phone is projected to the large screen, a television or a computer for playing.

S14, the first electronic device receives the data information and the access information of the encrypted data sent by the second electronic device, obtains the encrypted data based on the data information and the access information, and sends a decryption request of the encrypted data to the first DRM framework through the DRM framework API.

As described above, after the first electronic device or the second electronic device initiates the collaborative operation between the two devices by triggering the interface of the super terminal program displayed by the super terminal control, step S14 is executed, and the second electronic device sends the ID, the download address and the playing progress of the video played in the application to the first electronic device.

In an embodiment of the present application, the first electronic device may receive, through the circulation service, data information and access information of the encrypted data sent by the second electronic device, and after receiving the data information and the access information of the encrypted data sent by the second electronic device, open an application program for accessing the encrypted data, where the application program downloads the encrypted data from the server based on the data information and the access information of the encrypted data. Wherein the data ID in the data information is used to determine which data to download, the download address is used to determine where to download the encrypted data from, and the access information is used to determine which parts of the encrypted data to download. For example, the encrypted data is a video, the playing progress in the access information is a playing start point of the video played by the first electronic device, and the application program downloads a part after the playing start point in the video corresponding to the data ID from the download address.

In an embodiment of the present application, the first DRM framework 100 may be provided in an application framework layer of the first electronic device. As shown in fig. 8, the first DRM framework 100 includes a first DRM API module 101, a first DRM framework module 102, and at least one first DRM function module 103.

In an embodiment of the present application, the first DRM API module provides the DRM framework APIs to the application layer of the first electronic device, shielding differences between the underlying different devices. The first DRM framework module is used for managing loading of different first DRM function modules, and meanwhile, after the mutual trust connection of the plurality of electronic devices is completed, the first DRM framework module is responsible for transmitting DRM authorization information among different devices. The first DRM function module is responsible for license authorization management of DRM and decryption of encrypted data. Each first DRM function module corresponds to a DRM type and is used for realizing encryption and decryption of encrypted data corresponding to the DRM type.

In an embodiment of the present application, after the first electronic device downloads the encrypted data, as in step S11 in the above flow, the encrypted data is parsed to obtain the encrypted parameter, and a decryption request for the encrypted data is generated, and the decryption request and the encrypted parameter are transferred to the first DRM framework module through the first DRM API module of the first DRM framework of the first electronic device, and the first DRM framework module loads the first DRM function module corresponding to the DRM type.

And S15, the first electronic device responds to the decryption request and sends an authorized sharing request of the encrypted data to at least one second electronic device which is in mutually trusted connection with the first electronic device through the first DRM framework.

In an embodiment of the present application, the first DRM function module determines whether the first electronic device obtains the license authorization of the encrypted data based on the query, decrypts the encrypted data based on the key in the license authorization if the license authorization of the encrypted data has been obtained, generates an authorization sharing request if the license authorization of the encrypted data has not been obtained, and sends the authorization sharing request to at least one second electronic device that is mutually trusted with the first electronic device through the first DRM framework module, specifically, to the second DRM framework module of the second electronic device.

S16, the second electronic device receives the authorized sharing request and sends license authorization of the encrypted data to the first electronic device through the second DRM framework in response to the authorized sharing request.

In an embodiment of the present application, the second electronic device receives an authorized sharing request sent by the first electronic device, and generates a second license grant based on the first license grant in response to the authorized sharing request.

In an embodiment of the present application, the second electronic device receives, through the second DRM framework module, the authorization sharing request sent by the first electronic device, and passes the received authorization sharing request to the second DRM function module, where the second DRM function module generates the second license authorization based on the key for encrypting the data and the second control parameter. Wherein the second license authorization is a secondary authorization of the encrypted data.

In an embodiment of the present application, the second control parameter also includes a license validity period and an operation right, the license validity period in the second control parameter is smaller than or equal to the license validity period in the first control parameter, and the operation right in the second control parameter is also smaller than or equal to the operation right in the first control parameter. For example, if the license validity period in the first control parameter is one day, the license validity period in the second control parameter is ten minutes, and if the operation authority in the first control parameter may include permission to screen and permission to offline access, the operation authority in the second control parameter may include permission to screen and permission to offline access.

In an embodiment of the application, the second DRM function module of the second electronic device passes the generated second license grant to the second DRM framework module, and the second license grant is returned to the first DRM framework module of the first electronic device through the second DRM framework module, so that the first electronic device decrypts the encrypted data based on the key in the second license grant and accesses the encrypted data based on the second control parameter, i.e. accesses the encrypted data within the license validity period and the operation right in the second control parameter. After the license expiration period has ended, the first electronic device needs to reinitiate the authorized sharing request.

S17, the first electronic device receives the license authorization through the first DRM framework and decrypts the encrypted data based on the license authorization.

In an embodiment of the present application, the first electronic device receives, through the first DRM framework module, the second license grant returned by the second electronic device, the first DRM framework module transfers the received second license grant to the first DRM functional module, the first DRM functional module decrypts the encrypted data based on the key in the second license grant, returns the decrypted encrypted data to the application program, and accesses the encrypted data through the application program based on the second control parameter, that is, accesses the encrypted data within the license validity period and the operation right in the second control parameter. For example, if the encrypted data is an encrypted video code stream, after the video code stream is decrypted, the video code stream is decoded and rendered, and then the first electronic device may play the video through the application program.

In an embodiment of the present application, the first DRM framework module of the first electronic device and the second DRM framework module of the second electronic device may transmit authorization information (including an authorization sharing request and license authorization) based on the soft bus of the super terminal. The soft bus is a "intangible" bus built between 1+8+N devices (1 is a mobile phone; 8 stands for car set, sound box, earphone, watch, bracelet, flat panel, large screen, personal computer (personal computer, PC), augmented Reality (Augmented Reality, AR), virtual Reality (VR), N generally refers to other Internet of things (Internet of Things, IOT) devices), and has the characteristics of automatic discovery, instant use, ad hoc network (heterogeneous network networking), high bandwidth, low time delay, high reliability and the like. That is, through the soft bus technology, not only can all data be shared between the electronic devices, but also the electronic devices can be instantly interconnected with any device connected with the electronic devices through Bluetooth or the same local area network. In addition, the soft bus is also capable of sharing data between heterogeneous networks such as Bluetooth, WI-FI, etc. (e.g., receiving data via Bluetooth on the one hand and transmitting data via WI-FI on the other hand).

In the embodiment described in fig. 5 of the present application, the DRM function module is responsible for DRM authorized license management and decryption of the content. There is a little difference in the roles of the DRM function modules on different devices. The node that obtains the original license authorization from the cloud is an authorization control point, for example, the first electronic device obtains the first license authorization from the server, so the first electronic device is an authorization control point. The node that obtains the secondary authorization of the license to decrypt the content from the other nodes of the super terminal is the authorized point of use, e.g. in the above embodiment the second electronic device obtains the second license authorization from the first electronic device, so the second electronic device is the authorized point of use. Both types of nodes can decrypt the content.

In the embodiment described in fig. 5 of the present application, the DRM framework between mutually trusted devices provides a unified API interface to the outside, and presents a virtual super terminal to the upper APP, so that license authorization acquired between mutually trusted devices can be automatically shared between the devices; the DRM framework supporting the embodiments of the application receives the content decryption request, preferentially searches license authorization locally, and can inquire authorization from the mutually trusted device cluster when the license authorization is not locally authorized; the authorization control point adds validity period information into the secondary authorization information given to the authorization using point, the authorization using point does not persist the authorization information, and the secondary authorization can be requested again within the validity period appointed by the authorization control point.

Fig. 12 is a flowchart of a data authorization method according to another embodiment of the present application. The method is applied to the second electronic equipment, and the data authorization method comprises the following steps:

s21, acquiring the encrypted data, and sending a license request for the encrypted data to an authorization server.

In an embodiment of the present application, the second electronic device parses the encrypted data to obtain an encryption parameter, sends the encryption parameter to the second DRM framework module through the DRM framework API, loads a corresponding second DRM function module based on the encryption parameter, and sends the encryption parameter to the second DRM function module, and the second DRM function module generates the license request based on the encryption parameter, the authentication information, and the public key information. The public key information is a first public key in a first public-private key pair of the second electronic device.

S22, receiving license authorization returned by the server, and sending the license authorization to a second DRM framework through the DRM framework API, wherein the second DRM framework decrypts the encrypted data based on the license authorization.

In an embodiment of the application, the license grant is sent to the second DRM framework module through the DRM framework API, the second DRM framework module sends the license grant to the second DRM function module, and the second DRM function module decrypts the encrypted data based on the license grant.

S23, receiving an authorized sharing request of the encrypted data sent by the first electronic device which is in mutually trusted connection with the second electronic device through the second DRM framework, and responding to the authorized sharing request, and sending license authorization of the encrypted data to the first electronic device.

In one embodiment of the present application, transmitting a license authorization of the encrypted data to the first electronic device in response to the authorization sharing request includes: the second DRM framework module receives the authorized sharing request and sends the authorized sharing request to the second DRM function module; the second DRM function module responds to the authorization sharing request and inquires whether license authorization of the encrypted data is obtained; if the second DRM function module has obtained the license authorization of the encrypted data, the obtained license authorization is sent to the first electronic device via the second DRM framework module, so that the first electronic device can decrypt the encrypted data based on the license authorization.

In an embodiment of the present application, if the second DRM function module has obtained the first license grant of the encrypted data, validity period information is added to the first license grant to generate the second license grant. Wherein the first license authorization is authorized to the second electronic device by the server providing the encrypted data. The second DRM function module sends the second license authorization to the first electronic device via the second DRM framework module.

In another embodiment of the present application, the first electronic device and at least one second electronic device that is mutually connected with the first electronic device form a virtual group. If the second DRM function module has obtained the third license grant of the encrypted data, the third license grant is sent to the first electronic device via the second DRM framework module. Wherein the third license authorization is authorized to the virtual group by the server providing the encrypted data.

In an embodiment of the present application, the data authorization method further includes: and responding to the circulation access operation of the user on the encrypted data, generating a circulation access request on the encrypted data, and sending the circulation access request, the data information and the access information of the encrypted data to the first electronic equipment.

Fig. 13 is a flowchart of a data authorization method according to another embodiment of the present application. The method is applied to the first electronic equipment, and the data authorization method comprises the following steps:

s31, obtaining the encrypted data, and sending a decryption request for the encrypted data to the first DRM framework through the DRM framework API.

In an embodiment of the present application, the first electronic device receives a stream access request for encrypted data and data information and access information of the encrypted data, which are sent by the second electronic device, and obtains the encrypted data from the server based on the data information and the access information.

In an embodiment of the present application, sending a decryption request for encrypted data to the first DRM framework through the DRM framework API comprises: the first DRM framework module sends a request for decryption of the encrypted data to the first DRM framework module via the DRM framework API.

S32, responding to the decryption request, and sending an authorized sharing request for the encrypted data to at least one second electronic device which is mutually connected with the first electronic device through the first DRM framework.

In one embodiment of the present application, transmitting, by a first DRM framework, an authorized sharing request for encrypted data to at least one second electronic device that is in mutually trusted connection with the first electronic device in response to a decryption request comprises: the first DRM function module responds to the decryption request and inquires whether license authorization of the encrypted data is obtained; if the first DRM function module has obtained the license authorization of the encrypted data, decrypting the encrypted data based on the obtained license authorization; or if the first DRM function module does not obtain license authorization of the encrypted data, sending an authorization sharing request of the encrypted data to the second electronic device through the first DRM framework module.

In an embodiment of the present application, the first electronic device parses the encrypted data to obtain an encryption parameter, passes the encryption parameter to the first DRM function module via the first DRM API module and the first DRM framework module of the first DRM framework, the first DRM function module generates an authorization sharing request based on the encryption parameter, and passes the authorization sharing request to the application via the first DRM framework module and the first DRM API module, and the first electronic device sends the authorization sharing request to the second electronic device through the application.

And S33, receiving license authorization sent by the second electronic device through the first DRM framework, and decrypting the encrypted data based on the license authorization.

In an embodiment of the present application, the second license grant sent by the second electronic device is received by the first DRM framework module, and the second license grant is sent to the first DRM function module. Wherein the second license authorization includes expiration information. The first DRM function module decrypts the encrypted data based on the second license authorization and sends an authorization sharing request for the encrypted data to the second electronic device again via the first DRM framework module during the validity period of the second license authorization.

In another embodiment of the present application, the first electronic device and at least one second electronic device that is mutually connected with the first electronic device form a virtual group. The receiving license authorization through the first DRM framework and decrypting the encrypted data based on the license authorization includes: and receiving a third license authorization sent by the second electronic device through the first DRM framework module, and sending the third license authorization to the first DRM function module. Wherein the third license authorization is authorized to the virtual group by the server providing the encrypted data. The first DRM function module decrypts the encrypted data based on the third license authorization.

Fig. 14 is a flowchart of a data authorization method according to another embodiment of the present application. The method is applied to a data authorization system, and the data authorization method comprises the following steps:

s401, establishing mutual-communication connection between two or more electronic devices.

In an embodiment of the present application, the method for establishing the mutually trusted connection may be the same account number, scanning a two-dimensional code, touching one touch, inputting a PIN code of the opposite terminal, and the like. After the mutual trust connection is established between the devices, a safe communication link is established.

S402, the second electronic device responds to an encrypted data access request input by a user in the application program, and acquires encrypted data from the server.

In an embodiment of the present application, if the user wants to browse the video through the video application of the second electronic device, the video application obtains the encrypted media data from the content service of the cloud video website.

S403, the second electronic equipment analyzes the encryption parameters in the obtained encrypted data to generate an authorization request.

In an embodiment of the present application, the second electronic device generates the authorization request through a call chain between the DRM API module, the DRM framework module, and the DRM function module.

Specifically, the video application of the second electronic device transmits the encryption parameter to the DRM framework module through the DRM API module, the DRM framework module loads the corresponding DRM function module according to the DRM type in the encryption parameter and transmits the encryption parameter to the DRM function module, the DRM function module generates an authorization request according to the encryption parameter and the first public key of the second electronic device, and the generated authorization request is returned to the video application of the second electronic device through the DRM framework module and the DRM API module.

S404, the application program of the second electronic device sends an authorization request to the server and receives license authorization returned by the server.

In an embodiment of the present application, the video application of the second electronic device sends an authorization request to an authorization service of the video website, and the authorization service returns a license authorization for the encrypted content after authentication of the identity, the subscription relationship, and the like of the user is completed.

S405, the second electronic device decrypts the encrypted data based on the license authorization.

In an embodiment of the present application, the video application of the second electronic device passes the license authorization to the DRM function module for processing through a call chain between the DRM API module, the DRM framework module, and the DRM function module. The DRM function module decrypts the license authorization by adopting a first private key in the first public-private key pair, obtains a key of the media data, decrypts the media data by the key, and transmits the decrypted media data to the video application for decoding, rendering and playing through the DRM API module and the DRM framework module.

S406, the second electronic device initiates circulation in the process of accessing the encrypted data, and data information and access information of the encrypted data are sent to the first electronic device.

In an embodiment of the present application, a user views a video on a second electronic device, initiates streaming in the viewing process, and notifies a video application of the first electronic device through a video streaming service of information such as a content ID of the video, a media data URL, and the like.

S407, the first electronic device acquires the encrypted data from the server based on the data information and the access information.

In one embodiment of the present application, a content service of a video application on a first electronic device to a video website obtains encrypted media data.

And S408, the first electronic device transmits the encrypted data to the DRM function module, inquires whether the license authorization of the encrypted data exists locally, and decrypts the encrypted data if the license authorization of the encrypted data exists.

In an embodiment of the present application, the video application of the first electronic device decrypts the encrypted content through a call chain between the DRM API module, the DRM framework module, and the DRM function module.

S409, the DRM function module of the first electronic device detects license authorization without the encrypted data locally and returns information to the DRM framework.

S410, the DRM framework of the first electronic device inquires the devices in the mutually trusted cluster about authorization of the encrypted content.

S411, when the DRM framework of the second electronic device receives the authorization sharing request of other devices, the opposite terminal device is checked to be a member in the trusted cluster, the DRM function module is called to carry out secondary authorization, validity period information is added in the secondary authorization, and an authorization result is returned to the DRM framework of the first electronic device.

And S412, the DRM framework module of the second electronic device transmits the authorization result of the secondary authorization to the DRM framework module of the first electronic device.

S413, the DRM framework of the first electronic device transmits the secondary authorization to the DRM function module of the first electronic device for processing.

And S414, the DRM framework of the first electronic device gives the encrypted content to the DRM function module again for decryption.

And S415, the first electronic device returns the decryption result to the video application through the DRM framework module and the DRM API module.

S416, the video application of the first electronic device plays the video based on the decrypted code stream.

It will be appreciated that the video content is encrypted in frames, each of which is decrypted by the video application calling the DRM API. During the validity period of the secondary authorization acquired by the first electronic device, S309-S313 need not be executed, and the DRM function module of the first electronic device directly decrypts. After the expiration date is exceeded, S309-S313 are repeated.

In another embodiment of the present application, referring to fig. 15, a plurality of electronic devices in a super terminal, that is, a plurality of electronic devices that establish mutually trusted connection, form a virtual group, where the virtual group has a group certificate, and the group certificate is a second public-private key pair, and the second public-private key pair includes a second public key and a second private key. Each electronic device within the virtual group has the same group certificate.

Fig. 16 is a flowchart of a data authorization method according to another embodiment of the present application. The method is applied to a data authorization system, and the data authorization method comprises the following steps:

S51, the second electronic device responds to the access request of the encrypted data provided by the server and acquires the encrypted data from the server.

S52, the second electronic device analyzes the encrypted data to obtain the encrypted parameters, generates a license request based on the encrypted parameters, and sends the license request to the authorization server.

In the other embodiment of the present application, a refinement flow of the second DRM framework generating the license request based on the encryption parameter and the authentication information of the user is shown in fig. 17, and specifically includes:

s521, the application passes the encryption parameter and the authentication information of the user to the second DRM framework module through the second DRM API module.

And S522, the second DRM framework module transmits the encryption parameters and the authentication information of the user to a second DRM function module corresponding to the DRM type.

And S523, the second DRM function module generates a license request based on the encryption number, the authentication information of the user and the second public-private key pair.

In the other embodiment of the present application, the second DRM function encapsulates the encryption number in the encryption parameter, the authentication information of the user, and the second public key in the second public-private key pair, and signs with the second private key to generate the license request.

And S53, the second electronic device receives the third license authorization returned by the server, and decrypts the encrypted data based on the third license authorization.

In the other embodiment of the present application, the server presets the encryption number, the mapping relationship between the encryption data and the key, after receiving the license request, the server sends the license request to the license authorization service, obtains the encryption code, the authentication information and the second public key in the license request through the license authorization service, determines the encryption data and the key corresponding to the encryption number according to the mapping relationship between the encryption number, the encryption data and the key, verifies the authentication information of the user, determines whether the user has the authority to access the encryption data, if the authentication information of the user passes, determines that the user has the authority to access the encryption data, encrypts the key by using the second public key, and obtains the second encryption key.

In the further embodiment of the present application, after obtaining the second encryption key, the license authorization service generates a third license authorization based on the second encryption key and the first control parameter and sends the third license authorization to the application. Wherein the first control parameter includes a license expiration date and an operation right. For example, the license expiration period may be one day, one month, or indefinite, etc., and the operation authority may include whether to allow screen casting, whether to allow offline access, etc.

In the further embodiment of the present application, the application passes the third license authorization to the second DRM function module through the second DRM API module and the second DRM framework module. The second DRM function module obtains a second encryption key and a first control parameter in the third license authorization, decrypts the second encryption key through a second private key in a second public-private key pair to obtain a key of encrypted data, and decrypts the encrypted data through an encryption algorithm in the key and the encryption parameter to obtain decrypted data for the user to access. For example, if the encrypted data is an encrypted video code stream, after the video code stream is decrypted, the video code stream is decoded and rendered, and then the second electronic device may play the video.

It will be appreciated that the license request sent by the second electronic device to the server contains the second public key in the group certificate of the virtual group, and thus is actually a license request for the virtual group, and that the third license grant returned by the server to the second electronic device is encrypted by the second public key, and thus is also actually a license grant for the virtual group.

And S54, the second electronic device responds to the circulation access request of the encrypted data and sends the data information and the access information of the encrypted data to the first electronic device which is mutually connected with the second electronic device in a trusted way.

S55, the first electronic device receives the data information and the access information of the encrypted data sent by the second electronic device, and acquires the encrypted data from the server based on the data information and the access information.

S56, the first electronic device analyzes the encrypted data to obtain the encrypted parameters, generates an authorized sharing request based on the encrypted parameters, and sends the authorized sharing request to the second electronic device.

S57, the second electronic device receives the authorized sharing request sent by the first electronic device, and returns the third license authorization to the first electronic device in response to the authorized sharing request.

And S58, the first electronic device receives the third license authorization returned by the second electronic device and decrypts the encrypted data based on the third license authorization.

In the other embodiment of the present application, the first electronic device receives the third license grant returned by the first electronic device through the first DRM framework, decrypts the encrypted data based on the key in the third license grant, and accesses the encrypted data based on the first control parameter, that is, accesses the encrypted data within the license validity period and the operation authority in the first control parameter. For example, if the encrypted data is an encrypted video code stream, after the video code stream is decrypted, the video code stream is decoded and rendered, and then the first electronic device may play the video.

In the embodiment described in fig. 16 of the present application, the secondary authorization provided by the second electronic device to the first electronic device may directly copy the group authorization to the first electronic device. The authorization obtained by the first electronic device is completely consistent with the second electronic device, is not a temporary authorization any more, and is not required to be obtained again from the second electronic device after the validity period is reached.

The embodiment of the application also provides a computer storage medium, in which computer instructions are stored, which when executed on an electronic device, cause the electronic device to execute the related method to implement the data authorization method in the embodiment.

The present application also provides a computer program product which, when run on a computer, causes the computer to perform the data authorization method of the above embodiments.

In addition, embodiments of the present application also provide an apparatus, which may be specifically a chip, a component, or a module, and may include a processor and a memory connected to each other; the memory is configured to store computer-executable instructions, and when the device is running, the processor may execute the computer-executable instructions stored in the memory, so that the chip executes the data authorization method in the above method embodiments.

The electronic device, the computer storage medium, the computer program product, or the chip provided in the embodiments of the present application are used to execute the corresponding methods provided above, so that the beneficial effects thereof can be referred to the beneficial effects in the corresponding methods provided above, and are not described herein.

From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are illustrative, and the module or division of the units, for example, is a logic function division, and may be implemented in other manners, such as multiple units or components may be combined or integrated into another apparatus, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and the parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated unit may be stored in a readable storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

Finally, it should be noted that the above embodiments are merely for illustrating the technical solution of the present application and not for limiting, and although the present application has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present application may be modified or substituted without departing from the spirit and scope of the technical solution of the present application.

Claims

1. A method of data authorization, the method comprising:

the first electronic device obtains encrypted data and sends a decryption request for the encrypted data to the first DRM framework through a DRM (Digital Rights Management ) framework API (Application Programming Interface, application programming interface);

the first electronic device responds to the decryption request and sends an authorization sharing request for the encrypted data to at least one second electronic device which is mutually connected with the first electronic device through the first DRM framework;

the second electronic device sends license authorization of the encrypted data to the first electronic device through a second DRM framework in response to the authorization sharing request;

the first electronic device receives the license authorization through the first DRM framework and decrypts the encrypted data based on the license authorization.

2. The data authorization method according to claim 1, wherein the first DRM framework comprises a first DRM API module, a first DRM framework module and at least one first DRM function module, and the second DRM framework comprises a second DRM API module, a second DRM framework module and at least one second DRM function module, and the first DRM API module and the second DRM API module are configured to provide the same DRM framework API.

3. The data authorization method according to claim 2, wherein the transmitting the decryption request for the encrypted data to the first DRM framework through the DRM framework API comprises:

sending a decryption request for the encrypted data to the first DRM framework module through the DRM framework API;

and transmitting a decryption request for the encrypted data to the first DRM function module through the first DRM framework module.

4. A data authorization method according to claim 3, wherein the method further comprises:

the first DRM function module responds to the decryption request and inquires whether license authorization of the encrypted data is obtained;

if the first DRM function module has obtained the license authorization of the encrypted data, decrypting the encrypted data based on the obtained license authorization; or (b)

And if the first DRM function module does not obtain license authorization of the encrypted data, sending an authorization sharing request of the encrypted data to at least one second electronic device which is mutually connected with the first electronic device through the first DRM framework module.

5. The data authorization method of claim 2, wherein the second electronic device transmitting license authorization for the encrypted data to the first electronic device through a second DRM framework in response to the authorization sharing request comprises:

the second electronic equipment receives the authorization sharing request through a second DRM framework module and sends the authorization sharing request to a second DRM function module;

the second DRM function module responds to the authorization sharing request and inquires whether license authorization of the encrypted data is obtained;

if the second DRM function module has obtained the license authorization of the encrypted data, the obtained license authorization is sent to the first electronic device through the second DRM framework module.

6. The data authorization method according to claim 5, wherein the method further comprises:

if the second DRM function module has obtained the first license authorization of the encrypted data, validity period information is added to the first license authorization to generate a second license authorization; wherein the first license authorization is authorized to the second electronic device by a server providing the encrypted data;

The second DRM function module sends the second license authorization to the first electronic device via the second DRM framework module.

7. The method of data authorization of claim 5, wherein the first electronic device and at least one of the second electronic devices that are mutually trusted with the first electronic device form a virtual group, the method further comprising:

and if the second DRM function module has obtained a third license grant of the encrypted data, transmitting the third license grant to the first electronic device through the second DRM framework module, wherein the third license grant is granted to the virtual group by a server providing the encrypted data.

8. A data authorization method applied to a first electronic device, the method comprising:

acquiring encrypted data, and sending a decryption request for the encrypted data to a first DRM framework through a DRM framework API;

transmitting, by the first DRM framework, an authorized sharing request for the encrypted data to at least one second electronic device that is mutually trusted with the first electronic device in response to the decryption request;

and receiving license authorization sent by the second electronic device through the first DRM framework, and decrypting the encrypted data based on the license authorization.

9. The data authorization method according to claim 8, wherein the first DRM framework comprises a first DRM API module, a first DRM framework module and at least one first DRM function module, the first DRM API module being configured to provide the DRM framework API.

10. The data authorization method according to claim 9, wherein the transmitting a decryption request for the encrypted data to the first DRM framework through the DRM framework API comprises:

the first DRM framework module sends a decryption request for the encrypted data to the first DRM function module.

11. The data authorization method according to claim 10, wherein the method further comprises:

And if the first DRM function module does not obtain license authorization of the encrypted data, sending an authorization sharing request of the encrypted data to the second electronic device through the first DRM framework module.

12. The data authorization method according to claim 9, wherein the receiving the license authorization through the first DRM framework and decrypting the encrypted data based on the license authorization includes:

receiving, by the first DRM framework module, a second license grant sent by the second electronic device, and sending the second license grant to the first DRM functional module; wherein the second license authorization includes expiration information;

the first DRM function module decrypts the encrypted data based on the second license authorization, and sends the authorization sharing request of the encrypted data to the second electronic device again through the first DRM framework module in the validity period of the second license authorization.

13. The method of data authorization according to claim 9, wherein the first electronic device and at least one of the second electronic devices that are mutually trusted with the first electronic device form a virtual group, wherein receiving the license authorization through the first DRM framework and decrypting the encrypted data based on the license authorization comprises:

receiving, by the first DRM framework module, a third license grant sent by the second electronic device, and sending the third license grant to the first DRM functional module; wherein the third license authorization is authorized to the virtual group by a server providing the encrypted data;

The first DRM function module decrypts the encrypted data based on the third license authorization.

14. The data authorization method according to claim 8, wherein the obtaining encrypted data includes:

and receiving a circulation access request of the encrypted data, and data information and access information of the encrypted data, which are sent by the second electronic equipment, and acquiring the encrypted data from a server based on the data information and the access information.

15. A data authorization method applied to a second electronic device, the method comprising:

acquiring encrypted data, and sending a license request for the encrypted data to a server providing the encrypted data;

receiving license authorization returned by the server, and sending the license authorization to a second DRM framework through a DRM framework API, wherein the second DRM framework decrypts the encrypted data based on the license authorization;

and receiving an authorization sharing request for the encrypted data, which is sent by a first electronic device in mutually trusted connection with the second electronic device, through the second DRM framework, and sending license authorization of the encrypted data to the first electronic device in response to the authorization sharing request.

16. The data authorization method according to claim 15, wherein the second DRM framework includes a second DRM API module, a second DRM framework module and at least one second DRM function module, the second DRM API module for providing the DRM framework API.

17. The data authorization method according to claim 16, wherein the method further comprises:

resolving the encrypted data to obtain encrypted parameters, and sending the encrypted parameters to the second DRM framework module through the DRM framework API;

the second DRM framework module loads a corresponding second DRM function module based on the encryption parameter and sends the encryption parameter to the second DRM function module;

the second DRM function module generates the license request based on the encryption parameter, authentication information, and public key information.

18. The data authorization method according to claim 17, wherein the sending the license authorization through a DRM framework API to a second DRM framework, the second DRM framework decrypting the encrypted data based on the license authorization comprises:

the license grant is sent to the second DRM framework module through the DRM framework API, the second DRM framework module sends the license grant to the second DRM function module, and the second DRM function module decrypts the encrypted data based on the license grant.

19. The data authorization method according to claim 18, wherein the method further comprises:

20. The method of data authorization of claim 18, wherein the first electronic device and at least one of the second electronic devices that are mutually trusted with the first electronic device form a virtual group, the method further comprising:

21. The data authorization method of claim 17, wherein the sending a license authorization for the encrypted data to the first electronic device in response to the authorization sharing request comprises:

The second DRM framework module receives the authorization sharing request and sends the authorization sharing request to the second DRM function module;

22. The data authorization method according to claim 15, wherein the method further comprises:

generating a circulation access request for the encrypted data in response to circulation access operation of a user on the encrypted data;

and sending the circulation access request, the data information of the encrypted data and the access information to the first electronic equipment.

23. A computer readable storage medium comprising computer instructions which, when run on an electronic device, cause the electronic device to perform the data authorization method of any one of claims 1 to 22.

24. An electronic device comprising a processor and a memory for storing instructions, the processor for invoking the instructions in the memory to cause the electronic device to perform the data authorization method of any of claims 1-22.

25. A chip coupled to a memory in an electronic device, the chip for controlling the electronic device to perform the data authorization method of any one of claims 1 to 22.