
CN100384251C - User Authorization Method and Its Authorization System - Google Patents


Info

Publication number: CN100384251C
Authority: CN (China)
Application number: CNB2004100703821A
Other languages: Chinese (zh)
Other versions: CN1735192A
Inventors: 刘进明, 鞠德刚, 胡峻岭, 许永红, 姚峻
Original and current assignee: Huawei Technologies Co Ltd
Priority: CNB2004100703821A; PCT/CN2005/001092 (WO2006012788A1)
Legal status: Expired - Fee Related (the status listed is an assumption, not a legal conclusion)

Classifications

    • H04N7/1675 Providing digital key or authorisation information for generation or regeneration of the scrambling sequence
    • H04N7/17318 Two-way analogue subscription systems; direct or substantially direct transmission and handling of requests
    • H04N21/2347 Processing of video elementary streams involving video stream encryption
    • H04N21/25875 Management of end-user data involving end-user authentication
    • H04N21/26613 Channel or content management for generating or managing keys in general (e.g. keys and entitlement messages in a conditional access system)
    • H04N21/4181 External card used in combination with the client device for conditional access
    • H04N21/4405 Processing of video elementary streams involving video stream decryption
    • H04N21/63345 Control signals issued by the server, directed to the client, for authorisation by transmitting keys


Abstract

The invention provides a user authorization method comprising: setting a dynamic personal key with a lifetime that is shared by the head end and the user end; checking whether the lifetime of the dynamic personal key has been reached and, if so, updating the dynamic personal key whose lifetime has been reached and returning to continue checking the lifetime of the dynamic personal key; otherwise, the head end encrypts, scrambles and authorizes the transport stream based on the dynamic personal key, and the user end decrypts and descrambles the scrambled transport stream based on the dynamic personal key. Correspondingly, the invention also provides a user authorization system. The invention can reduce the probability of illegal users watching television programs with cloned smart cards and, at the same time, reduce the economic loss incurred by operators in maintaining smart cards.

Description

User Authorization Method and Its Authorization System

Technical field

The invention relates to cable television technology in the field of broadcasting and television, and in particular to a user authorization method and an authorization system for it.

Background

With the move of broadcast television systems toward digitization and industrialization, it has become inevitable that users pay for the television programs they watch. To achieve this, the first technical problem to solve is the effective management of the users who watch those programs.

A conditional access system (CAS) is one of the mechanisms implemented in existing broadcast television networks to manage users effectively. The main user-management process realized by CAS technology is as follows:

The head end (HE) of the broadcast television network scrambles the television program data to be sent to users, then authorizes the programs each user is permitted to watch, and the resulting authorization data is itself encrypted before being transmitted to the end user;

After the user end receives a television program, only a legitimate user can decrypt the encrypted authorization data to obtain the corresponding authorization data, and then use that authorization data to descramble the scrambled program and watch it normally. An illegitimate user, or a user who has not correctly received their own authorization data, cannot descramble the scrambled program and therefore cannot watch it. This achieves control and management of the program content each user watches, and in turn compels users to pay for the content they watch.

Referring to Fig. 1, which is a schematic diagram of the prior-art principle for scrambling/descrambling and encrypting/decrypting television programs in a broadcast television network, the processing of program data is as follows:

In the head end HE 10 of the broadcast television network the following operations are performed:

1) Before a television program is broadcast, the scrambler uses a control word (CW) to scramble the transport stream (TS) produced by multiplexing the program data, which can be expressed as:

TS + CW -> TS'

2) The core of CAS technology is in fact controlling the transmission of the control word CW, so the head end HE 10 further encrypts the CW with a service key (SK) to form the entitlement control message (ECM), which can be expressed as:

CW + SK -> ECM

The control word CW encrypted by the service key SK is encapsulated in the ECM for transmission; the ECM also carries information such as the program source, content classification and program price;

3) According to the authorization information recorded at user registration, the head end HE 10 then encrypts the service key SK with the user's personal distribution key (PDK, "Personal Distribute Keyword" in the original) to form the entitlement management message (EMM), which can be expressed as:

SK + PDK -> EMM

The service key SK encrypted by the personal distribution key PDK is encapsulated in the EMM for transmission; the EMM also carries the recipient address, the user's authorization information, the time periods during which the user may watch programs, and so on.

The EMM data is generated mainly per user, while the ECM data is generated mainly per program. The generated EMM and ECM data are multiplexed together with the program data into the transport stream TS and delivered to the user end over the hybrid fiber-coaxial (HFC) cable television network.

After the set-top box (STB) 20 at the user end receives the transport stream TS sent by the head end HE 10, it uses the user registration and authorization data stored in the smart card to decrypt and descramble the transport stream as follows:

4) The STB 20 filters the ECM data and EMM data out of the transport stream TS;

5) The ECM and EMM data are passed into the smart card through the smart card interface;

6) The smart card reads the personal distribution key PDK from the authorization data it stores and uses the PDK to decrypt the EMM data, obtaining the service key SK, which can be expressed as:

EMM + PDK -> SK

7) The smart card uses the obtained service key SK to decrypt the ECM data, obtaining the control word CW, which can be expressed as:

ECM + SK -> CW

The smart card sends the obtained CW to the descrambling engine of the STB through the corresponding interface;

8) The descrambling engine of the set-top box STB 20 uses the control word CW to descramble the scrambled transport stream TS', obtaining the program data in clear form, which can be expressed as:

TS' + CW -> TS

After demultiplexing, demodulation and related processing of the descrambled program data, the original audio and video information is recovered and played for the user to watch.

It can thus be seen that CAS technology as described above encrypts/decrypts and scrambles/descrambles television program data so as to compel users to pay for the programs they watch, thereby allowing broadcast television operators to charge reasonably for the services they provide.

However, because at the user end the user's authorization data (most importantly the personal distribution key PDK) is stored in the smart card held by the user, it is easy for criminals, driven by economic gain, to clone legitimate users' smart cards by various means (including copying the personal distribution key PDK) and then sell large numbers of cloned cards through illegal channels at enormous profit. This causes broadcast television operators to lose large numbers of customers and inflicts incalculable economic losses.

Because a traditional broadcast television system is a one-way broadcast network, the operator has no way of knowing whether a user is online, and therefore cannot authenticate the legitimacy and uniqueness of user identities. Even if a large number of users holding illegal smart cards with identical identity information watch programs online at the same time, the operator can do nothing about it.

At present, broadcast television operators take two measures to prevent illegal users from cloning smart cards:

First, strengthening the physical security of the smart card itself to reduce the likelihood of cloning; this, however, necessarily increases the manufacturing cost of the card;

Second, upgrading smart cards promptly once cloning is discovered, that is, replacing the user authorization data stored in the card (most importantly the personal distribution key PDK), so that cards cloned by illegal users no longer work after the upgrade. The problem with this approach is that even if a single card is cloned, the operator must upgrade every smart card in the entire system and replace every user's card. The main reason is that the operator cannot easily tell which cards have been cloned and which have not; furthermore, even if only one card is known to be cloned, the others may have been cloned too, so the entire card population must be replaced to eliminate the risk. Replacing every card in the system, however, likewise increases the operator's economic loss from upgrading all smart cards.

Summary of the invention

The invention proposes a user authorization method and authorization system to solve the problem that, because of the imperfections of authorization technology in existing broadcast television systems, a large number of illegal users watch television programs using cloned smart cards.

To solve the above problem, the invention proposes a user authorization method comprising the steps of:

(1) setting a dynamic personal key with a lifetime that is shared by the head end and the user end;

(2) checking whether the lifetime of the dynamic personal key has been reached; if so, continuing with step (3), otherwise going to step (4);

(3) updating the dynamic personal key whose lifetime has been reached, then returning to step (2);

(4) the head end encrypting, scrambling and authorizing the transport stream based on the dynamic personal key, and the user end decrypting and descrambling the scrambled transport stream based on the dynamic personal key.

In step (2), the lifetime of the dynamic personal key is checked periodically.

Step (2) specifically comprises the following steps:

(21) setting a fixed duration value;

(22) judging whether the time from the current check point to the expiry point of the dynamic personal key's lifetime is less than the fixed duration value; if so, the lifetime of the dynamic personal key is judged to have been reached;

otherwise it is judged not to have been reached.

Before updating the dynamic personal key, step (3) further comprises authenticating the identity of the user end whose dynamic personal key lifetime has been reached; if authentication passes, the update of the dynamic personal key proceeds, otherwise the process ends.

In step (2), the check of the dynamic personal key's lifetime is performed by the head end.

In step (3), the process of authenticating the user end whose dynamic personal key lifetime has been reached specifically comprises the steps of:

(31) the head end sending an authentication instruction command to the user end whose dynamic personal key lifetime has been reached, instructing the user end to authenticate itself to the head end;

(32) the user end uploading its own identification information to the head end;

(33) the head end authenticating the user end according to the user end's identification information.

Before step (31), the head end further judges whether the user end whose dynamic personal key lifetime has been reached is online.

Alternatively, in step (2), the check of the dynamic personal key's lifetime is performed by the user end.

In that case, the process in step (3) of authenticating the user end whose dynamic personal key lifetime has been reached specifically comprises the steps of:

(3a) the user end whose dynamic personal key lifetime has been reached uploading its own identification information to the head end of the broadcast television network;

(3b) the head end authenticating the user end according to the user end's identification information.

In step (3), the process of updating the dynamic personal key specifically comprises:

(3-1) the head end encrypting the updated dynamic personal key with the personal distribution key shared with the user end and sending it to the user end;

(3-2) the user end decrypting the encrypted dynamic personal key data with the personal distribution key stored in the user identity module, obtaining the updated dynamic personal key.

In step (3-1), the head end of the broadcast television network sends the encrypted dynamic personal key data to the user end over a wired transmission line of a wired communication network or a wireless transmission line of a wireless communication network.

The user end identification information comprises:

the ID of the user end set-top box; or

the user identity stored in the user identity module at the user end; or

the binding between the set-top box ID at the user end and the user identity stored in the user identity module at the user end.

In step (4), the process of encrypting, scrambling and authorizing the transport stream based on the dynamic personal key specifically comprises:

(41) the head end scrambling the transport stream with a control word;

(42) encrypting the control word with a service key to obtain the entitlement control message;

(43) encrypting the service key with the dynamic personal key to obtain the entitlement management message;

(44) multiplexing the entitlement control message and the entitlement management message into the transport stream and sending them to the user end;

The process of decrypting and descrambling the scrambled transport stream based on the dynamic personal key specifically comprises:

(45) the user end decrypting the entitlement management message with the dynamic personal key to obtain the service key;

(46) decrypting the entitlement control message with the service key to obtain the control word;

(47) descrambling the scrambled transport stream with the control word.
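The following Python model is an added illustration, not the patent's own code or any Huawei implementation. It covers both the prior-art three-tier hierarchy of Fig. 1 (CW scrambles TS, SK wraps CW into the ECM, PDK wraps SK into the EMM) and the invention's variant of steps (41)-(47), in which the dynamic personal key (DPK) takes the PDK's place in the EMM, together with the lifetime check of steps (21)-(22), the identity binding of step (33)/(3b) and the PDK-wrapped rekey of steps (3-1)-(3-2). The patent does not specify the scrambling or encryption algorithms, so a keyed HMAC-SHA256 keystream stands in for them (an assumption, and not a real cipher); the identifiers, lifetimes and sample payload are constructed. The demo shows a cloned card (same PDK and DPK, different STB) working before the rotation and failing after it, because its STB/UIM binding does not match the registered one.

```python
import hmac
import hashlib
import secrets


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption; stands in for the unspecified real
    scrambler/cipher): XOR data with HMAC-SHA256(key, label||counter) blocks.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class HeadEnd:
    """Head end (HE) plus authentication server. Each subscriber record holds the
    static PDK, the registered STB/UIM binding and the current DPK (constructed)."""

    def __init__(self, dpk_lifetime: int, renew_window: int):
        self.subscribers = {}          # uim_id -> record
        self.lifetime = dpk_lifetime   # DPK lifetime in seconds (assumption)
        self.window = renew_window     # the "fixed duration value" of step (21)

    def register(self, uim_id, stb_id, pdk, now):
        dpk = secrets.token_bytes(16)
        self.subscribers[uim_id] = {"pdk": pdk, "stb_id": stb_id,
                                    "dpk": dpk, "dpk_expiry": now + self.lifetime}
        return dpk

    def dpk_lifetime_reached(self, uim_id, now):
        # step (22): reached once less than the fixed window remains
        return self.subscribers[uim_id]["dpk_expiry"] - now < self.window

    def authenticate(self, uim_id, stb_id):
        # step (33)/(3b): identity = binding of STB ID and UIM identity
        rec = self.subscribers.get(uim_id)
        return rec is not None and rec["stb_id"] == stb_id

    def rekey(self, uim_id, stb_id, now):
        # step (3): authenticate first; then (3-1) wrap the new DPK under the PDK
        if not self.authenticate(uim_id, stb_id):
            return None
        rec = self.subscribers[uim_id]
        rec["dpk"] = secrets.token_bytes(16)
        rec["dpk_expiry"] = now + self.lifetime
        return keystream_xor(rec["pdk"], b"DPK", rec["dpk"])

    def broadcast(self, ts, uim_id):
        # steps (41)-(44): CW scrambles TS; SK wraps CW -> ECM; DPK wraps SK -> EMM
        cw, sk = secrets.token_bytes(8), secrets.token_bytes(16)
        ts_scrambled = keystream_xor(cw, b"TS", ts)
        ecm = keystream_xor(sk, b"ECM", cw)
        emm = keystream_xor(self.subscribers[uim_id]["dpk"], b"EMM", sk)
        return ts_scrambled, ecm, emm


class Client:
    """STB plus user identity module (UIM); the UIM holds the PDK and current DPK."""

    def __init__(self, uim_id, stb_id, pdk, dpk):
        self.uim_id, self.stb_id, self.pdk, self.dpk = uim_id, stb_id, pdk, dpk

    def clone(self, other_stb_id):
        # attacker copies the card contents (PDK and current DPK) into another STB
        return Client(self.uim_id, other_stb_id, self.pdk, self.dpk)

    def install_dpk(self, wrapped):
        # step (3-2): unwrap the new DPK with the PDK
        self.dpk = keystream_xor(self.pdk, b"DPK", wrapped)

    def descramble(self, ts_scrambled, ecm, emm):
        # steps (45)-(47): DPK -> SK -> CW -> clear TS
        sk = keystream_xor(self.dpk, b"EMM", emm)
        cw = keystream_xor(sk, b"ECM", ecm)
        return keystream_xor(cw, b"TS", ts_scrambled)


def demo(lifetime=3600, window=300):
    """Returns ((legit_ok, clone_ok) before the rotation, (legit_ok, clone_ok) after)."""
    he = HeadEnd(lifetime, window)
    pdk = secrets.token_bytes(16)
    dpk0 = he.register("uim-1", "stb-A", pdk, now=0)
    legit = Client("uim-1", "stb-A", pdk, dpk0)
    clone = legit.clone("stb-B")                 # same card contents, other STB
    program = b"constructed sample transport stream payload"
    pkt = he.broadcast(program, "uim-1")
    before = (legit.descramble(*pkt) == program, clone.descramble(*pkt) == program)
    now = lifetime - window + 100                # 200 s left, below the 300 s window
    assert he.dpk_lifetime_reached("uim-1", now)
    assert he.rekey("uim-1", "stb-B", now) is None   # clone fails the binding check
    legit.install_dpk(he.rekey("uim-1", "stb-A", now))
    pkt = he.broadcast(program, "uim-1")
    after = (legit.descramble(*pkt) == program, clone.descramble(*pkt) == program)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The static prior-art scheme is the "before" state: with the PDK copied, the clone decrypts every EMM addressed to the original card. What the rotation buys is bounded exposure, and only as long as the PDK-wrapped rekey message of step (3-1) reaches the authenticated client alone over the two-way line; a clone that can also capture that unicast message holds the same PDK and unwraps the new DPK just as the legitimate card does, which is the residual weakness the description itself concedes when it says cloning is made harder, not impossible.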

Correspondingly, the invention also proposes a user authorization system comprising a head end for broadcasting program streams and a user end for receiving program streams, the user end comprising a set-top box for processing program stream information and a user identity module for storing user authorization data; the system further comprises:

at the user end, a two-way communication module connected to the set-top box, used to detect whether the dynamic personal key with a lifetime that is preset separately for each user end has expired, to upload the user end identification information to the head end, and to receive the updated user authorization data sent by the head end;

at the head end, an authentication server connected to the two-way communication module by a two-way transmission line, used to detect whether the dynamic personal key with a lifetime that is preset separately for each user end has expired, to authenticate the user end according to the identification information it uploads, to update the user end's user authorization data after authentication passes, and to send the updated user authorization data to the two-way communication module of the user end;

at the head end, an encryption and scrambling module connected to the two-way communication module, used to encrypt, scramble and authorize the transport stream based on the dynamic personal key;

at the user end, a decryption and descrambling module connected to the set-top box, used to decrypt and descramble the scrambled transport stream based on the dynamic personal key.

The two-way communication module is connected to the set-top box by being built into the set-top box.

The two-way communication module is a wireless communication module connected to the authentication server over a wireless transmission line of a wireless communication network; or

the two-way communication module is a wired communication module connected to the authentication server over a wired transmission line of a wired communication network.

The invention achieves the following beneficial effects:

Because the user authorization method of the invention, based on the broadcast television network, sets a dynamic personal key at both the head end and the user end, has the head end and the user end encrypt/decrypt and scramble/descramble the transport stream based on that key, and updates the dynamic personal key promptly when its lifetime is reached, the periodic update of the dynamic personal key limits the time for which a smart card cloned by an illegal user remains usable and makes cloning harder to carry out. This reduces the probability of illegal users watching television programs with cloned smart cards and, at the same time, reduces the economic loss incurred by operators in maintaining smart cards.

At the same time, because the user authorization system of the invention, based on the broadcast television network, has a two-way communication module at the user end and an authentication server at the head end, connected to each other by a two-way transmission line, the head end and the user end of the broadcast television network can exchange user end identification information and dynamically updated user authorization data. This provides a platform for the head end to dynamically update the user end's authorization data, which reduces the probability of illegal users watching television programs with cloned smart cards and reduces the economic loss incurred by operators in maintaining smart cards.

Description of drawings

Fig. 1 is a schematic diagram of the principle by which television programs are scrambled/descrambled and encrypted/decrypted in a broadcast television network in the prior art;

Fig. 2 is a block diagram of the basic structure of the user authorization system of the present invention based on a broadcast television network;

Fig. 3 is a flow chart of the basic implementation principle of the user authorization method of the present invention based on a broadcast television network;

Fig. 4 is a schematic diagram of the identity authentication process for a user end initiated by the front end in the user authorization method of the present invention;

Fig. 5 is a schematic diagram of the identity authentication process for a user end initiated by the user end in the user authorization method of the present invention.

Detailed description of embodiments

The design idea of the user authorization method and authorization system of the present invention is to be able, during the normal operation of the broadcast television network and in a manner the user cannot perceive, to replace the user authorization data stored in the smart card (a smart card is only one special case of a user identification module; to illustrate the scope of protection claimed by the present invention, the description below refers to the user identification module, of which the smart card that already exists in the prior art is a typical example), thereby reducing the illegal economic gain obtained by criminals who clone user identification modules and reducing the economic loss broadcast television network operators incur in maintaining the whole user identification module system. However, compared with the prior art, the user authorization method and system of the present invention can only reduce the probability of illegal users cloning user identification modules; they cannot fundamentally eliminate the possibility that a user identification module is illegally cloned.

The basic principle of the user authorization system proposed by the present invention is first explained in detail below with reference to the drawings. Fig. 2 is a block diagram of the basic structure of the user authorization system of the present invention; the system works as follows:

The current broadcast television network consists of a front end HE 2, which broadcasts the program stream, and user ends, which receive it; a user end generally comprises a set-top box 4, which processes the program stream, and a user identification module 5, which stores the user authorization data and the user identity information. In the current working mode of the broadcast television network the front end HE 2 broadcasts the program stream one-way to all user ends over the broadcast channel, and a user end cannot send any reverse communication to the front end HE 2 over that channel. To add a two-way authentication function between the front end HE 2 and the user end, the following arrangement is therefore required:

A two-way communication module 3 connected to the set-top box 4 is provided at the user end; it uploads the user-end identification information to the front end HE 2 and receives the updated user authorization data sent by the front end HE 2. The two-way communication module 3 may be placed inside the set-top box 4, forming a set-top box with a built-in interactive communication module, or it may be placed outside the set-top box 4 as an externally connected unit;

At the same time, an authentication server 1 is provided at the front end HE 2 of the broadcast television network and connected to the two-way communication module 3 on the user-end side by a two-way transmission line. The authentication server 1 authenticates the identity of the user end from the identification information it uploads, updates the user end's user authorization data once authentication succeeds, and sends the updated user authorization data to the two-way communication module 3 of the user end.

The physical form of the two-way transmission line connecting the authentication server 1 at the front end of the broadcast television network with the two-way communication module 3 at the user-end set-top box 4 may be a wireless transmission line, such as a wireless transmission channel of a GSM or 3G communication network, in which case the two-way communication module 3 is a wireless communication module with wireless communication capability; or it may be a wired transmission line, such as a wired transmission channel of a PSTN communication network or the wired transmission channel of the broadcast television network itself (the Cable channel), in which case the two-way communication module 3 is a wired communication module.

With the user authorization system established on the broadcast television network as described above, the front end HE 2 can still broadcast the transport stream TS one-way over the broadcast channel to the set-top boxes 4 of all user ends. When a user end needs to authenticate itself to the front end HE 2, it uploads its identification information over the two-way transmission line, via the two-way communication module 3, to the authentication server 1 at the front end HE 2 side; the authentication server 1 verifies the legitimacy of the user end's identity and, once the user end passes authentication, sends the updated user authorization data down the two-way transmission line between the authentication server 1 and the two-way communication module 3 to the user end, which updates its own user authorization data from the data received by the two-way communication module 3.

Correspondingly, the present invention also proposes a user authorization method based on the broadcast television network, whose basic implementation principle is explained in detail below with reference to the drawings. Fig. 3 is a flow chart of the basic implementation principle of that method; the basic process is as follows:

Step S10: set a dynamic personal key (DPK, Dynamic Personal Key) with a lifetime; that is, the front end of the broadcast television network sets a separate DPK for each user. A DPK has a lifetime and must be updated after it has been in use for a period of time. The DPK set for each user is shared by the front end and the user end: for every user the front end holds the DPK set for that user and the user end holds the same DPK, which the user end normally stores in the user identification module it carries.

Step S20: check whether each user's DPK has reached its lifetime; the DPK lifetimes may be checked on a periodic basis. If a user's DPK has reached its lifetime, go to step S30; otherwise go to step S60. Whether a DPK has reached its lifetime may be decided as follows:

1) A fixed duration value (for example 1 hour) is set in advance;

2) It is judged whether the time from the current check point to the point at which the DPK lifetime expires is less than the fixed duration value set in 1). If so, the DPK lifetime is judged to have been reached; otherwise it is judged not to have been reached. (The current check point may lie either before or after the expiry point of the DPK lifetime; that is, when the DPK lifetime is checked, the DPK may be about to expire or may already have expired.)

In addition, depending on the circumstances, the lifetime of each DPK may be checked either by the front end of the broadcast television network or by the user end.

Step S30: the front end of the broadcast television network authenticates the identity of the user end whose DPK has reached its lifetime. In general the front end can decide whether the user end's identity is legitimate by authenticating the user end's ID information: it may authenticate the ID of the user-end set-top box, or it may authenticate the user identity information stored in the user identification module of the user end. A more secure approach is for the front end to authenticate the binding between the set-top box ID and the user identity information stored in the user identification module.

Step S40: if the front end's authentication of the user end succeeds, go to step S50; otherwise finish and carry out the next DPK lifetime check.

Step S50: after the front end updates the DPK whose lifetime has been reached, the procedure ends and waits for the next DPK lifetime check. The front end updates a DPK that has reached its lifetime as follows:

a. The front end encrypts the updated dynamic personal key DPK with the personal distribution key PDK it shares with the user end (the PDK is static personal authorization data assigned by the network operator when the user registers with the network; it is likewise stored both at the front end and in the user identification module held by the user end) and sends it to the user end;

b. After receiving the encrypted data from a, the user end decrypts the encrypted dynamic personal key data with the personal distribution key PDK stored in its own user identification module and obtains the updated dynamic personal key DPK.

Transmitting the updated DPK in this way ensures its security. The encrypted DPK data may be delivered to the user end over the wired transmission line of a wired communication network or the wireless transmission line of a wireless communication network, which gives good security; the broadcast channel (Cable channel) may also be used to deliver the encrypted DPK data to the user end, but the security of the transmitted data is then somewhat weaker.

Step S60: the front end of the broadcast television network encrypts, scrambles and authorizes the transport stream TS based on the dynamic personal key DPK; correspondingly, the user end decrypts and descrambles the scrambled transport stream TS delivered by the front end over the broadcast channel based on the shared DPK to obtain the descrambled TS. The user end's set-top box then demultiplexes and decodes the descrambled TS for display to the user, after which the procedure ends and waits for the next DPK lifetime check.

The front end encrypts, scrambles and authorizes the transport stream TS to be sent to the user-end set-top box, based on the DPK, as follows:

A. The front end scrambles the transport stream TS with the control word CW to obtain the scrambled transport stream TS'; this can be written as TS+CW->TS';

B. The front end encrypts the control word CW with the service key SK to obtain the entitlement control message ECM; this can be written as CW+SK->ECM;

C. The front end encrypts the service key SK with the dynamic personal key DPK to obtain the entitlement management message EMM; this can be written as SK+DPK->EMM;

Step S70: correspondingly, the user end of the broadcast television network decrypts and descrambles the received scrambled transport stream TS' based on the DPK as follows:

D. The user end passes the received ECM and EMM data to the user identification module, which decrypts the EMM with its stored DPK to obtain SK; this can be written as EMM+DPK->SK;

E. The user identification module of the user end decrypts the ECM with the SK it has obtained to obtain CW; this can be written as ECM+SK->CW;

F. The user identification module returns the CW it has obtained to the user end's set-top box, whose descrambling engine descrambles the scrambled transport stream TS' with the CW to obtain the transport stream TS; this can be written as TS'+CW->TS.

As can be seen from the above, the user authorization method of the present invention adds, on top of the traditional three-layer CAS encryption system, a layer of dynamic personal key (DPK) as a working key, and updates that working key according to a validity-period limit and an update policy, thereby updating the user authorization data stored in the user identification module. When the DPK is transmitted over the two-way transmission line it is encrypted with the user's personal distribution key (PDK), so the key system becomes four layers, as follows:

TS+CW->TS'

CW+SK->ECM

SK+DPK->EMM

These three encryption layers are used for encrypting and scrambling the transport stream;

DPK+PDK->EMM2

This encryption layer is used to protect the dynamic personal key DPK while an update is transmitted; EMM2 is preferably transmitted over the two-way transmission line.
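The four-layer key hierarchy above, as an added worked example (Python, standard library only) that is not part of the patent. The patent does not name the scrambler or the ciphers behind each "+", so `wrap` and `unwrap` here are an HMAC-based toy authenticated cipher standing in for all four layers; the key and payload values are constructed for the demo. The `key_opens` check goes slightly beyond the text: it shows what DPK rotation buys, namely that a card still holding the previous DPK can no longer recover SK from the re-keyed EMM.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the scrambler and block ciphers a real CAS would use (the
# page names none): HMAC-SHA256 as a PRF keystream plus an HMAC tag.
# Separate sub-keys for keystream and tag keep the two uses apart.


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (12 + len + 32 bytes)."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key (a cloned card whose DPK has
    since been rotated) is rejected here instead of yielding garbage."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def headend_encrypt(ts, cw, sk, dpk, pdk):
    """Front-end side: steps A-C of the text plus the fourth layer."""
    ts_scrambled = wrap(cw, ts)   # TS  + CW  -> TS'
    ecm = wrap(sk, cw)            # CW  + SK  -> ECM
    emm = wrap(dpk, sk)           # SK  + DPK -> EMM
    emm2 = wrap(pdk, dpk)         # DPK + PDK -> EMM2 (DPK update, return channel)
    return ts_scrambled, ecm, emm, emm2


def client_decrypt(ts_scrambled, ecm, emm, emm2, pdk):
    """User-end side: the identification module unwraps EMM2, EMM and ECM
    (steps D-E); the set-top box descrambler applies the CW (step F)."""
    dpk = unwrap(pdk, emm2)          # EMM2 + PDK -> DPK
    sk = unwrap(dpk, emm)            # EMM  + DPK -> SK
    cw = unwrap(sk, ecm)             # ECM  + SK  -> CW
    return unwrap(cw, ts_scrambled)  # TS'  + CW  -> TS


def key_opens(key: bytes, blob: bytes) -> bool:
    """True if `key` unwraps `blob`. Used to show that after DPK rotation a
    cloned card holding the stale DPK can no longer recover SK from the EMM."""
    try:
        unwrap(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys and payload, not values from the patent.
    pdk, old_dpk, new_dpk = (secrets.token_bytes(16) for _ in range(3))
    sk, cw = secrets.token_bytes(16), secrets.token_bytes(8)
    ts = b"constructed transport stream payload"
    ts_s, ecm, emm, emm2 = headend_encrypt(ts, cw, sk, old_dpk, pdk)
    assert client_decrypt(ts_s, ecm, emm, emm2, pdk) == ts
    _, _, emm_after_rotation, _ = headend_encrypt(ts, cw, sk, new_dpk, pdk)
    print("stale DPK still opens EMM:", key_opens(old_dpk, emm_after_rotation))
```

Only the EMM is re-keyed when the DPK rotates; TS' and the ECM are unchanged, so a legitimate card that received the new DPK through EMM2 keeps descrambling without any change to the broadcast path, which is exactly the property the text relies on for a user-imperceptible key change.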

The identity authentication of the user end by the front end may be initiated either by the front end or by the user end; both cases are described in detail below.

Fig. 4 is a schematic diagram of the identity authentication process initiated by the front end in the user authorization method of the present invention; the process is as follows:

Step S100: the front end checks the DPK lifetime of the next user. In the initial state the next user is the first user, and thereafter the DPK of each user end is checked one by one; one full pass over every user end's DPK may be made on a periodic basis;

Step S110: the front end judges whether the DPK lifetime of the user being checked has been reached; if so, go to step S130, otherwise go to step S120;

Step S120: the front end further judges whether the user's DPK is less than 1 hour from reaching its lifetime; if so, go to step S130, otherwise go to step S195;

Step S130: the front end then judges whether the user whose DPK has reached its lifetime is online; if online, go to step S140, otherwise go to step S195. Whether such a user is online is determined as follows:

The front end treats a user who passed the previous authentication as online by default and keeps an online/offline state variable for every user; when the user end fails to respond or fails authentication during the next authentication process, the front end marks that user as offline.

Step S140: the front end sends an authentication indication command to the user end whose DPK lifetime has been reached;

Step S150: on receiving the authentication indication command from the front end, the user end uploads its identification information to the front end over the two-way transmission line. The uploaded identification information may be the ID of the user-end set-top box, the user identity information stored in the user identification module, or the binding between the set-top box ID and the user identity information stored in the user identification module;

Step S160: the front end uses the authentication server to authenticate the user end's identity from the identification information it sent;

Step S170: from the result of step S160 the front end judges whether the user end's identity authentication has passed; if so, go to step S180, otherwise go to step S195;

Step S180: the front end updates the DPK whose lifetime has been reached and encrypts the updated DPK with the PDK shared by the front end and the user end, i.e. DPK+PDK->EMM2, obtaining the encrypted data EMM2, which it then sends to the corresponding user end;

Step S190: on receiving the encrypted data EMM2 from the front end, the user-end set-top box passes it to the user identification module, which decrypts EMM2 with its stored PDK, obtains the updated DPK and stores it; the decryption can be written as EMM2+PDK->DPK;

Step S195: the front end judges whether this pass of checking whether each user's DPK has reached its lifetime is complete, i.e. whether every user end's DPK has been checked. If so, the procedure ends and waits for the next pass of DPK lifetime checks over every user end; otherwise it returns to step S100 and continues by checking whether the next user's DPK lifetime has been reached.

Fig. 5 is a schematic diagram of the identity authentication process initiated by the user end in the user authorization method of the present invention; the process is as follows:

Step S200: after the user end powers on its set-top box STB, it automatically checks its own DPK lifetime; the user end may check its DPK lifetime on a periodic basis;

Step S210: the user end judges whether its DPK has reached its lifetime; if so, go to step S230, otherwise go to step S220;

Step S220: the user end further judges whether its DPK is less than 1 hour from reaching its lifetime; if so, go to step S230, otherwise finish and wait for the next check of whether the DPK lifetime has been reached;

Step S230: to prevent the front-end authentication server from being overloaded when a large number of STBs whose DPKs reach their lifetime at the same time all start the authentication procedure simultaneously, the user end backs off for a period of time at this point;

Step S240: once the back-off time has elapsed, the user end uploads its identification information to the front end over the two-way transmission line. The uploaded identification information may be the ID of the user-end set-top box, the user identity information stored in the user identification module, or the binding between the set-top box ID and the user identity information stored in the user identification module;

Step S250: the front end uses the authentication server to authenticate the user end's identity from the identification information it sent;

Step S260: from the result of step S250 the front end judges whether the user end's identity authentication has passed; if so, go to step S270, otherwise finish and wait for the next check of whether the DPK lifetime has been reached;

Step S270: the front end updates the DPK whose lifetime has been reached and encrypts the updated DPK with the PDK shared by the front end and the user end, i.e. DPK+PDK->EMM2, obtaining the encrypted data EMM2, which it then sends to the user end that initiated the authentication;

Step S280: on receiving the encrypted data EMM2 from the front end, the user-end set-top box passes it to the user identification module, which decrypts EMM2 with its stored PDK, obtains the updated DPK and stores it; the decryption can be written as EMM2+PDK->DPK. The procedure then ends and waits for the next check of whether the DPK lifetime has been reached.
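The two authentication flows of Figs. 4 and 5 (front-end-initiated, steps S100 to S195, and user-end-initiated, steps S200 to S280), together with the lifetime test of steps S110/S120, as an added simulation in Python. This is example code, not the patent's own. It assumes the stronger S30 option (the binding of set-top box ID and identification-module identity is what gets authenticated), a constructed DPK lifetime of seven days, and a deterministic back-off derived from the STB ID; the EMM2 wrapping of the new DPK is left out. `Headend`, `Subscriber`, the `respond` callback and the outcome labels are the example's own names.

```python
import hashlib
import secrets
from dataclasses import dataclass

THRESHOLD_SECONDS = 3600          # fixed duration value from the text: 1 hour
DPK_LIFETIME_SECONDS = 7 * 86400  # assumed lifetime granted on refresh; not on the page


def dpk_lifetime_reached(now: int, expires_at: int,
                         threshold: int = THRESHOLD_SECONDS) -> bool:
    """Steps S110/S120 and S210/S220 in one comparison: the DPK counts as
    reaching its lifetime when the check point is past the expiry time (the
    difference is negative) or less than `threshold` seconds before it."""
    return expires_at - now < threshold


@dataclass
class Subscriber:
    stb_id: str          # set-top box ID
    sim_id: str          # user identity stored in the identification module
    dpk: bytes
    expires_at: int      # Unix time at which the current DPK lifetime ends
    online: bool = True  # a user who last passed authentication is assumed online


class Headend:
    """Front-end side: subscriber registry, authentication server, DPK rotation."""

    def __init__(self, subscribers):
        self.subs = {s.stb_id: s for s in subscribers}

    def authenticate(self, stb_id: str, sim_id: str) -> bool:
        # The stronger option from step S30: check the binding between the
        # set-top box ID and the identity held in the identification module.
        sub = self.subs.get(stb_id)
        return sub is not None and secrets.compare_digest(sub.sim_id, sim_id)

    def refresh_dpk(self, sub: Subscriber, now: int) -> bytes:
        # Steps S180/S270: issue a fresh DPK and a new lifetime. Wrapping it
        # under the PDK as EMM2 for delivery is outside this block.
        sub.dpk = secrets.token_bytes(16)
        sub.expires_at = now + DPK_LIFETIME_SECONDS
        sub.online = True               # just authenticated, so online by default
        return sub.dpk

    def run_round(self, now: int, respond) -> dict:
        """One front-end-initiated pass over every subscriber (steps S100-S195).

        `respond(stb_id)` stands in for the client's reply to the authentication
        indication: the (stb_id, sim_id) pair it uploads, or None if silent.
        Returns the outcome recorded for each set-top box."""
        outcomes = {}
        for stb_id, sub in self.subs.items():
            if not dpk_lifetime_reached(now, sub.expires_at):
                outcomes[stb_id] = "fresh"            # S110 and S120 both negative
                continue
            if not sub.online:
                outcomes[stb_id] = "offline"          # S130: skip offline users
                continue
            reply = respond(stb_id)                   # S140/S150
            if reply is None:
                sub.online = False                    # no response -> marked offline
                outcomes[stb_id] = "no_response"
                continue
            if not self.authenticate(*reply):         # S160/S170
                sub.online = False                    # failed authentication -> offline
                outcomes[stb_id] = "auth_failed"
                continue
            self.refresh_dpk(sub, now)                # S180
            outcomes[stb_id] = "refreshed"
        return outcomes


def backoff_seconds(stb_id: str, max_backoff: int = 600) -> int:
    """Step S230: spread client-initiated authentications so that a burst of
    STBs expiring together does not overload the authentication server. The
    delay is derived from the STB ID so the example is deterministic; a real
    client would pick a random delay (assumption, not from the page)."""
    digest = hashlib.sha256(stb_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % max_backoff


def client_initiated(headend: Headend, stb_id: str, sim_id: str,
                     expires_at: int, now: int) -> str:
    """Client-initiated flow (steps S200-S280) for one set-top box that holds
    the identifiers (stb_id, sim_id) and knows its own DPK expiry."""
    if not dpk_lifetime_reached(now, expires_at):         # S210/S220
        return "fresh"
    upload_at = now + backoff_seconds(stb_id)              # S230
    if not headend.authenticate(stb_id, sim_id):           # S240-S260
        return "auth_failed"
    headend.refresh_dpk(headend.subs[stb_id], upload_at)   # S270
    return "refreshed"
```

Note the interaction between the two flows that the text implies but does not spell out: a set-top box that the front-end sweep has marked offline (no response or failed authentication) is skipped by later sweeps, and only a successful client-initiated authentication brings it back to the online state and gets it a new DPK.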

In summary, the basic idea of the user authorization method and system of the present invention is that the front end of the broadcast television network continues to broadcast the television program transport stream TS over the one-way broadcast channel (Cable channel), while the two-way communication module provided in the user-end set-top box and the two-way transmission line provided between the front end and the user end are used separately to carry out the identity authentication of the user end and the updating of the dynamic personal key DPK. Changing the DPK periodically thus reduces the illegal economic gain that illegal users can obtain by cloning user identification modules: simply controlling the DPK update period effectively limits the time for which a cloned user identification module remains usable and makes cloning one harder. It also reduces the cost the operator incurs in maintaining the whole user identification module system, because as long as the DPK of every user identification module is updated periodically, it is no longer necessary to replace all the physical user identification modules when some of them have been cloned, so the economic cost is certain to fall.

The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make a number of improvements and refinements without departing from the principle of the present invention, and such improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (16)

1. a subscriber entitlement method is characterized in that, comprises step:
(1) at each user side front end and the shared dynamic personal key with life cycle of user side are set respectively;
(2) whether arrive the life cycle of the described dynamic personal key of inspection, if continue step (3); Otherwise go to step (4);
(3) return step (2) behind the described dynamic personal key of renewal arrival life cycle;
(4) front end is implemented encryption, scrambling and authorisation process based on described dynamic personal key to transport stream, and user side is implemented deciphering and scramble process based on described dynamic personal key to the scrambling transport stream.
2. The subscriber authorization method of claim 1, wherein in step (2) the life cycle of the dynamic personal key is checked periodically.
3. The subscriber authorization method of claim 1, wherein step (2) comprises:
(21) setting a fixed duration value;
(22) judging whether the time remaining between the current check time and the expiry time of the dynamic personal key is less than the fixed duration value; if so, the dynamic personal key is judged to have reached the end of its life cycle, otherwise it is judged not to have.
4. The subscriber authorization method of claim 1, wherein step (3) further comprises, before the dynamic personal key is renewed, authenticating the user side whose dynamic personal key has reached the end of its life cycle; if authentication succeeds, renewal of the dynamic personal key proceeds, otherwise the process ends.
5. The subscriber authorization method of claim 4, wherein the life-cycle check of step (2) is performed by the headend.
6. The subscriber authorization method of claim 5, wherein authenticating the user side whose dynamic personal key has reached the end of its life cycle in step (3) comprises:
(31) the headend sends an authentication instruction to that user side, instructing it to authenticate itself to the headend;
(32) the user side uploads its identification information to the headend;
(33) the headend authenticates the user side on the basis of that identification information.
7. The subscriber authorization method of claim 6, wherein step (31) is preceded by the headend determining whether the user side whose dynamic personal key has reached the end of its life cycle is online.
8. The subscriber authorization method of claim 4, wherein the life-cycle check of step (2) is performed by the user side.
9. The subscriber authorization method of claim 8, wherein authenticating the user side whose dynamic personal key has reached the end of its life cycle in step (3) comprises:
(3a) that user side uploads its identification information to the broadcast television network headend;
(3b) the headend authenticates the user side on the basis of that identification information.
10. The subscriber authorization method of claim 1, wherein renewing the dynamic personal key in step (3) comprises:
(3-1) the headend encrypts the renewed dynamic personal key with the personal distribution key it shares with the user side and sends the result to the user side;
(3-2) the user side decrypts the encrypted dynamic personal key data with the personal distribution key stored in its user identification module and so obtains the renewed dynamic personal key.
11. The subscriber authorization method of claim 10, wherein in step (3-1) the broadcast television network headend delivers the encrypted dynamic personal key data to the user side over a wired transmission line of a wired network or a wireless transmission link of a wireless communication network.
12. The subscriber authorization method of claim 6 or 9, wherein the user side identification information comprises:
the ID of the user side set-top box; or
the user identity stored in the user side user identification module; or
the binding between the user side set-top box ID and the user identity stored in the user side user identification module.
13. The subscriber authorization method of claim 1, wherein
encrypting, scrambling and authorizing the transport stream on the basis of the dynamic personal key in step (4) comprises:
(41) the headend scrambles the transport stream with a control word;
(42) encrypts the control word with a service key to form an Entitlement Control Message;
(43) encrypts the service key with the dynamic personal key to form an Entitlement Management Message;
(44) multiplexes the Entitlement Control Message and the Entitlement Management Message into the transport stream and sends it to the user side;
and decrypting and descrambling the scrambled transport stream on the basis of the dynamic personal key comprises:
(45) the user side decrypts the Entitlement Management Message with the dynamic personal key to obtain the service key;
(46) decrypts the Entitlement Control Message with the service key to obtain the control word;
(47) descrambles the scrambled transport stream with the control word.
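The following script is an added worked example, not code from the patent or from Huawei: it models the life-cycle check of claim 3, the authenticate-then-renew step of claims 4, 10 and 12, and the four-level key hierarchy of claim 13 (control word, service key, dynamic personal key, personal distribution key) end to end. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), the message labels, the 188-byte packets and the subscriber records are all assumptions chosen so that it runs offline with only the standard library; the patent does not specify any of them.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 16          # sizes are assumptions for this toy cipher

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a real block cipher (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the label binds the message type so an EMM cannot be replayed as an ECM."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unseal(key: bytes, label: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered message")
    return _xor(ct, _keystream(key, nonce, len(ct)))

def scramble(cw: bytes, packet: bytes, index: int) -> bytes:
    # Steps (41)/(47): symmetric scrambling of one TS packet under the control word.
    # Deliberately unauthenticated: real TS scramblers such as DVB-CSA carry no MAC either.
    return _xor(packet, _keystream(cw, b"TS" + index.to_bytes(4, "big"), len(packet)))

def dpk_expiring(now: int, expiry: int, fixed_duration: int) -> bool:
    # Claim 3: the key counts as expired once less than fixed_duration remains.
    return expiry - now < fixed_duration

class HeadEnd:
    def __init__(self, service_key: bytes, users: dict):
        self.service_key = service_key
        self.users = users                # user_id -> {stb_id, pdk, dpk, expiry}
    def authenticate(self, user_id, stb_id) -> bool:
        # Claim 12: accept only the registered set-top-box ID / UIM user ID binding.
        rec = self.users.get(user_id)
        return rec is not None and hmac.compare_digest(rec["stb_id"], stb_id)
    def renew_dpk(self, user_id, stb_id, now, fixed_duration, new_expiry):
        # Claims 3, 4, 10: life-cycle check, then authentication, then the new DPK under the PDK.
        rec = self.users[user_id]
        if not dpk_expiring(now, rec["expiry"], fixed_duration):
            return None
        if not self.authenticate(user_id, stb_id):
            raise PermissionError("authentication failed; renewal aborted")
        rec["dpk"], rec["expiry"] = secrets.token_bytes(16), new_expiry
        return seal(rec["pdk"], b"DPK-UPDATE", rec["dpk"])
    def broadcast(self, user_id, packets):
        # Steps (41)-(44): scramble under CW, ECM = E_SK(CW), EMM = E_DPK(SK).
        cw = secrets.token_bytes(8)
        ecm = seal(self.service_key, b"ECM", cw)
        emm = seal(self.users[user_id]["dpk"], b"EMM", self.service_key)
        return ecm, emm, [scramble(cw, p, i) for i, p in enumerate(packets)]

class Client:
    def __init__(self, stb_id, pdk, dpk):
        self.stb_id = stb_id
        self.pdk, self.dpk = pdk, dpk     # the PDK lives in the user identification module
    def apply_dpk_update(self, blob):
        self.dpk = unseal(self.pdk, b"DPK-UPDATE", blob)            # step (3-2)
    def receive(self, ecm, emm, scrambled):
        # Steps (45)-(47): EMM -> service key, ECM -> control word, CW -> clear packets.
        sk = unseal(self.dpk, b"EMM", emm)
        cw = unseal(sk, b"ECM", ecm)
        return [scramble(cw, p, i) for i, p in enumerate(scrambled)]

def run_demo():
    # Constructed scenario: one subscriber whose UIM is also plugged into an unregistered box.
    pdk, dpk0 = secrets.token_bytes(16), secrets.token_bytes(16)
    head = HeadEnd(secrets.token_bytes(16),
                   {"user-1": {"stb_id": b"STB-0001", "pdk": pdk, "dpk": dpk0, "expiry": 1000}})
    box = Client(b"STB-0001", pdk, dpk0)
    other = Client(b"STB-9999", pdk, dpk0)                   # same UIM, wrong set-top box
    packets = [b"\x47" + bytes([i]) * 187 for i in range(3)]  # 188-byte TS packets (constructed)
    result = {"other_refused": False, "stale_dpk_fails": False}
    try:                                                     # at t=900 the DPK is due; wrong binding
        head.renew_dpk("user-1", other.stb_id, 900, 200, 2000)
    except PermissionError:
        result["other_refused"] = True
    box.apply_dpk_update(head.renew_dpk("user-1", box.stb_id, 900, 200, 2000))
    ecm, emm, ts = head.broadcast("user-1", packets)
    result["recovered"] = box.receive(ecm, emm, ts) == packets
    try:                                                     # still holds dpk0: the EMM will not open
        other.receive(ecm, emm, ts)
    except ValueError:
        result["stale_dpk_fails"] = True
    return result
```

Running `run_demo()` shows the expected outcome: the registered box renews its key and descrambles, the box with the wrong set-top box ID is refused at the headend, and a receiver still holding the old dynamic personal key can no longer open the new EMM. Note what the example makes visible about claim 10: the renewed key is protected only by the personal distribution key inside the user identification module, so any box holding that module could decrypt an intercepted update; the check that actually stops it is the headend refusing to issue the update unless the uploaded set-top box ID matches the registered binding (claims 4 and 12), which makes the integrity of the return channel and of the identification data as important as the encryption of the update itself.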
14. A subscriber authorization system comprising a headend for broadcasting program streams and a user side for receiving program streams, the user side comprising a set-top box for processing program-stream information and a user identification module for storing user authorization data, characterized in that the system further comprises:
at the user side, a bidirectional communication module connected to the set-top box, for detecting whether the dynamic personal key preset for that user side, which has a life cycle, has expired; for uploading the user side identification information to the headend; and for receiving the renewed user authorization data sent by the headend;
at the headend, an authentication server connected to the bidirectional communication module over a reverse link, for detecting whether the dynamic personal key preset for each user side has expired, for authenticating a user side on the basis of the identification information it uploads, for renewing that user side's user authorization data after successful authentication, and for sending the renewed user authorization data to the user side's bidirectional communication module;
at the headend, an encryption and scrambling module connected to the bidirectional communication module, for encrypting, scrambling and authorizing the transport stream on the basis of the dynamic personal key;
at the user side, a decryption and descrambling module connected to the set-top box, for decrypting and descrambling the scrambled transport stream on the basis of the dynamic personal key.
15. The subscriber authorization system of claim 14, wherein the bidirectional communication module is arranged inside the set-top box and is thereby connected to it.
16. The subscriber authorization system of claim 14, wherein
the bidirectional communication module is a wireless communication module connected to the authentication server over a wireless transmission link of a wireless communication network; or
the bidirectional communication module is a wired communication module connected to the authentication server over a wired transmission line of a wired network.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2004100703821A CN100384251C (en) 2004-08-02 2004-08-02 User Authorization Method and Its Authorization System
PCT/CN2005/001092 WO2006012788A1 (en) 2004-08-02 2005-07-21 Subscriber authorizating method and authorizating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100703821A CN100384251C (en) 2004-08-02 2004-08-02 User Authorization Method and Its Authorization System

Publications (2)

Publication Number Publication Date
CN1735192A CN1735192A (en) 2006-02-15
CN100384251C true CN100384251C (en) 2008-04-23

Family

ID=35786871

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100703821A Expired - Fee Related CN100384251C (en) 2004-08-02 2004-08-02 User Authorization Method and Its Authorization System

Country Status (2)

Country Link
CN (1) CN100384251C (en)
WO (1) WO2006012788A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8584174B1 (en) 2006-02-17 2013-11-12 Verizon Services Corp. Systems and methods for fantasy league service via television
US9143735B2 (en) 2006-02-17 2015-09-22 Verizon Patent And Licensing Inc. Systems and methods for providing a personal channel via television
US8522276B2 (en) 2006-02-17 2013-08-27 Verizon Services Organization Inc. System and methods for voicing text in an interactive programming guide
US8713615B2 (en) * 2006-02-17 2014-04-29 Verizon Laboratories Inc. Systems and methods for providing a shared folder via television
US7917583B2 (en) 2006-02-17 2011-03-29 Verizon Patent And Licensing Inc. Television integrated chat and presence systems and methods
KR100781531B1 (en) 2006-09-19 2007-12-03 삼성전자주식회사 Method and apparatus for providing content service
CN101257358B (en) * 2008-04-17 2011-09-21 中兴通讯股份有限公司 Method and system for updating user cipher key
CN101568070B (en) * 2008-04-23 2012-11-28 中兴通讯股份有限公司 Mobile terminal management system and method
CN101772045B (en) * 2008-12-30 2012-06-06 中国移动通信集团公司 Method and device for detecting cloning of telecommunications smart cards
CN104954841B (en) * 2015-06-17 2019-10-18 上海玮舟微电子科技有限公司 Method for supporting multiple conditional access systems and video playback apparatus using it
CN105611353A (en) * 2015-12-23 2016-05-25 福建新大陆通信科技股份有限公司 Conditional access method by using fingerprint for set top box
CN106302457A (en) * 2016-08-16 2017-01-04 上海斐讯数据通信技术有限公司 Data communication method and system
DE102019108049A1 (en) * 2019-03-28 2020-10-01 Pilz Gmbh & Co. Kg Access control system for controlling a user's access to one or more operating functions of a technical system
CN114205552B (en) * 2021-01-08 2025-07-25 浙江宇视科技有限公司 Code stream encryption method, code stream decryption method, device, electronic equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1259260A (en) * 1997-06-06 2000-07-05 汤姆森消费电子有限公司 Conditional access system for set-top boxes
CN1266572A (en) * 1998-04-01 2000-09-13 松下电器产业株式会社 Data transmitting/receiving method, data transmitter, data receiver, data transmitting/receiving system, AV content transmitting method
US20020087971A1 (en) * 2000-10-26 2002-07-04 Cochran Keith R. Communication protocol for content on demand system with callback time
US20030147532A1 (en) * 2002-02-07 2003-08-07 Tomi Hakkarainen Hybrid network encrypt/decrypt scheme
CN1444826A (en) * 2000-06-02 2003-09-24 通用仪器公司 A system to deliver encrypted access control information
CN2593500Y (en) * 2002-12-16 2003-12-17 浪潮电子信息产业股份有限公司 Sharing buffering interactive set top box
CN1581858A (en) * 2003-08-05 2005-02-16 中兴通讯股份有限公司 Media gateway link authentication method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3565715B2 (en) * 1998-07-02 2004-09-15 松下電器産業株式会社 Broadcast system and broadcast transceiver
US20030208561A1 (en) * 2000-05-31 2003-11-06 Khoi Hoang Counterfeit STB prevention through protocol switching
US20020083438A1 (en) * 2000-10-26 2002-06-27 So Nicol Chung Pang System for securely delivering encrypted content on demand with access control

Also Published As

Publication number Publication date
CN1735192A (en) 2006-02-15
WO2006012788A1 (en) 2006-02-09

Similar Documents

Publication Publication Date Title
US8488794B2 (en) Method for access control to a scrambled content
CN101263714B (en) Method for authenticating a target device connected to a master device
US9479825B2 (en) Terminal based on conditional access technology
CN101076109B (en) Digital TV two-way CA system and program subscription/cancellation method based on the system
US8060902B2 (en) System for receiving broadcast digital data comprising a master digital terminal, and at least one slave digital terminal
CN102802036B (en) System and method for identifying digital television
CN103975604B (en) For handling the method and multimedia unit of digital broadcast transmission stream
CN100384251C (en) User Authorization Method and Its Authorization System
CN101945249B (en) Processing recordable content in a stream
EP2506590A1 (en) Authentication Certificates
CN101945248A (en) Processing recordable content in a stream
RU2519395C2 (en) Method of controlling access to set of channels for receiving or decoding device (versions)
CN101208952A (en) Multimedia access device registration system and method
EP1788811B1 (en) A method for obtaining user's on-line information
CN102084664A (en) Unit and method for secure processing of access controlled audio/video data
US20120257749A1 (en) Method and processing unit for secure processing of access controlled audio/video data
TW201031199A (en) Method and device for reception of control words, and device for transmission thereof
CN100551034C (en) Mobile multimedia service implementation method and conditional access system
CN101895393A (en) IPTV (Internet Protocol Television) user security terminal
US20050071866A1 (en) System for receiving broadcast digital data comprising a master digital terminal, and at least one slave digital terminal
CN100499470C (en) System and method for implementing prepaid services in mobile multimedia broadcast
JP4521392B2 (en) Pay television systems associated with decoders and smart cards, rights revocation methods in such systems, and messages sent to such decoders
KR20100069373A (en) Conditional access system and method exchanging random value
KR20080088012A (en) Interworking authentication method of multiple terminals using user identification information
CN101331767B (en) Access control method for scrambled content

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HUAWEI SOFTWARE TECHNOLOGIES LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090327

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20090327

Address after: No. 94 Ande gate, Yuhuatai District, Jiangsu, Nanjing

Patentee after: Huawei Technologies Co.,Ltd.

Address before: Bantian HUAWEI headquarters office building, Longgang District, Shenzhen, Guangdong

Patentee before: Huawei Technologies Co., Ltd.

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080423

Termination date: 20120802