CN1780413A - A key control method for multicast broadcast service - Google Patents
- Publication number: CN1780413A (application CN200410097285.1A)
- Authority: CN (China)
- Legal status: Granted
Description
Technical field
The invention relates to multicast broadcast services, and in particular to a key control method for a multicast broadcast service.
Background
Multicast and broadcast are techniques for delivering data from one source to multiple destinations. In traditional mobile networks, the Cell Broadcast Service (CBS) allows low-bit-rate data to be sent to all users over a shared cell broadcast channel; it is a message-type service. Today, demand for mobile communication is no longer satisfied by telephony and messaging. With the rapid growth of the Internet, a large number of multimedia services have emerged, some of which require many users to receive the same data at the same time, such as video on demand, television broadcasting, video conferencing, online education and interactive games. Compared with ordinary data, these mobile multimedia services involve large data volumes, long durations and sensitivity to delay. Current IP multicast technology applies only to wired IP networks, not to mobile networks, because mobile networks have their own network structure, functional entities and radio interfaces, all of which differ from wired IP networks.
To make efficient use of mobile network resources, on the one hand 3GPP, the global standardization body for WCDMA (Wideband Code Division Multiple Access) and GSM (Global System for Mobile communications), has proposed the Multimedia Broadcast/Multicast Service (MBMS); on the other hand, the latest IEEE 802.16 draft, IEEE 802.16e/D5, introduces the Multicast and Broadcast Service (MBS). In both, one data source in the mobile network sends data to multiple users. Such point-to-multipoint services share network resources and raise their utilization, in particular that of air-interface resources. The new MBMS and MBS support not only low-rate plain-text message multicast and broadcast but also multicast and broadcast of high-speed multimedia services, which clearly matches the future direction of mobile data.
The network structure of the MBS service is shown in Figure 1. To support MBS, a new mobile-network functional entity, the multicast broadcast service distribution server (MBS server), is added. It serves both as the entry point for content providers and as the entity that schedules the transmission of multicast broadcast data by its subordinate base stations (BS: Base Station) and distributes that data to them. In addition, functional entities such as the MSS and BS are enhanced with MBS-related functions.
MBS service operation consists mainly of the following parts: acquisition of the MBS service list, MBS service authentication and encryption key acquisition, and normal reception of the MBS service.
As shown in Figure 2, acquisition of the MBS service list mainly comprises steps 1 to 3:
1. The mobile station (MSS: Mobile Subscriber Station) decides to query the MBS service content list and looks for the relevant content server;
2. The MSS sends an [HTTP] Request to one or more MBS servers;
3. The MBS server sends an [HTTP] Response that includes the MBS content list, multicast IP address/port number, etc.
As shown in Figure 3, MBS service authentication and encryption key acquisition mainly comprise steps 4 to 8:
4. After obtaining the MBS content list, the MSS sends a DSA-REQ message to the BS that includes the multicast IP address/port number of the MBS service it has selected to receive;
5. The BS sends a DSX-RVD message and at the same time carries out the authentication procedure for receiving the MBS content;
6. After successful authentication and authorization, the BS sends a DSA-RSP message that includes the MBS downlink service parameters (for example the MBS SA-ID);
7. The MSS sends a PKM-REQ message to the BS to obtain the MBS key with which it will decrypt the received MBS service data;
8. The BS sends a PKM-RSP message to the MSS that includes the MBS service key.
After obtaining the MBS downlink service parameters and the MBS key, the MSS uses this information to receive the relevant MAC PDUs and enters the normal MBS reception state. Normal reception of the MBS service refers to receiving the MBS content using the received MBS downlink service parameters. In the current draft standard, the MBS downlink service parameters mainly comprise the MBS zone identifier and the Multicast CID.
In a public-key cryptosystem, also called an asymmetric cryptosystem, the encryption key and the decryption key differ. The key that may be disclosed is the public key; the key that must be kept secret is the private key; and deriving the private key from the public key is hard. Data encrypted with the public key can be decrypted with the private key and, conversely, data encrypted with the private key can be decrypted with the public key. A public-key cryptosystem can therefore provide a digital signature service: the sender encrypts the information with its own private key, and anyone holding the corresponding public key can decrypt it. Because only the sender holds the private key and keeps it secret, no other entity can forge the sender's signature, so the result can be regarded as the sender's signature on the information.
In 1978 Kohnfelder introduced the concept of the public key certificate in his bachelor's thesis: a public key is delivered to its user by means of a certificate. Public key certificates are generally issued by an authority (such as a Certification Authority, CA) and use digital signature technology to bind an entity's name and other identity information to its public key. Many kinds of certificate are in common use today, such as X.509 certificates.
The tamper-resistant cryptographic module is a common technique in key management, generally applied in smart card services. Using a special manufacturing process, keys and other important information are sealed inside the module; the key material cannot be read out with read instructions, nor can the internally stored information be obtained by taking the module apart: if anyone attempts to disassemble it, the module automatically erases the key information it stores.
The MBS service is transmitted on a wireless broadcast channel, so every MSS can pick up the data on that channel; but because the data is encrypted, only an MSS that has subscribed to a given MBS service can decrypt that service's data and receive it.
Because an MBS service is broadcast within an MBS zone, and every MSS in that zone subscribed to the service must be able to receive it seamlessly, the data of one MBS service is encrypted with the same key throughout an MBS zone. So that an MSS subscribed to a given MBS service can correctly receive its broadcast data, when the MSS requests that service from the MBS server, the MBS server distributes the service's encryption key to the authenticated MSS through a key exchange procedure.
Since the data of one MBS service is encrypted with the same encryption key and then broadcast over the radio channel, two problems arise: how to keep the encryption key secure while it is being delivered, and how to prevent a user subscribed to an MBS service from deliberately leaking the service key it has obtained, or anonymously distributing it, to unsubscribed users. Current MBS service key management provides no mechanism that guarantees either.
Summary of the invention
The present method provides a control method for securely issuing service keys for a multicast broadcast service, so as to protect the service key. The multicast broadcast service key control method is implemented through the following steps:
A: a public key and its corresponding private key are set for the mobile station;
B: the multicast broadcast service distribution server encrypts the multicast broadcast service key with the public key and sends it to the mobile station;
C: the mobile station decrypts the received multicast broadcast service key with the private key.
The mobile station is provided with a tamper-resistant cryptographic module that stores the private key. The module uses the private key to decrypt and store the multicast broadcast service key received by the mobile station, and uses the multicast broadcast service key to decrypt the multicast broadcast service data the mobile station receives.
The public key and private key are set by an independent security center, which stores the mobile station's private key in its tamper-resistant cryptographic module.
Between steps A and B there is a further step A1: the security center establishes a public key repository in which the mobile station's identification information and its corresponding public key are registered.
The mobile station sends its identification information to the multicast broadcast service distribution server;
using that identification information, the multicast broadcast service distribution server looks up the corresponding public key at the security center over a secure channel.
The security center issues the mobile station a digital certificate containing the mobile station's identification information and public key.
The mobile station sends the digital certificate to the multicast broadcast service distribution server;
the multicast broadcast service distribution server verifies the digital certificate and extracts the mobile station's identification information and public key.
The control method further comprises step D: the mobile station receives the multicast broadcast service data from the multicast broadcast service distribution server and feeds it into the tamper-resistant cryptographic module for decryption.
With the multicast broadcast service key control method of the present invention, theft of the service key during distribution is effectively prevented, and a subscribed user who has obtained the service key is prevented from deliberately leaking it, or anonymously distributing it, to unsubscribed users.
Description of drawings
Figure 1 is a schematic diagram of the MBS network structure;
Figure 2 is the information exchange flow chart for a mobile station obtaining the MBS service list;
Figure 3 is the information exchange flow chart for a mobile station obtaining the MBS downlink service parameters and encryption key;
Figure 4 is the flow chart of Embodiment 1.
Detailed description
To receive MBS service data correctly, a user subscribed to an MBS service must hold the MBS service key, and that key must be obtained from the MBS server through authentication and key exchange. To prevent the service key from being stolen during the exchange, a public-key cryptosystem is used: an independent security center generates a public/private key pair for every mobile station; the MBS server encrypts the MBS service key with the public key and sends it to the mobile station, which on receipt decrypts it with its private key to obtain the MBS service key.
Further, the public-key cryptosystem is combined with a tamper-resistant cryptographic module: the user's private key and the service key are kept inside the module, so that a subscribed user who has obtained the MBS service's encryption key still has no way to access it, let alone distribute it, and therefore cannot leak or spread the service key. This scheme requires that every user's MSS device contain a tamper-resistant cryptographic module that stores the private key of the device's key pair and also integrates the data encryption and decryption functions (both the public-key algorithm and the symmetric-key algorithm) that actually perform the encryption and decryption operations. During authentication and key exchange between the MSS and the MBS server, the MBS server obtains, through a secure route, the public key matching the private key stored in the MSS device's tamper-resistant module, encrypts the MBS service's encryption key with that public key and sends it to the MSS. The MSS must feed the received message into the tamper-resistant module for decryption before the MBS service key becomes available, and the MBS multicast broadcast service data it receives must likewise be passed to the module for decryption. In this way the user is kept from direct access to the MBS service key, which effectively prevents deliberate disclosure and anonymous distribution of the key.
With this scheme, the specific problem to be solved is ensuring that the MBS server obtains the MSS's public key correctly and securely, because either the user or an attacker could generate a key pair of their own and send its public key to the MBS server. If the MBS server cannot tell whether a public key matches the private key stored in the MSS device's tamper-resistant module, then when it encrypts the multicast broadcast service key with that public key and sends it to the user, the user or attacker can unwrap the message with the private key of the self-generated pair and obtain the MBS service key.
In general, either of the following two methods lets the MBS server obtain, correctly and securely, the public key matching the private key in the MSS device's tamper-resistant cryptographic module.
Embodiment 1: method using a public key repository
Before leaving the factory, an MSS device is registered in an MSS public key repository (for example a KDC, Key Distribution Center); the registered information comprises a unique identifier of the MSS and its public key. The repository is set up and maintained by an independent security center, which is responsible for generating the public and private keys and for loading the private key into the mobile station's tamper-resistant cryptographic module. During authentication and key exchange with the MBS server, the MSS sends its unique identifier to the MBS server, which uses that identifier to fetch the MSS's public key from the repository over the secure channel established with the security center, encrypts the MBS service key it has generated with that public key, and sends the encrypted key to the MSS. On receiving the encrypted MBS service key, the MSS must pass it to the tamper-resistant cryptographic module, which decrypts it with the private key; only then is the MBS service encryption key available. Encrypted MBS service data received by the MSS must likewise be passed to the module for decryption. This keeps the user from direct access to the MBS service key and effectively reduces the risk of a user deliberately leaking or anonymously distributing the MBS service encryption key.
Embodiment 2: method using a public key digital certificate
After leaving the factory, every MSS device holds a digital certificate issued by the device vendor or another Certification Authority (CA). The certificate contains the MSS's public key and may also contain public key verification information with which the MBS server checks the validity of the public key. When requesting the MBS service key from the MBS server, the MSS must send this certificate to the server. The MBS server verifies the certificate, obtains the MSS's public key, encrypts the service key of the MBS service the MSS has subscribed to with that public key and sends it to the MSS. Having obtained the encrypted service key, the MSS must pass it to the tamper-resistant cryptographic module, which decrypts it with the private key; only then is the MBS service encryption key available. Encrypted MBS service data received by the MSS must likewise be passed to the module for decryption. This keeps the user from direct access to the MBS service key and effectively reduces the risk of a user deliberately leaking or anonymously distributing the MBS service encryption key.
The invention provides a control method that ensures the secure issuance of the MBS service key and prevents its deliberate leakage or anonymous distribution; the method is applicable to all MBS services.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100972851A CN100403814C (en) | 2004-11-25 | 2004-11-25 | A key control method for multicast broadcast service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1780413A true CN1780413A (en) | 2006-05-31 |
| CN100403814C CN100403814C (en) | 2008-07-16 |
Family
ID=36770493
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100972851A Expired - Fee Related CN100403814C (en) | 2004-11-25 | 2004-11-25 | A key control method for multicast broadcast service |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100403814C (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2951311B1 (en) * | 1998-03-12 | 1999-09-20 | 株式会社高度移動通信セキュリティ技術研究所 | Mobile communication dynamic secure grouping communication method |
| EP1119132A3 (en) * | 2000-01-19 | 2003-01-02 | Research In Motion Limited | Broadcasting encrypted messages using session keys |
| CN1199394C (en) * | 2002-04-09 | 2005-04-27 | 华为技术有限公司 | Method for distributing key of multi-casting business |
| CN1284331C (en) * | 2003-05-22 | 2006-11-08 | 中国科学院计算技术研究所 | Safety communication method between communication system of networking computer and user oriented network layer |
| CN1277365C (en) * | 2003-06-27 | 2006-09-27 | 武汉理工大学 | High performance and quick public pin encryption |
- 2004-11-25: CN application CNB2004100972851A, granted as CN100403814C; status: not active (Expired - Fee Related)
Cited By (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101094439B (en) * | 2006-06-23 | 2011-05-04 | 华为技术有限公司 | Method and device of assigning resources dynamically for broadcast service in wireless communication system |
| US8184569B2 (en) | 2006-09-19 | 2012-05-22 | Huawei Technologies Co., Ltd. | Method for terminal to join multicast broadcast service in wireless network and system using thereof |
| CN101150467B (en) * | 2006-09-19 | 2011-12-21 | 华为技术有限公司 | Method for adding multicast and broadcast service into communication system and terminal |
| CN101150396B (en) * | 2006-09-20 | 2012-04-25 | 华为技术有限公司 | Method, network and terminal device for obtaining multicast and broadcast service secret key |
| WO2008040242A1 (en) * | 2006-09-20 | 2008-04-10 | Huawei Technologies Co., Ltd. | Method, network and terminal device for obtaining multicast broadcast service key |
| CN100463391C (en) * | 2006-09-23 | 2009-02-18 | 西安西电捷通无线网络通信有限公司 | Network key management and session key updating method |
| US8306229B2 (en) | 2006-09-23 | 2012-11-06 | China Iwncomm Co., Ltd. | Method for managing network key and updating session key |
| CN101170404B (en) * | 2006-10-24 | 2010-05-19 | 华为技术有限公司 | How to configure keys for specified groups |
| CN101370248B (en) * | 2007-08-15 | 2011-12-07 | 中国移动通信集团公司 | Cryptographic key updating method, third party server and system for activating third party application |
| CN101494821B (en) * | 2008-01-24 | 2012-10-10 | 中兴通讯股份有限公司 | Method for receiving multicast and broadcast service program |
| CN101364865B (en) * | 2008-09-19 | 2012-02-01 | 西安西电捷通无线网络通信股份有限公司 | Multicast key management method for wireless city region network |
| WO2010133056A1 (en) * | 2009-05-21 | 2010-11-25 | 中兴通讯股份有限公司 | Method and system for wireless data transmission |
| CN101873468A (en) * | 2010-05-31 | 2010-10-27 | 中山大学深圳研究院 | A digital television conditional access system, device and method |
| CN101883118A (en) * | 2010-07-08 | 2010-11-10 | 长春吉大正元信息技术股份有限公司 | Digital signature method for mass data |
| CN101883118B (en) * | 2010-07-08 | 2012-10-17 | 长春吉大正元信息技术股份有限公司 | Digital signature method for mass data |
| CN103338437B (en) * | 2013-07-11 | 2016-06-08 | 成都三零瑞通移动通信有限公司 | The encryption method of a kind of mobile instant message and system |
| CN103338437A (en) * | 2013-07-11 | 2013-10-02 | 成都三零瑞通移动通信有限公司 | Encryption method and system of mobile instant message |
| WO2016086788A1 (en) * | 2014-12-02 | 2016-06-09 | 阿里巴巴集团控股有限公司 | Method and apparatus for encrypting/decrypting data on mobile terminal |
| US11134377B2 (en) | 2014-12-02 | 2021-09-28 | Advanced New Technologies Co., Ltd. | Encrypting/decrypting data on mobile terminal |
| WO2016188353A1 (en) * | 2015-05-22 | 2016-12-01 | 杭州海康威视数字技术股份有限公司 | Network monitoring device and method, apparatus and system for resetting password thereof, and server |
| US10831879B2 (en) | 2015-05-22 | 2020-11-10 | Hangzhou Hikvision Digital Technology Co., Ltd. | Network monitoring device, method, apparatus and system for resetting password thereof, and server |
| CN109347627A (en) * | 2018-09-19 | 2019-02-15 | 平安科技(深圳)有限公司 | Data encryption/decryption method, device, computer equipment and storage medium |
| CN109347627B (en) * | 2018-09-19 | 2023-08-29 | 平安科技(深圳)有限公司 | Data encryption and decryption method and device, computer equipment and storage medium |
| WO2023109468A1 (en) * | 2021-12-17 | 2023-06-22 | 浙江中控技术股份有限公司 | Multicast communication key distribution method and system for industrial controller |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100403814C (en) | 2008-07-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Xue et al. | RAAC: Robust and auditable access control with multiple attribute authorities for public cloud storage | |
| KR100967323B1 (en) | Method and apparatus for security in data processing system | |
| CN101513011B (en) | Method and system for continuous transmission of encrypted data of a broadcast service to a mobile terminal device | |
| KR100886592B1 (en) | Security method and apparatus of data processing system | |
| CN100403814C (en) | A key control method for multicast broadcast service | |
| US7818792B2 (en) | Method and system for providing third party authentication of authorization | |
| ES2359507T3 (en) | METHOD FOR MANAGING DIGITAL RIGHTS IN A DIFFUSION / MULTIDIFUSION SERVICE. | |
| CN100380270C (en) | Method and apparatus for secure data transmission in a mobile communication system | |
| CA2475150C (en) | System and method for providing key management protocol with client verification of authorization | |
| WO2020133655A1 (en) | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scenario | |
| CN1933393A (en) | Inter-entity coupling method, apparatus and system for content protection | |
| US20090254997A1 (en) | Method and apparatus for content rights management | |
| CN105743641B (en) | It is a kind of can explicit authentication public key multi-receiver label decryption method | |
| CN108833339A (en) | An Encrypted Access Control Method in Content-Centric Network | |
| CN101562520B (en) | Service key distribution method and system, and key distribution method | |
| US8417933B2 (en) | Inter-entity coupling method, apparatus and system for service protection | |
| CN103139774B (en) | Short message service processing method and short message service treatment system | |
| CN101471771B (en) | Method and system for transmitting and enciphering medium based on P2P network | |
| CN100484266C (en) | Method for mobile terminal using content of service of broadcast/multicast | |
| KR101165350B1 (en) | An Authentication Method of Device Member In Ubiquitous Computing Network | |
| Mohamed et al. | OMAC: a new access control architecture for overlay multicast communications | |
| CN115396207A (en) | Video conference safety protection method and system based on digital certificate authentication | |
| Yeh et al. | A conditional access system with efficient key distribution and revocation for mobile pay-TV systems | |
| Ge et al. | VisualSec: A secure message delivery scheme for online social networks based on profile images | |
| Guo et al. | Design of Multi-dimensional Electronic Channel Unified Identity Authentication Method for Power Information System |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20180528. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. (518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen); patentee after: GW partnership Co.,Ltd. (London, England). Effective date of registration: 20180528. Patentee before: GW partnership Co.,Ltd. (London, England); patentee after: Global innovation polymerization LLC (California, USA). |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20080716 |