CN102065092B - Method and system for authorizing digital signature of application program of set top box - Google Patents
Method and system for authorizing digital signature of application program of set top box Download PDFInfo
- Publication number
- CN102065092B CN102065092B CN 201010617801 CN201010617801A CN102065092B CN 102065092 B CN102065092 B CN 102065092B CN 201010617801 CN201010617801 CN 201010617801 CN 201010617801 A CN201010617801 A CN 201010617801A CN 102065092 B CN102065092 B CN 102065092B
- Authority
- CN
- China
- Prior art keywords
- top box
- sequence
- signature
- information
- service end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the relevant technical field of set top boxes, in particular to a method and system for authorizing a digital signature of an application program of a set top box. The method comprises the steps of: carrying out safe symmetrical encryption on a signature information sequence by a service end by using safe symmetrically encrypted secret keys; encrypting a signature sequence by using asymmetrically encrypted secrete keys to obtain an encrypted signature sequence, wherein a public key and the encrypted signature sequence are used as certificates; obtaining a signed application program of the set top box by the set top box, decrypting the encrypted signature sequence of the certificates by using the public key, sending verification information to the service end through safe communication; and verifying the verification information by the service end, sending the symmetrically encrypted secret keys to the set top box, decrypting the encrypted signature information sequence by the set top box by using the symmetrically encrypted secret keys to obtain the signature information sequence and installing after verifying. The technical scheme provided by the invention is more flexible compared with a PKI (Public Key Infrastructure) digital certificate technology, and the processing mechanism is simpler.
Description
Technical field
The present invention relates to the set-top box correlative technology field, particularly a kind of set-top box application progressive number signature authentication method and system thereof.
Background technology
Existing set-top box application progressive number signature authentication method as shown in Figure 1, the PKIX of employing (Public Key Infrastructure, PKI) digital certificate technique adopts the asymmetrical encryption system of RSA, and is safer.But the existing signature authentication method real free time is long, between set-top box developer and software developer, increased simultaneously third-party certification authority (CA, Certificate Authority) mechanism, system are complicated, and have increased cost.
Summary of the invention
First goal of the invention of the present invention is to provide a kind of set-top box application progressive number signature authentication method, with the comparatively complicated technical problem of set-top box application progressive number signature authentication method that solves prior art.
In order to realize first goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number signature authentication method, described method comprises:
Signature step:
Service end uses the symmetric cryptographic key of safety that the signing messages sequence that comprises set-top box identifying information tract is carried out safe symmetric cryptography, and described set-top box identifying information tract is used for the set-top box scope that marking machine top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used for sign software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out amalgamation obtain set-top box application program through signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
As a kind of preferred version, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
As a kind of preferred version, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract identifies is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
As a kind of preferred version, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
As further preferred version, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box identifies at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
As further preferred version, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
Second goal of the invention of the present invention is to provide a kind of set-top box application progressive number Signature Authentication System, the digital signature authentication method that is provided to use first goal of the invention of the present invention.
In order to realize second goal of the invention of the present invention, the technical scheme of employing is as follows:
A kind of set-top box application progressive number Signature Authentication System, described system comprises:
Be arranged on the signature blocks of Digital signature service end, comprise:
Use safe symmetric cryptographic key the signing messages sequence that comprises set-top box identifying information tract to be carried out the service end symmetric cryptography module of safe symmetric cryptography;
Preserve the service end memory module for the symmetric cryptographic key of the software information software developer information sequence section that identifies software information and software developer and correspondence thereof;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key to comprising software information software developer information sequence section and being encrypted the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and the ciphering signature sequence certificates constructing module as certificate;
Set-top box application program and certificate are carried out amalgamation obtain die section through the set-top box application program of signature;
Be arranged on the set-top box authentication module of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive service end end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the symmetrical deciphering module of set-top box of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication module of service end, described service end authentication module is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by closing optical fibre-coaxial cable net or Ethernet with set-top box.
As a kind of preferred version, described signature blocks also comprises the extraction module that uses digest algorithm to extract unique program digest tract from the set-top box application program, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
Technical scheme of the present invention, owing to relying on front end and service end to carry out signature verification, so flexibility can be more flexible with respect to the PKI digital certificate technique, treatment mechanism is also simpler.
Description of drawings
Fig. 1 is the signature schematic diagram of the embodiment of the invention;
Fig. 2 is the authentication schematic diagram of the embodiment of the invention.
Embodiment
The present invention will be further described in detail below in conjunction with the drawings and specific embodiments.
Set-top box application progressive number certificate is mainly realized three functions:
1, determines that this application program can operate on the machine of what model, i.e. the top-set hardware characteristic.
2, determine whether this application program is legal, whether this application program is in the registration of set-top box manufacturer, the i.e. fail safe of application program.
3, determine that the corresponding application program of digital certificate in this application program is exactly this application program, be equivalent to the identity card of application program.
The segmentation of digital certificate and description:
1, software information software developer information sequence section.The main descriptor of describing software, developer's information.
2, program digest tract.Utilize traditional digest algorithm to extract the summary of software, and extract the software identity card.
3, set-top box identifying information tract.The main applicable top-set hardware version of software of describing, area etc. are with the relevant information of set-top box.
Be illustrated in figure 1 as certificate manufacturing process:
1, the software developer submits to set-top box manufacturer with set-top box identifying information tract, software information software developer information sequence section and set-top box application program and carries out testing authentication.
If 2 software tests checking is passed through, the signature system of set-top box manufacturer uses digest algorithm to extract unique program digest tract of this software, and according to the key of the symmetric cryptography of a safety of certain law generation, and with set-top box identifying information tract and program digest tract behind the symmetric cryptography via safety, with data feedback to the software developer, and software and software developer's information sequence section and program digest tract left in the online verification system, and generate counterpart keys.
Above-mentioned digest algorithm can be existing various program digest algorithms, only need to extract one section unique tract from application program and get final product.
3, afterwards, software developer's signature system uses the asymmetry cryptographic algorithm of safety to generate one group of effective key and PKI, and with key amalgamation software information software developer information sequence section, program digest tract (symmetric cryptography), set-top box identifying information tract (symmetric cryptography) data is afterwards carried out asymmetric encryption.Data after encrypting with PKI amalgamation be in the same place, as certificate, be attached to set-top box application program head, be distributed to the user and use.
Among the embodiment, the signature system of software developer's signature system, online verification system and set-top box manufacturer consists of service end jointly, and described online verification system and signature system can be arranged for unified setting also can divide.
During mounting software (being the set-top box application program), to the processing of certificate as shown in Figure 2:
1, utilize PKI to other part deciphering of certificate beyond the PKI.
2, the software information software developer information sequence section after will deciphering is sent out by secure communication and is sent to server end.
3, server end is searched the information of this software, if find, just sends key to set-top box, if can not find, also to the set-top box feedback error.
If 4 receive server-side error, installation procedure not then.If receive the key that server sends, then with key set-top box identifying information tract and program digest tract be decrypted.
If 5 set-top box identifying information tracts can not adapt to this type, or the Software match that some authorization informations of service routine summary tract are installed needs do not go up, and then withdraws from installation.No person continues.
6, extract the summary of the software that needs installation with digest algorithm, if program digest tract relevant information is not wanted to meet after summary and the deciphering, then withdraw from installation.No person's mounting software.
Claims (8)
1. a set-top box application progressive number signature authentication method is characterized in that, described method comprises:
Signature step:
Service end uses the symmetric cryptographic key of safety that the signing messages sequence that comprises set-top box identifying information tract is carried out safe symmetric cryptography, and described set-top box identifying information tract is used for the set-top box scope that marking machine top box application program is suitable for;
Service end is preserved software information software developer information sequence section and the corresponding symmetric cryptographic key thereof that is used for sign software information and software developer;
With software information software developer information sequence section, through the signing messages sequence of symmetric cryptography as signature sequence;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key that signature sequence is encrypted and obtain the ciphering signature sequence, with PKI and ciphering signature sequence as certificate;
Set-top box application program and certificate are carried out amalgamation obtain set-top box application program through signature, finish the digital signature step;
The certifying signature step:
Set-top box obtains the set-top box application program through signature, and the ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the signature sequence of the signing messages sequence of symmetric cryptography;
Send authorization information by secure communication to service end;
Service end is verified authorization information, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
If set-top box receives the service end feedback error, then withdraw from, otherwise use the symmetric cryptographic key that receives that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the signing messages sequence of set-top box identifying information tract;
If the signing messages sequence satisfies the set-top box proof rule, set-top box fitting machine top box application program then, otherwise withdraw from.
2. signature authentication method according to claim 1 is characterized in that, described authorization information is the software information software developer information sequence section after deciphering, and described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then is judged as and satisfies the service end proof rule, does not satisfy the service end proof rule otherwise be judged as.
3. signature authentication method according to claim 1, it is characterized in that, described set-top box proof rule is: if set-top box is in the set-top box scope that the set-top box application program that set-top box identifying information tract identifies is suitable for, then be judged as and satisfy proof rule, do not satisfy proof rule otherwise be judged as.
4. signature authentication method according to claim 1 is characterized in that, described signing messages sequence also comprises uses digest algorithm to extract the first unique program digest tract from the set-top box application program.
5. signature authentication method according to claim 4 is characterized in that, described set-top box proof rule is:
If in the set-top box scope that the set-top box application program that set-top box identifies at set-top box identifying information tract is suitable for, and;
The first program digest tract is consistent from the second program digest tract that the extraction of set-top box application program obtains by digest algorithm with set-top box, then is judged as and satisfies proof rule;
Do not satisfy proof rule otherwise be judged as.
6. signature authentication method according to claim 4 is characterized in that, in the described signature step, service end is also preserved the first program digest tract;
Described authorization information comprises the software information software developer information sequence section after the deciphering and passes through the signature sequence of the signing messages sequence of symmetric cryptography;
Described service end proof rule is:
Service end is searched according to software information software developer information sequence section, if preserve software information software developer information sequence section, then adopt corresponding symmetric cryptographic key that the signing messages sequence through symmetric cryptography is decoded, obtain set-top box identifying information tract and the 3rd program digest tract, if the first program digest tract is consistent with the 3rd program digest tract, then be judged as and satisfy the service end proof rule, do not satisfy the service end proof rule otherwise be judged as.
7. set-top box application progressive number Signature Authentication System, application rights requires 1~6 each described digital signature authentication method, it is characterized in that, and described system comprises:
Be arranged on the signature unit of Digital signature service end, comprise:
Use safe symmetric cryptographic key the signing messages sequence that comprises set-top box identifying information tract to be carried out the service end symmetric cryptography module of safe symmetric cryptography;
Preserve the service end memory module for the symmetric cryptographic key of the software information software developer information sequence section that identifies software information and software developer and correspondence thereof;
Use the asymmetry cryptographic algorithm of safety to generate one group of effective asymmetric cryptographic key and PKI, use asymmetric cryptographic key to comprising software information software developer information sequence section and being encrypted the asymmetric encryption module that obtains the ciphering signature sequence through the signature sequence of the signing messages sequence of symmetric cryptography;
With PKI and the ciphering signature sequence certificates constructing module as certificate;
Set-top box application program and certificate are carried out amalgamation obtain die section through the set-top box application program of signature;
Be arranged on the set-top box authentication unit of set-top box, comprise:
The ciphering signature sequence that uses public-key to certificate is decrypted, and obtains comprising software information software developer information sequence section and through the asymmetric deciphering module of set-top box of the signature sequence of the signing messages sequence of symmetric cryptography;
Send the set-top box transport module of authorization information to service end by secure communication;
If receive the service end feedback error, then withdraw from, otherwise use the symmetric cryptographic key receive that the signing messages sequence through symmetric cryptography is decrypted, obtain comprising the symmetrical deciphering module of set-top box of the signing messages sequence of set-top box identifying information tract;
The set-top box authentication module of the signing messages sequence being verified according to the set-top box proof rule;
When the signing messages sequence satisfies the set-top box proof rule, the set-top box set up applications module of fitting machine top box application program;
Be arranged on the service end authentication unit of service end, described service end authentication unit is used for the authorization information that receives is verified, if satisfy the service end proof rule, then sends the symmetric cryptographic key corresponding with authorization information to set-top box, otherwise, to the set-top box feedback error;
Service end is connected by Ethernet with set-top box.
8. application program digital signature identification according to claim 7 system, it is characterized in that, described signature unit also comprises the extraction module that uses digest algorithm to extract unique program digest tract from the set-top box application program, and described signing messages sequence also comprises the program digest tract that obtains by extraction module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010617801 CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010617801 CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102065092A CN102065092A (en) | 2011-05-18 |
| CN102065092B true CN102065092B (en) | 2013-03-06 |
Family
ID=44000193
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010617801 Active CN102065092B (en) | 2010-12-31 | 2010-12-31 | Method and system for authorizing digital signature of application program of set top box |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102065092B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103402141A (en) * | 2013-08-06 | 2013-11-20 | 江苏省广电有线信息网络股份有限公司南京分公司 | Ukey-based secure television payment method |
| CN103946856B (en) * | 2013-09-30 | 2016-11-16 | 华为技术有限公司 | Encrypting and deciphering processing method, device and equipment |
| CN104796745A (en) * | 2015-03-26 | 2015-07-22 | 成都市斯达鑫辉视讯科技有限公司 | Safety protection method for set top box |
| CN108280917A (en) * | 2018-03-21 | 2018-07-13 | 首创置业股份有限公司 | A kind of access control system and equipment based on Internet of Things public service platform |
| US10924793B2 (en) * | 2018-06-03 | 2021-02-16 | Apple Inc. | Generic streaming media device configured as set top box |
| CN110176985A (en) * | 2019-05-08 | 2019-08-27 | 重庆八戒电子商务有限公司 | A kind of information ciphering method, device and storage medium |
| CN114785514B (en) * | 2022-03-23 | 2023-11-14 | 国网上海能源互联网研究院有限公司 | Method and system for application license authorization of industrial Internet of things terminal |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101247507A (en) * | 2008-03-17 | 2008-08-20 | 浪潮电子信息产业股份有限公司 | Digital copyright managing method of distributed television broadcast station and broadcast and television network operator |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2006031203A1 (en) * | 2005-01-06 | 2006-03-23 | Measat Broadcast Network Systems Sdn. Bhd. | An interactive television system |
-
2010
- 2010-12-31 CN CN 201010617801 patent/CN102065092B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101247507A (en) * | 2008-03-17 | 2008-08-20 | 浪潮电子信息产业股份有限公司 | Digital copyright managing method of distributed television broadcast station and broadcast and television network operator |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102065092A (en) | 2011-05-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3318043B1 (en) | Mutual authentication of confidential communication | |
| CN102065092B (en) | Method and system for authorizing digital signature of application program of set top box | |
| CN110881048B (en) | Safety communication method and device based on identity authentication | |
| CN101828357B (en) | Credential provisioning method and device | |
| US6839841B1 (en) | Self-generation of certificates using secure microprocessor in a device for transferring digital information | |
| CN104735068B (en) | Method based on the close SIP safety certification of state | |
| CN101212293B (en) | Identity authentication method and system | |
| CN102802036B (en) | System and method for identifying digital television | |
| CN110891061B (en) | Data encryption and decryption method and device, storage medium and encrypted file | |
| CN111372247A (en) | Terminal secure access method and terminal secure access system based on narrowband Internet of things | |
| CN106790064B (en) | The method that both sides are communicated in credible root server-cloud computing server model | |
| CN102111265A (en) | Method for encrypting embedded secure access module (ESAM) of power system acquisition terminal | |
| CN103597520A (en) | Method and apparatus for identity-based ticketing | |
| CN111614621B (en) | Internet of things communication method and system | |
| CN111435913A (en) | Identity authentication method and device for terminal of Internet of things and storage medium | |
| EP3544226B1 (en) | Unified secure device provisioning | |
| CN114697040B (en) | Electronic signature method and system based on symmetric key | |
| CN103051869A (en) | System and method for encrypting camera video in real time | |
| CN103684798A (en) | Authentication system used in distributed user service | |
| CN107645500B (en) | Broadcast data interaction method and device | |
| CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system | |
| CN103281188B (en) | A kind of back up the method and system of private key in electronic signature token | |
| CN104883260B (en) | Certificate information processing and verification method, processing terminal and authentication server | |
| CN108933659A (en) | A kind of authentication system and verification method of smart grid | |
| CN110855442A (en) | PKI (public key infrastructure) technology-based inter-device certificate verification method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |