CN109495459B - Media data encryption method, system, device and storage medium - Google Patents
Media data encryption method, system, device and storage medium Download PDFInfo
- Publication number
- CN109495459B CN109495459B CN201811288858.7A CN201811288858A CN109495459B CN 109495459 B CN109495459 B CN 109495459B CN 201811288858 A CN201811288858 A CN 201811288858A CN 109495459 B CN109495459 B CN 109495459B
- Authority
- CN
- China
- Prior art keywords
- data
- configuration data
- media
- encryption
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0637—Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Signal Processing For Digital Recording And Reproducing (AREA)
Abstract
The invention provides a media data encryption method, a system, equipment and a storage medium, wherein the method comprises the following steps: firstly, encrypting a media file to obtain a first encrypted file; encrypting the application configuration data to obtain encrypted application configuration data; encrypting the encryption parameters in the first encryption file by using unencrypted application configuration data to obtain a second encryption file; and finally, combining the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file. On the basis of encrypting the media file, the invention provides an encryption protection scheme of the application configuration data attached to the encrypted media file by the service application, thereby not only protecting the media content in the encrypted media file, but also protecting the application configuration data; by encrypting the encryption parameters of the media file by using the application configuration data, tampering with the application configuration data will also cause damage to the encrypted media file, resulting in more comprehensive protection of the media file.
Description
Technical Field
The present invention relates to the field of data encryption technologies, and in particular, to a method, a system, a device, and a storage medium for encrypting media data.
Background
The ISO/IEC 14496-12 standard document published by the International Organization for Standardization (ISO) defines the ISO BMFF (ISO Base Media File Format) Media File Format, which describes structure data of Media samples including audio Media and video Media, and describes a method of expressing Media by combining the structure data and the Media sample data.
The ISO/IEC 23001-7 standard file published by ISO defines a CENC (common ENCryption in ISO BMFF files) universal ENCryption scheme based on ISO BMFF media file format extension, the scheme describes a set of structure data, is used for describing an ENCryption process of encrypting media sample data including audio media and video media in the ISO BMFF media file format, and describes a method for carrying out ENCryption protection on the ISO BMFF media file by using the ENCryption structure data.
In general, while providing encrypted media to users in ISO BMFF format, business application systems often attach some business application related configuration data so that the application configuration data is transmitted to the users along with the media files. Although, when ISO BMFF media is cryptographically protected using CENC scheme, protection of media sample data can be obtained; however, since there is no encryption method defined for application-related configuration data different from the media sample data, the business assistance information attached to the ISO BMFF media by the business application is not properly protected.
Disclosure of Invention
In view of the problems in the prior art, an object of the present invention is to provide a method, a system, a device, and a storage medium for encrypting media data, which encrypt application configuration data, and when the application configuration data is tampered with, the encrypted media file is also damaged, thereby protecting the media data more comprehensively.
The embodiment of the invention provides a media data encryption method, wherein media data to be encrypted comprises media files and application configuration data, and the method comprises the following steps:
s100: encrypting the media file to obtain a first encrypted file;
s200: encrypting the application configuration data to obtain encrypted application configuration data;
s300: adjusting encryption parameters in the first encrypted file by using unencrypted application configuration data to obtain a second encrypted file;
s400: and merging the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file.
Optionally, the step S100 includes the following steps:
s101: expanding the media file into a structured document about the blocks;
s102: acquiring the number of media tracks and media track description information from the structured document, and providing a first encryption key and a first key identifier for each media track;
s103: encrypting the media sample data in each media track by using a first encryption key, and recording a first initial vector used when each frame of media sample data is encrypted;
s104: marking each piece of encrypted media track description information in the structured document as encrypted, recording a first encryption key identifier and a first initial vector corresponding to a first encryption key in the media track description information, and taking the processed structured document as the first encrypted file.
Optionally, after the step S104 records the first encryption key identifier and the first initial vector in the media track description information, the method further includes the following steps:
and serializing and storing the processed structured document into a media file as a first encrypted file.
Optionally, the step S200 includes the following steps:
s201: dividing application configuration data into first configuration data, second configuration data and third configuration data, wherein the first configuration data comprises configuration data which is allowed to be read and rewritten in transmission, the second configuration data comprises configuration data which is allowed to be read but not allowed to be rewritten in transmission, and the third configuration data comprises configuration data which is not allowed to be read and not allowed to be rewritten in transmission;
s202: providing a second encryption key, a second key identification and a second initial vector for encrypting the third configuration data, and adding the second key identification and the second initial vector to the second configuration data;
s203: extracting fingerprint data of the second configuration data, and adding the fingerprint data to third configuration data;
s204: encrypting the third configuration data using the second encryption key and the second initial vector;
s205: and merging the first configuration data obtained in the step S201, the second configuration data obtained in the step S202 and the third configuration data obtained in the step S204 to obtain encrypted application configuration data.
Optionally, in the step S202, a step of providing a padding data block and adding the padding data block to the third configuration data is further included;
in step S203, the extracted fingerprint data is fingerprint data of data spliced with the padding data blocks in the second configuration data and the third configuration data.
Optionally, the step S300 includes the following steps:
s301: selecting encryption parameters of a first encrypted file during encryption as data to be adjusted, wherein the encryption parameters comprise a first key identifier and/or a first initial vector;
s302: and performing reversible scrambling calculation on the data to be adjusted by using the third configuration data obtained in the step S204, taking a result after the scrambling calculation as an adjusted encryption parameter, and replacing the encryption parameter recorded in the first encryption file by using the adjusted encryption parameter.
Optionally, in step S300, the performing a reversible disturbance calculation includes the following steps:
extracting fingerprint data of the third configuration data obtained in step S204 as a third encryption key;
and encrypting the data to be adjusted by adopting a third encryption key.
Optionally, the step S400 includes the following steps:
s401: constructing the encrypted application configuration data into an application configuration data block compatible with the data block format of the media file;
s402: and adding the application configuration data block into the second encrypted file to obtain a media data encrypted file.
The embodiment of the invention also provides a media data encryption system, which is applied to the media data encryption method, and the system comprises:
the media file encryption module is used for encrypting the media file to obtain a first encrypted file;
the application configuration data encryption module is used for encrypting the application configuration data to obtain encrypted application configuration data;
the encryption parameter adjusting module is used for adjusting the encryption parameters in the first encrypted file by adopting unencrypted application configuration data to obtain a second encrypted file;
and the encrypted data merging module is used for merging the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file.
An embodiment of the present invention further provides a media data encryption device, including:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the media data encryption method via execution of the executable instructions.
An embodiment of the present invention further provides a computer-readable storage medium for storing a program, where the program implements the steps of the media data encryption method when executed.
The media data encryption method, system, equipment and storage medium provided by the invention have the following advantages:
on the basis of encrypting the ISO BMFF media file, the invention provides an encryption protection scheme of application configuration data attached to the encrypted media file by business application, thereby not only protecting the media content in the encrypted media file, but also protecting the application configuration data; the invention uses the application configuration data to participate in adjusting and disturbing the encryption parameters of the encrypted media file, and the tampering of the protected application configuration data can also cause the damage of the encrypted ISO BMFF media file, thereby protecting the media file more comprehensively.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
FIG. 1 is a flow chart of a method for encrypting media data according to an embodiment of the invention;
FIG. 2 is a flow diagram of encrypting a media file according to one embodiment of the invention;
FIG. 3 is a flow chart of encrypting application configuration data according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a media data encryption system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a media data encryption device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer storage medium according to an embodiment of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their repetitive description will be omitted.
First, a brief description will be given here of the format of a media file in the ISO BMFF format.
In the ISO BMFF standard, a media file is tiled with blocks (boxes) as objects, a block is a continuous piece of binary data having a definite byte length (byte length) and defining a block type (box type), and sub-blocks of a specific type are allowed to be placed inside some blocks according to the definition of the block type. The ISO BMFF standard defines a set of block types nested in a hierarchical manner, and by using the set of block types, a series of media-related concepts related to a movie, such as a media sample (media sample), a media sample group (media sample chunk), a media track (media track), a movie block (movie box), a movie fragment (movie fragment), a random access point (random access point), and a sample description (sample description), can be accurately described, and data blocks corresponding to the set of concepts are recorded and stacked together to form an ISO BMFF file related to the movie. Generally, in the ISO BMFF file, there is no restriction on the stacking order among sub-blocks within a co-located block if there is no special requirement.
In the ISO BMFF file, a four-byte block type identifier is used to define the internal structure of a block, which is defined by a set of standard-defined attribute sets and/or a set of standard-allowed sub-blocks. Sub-blocks within a block still must use block type identification to define the type of sub-block, but the attributes within the block do not have corresponding attribute identifiers, but rather the specific binary layout location and binary layout format is arranged according to the semantic description in a standard file.
For convenience of description, the present invention describes a method for locating a block or an attribute in an ISO BMFF file by using a Path expression defined in an XPath (XML Path Language, one of series standards of W3C about XML) standard, but any equivalent method other than XPath may be used to describe the selection or location of the block or the attribute, for example, a Path expression similar to an NTFS file system, a Selector expression similar to a CSS Selector, and the like, which is not limited herein.
The XPath positioning expression of each block and each attribute can be derived according to ISO BMFF standards, for example, a node expression/mdat can be used to represent a block stored in a file by media sample data, or a node array expression// trak [1] with index subscript can be used to represent a first media track block in the file, or a node attribute expression// trak [1]// stsz/@ sample _ count can be used to represent this attribute, which records the number of frames of the media sample of the first media track, and so on.
The CENC standard is briefly introduced below as to the manner in which media files in ISO BMFF format are encrypted.
The CENC standard expands a set of new block types on the basis of the ISO BMFF standard, which are specially used for describing media encryption related concepts, and records data blocks corresponding to the set of concepts, and encrypted media sample data can be recorded in an ISO BMFF file using the CENC standard block types.
Encryption schemes are recorded in the CENC standard at the attribute// trak [ n ]// schm/@ scheme _ type, attribute// trak [ n ]// saiz/@ aux _ info _ type, and attribute// trak [ n ]// saio/@ aux _ info _ type, etc., and several encryption schemes are listed in the standard: cenc, cbc1, cens, cbcs, and the like.
The CENC standard uses Key Identifiers (KIDs) to uniquely describe a Key used to encrypt data, the default Key Identifier used to encrypt the nth media track is recorded at the attribute// trak [ n ]// ten/@ default _ KID, the specific Key Identifier used to encrypt all media samples of the nth media track is recorded at the position// trak [ n ]// sgpd/seg [. ]/@ KID, and all Key identifiers have a record at the position// pssh/@ KID [ ].
According to the CENC standard, a default encryption Initial Vector (IV) for the nth media track may be recorded at// trak [ n ]// ten/@ default _ constant _ IV. The IV commonly used by the frame media samples in each media sample group during encryption can be recorded at// trak [ n ]// sgpd/seg [ + ]/@ const _ IV according to the CENC standard, and the default IV of the media track is not valid when the group of IV is recorded. The IV used in encryption for each frame of media sample may be recorded at// trak [ n ]/sens/@ InitializationVector [ ] according to the CENC standard, and the IV shared within the above-mentioned group of media samples is no longer valid when these IV's are recorded.
The CENC standard does not directly describe the method of obtaining a key by a key identification, but rather defines the pssh block type and suggests that the protection system implements a method of converting a key identification into a key using the pssh block.
The semantic description of the pssh block type defined in the CENC standard is excerpted as follows:
wherein the FullBox is a type of Box defined in ISO BMFF having an integer version attribute of one byte and an integer flags attribute of three bytes. The Box, i.e., a block defined in ISOBMFF, is a piece of continuous data having an integer type length attribute of four bytes and a type attribute of four bytes.
The SystemID attribute takes 16 bytes, and a specific protection system is suggested to check whether the system should process the Universally Unique Identifier (UUID) of the pssh block.
When the flags attribute is greater than 0, a KID _ count attribute occupying four bytes records the number of key identifications stored next in the pssh block, and then each key identification KID is listed in sequence, wherein each KID occupies 16 bytes.
The DataSize attribute takes four bytes, records the byte length of the following Data attribute, and suggests to store any Data related to a specific protection system, such as an authorized resource locator for acquiring a key.
Through the above analysis of the CENC standard and the ISO BMFF standard, if the media encryption parameters encrypted by the CECN are adjusted by using the application configuration data related to the business application or a part thereof, that is, the encryption parameters are scrambled according to a certain algorithm rule, then the configuration data involved in the adjustment or a part thereof is encrypted and attached to the ISO BMFF file with the adjusted encryption parameters, more effective encryption protection of the application configuration data and the media file can be realized.
In order to solve the technical problem in the prior art, as shown in fig. 1, an embodiment of the present invention provides a media data encryption method, where the method includes the following steps:
s100: encrypting the media file to obtain a first encrypted file;
s200: encrypting the application configuration data to obtain encrypted application configuration data;
s300: adjusting encryption parameters in the first encrypted file by using unencrypted application configuration data to obtain a second encrypted file;
s400: and merging the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file.
The invention provides an encryption protection scheme of application configuration data attached to an encrypted media file by service application on the basis of encrypting an ISO BMFF media file, firstly, the media file is encrypted through the step S100, and then the application configuration data is encrypted through the step S200, thereby not only protecting the media content in the encrypted media file, but also protecting the application configuration data; further, the present invention uses the application configuration data to adjust and scramble the encryption parameters of the encrypted media file in step S300, and tampering with the protected application configuration data will also result in the destruction of the encrypted ISO BMFF media file, so that the protection of the media file is more comprehensive.
The following further describes a specific implementation manner of each step in the media data encryption method according to the present invention with reference to a specific example, and it is understood that the specific implementation manner listed herein is only an example and is not intended to limit the scope of the present invention.
As shown in fig. 2, the step S100 includes the following steps:
s101: expanding the media file into a structured document about the blocks; specifically, in this embodiment, the media file is in ISO BMFF format, i.e., the media file in the target ISO BMFF format is parsed and expanded into a hierarchical structured document about blocks (Box);
the first chunk of the structured document is the root chunk, which is represented using XPath. Generally, there is one/moov or/moof block under the root block to describe the media structure data of this document; in addition, a/mdat block is arranged below the root block to record media sample data of the document, and the structure of the media sample data is in a/moov block or/moof block; the structure data of a media track, such as an audio media track or a video media track, is described by/moov/trak or/moof/trak, and the block of the structure description data of the nth media track is abbreviated as// trak [ n ] in an XPath expression.
S102: acquiring the number of media tracks and media track description information from a structured document, and preparing a pair of a first encryption Key (Key) and a first Key Identifier (KID) for each media track;
in this embodiment, the obtaining of the first encryption Key and the first Key identifier may use a Key management system, and request the Key management system to obtain a pair of Key and KID for encryption of all media tracks, or count the number of media tracks, and request the Key management system to obtain a pair of Key and KID for encryption of each media track, that is, the first encryption Key and the first Key identifier may be in a one-to-one correspondence relationship with the media tracks, or may be in a one-to-many relationship.
S103: encrypting the media sample data in each media track by using a prepared first encryption key, additionally recording a first Initial Vector (IV) used when each frame of media sample data is encrypted in the encryption process, wherein the first encryption key corresponds to a first key identifier, and after knowing the encrypted first key identifier, a receiver can find the adopted first encryption key according to the corresponding relation between the encryption key and the key identifier agreed with a sender before;
here, various Protection schemes (Protection Scheme) may be used to encrypt media sample data in each media track and record an IV that participates in encryption when encrypting each frame of media sample data. The various protection schemes that can be used are, according to the CENC standard, the AES-CTR scheme (code CENC), the AES-CBC scheme (code CBC1), the AES-CTR scheme for sub-sample mode encryption (code cens) and the AES-CBC scheme for sub-sample mode encryption (code CBCs). During encryption, each media track may select the same protection scheme, or each media track may select a different protection scheme.
In addition, the embodiment may also use a protection scheme other than the CENC standard, for example, the SM4 algorithm is used to replace the AES algorithm in the AES-CTR scheme to construct a new SM4-CTR scheme (the code smct may be set), and as such, the SM4-CBC scheme (the code smcb may be set), the SM4-CTR scheme for sub-sample mode encryption (the code smts may be set), the SM4-CBC scheme for sub-sample mode encryption, and the like (the code smbs may be set) may be correspondingly constructed.
The encrypted data directly covers or replaces each frame of media sample data corresponding to each media track before the original encryption, namely the encrypted media sample data is used for reconstructing the media sample data in the original/mdat block, the byte length and the starting byte position of each frame of media sample data are not changed in the encryption process, and only the content of the media sample data is changed.
By adopting the encryption process of step S103, the encryption of each frame of media sample data in the media data is realized, i.e. the content of the media file itself is protected. The encryption method may select various protection schemes listed above, but the present invention is not limited thereto.
S104: after the media track in the structured document is encrypted, marking the description information of each encrypted media track in the structured document as encrypted, and recording a first key identifier KID applied in the encryption operation of the media track and a first initial vector IV corresponding to each frame of media sample data in the encryption description information of the media track; therefore, in the encrypted description information obtained by decryption, the receiver obtains the first key identifier KID instead of the direct first encryption key, and finds the adopted first encryption key according to the corresponding relationship between the encryption key and the key identifier agreed by the sender before, thereby further protecting the security of the media track information.
According to the CENC standard, the description information of each encrypted media track is marked as a protected state, at this time, the content of the stream format description block of the media sample of the media track needs to be changed, and meanwhile, a sub-block sinf needs to be added to the stream format description block of the media sample to describe the detailed information of the protection scheme. For example, if an audio media track is encrypted, the block type (e.g., type mp4a) of the stream format description block of the media sample of the original audio media track is changed to enca, and the block type of the stream format description block of the original audio media sample is recorded in the enca/sinf/frma/@ data _ format attribute, the original stream format description block// trak [ n ]/mdia/minf/stbl/stsd/mp4a is changed to a new stream format description block// trak [ n ]// stsd/enca, and the value provided with the attribute enca/sinf/frma data _ format is mp4 @ 4 a. For another example, if a video media track is encrypted, for example, the original video media sample stream format description block is// trak [ n ]// stsd/avc1, the modified original video media sample stream format description block is// trak [ n ]// stsd/encv, and the value with attribute encv/sinf/frma @ data _ format is av 1. Default encryption parameter information of samples in the encrypted track, such as whether the media track is encrypted, a default KID of the track, a byte size of each IV, or a default first initial vector IV of the track, is recorded in detail in the media track encryption description block sinf/schi/ten.
According to the CENC standard, it is necessary to record various encryption process details other than the encrypted first encryption Key for each encryption-processed media track, for example, it is necessary to add a series of sub-blocks for the// trak [ n ]// stbl block: sample group description block sgpd, description block sbgp where the sample is bound to the group, sample assistance data size block saiz, sample assistance data location saio, etc., and add sub-block senc for// trak [ n ]. The encryption scheme is recorded at the attribute// trak [ n ]// schm/@ scheme _ type, and there is a record at each saiz/@ aux _ info _ type and each saio/@ aux _ info _ type. Recording the encrypted KID of each sample group in the attribute array of sgpd/seg [ + ]/@ KID, recording the default IV used by each sample group in the attribute array of sgp/seg [ + ]/@ const _ IV, and recording the encrypted IV of each frame of sample data in the array of senc/@ InitializationVector [ ].
In this embodiment, all the unique first key identifications KID described above may be recorded in the/moov/pssh/KID [ ] array according to the KID attribute in the pssh block of the CENC standard, and the number of the unique first key identifications KID may be recorded on the/moov/pssh/@ KID _ count.
The encrypted structured document obtained in step S104 may be directly used as the first encrypted file, or the file obtained after further processing in step S105 may be used as the first encrypted file.
S105: further, the structured document processed as described above may be serialized and stored as a file in a file system. This step is an optional step, and the structured document obtained in step S104 may be further sorted, so as to facilitate the subsequent operation in step S300.
Here, the media data block/mdat and the media structure data description block/moov may be stored in a plurality of fragmented ISO BMFF files, respectively, or the media data block/mdat and the media structure data description block/moov may be stored in the same ISO BMFF file in a pieced manner.
When the media data block/mdat and the media structure data description block/moov are stored together, the/moov is stored first, and then the/mdat is stored. This storage allows the media structure description data to be read preferentially, thereby allowing the application to quickly learn the structured information of the media content in the ISO BMFF file.
By adopting the processes of steps S101 to S104, or adopting the processes of steps S101 to S105, an encrypted media file, i.e., a first encrypted file, can be obtained for the subsequent operation of step S300. The embodiment can protect the security of the media file by encrypting the media sample data in each media track in the media file.
As shown in fig. 3, the step S200 may include the steps of:
s201: firstly, dividing application configuration data into first configuration data, second configuration data and third configuration data, wherein the division of the three types of configuration data is based on different protection requirements of the configuration data, specifically, the protection requirement of the third configuration data is higher than that of the second configuration data, and the protection requirement of the second configuration data is higher than that of the first configuration data;
in this embodiment, the application configuration data that needs to be appended to the media file in the target ISO BMFF format is divided into three classes according to actual business needs: the system comprises open configuration data, public configuration data and protective configuration data, wherein the open configuration data correspond to the first configuration data, the public configuration data correspond to the second configuration data, and the protective configuration data correspond to the third configuration data;
here, the service application may distinguish the configuration data to be added to the target ISO BMFF file according to the needs of its own service and input the configuration data into the system implementing the method distinctively, for example, after distinguishing the three types of configuration data, the service application adds different labels to the different types of configuration data to distinguish them, and when processing is performed in step S201, the type of data may be identified according to the labels. Specifically, the method comprises the following steps:
the open configuration data, namely the first configuration data, is configuration data which is allowed to be rewritten in the process of transmitting the encrypted file, namely the content of the data can be allowed to be changed without decryption in the process of transmitting the encrypted file, and the encrypted file cannot be damaged; for example, the code of the first configuration data may be set to cfop, although the invention is not limited thereto.
The public configuration data, i.e. the second configuration data, is configuration data which is allowed to be read but not to be rewritten in the process of transmitting the encrypted file, i.e. the original content can be read without decryption in the process of transmitting the part of data, but any change to the part of data will cause damage to the encrypted file, and the protected multimedia content cannot be decrypted from the damaged encrypted file; the code of the second configuration data may be set to cfpb, for example, although the invention is not limited thereto.
The protective configuration data, i.e. the third configuration data, is data that is not allowed to be read and written during the transmission of the encrypted file, i.e. the original content cannot be read without decryption during the transmission, and any change to this part of data will cause a damage to the encrypted file that cannot be decrypted. The code of the third configuration data may be set to cfpt, for example, but the present invention is not limited thereto.
S202: preparing a pair of a second encryption Key and a second Key identifier KID for encrypting the application configuration data, obtaining a random second initial vector IV, and adding the second Key identifier KID and the second initial vector IV to the second configuration data.
Here, similarly to the above, the provision of the second encryption Key and the second Key identification may use a Key management system to which a request is made to obtain a pair of the second encryption Key and the second Key identification KID for encryption of the configuration data. Here, the second encryption Key and the second Key identification KID of the encrypted configuration data cannot be shared with the first encryption Key and the first Key identification KID used in S100 for encrypting the media track in the target ISO BMFF media file, and a first encryption Key and a first Key identification KID different from those used for encrypting the media track are required.
Here, the name of the encryption algorithm to be used for the encryption process of the third configuration data may be appended to the second configuration data to guide the decryption operation of the third configuration data.
In addition, in order to further increase the difficulty of breaking the fingerprint data of the second configuration data (the fingerprint data of the second configuration data is introduced in the subsequent step S203), in step S202, a random padding data block PAD is obtained, and the padding data block PAD is added to the third configuration data.
S203: fingerprint data of the second configuration data is extracted, or the second configuration data is once hashed using a hash algorithm to obtain fingerprint data of the second configuration data, and the fingerprint data is added to the third configuration data. The fingerprint data herein refers to a digital fingerprint, i.e. a fingerprint obtained by converting the second configuration data into a further string of values, which can only be calculated from the original second configuration data, but which cannot be derived from the further string of values, i.e. the fingerprint data. When the receiving party receives the configuration data, the received second configuration data can be converted in the same way to obtain a string of numerical values, and the string of numerical values is compared with the received fingerprint data, so that whether the second configuration data is tampered or not can be determined.
Further, as described above, in order to improve the difficulty of cracking the fingerprint data of the second configuration data, a padding data block PAD is provided, data spliced with the padding data block PAD is extracted from the third configuration data, and when the fingerprint data of the second configuration data is extracted by combining the part of data with the second configuration data, the fingerprint data of the data spliced with the padding data block PAD in the second configuration data and the third configuration data is extracted, so that the fingerprint data of the second configuration data disturbed by the padding data block PAD is obtained. When verifying whether the second configuration data is tampered, firstly, data spliced with the padding data block PAD is extracted from the third configuration data, fingerprint data of the data spliced with the padding data block PAD is calculated, and the fingerprint data is compared with the received fingerprint data, so that whether the second configuration data is tampered can be determined.
Here, the MD5 fingerprint may be extracted from the second configuration data using MD5(Message Digest Algorithm MD 5), the SHA-1 fingerprint may be extracted from the second configuration data using SHA-1(Secure Hash Algorithm 1), and other Hash algorithms may be used to extract the fingerprint, which are not listed here.
Here, the name of the hash algorithm for extracting the fingerprint data of the second configuration data may be added to the second configuration data as a part thereof, and then the fingerprint may be extracted for the second configuration data.
Since the second configuration data is dominated by text data, when the second configuration data needs to contain binary data, the binary data is converted into text data using a text encoding format, for example using BASE64 encoding or HEX encoding to obtain a text representation of the binary data. The benefit of using textual data is readily apparent, since it is public configuration data, the content of the public configuration data can be quickly known without applying excessive editing, parsing operations.
In this embodiment, the second configuration data of the text expression is organized in the form of an attribute set, each attribute configuration information is separated using a line break, and each attribute configuration information is recorded using the form of "attribute name is attribute value". The following is an exemplary piece of content illustrating the second configuration data of the textual expression:
alpha version availability assessment conference for Title X items
User=XieZhigang
KID=D7A8C0FBC8CBA3BAD0BBD6BEB8D65869
IV=E8B0A25A6869E5BF9747616E67E992A2
METHOD=AES-CBC-128
HASH=SHA-1
The first two lines of content of the above example text are the second configuration data of the original input related to a certain business application, and the following properties of KID, IV, HASH, etc. are the KID property, IV property, encryption algorithm (METHOD) property and HASH Algorithm (HASH) property added in the steps S202 and S203. The above examples are merely illustrative of one possible type of public configuration data, and the representation, attribute names, and configuration contents that may be listed in a specific application are not limited by the above example text.
Exemplarily, it is assumed that the randomly generated PAD data block PAD is a 16-byte binary data block, whose 16-ary code is expressed as: 6C 45D 18E D77268664C 98B 5B 316 CC 3B 22.
Fingerprinting the data of the above example text and PAD together using the SHA-1 algorithm to obtain a 16-ary coded representation of the hash value of SHA-1 is: 8C 253681E 8EF 338B C91024 CB CF 39F 86A EA 03E 029.
When this hash value is recorded in the protective configuration data, it can be verified whether the second configuration data was tampered with during transmission, when only the third configuration data is decrypted and no attempt is made to decrypt the ISO BMFF media track.
S204: and encrypting the third configuration data obtained after the step S203 by using the second encryption Key and the second initial vector IV in the step S202.
S205: the first configuration data obtained after step S201, the second configuration data obtained after step S202, and the encrypted third configuration data obtained after step S204 are combined together, that is, the encrypted application configuration data of step S200 is formed.
Further, the step S300 includes the steps of:
s301: selecting the encryption parameters in the first encrypted file in the step S100 as data to be adjusted, where the encryption parameters to be adjusted may include a first key identifier KID, a first initial vector IV, or both the first key identifier KID and the first initial vector IV;
the step S301 may select the first key identifier KID in the first encrypted file as the data to be adjusted. When the first key identifier KID of the encrypted media track in the first encrypted file is used as the data to be adjusted, selecting all the positions where the first key identifier KID is recorded in step S104, specifically: attribute arrays such as// ten [ ]/@ default _ KID,// sgpd [ ]/@ KID, and// pssh/@ KID [ ] and the like.
Still alternatively, the step S301 may select the first initial vector IV in the first encrypted file as the data to be adjusted. When the first initial vector IV of the encrypted media track in the first encrypted file is used as the data to be adjusted, selecting all the positions of the initial vector IV recorded in the step S104, specifically: attribute arrays such as// ten [ ]/@ default _ constant _ IV,// sgpd [ ]/@ contin _ IV, and// sen [ ]/@ InitializationVector [ ]. Generally, when the first initial vector IV is selected as the data to be adjusted, it is not suitable for use in the case of the CTR-type encryption scheme, that is, when// schm [. or/@ scheme _ type uses cenc or cens or an encryption scheme such as smct or smts as described in step S103, the first initial vector IV should not be selected as the data to be adjusted. In addition, when the first initial vector IV is used as the data to be adjusted, the amount of data to be adjusted will also be much larger than the amount of data to be adjusted when the first key identification KID is used as the data to be adjusted.
Or the first key identification KID and the first initial vector IV may be selected simultaneously as the data to be adjusted. The present invention will not be described in detail.
S302: performing reversible scrambling calculation on the data to be adjusted selected in the step S301 by using the original protective configuration data to be encrypted in the step S204, and writing a result after the scrambling calculation back to a storage location of the selected data to be adjusted;
here, in the reversible disturbance calculation in step S302, for example, a fingerprint may be extracted from the third configuration data in step S204 by using the same hash algorithm as the hash algorithm in step S203, the first 16 bytes of the fingerprint may be intercepted as the third encryption Key, and the selected data to be adjusted may be encrypted. At this time, the encryption algorithm can be selected from various symmetric encryption algorithms such as an XOR (exclusive OR) algorithm, an AES-ECB algorithm, an SM4-ECB algorithm and the like, and the invention is not described in detail any more.
After the step S302, the second encrypted file with the adjusted encryption parameters is obtained, because part of the encryption parameters have been scrambled, the second encrypted file cannot be directly used to decrypt the media sample data in the media track.
Therefore, the media data encryption method of the embodiment further improves the security of the encryption of the media file, and in addition, when the application configuration data is tampered, the encrypted media file is damaged and cannot be decrypted correctly. When a receiving end receives media data, if the media file needs to be encrypted, firstly, the application configuration data needs to be decrypted to obtain decrypted application configuration data, then, a corresponding third encryption key is generated according to the application configuration data, encryption parameters of the media file are decrypted, and then, the media file is decrypted by using the encryption parameters (a first key identifier and/or a first initial vector) of the decrypted media file to obtain the decrypted media file. Therefore, the invention not only can realize the encryption protection of the application configuration data, but also can further strengthen the encryption protection of the media file by combining the disturbance of the application configuration data to the encryption parameters of the media file.
Further, the step S400 includes the steps of:
s401: constructing the encrypted application configuration data obtained in the step S200 into an application configuration database compatible with a database format of a media file; in this embodiment, the media file is in ISO BMFF format, so an application configuration data block is constructed in ISO BMFF block format;
here, a block accommodating the first configuration data is constructed, a block accommodating the second configuration data is constructed, cfpb is used as a block type identifier, a block accommodating the third configuration data is constructed, cfpt is used as a block type identifier, a block accommodating the three blocks cfop, cfpb and cfpt is constructed, and cfbg is used as a block type identifier, where cfop, cfpb, cfpt and cfbg are only used for reference and distinction, and the present invention does not limit which four characters are specifically taken as values.
At this time, first configuration data is recorded in the cfbg/cfop block, second configuration data is recorded in the cfbg/cfpb block, and third configuration data is recorded in the cfbg/cfpt block.
Further, according to the step S203, the attribute cfbg/cfpb/@ KID records a second encryption key KID for encrypting the third configuration data, the attribute cfbg/cfpb/@ IV records a second initial vector IV for encrypting the third configuration data, the attribute cfbg/cfpb/@ metal records an encryption algorithm for encrypting the third configuration data, and the attribute cfbg/cfpb/@ HASH records a HASH algorithm for fingerprinting the second configuration data.
Further, an attribute cfpt/@ PAD may be constructed in the cfbg/cfpt chunk for recording the random padding data chunk PAD of S202, and an attribute cfpt/@ signature may be constructed in the cfbg/cfpt chunk for recording the hash value of S203.
Here, the third configuration data may be fingerprinted directly using the hashing algorithm recorded by the cfbg/cfpb/@ HASH attribute to the third encryption Key of the reversible disturbance computation of S302, or the hashing algorithm used to record the third encryption Key generating the reversible disturbance computation may be constructed by the attribute cfpt/@ HASH in the cfbg/cfpt block.
Further, an attribute cfpt/@ selector may be constructed in the cfbg/cfpt block to record the method of selecting the encryption parameter to be adjusted in step S301, for example, cfpt/@ selector ═ KID, which indicates that the adjusted encryption parameter is the first encryption key, or cfpt/@ selector ═ IV, which indicates that the adjusted encryption parameter is the first initial vector.
Furthermore, if any of the above-mentioned constructions for the cfpb and cfpt blocks affects or causes a change in the content of the second configuration data or the third configuration data, it is necessary to jump to step S300 again and perform a readjustment after the data change on the primary encrypted file before the adjustment.
S402: and incorporating the application configuration data block constructed in the step S401 into the second encrypted file in the step S300 to obtain a final encrypted file, i.e. an encrypted file of the finally obtained media data.
In this embodiment, the application configuration data block obtained in step S401 is incorporated into the pssh block of the ISO BMFF file. When the data blocks are put into the pssh blocks, the corresponding first configuration data blocks are/moov/pssh/cfbg/cfop, the corresponding second configuration data blocks are/moov/pssh/cfbg/cfpb, and the corresponding third configuration data blocks are/moov/pssh/cfbg/cfpt.
Further, the data block in S401 is included in the moov block of the ISO BMFF file. When the data blocks are contained in the moov blocks, the corresponding first configuration data blocks are/moov/cfbg/cfop, the corresponding second configuration data blocks are/moov/cfbg/cfpb, and the corresponding third configuration data blocks are/moov/cfbg/cfpt.
S403: after step S402, the encryption of the media data including the media file and the application configuration data is completed, and optionally, the final-level encrypted file obtained after step S402 may be further serialized and stored as a file in a file system, or distributed to a network, or written out to a network port.
After receiving the media file, the receiving end firstly queries a second encryption key according to a second key identifier and a second initial vector recorded in the second configuration data because the second configuration data is unencrypted, decrypts the application configuration data according to the second encryption key and the second initial vector to obtain the application configuration data, then calculates a third encryption key by using third configuration data of the application configuration data according to a scrambling algorithm of recorded encryption parameters of the media file, decrypts the encryption parameters of the media file according to the third encryption key, the encryption parameters obtained after decryption can be a first key identifier and/or a first initial vector, then queries a first encryption key according to the first key identifier, and decrypts the media sample data of each media track in the media file by using the first encryption key and the first initial vector, and obtaining the decrypted media file after decryption.
In addition, because the third configuration data records fingerprint data of the data spliced with the random padding data blocks in the second configuration data and the third configuration data, after the application configuration data is decrypted, the fingerprint data of the data spliced with the random padding data blocks in the second configuration data and the third configuration data can be extracted, then the data spliced with the random padding data blocks in the third configuration data is extracted, according to the recorded fingerprint data extraction method, the fingerprint data of the data spliced with the random padding data blocks in the second configuration data and the third configuration data is calculated and compared with the fingerprint data recorded in the third configuration data, if the fingerprint data is consistent, the second configuration data is not tampered, and if the fingerprint data is inconsistent, the second configuration data is tampered. Therefore, the media data encryption method of this embodiment can protect not only the security of the third configuration data that is not allowed to be read and written, but also the security of the second configuration data that is not allowed to be rewritten.
As shown in fig. 4, an embodiment of the present invention further provides a media data encryption system, which is used to implement the above media data encryption method, and the system includes:
the media file encryption module M100 is configured to encrypt a media file to obtain a first encrypted file;
the application configuration data encryption module M200 is configured to encrypt the application configuration data to obtain encrypted application configuration data;
an encryption parameter adjusting module M300, configured to adjust an encryption parameter in the first encrypted file by using unencrypted application configuration data to obtain a second encrypted file;
and an encrypted data merging module M400, configured to merge the encrypted application configuration data and the second encrypted file into a media data encrypted file.
Therefore, the invention provides an encryption protection scheme of application configuration data attached to an encrypted media file by service application on the basis of encrypting an ISO BMFF media file, firstly, the media file is encrypted by the media file encryption module M100, and then the application configuration data is encrypted by the application configuration data encryption module M200, so that not only is the media content in the encrypted media file protected, but also the application configuration data is protected; further, according to the present invention, the encryption parameter adjusting module M300 uses the application configuration data to adjust and scramble the encryption parameters of the encrypted media file, and tampering with the protected application configuration data will also cause damage to the encrypted ISO BMFF media file, so that the media file is more completely protected.
When the respective function modules of the media data encryption system realize the respective corresponding functions, the steps of the embodiment of the media data encryption method may be adopted for implementation, for example, the media file encryption module M100 may encrypt the media file according to the steps S101 to S104 or steps S101 to S105, the application configuration data encryption module M200 may encrypt the media file according to the steps S201 to S205, the encryption parameter adjustment module M300 may adjust the encryption parameters of the media file according to the steps S301 to S302, and the encrypted data combination module M400 may combine the encrypted application configuration data and the second encrypted file as the media data encrypted file according to the steps S401 to S402 or steps S401 to S403. It should be understood that the specific embodiments of the media data encryption method described above are only examples, and are not intended to limit the scope of the present invention.
The embodiment of the invention also provides media data encryption equipment, which comprises a processor; a memory having stored therein executable instructions of the processor; wherein the processor is configured to perform the steps of the media data encryption method via execution of the executable instructions.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system.
An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 5. The electronic device 600 shown in fig. 5 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 that connects the various system components (including the storage unit 620 and the processing unit 610), a display unit 640, and the like.
Wherein the storage unit stores program code executable by the processing unit 610 to cause the processing unit 610 to perform steps according to various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of the present specification. For example, the processing unit 610 may perform the steps as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
An embodiment of the present invention further provides a computer-readable storage medium for storing a program, where the program implements the steps of the media data encryption method when executed. In some possible embodiments, aspects of the present invention may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present invention described in the above-mentioned electronic prescription flow processing method section of this specification, when the program product is run on the terminal device.
Referring to fig. 6, a program product 800 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In summary, compared with the prior art, the media data encryption method, system, device and storage medium provided by the present invention have the following advantages:
on the basis of encrypting the ISO BMFF media file, the invention provides an encryption protection scheme of application configuration data attached to the encrypted media file by business application, thereby not only protecting the media content in the encrypted media file, but also protecting the application configuration data; the invention uses the application configuration data to participate in adjusting and disturbing the encryption parameters of the encrypted media file, and the tampering of the protected application configuration data can also cause the damage of the encrypted ISO BMFF media file, thereby protecting the media file more comprehensively.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.
Claims (11)
1. A method for encrypting media data, wherein the media data to be encrypted includes media files and application configuration data, the method comprising the steps of:
s100: encrypting the media file to obtain a first encrypted file;
s200: encrypting the application configuration data to obtain encrypted application configuration data;
s300: adjusting encryption parameters in the first encrypted file by using unencrypted application configuration data to obtain a second encrypted file;
s400: merging the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file;
the step S300 includes the steps of:
selecting encryption parameters of a first encrypted file during encryption as data to be adjusted, wherein the encryption parameters comprise a first key identifier and/or a first initial vector;
and performing reversible scrambling calculation on the data to be adjusted by using the unencrypted application configuration data, taking a result after the scrambling calculation as an adjusted encryption parameter, and replacing the encryption parameter recorded in the first encryption file by using the adjusted encryption parameter.
2. The media data encryption method according to claim 1, wherein the step S100 comprises the steps of:
s101: expanding the media file into a structured document about the blocks;
s102: acquiring the number of media tracks and media track description information from the structured document, and providing a first encryption key and a first key identifier for each media track;
s103: encrypting the media sample data in each media track by using a first encryption key, and recording a first initial vector used when each frame of media sample data is encrypted;
s104: marking each piece of encrypted media track description information in the structured document as encrypted, recording a first encryption key identifier and a first initial vector corresponding to a first encryption key in the media track description information, and taking the processed structured document as the first encrypted file.
3. The media data encryption method according to claim 2, wherein, after the step S104 of recording the first encryption key identification and the first initial vector in the media track description information, the method further comprises the steps of:
and serializing and storing the processed structured document into a media file as a first encrypted file.
4. The media data encryption method according to claim 1, wherein the step S200 comprises the steps of:
s201: dividing application configuration data into first configuration data, second configuration data and third configuration data, wherein the first configuration data comprises configuration data which is allowed to be read and rewritten in transmission, the second configuration data comprises configuration data which is allowed to be read but not allowed to be rewritten in transmission, and the third configuration data comprises configuration data which is not allowed to be read and not allowed to be rewritten in transmission;
s202: providing a second encryption key, a second key identification and a second initial vector for encrypting the third configuration data, and adding the second key identification and the second initial vector to the second configuration data;
s203: extracting fingerprint data of the second configuration data, and adding the fingerprint data to third configuration data;
s204: encrypting the third configuration data using the second encryption key and the second initial vector;
s205: and merging the first configuration data obtained in the step S201, the second configuration data obtained in the step S202 and the third configuration data obtained in the step S204 to obtain encrypted application configuration data.
5. The media data encryption method according to claim 4, wherein the step S202 further comprises the steps of providing a padding data block, adding the padding data block to the third configuration data;
in step S203, the extracted fingerprint data is fingerprint data of data spliced with the padding data blocks in the second configuration data and the third configuration data.
6. The media data encryption method according to claim 4, wherein the performing reversible scrambling calculation on the data to be adjusted by using the unencrypted application configuration data includes performing reversible scrambling calculation on the data to be adjusted by using the third configuration data to be encrypted in step S204, using the result of the scrambling calculation as the adjusted encryption parameter, and replacing the encryption parameter recorded in the first encryption file by using the adjusted encryption parameter.
7. The media data encryption method according to claim 6, wherein the step S300 of performing the reversible scrambling calculation includes the steps of:
extracting fingerprint data of the third configuration data obtained in step S204 as a third encryption key;
and encrypting the data to be adjusted by adopting a third encryption key.
8. The media data encryption method according to claim 1, wherein the step S400 comprises the steps of:
s401: constructing the encrypted application configuration data into an application configuration data block compatible with the data block format of the media file;
s402: and adding the application configuration data block into the second encrypted file to obtain a media data encrypted file.
9. A media data encryption system applied to the media data encryption method according to any one of claims 1 to 8, the system comprising:
the media file encryption module is used for encrypting the media file to obtain a first encrypted file;
the application configuration data encryption module is used for encrypting the application configuration data to obtain encrypted application configuration data;
the encryption parameter adjusting module is used for adjusting the encryption parameters in the first encrypted file by adopting unencrypted application configuration data to obtain a second encrypted file;
the encrypted data merging module is used for merging the encrypted application configuration data and the second encrypted file to be used as a media data encrypted file;
the method for adjusting the encryption parameters in the first encrypted file by using the unencrypted application configuration data to obtain a second encrypted file comprises the following steps:
selecting encryption parameters of a first encrypted file during encryption as data to be adjusted, wherein the encryption parameters comprise a first key identifier and/or a first initial vector;
and performing reversible scrambling calculation on the data to be adjusted by using the unencrypted application configuration data, taking a result after the scrambling calculation as an adjusted encryption parameter, and replacing the encryption parameter recorded in the first encryption file by using the adjusted encryption parameter.
10. A media data encryption device, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the media data encryption method of any one of claims 1 to 8 via execution of the executable instructions.
11. A computer-readable storage medium storing a program, wherein the program is configured to implement the steps of the media data encryption method according to any one of claims 1 to 8 when executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811288858.7A CN109495459B (en) | 2018-10-31 | 2018-10-31 | Media data encryption method, system, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811288858.7A CN109495459B (en) | 2018-10-31 | 2018-10-31 | Media data encryption method, system, device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109495459A CN109495459A (en) | 2019-03-19 |
| CN109495459B true CN109495459B (en) | 2021-05-28 |
Family
ID=65691769
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811288858.7A Active CN109495459B (en) | 2018-10-31 | 2018-10-31 | Media data encryption method, system, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109495459B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110990848A (en) * | 2019-11-18 | 2020-04-10 | 上海易点时空网络有限公司 | Sensitive word encryption method and device based on hive data warehouse and storage medium |
| CN111093097A (en) * | 2019-12-20 | 2020-05-01 | 北京云享智胜科技有限公司 | Stream media data encryption and decryption method and device, electronic equipment and storage medium |
| CN113094736A (en) * | 2021-06-04 | 2021-07-09 | 工业信息安全(四川)创新中心有限公司 | Identity card number encryption method, identity card number decryption method, identity card number encryption system and identity card number decryption system |
| CN114286116B (en) * | 2021-12-10 | 2023-07-21 | 深圳市洲明科技股份有限公司 | Media data playing method, device and system |
| CN114826590B (en) * | 2022-05-19 | 2023-03-24 | 北京海泰方圆科技股份有限公司 | Packet mode encryption method, packet mode decryption method, packet mode encryption device, packet mode decryption device and packet mode decryption equipment |
| CN116455560B (en) * | 2023-06-16 | 2023-08-29 | 北京智芯微电子科技有限公司 | Data encryption method, data decryption method, device, equipment and medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108632565A (en) * | 2018-05-25 | 2018-10-09 | 苏州科达科技股份有限公司 | Transmission method, playback method, device and the conference facility of video code flow |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8904191B2 (en) * | 2009-01-21 | 2014-12-02 | Microsoft Corporation | Multiple content protection systems in a file |
| US9871771B2 (en) * | 2014-11-25 | 2018-01-16 | Ncr Corporation | Cryptographic security profiles |
| US10158894B2 (en) * | 2015-12-15 | 2018-12-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Edge media router device for facilitating distribution and delivery of media content having end-to-end encryption |
| CN108229112B (en) * | 2016-12-22 | 2022-06-03 | 阿里巴巴集团控股有限公司 | Protection application program, and running method and device of application program |
| CN107911715B (en) * | 2017-11-22 | 2021-04-16 | 中山大学 | H.264/AVC video format compatible encryption method based on CAVLC coding |
-
2018
- 2018-10-31 CN CN201811288858.7A patent/CN109495459B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108632565A (en) * | 2018-05-25 | 2018-10-09 | 苏州科达科技股份有限公司 | Transmission method, playback method, device and the conference facility of video code flow |
Non-Patent Citations (1)
| Title |
|---|
| "Automatic Welding Seam Tracking and Identification";Xinde Li;《IEEE Transactions on Industrial Electronics》;20170418;第64卷(第9期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109495459A (en) | 2019-03-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109495459B (en) | Media data encryption method, system, device and storage medium | |
| CN109067814B (en) | Media data encryption method, system, device and storage medium | |
| CN111709038B (en) | File encryption and decryption method, distributed storage system, device and storage medium | |
| US8301884B2 (en) | Method of managing metadata | |
| EP2813967B1 (en) | Apparatus and method for managing digital copyright for epub-based content, and apparatus and method for providing epub-based content according to user authority | |
| US8473740B2 (en) | Method and system for secured management of online XML document services through structure-preserving asymmetric encryption | |
| JP5730786B2 (en) | Multiple content protection systems in one file | |
| US20140143553A1 (en) | Method and Apparatus for Encapsulating and Encrypting Files in Computer Device | |
| CN109635586B (en) | Media file encryption key management method, system, device and storage medium | |
| US9342666B2 (en) | Providing security support for digital rights management in different formats | |
| US10970403B1 (en) | Forensic investigation tool | |
| CN104255009A (en) | Systems and methods for segment integrity and authenticity for adaptive streaming | |
| CN111698576B (en) | Information encryption method, decryption method, server, client, and medium | |
| CN105162588A (en) | Media file encryption/decryption methods and device | |
| EP4020265A1 (en) | Method and device for storing encrypted data | |
| CN112307515A (en) | Database-based data processing method and device, electronic equipment and medium | |
| CN110968885A (en) | Model training data storage method and device, electronic equipment and storage medium | |
| US20220345292A1 (en) | Method and device for encryption of video stream, communication equipment, and storage medium | |
| CN112883397A (en) | Data storage method, data reading method, device, equipment and storage medium | |
| Simpson et al. | Electronic Record Key Management for Digital Rights Management | |
| KR101945687B1 (en) | Electronic document managing system using hybrid cloud and method for thereof | |
| EP1552420A1 (en) | Method for managing metadata | |
| US20130058487A1 (en) | Method of building optional blocks | |
| CN115563638B (en) | Data processing method, system, device and storage medium | |
| US20130036474A1 (en) | Method and Apparatus for Secure Data Representation Allowing Efficient Collection, Search and Retrieval |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |