CN201830399U - Front end and client of conditional access system - Google Patents


Publication number
CN201830399U
Authority
CN
China
Prior art keywords
key
content
client
unit
encrypted
Legal status
Expired - Lifetime
Application number
CN201020249906.4U
Other languages
Chinese (zh)
Inventor
张晶
李东
王天星
韩坚
王文军
李伟东
Current Assignee
Beijing Shibo Digital TV Technology Co Ltd
Original Assignee
Beijing Shibo Digital TV Technology Co Ltd
Priority date: 2010-06-25
Filing date: 2010-06-25
Publication date: 2011-05-11
Application filed by Beijing Shibo Digital TV Technology Co Ltd; application granted; the patent term has since expired.

Landscapes

  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The utility model provides a front end and a client of a conditional access system. The front end comprises a content providing end and an operating end. The operating end is connected to the content providing end and receives from it the scrambled program content, the content control messages CCM and the service key SK' encrypted with the public key of the client identity key; it transmits the received scrambled program content and the CCM to the client; and, when the product corresponding to the program information is authorized at the operating end, it further encrypts the encrypted service key SK' with the user key UK of the client to obtain a secondary encrypted service key ESK, uses the ESK to generate a product entitlement message PEM carrying the entitlement information and the ESK, and transmits the PEM to the client. Through the embodiments of the utility model, two-stage control and protection of the program by the program provider and the operator is realized.

Description

Conditional access system front end and client
Technical Field
The utility model relates to a conditional access system for digital television, and in particular to the front end and the terminal of a conditional access system.
Background
As is known, a Conditional Access System (CAS) is a system that controls which television broadcast services a user can receive: the user can only watch authorized broadcast services. The most basic purpose of a CAS is to let the operator perform authorization control and authorization management of users in a television system, thereby implementing the paid services of a digital television system.
In a digital television system, an operator encrypts a television program to be broadcast by using a conditional access system and transmits the encrypted television program in a network, and only a user authorized by the operator can watch the encrypted television program at a receiving end (user). The operator can use the conditional access system to provide various value-added services such as pay television programs, video on demand, information services, internet and the like.
In the course of making the present utility model, the inventors found the following defect in the prior art: because the program is provided by the content provider while authorization of the program is controlled by the operator, the program provider, once it has handed over the program, cannot accurately know its authorization status or how the operator charges for it; the program therefore cannot be controlled and managed by the provider, and protection of the program content is not facilitated.
Summary of the Utility Model
An object of the embodiments of the utility model is to provide a conditional access system front end and client in which the program provider and the operator exercise two-stage control over the program, so that two-stage control and protection of the program by the program provider and the operator is realized and the program provider's control and management of the program content is effectively guaranteed.
In order to achieve the above object, an embodiment of the present invention provides a conditional access system front end, which includes:
a content provider, configured to generate a content key CK and scramble the program content with the generated content key CK to obtain scrambled program content; to generate a service key SK, encrypt the content key CK with the service key SK and generate content control information CCM; to encrypt the service key SK with the public key of the client identity key to obtain an encrypted service key SK'; and to transmit the scrambled program content, the content control information CCM and the encrypted service key SK' to the operator; wherein the content control information CCM includes program information and the content key CK' encrypted by the service key SK;
an operator end, connected to the content provider, configured to receive the scrambled program content, the content control information CCM and the service key SK' encrypted with the public key of the client identity key transmitted by the content provider; to transmit the received scrambled program content and content control information CCM to a client; and, when the operator sends the authorization of the product corresponding to the program information, to further encrypt the encrypted service key SK' with the user key UK of the client to obtain a secondary encrypted service key ESK, generate product authorization information PEM from the ESK and transmit the product authorization information PEM to the client; wherein the product authorization information comprises authorization information and the ESK.
In order to achieve the above object, an embodiment of the present invention provides a client, where the client includes:
the second receiving unit is used for receiving product authorization information PEM sent by an operator of the conditional access system, wherein the product authorization information PEM comprises authorization information and a secondary encrypted service key ESK; the ESK is a key obtained by further encrypting the encrypted service key SK' by a user key of the client;
the first decryption unit is connected with the second receiving unit and used for decrypting the ESK by using a user key UK of the client and a private key of a client identity key to obtain the service key SK;
a third receiving unit, configured to receive content control information CCM sent by an operator of a conditional access system, where the content control information CCM includes program information and a content key CK' encrypted by a service key SK;
a second decryption unit, connected to the third receiving unit, configured to decrypt the encrypted content key CK' by using the service key SK to obtain a content key CK;
and the descrambling unit is connected with the second decryption unit and used for descrambling the scrambled program content by using the content key CK obtained by the second decryption unit so as to obtain the program content.
The beneficial effect of the embodiments of the utility model is that the program provider and the operator exercise two-stage control over the program, so that two-stage control and protection of the program by the program provider and the operator is realized and the program provider's control and management of the program content is effectively guaranteed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
fig. 1 is a schematic diagram of a front end configuration of a conditional access system according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram of a content provider in a front end of a conditional access system according to embodiment 1 of the present invention;
fig. 3 is a schematic view of an operation side of a front end of a conditional access system according to embodiment 1 of the present invention;
fig. 4 is a schematic configuration diagram of a client of the conditional access system according to embodiment 2 of the present invention;
fig. 5 is a schematic diagram of the first decryption unit in embodiment 2 of the present invention;
fig. 6 is a flowchart of an implementation method of the conditional access system according to embodiment 3 of the present invention;
fig. 7 is a flowchart of an implementation method of the conditional access system according to embodiment 4 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
The embodiment of the present invention provides a conditional access system front end, as shown in fig. 1, the front end includes a content provider 101 and an operator 102; wherein,
a content provider 101, configured to generate a content key CK and scramble the program content with the generated content key CK to obtain scrambled program content; to generate a service key SK, encrypt the content key CK with the service key SK and generate content control information CCM; to encrypt the service key SK with the public key of the client identity key to obtain an encrypted service key SK'; and to transmit the scrambled program content, the content control information CCM and the encrypted service key SK' to the operator; wherein the content control information CCM includes program information and the content key CK' encrypted by the service key SK;
an operator 102, connected to the content provider 101, configured to receive the scrambled program content, the content control information CCM and the service key SK' encrypted with the public key of the client identity key transmitted by the content provider 101; to transmit the received scrambled program content and content control information CCM to a client; and, when the operator sends the authorization of the product corresponding to the program information, to further encrypt the encrypted service key SK' with the user key UK of the client to obtain a secondary encrypted service key ESK, generate product authorization information PEM from the ESK and transmit the product authorization information PEM to the client; wherein the product authorization information comprises authorization information and the ESK.
As shown in fig. 2, the operator end 102 includes:
a first receiving unit 201, configured to receive the scrambled program content, the content control information CCM, and the service key SK' encrypted by the public key of the client identity key, which are transmitted by the content provider 101; the content control information CCM includes program information and a content key CK' encrypted by the service key SK;
a first sending unit 202 connected to the first receiving unit 201, for transmitting the scrambled program content and the content control information CCM received by the first receiving unit 201 to the client;
the first encryption unit 203 is connected to the first receiving unit 201, and is configured to further encrypt the encrypted service key SK' by using the user key UK of the client when the operator sends the authorization of the product corresponding to the program information, so as to obtain a twice-encrypted service key ESK;
a first information generating unit 204, connected to the first encrypting unit 203 and the first sending unit 202, for generating a product authorization information PEM by using the ESK obtained by the first encrypting unit 203, where the product authorization information PEM includes authorization information and ESK;
the first sending unit 202 is also used to transmit the product authorization information PEM to the client.
In addition, as shown in fig. 2, the operator may further include a first storage unit 205, configured to store a user key UK corresponding to the client; in addition, the scrambled program content received from the first receiving unit 201, the content control information CCM, and the service key SK' encrypted by the public key of the client identity key may also be stored.
In this embodiment, the authorization information in the product authorization information PEM may include information such as the start time, the end time, and whether recording is allowed.
In this embodiment, the operator 102 may be implemented by a server, which generates the product authorization information PEM when the operator authorizes the product corresponding to the program information, and transmits the scrambled program content and the content control information CCM received from the content provider 101 to the client; unlike the prior art, the operator does not need to generate entitlement control messages (ECM) itself.
As shown in fig. 3, the content provider 101 includes:
a first key generation unit 301 for generating a content key CK;
a scrambling unit 302, connected to the first key generating unit 301, for scrambling the program content with the content key CK generated by the first key generating unit 301 to obtain a scrambled program content;
a second key generation unit 303, configured to generate a service key SK;
a second encryption unit 304, connected to the second key generation unit 303, for encrypting the content key CK with the service key SK generated by the second key generation unit 303 and generating content control information CCM;
a third encryption unit 305, connected to the second key generation unit 303, configured to encrypt the service key SK by using a public key of a client identity key obtained in advance, so as to obtain an encrypted service key SK';
and a second sending unit 306, connected to the second encryption unit 304 and the third encryption unit 305, for transmitting the scrambled program content, the content control information CCM, and the encrypted service key SK' to the operator.
In addition, as shown in fig. 3, the content provider 101 may further include a second storage unit 307, configured to store a public key KID-C of a client identity key obtained in advance, where the public key KID-C of the client identity key may be obtained from a Digital Rights Management (DRM) vendor or a certificate authority, and is not described herein again.
In this embodiment, the content key CK and the service key SK may be generated by any conventional method, which is not described herein again.
It can be seen from the above that the content provider may also be implemented by a server. The content provider applies the first level of protection to the program content, namely through the content key CK and service key SK it generates and the public key of the client identity key (KID-C), and produces the content control information CCM; the operator applies the second level of protection by generating the product authorization information PEM at the operator end. By construction, the service key SK leaves the content provider only as SK', encrypted under the client identity public key, so the operator handles SK' as an opaque value: it can add the user-key layer and decide when a PEM is issued, but it cannot itself recover SK or CK. This separation holds only as long as the operator does not possess the private half of the client identity key.
This embodiment thus shows the program provider and the operator performing two-stage control over the program, so that two-stage control and protection of the program by both parties is realized and the program provider's control and management of the program content is effectively ensured.
Example 2
An embodiment of the utility model provides a client which, as shown in fig. 4, includes:
a second receiving unit 401, configured to receive product authorization information PEM sent by an operator of the conditional access system, where the product authorization information PEM includes authorization information and a service key ESK encrypted twice; the ESK is a key obtained by further encrypting the encrypted service key SK' by a user key UK of the client;
a first decryption unit 402, connected to the second receiving unit 401, configured to decrypt the ESK with the user key UK of the client and the private key of the client identity key to obtain the service key SK;
a third receiving unit 403, configured to receive content control information CCM sent by an operator of the conditional access system, where the content control information CCM includes program information and a content key CK' encrypted by a service key SK;
a second decryption unit 404, connected to the third receiving unit 403, for decrypting the encrypted content key CK' by using the service key SK to obtain a content key CK;
and a descrambling unit 405, connected to the second decryption unit 404, for descrambling the scrambled program content by using the content key CK obtained by the second decryption unit 404 to obtain the program content.
As shown in fig. 4, the client may further include a playing unit 407 for playing the descrambled program content.
In addition, as shown in fig. 4, the client may further include a third storage unit 406, configured to store the user key UK and a private key of the client identity key; in addition, the service key SK obtained by the first decryption unit 402 may also be stored.
As shown in fig. 5, the first decryption unit 402 may include:
a third decryption unit 501, configured to decrypt, using the user key UK, the ESK received by the second receiving unit 401 to obtain an encrypted service key SK';
the fourth decryption unit 502 is connected to the third decryption unit 501, and is configured to decrypt the encrypted service key SK' with the private key of the client identity key to obtain the service key SK.
The second decryption unit 404 and the third decryption unit 501 may use a symmetric algorithm, and the fourth decryption unit 502 may use an asymmetric algorithm, since it reverses the public-key encryption of SK performed at the content provider.
In this embodiment, the client may be a terminal device that receives a digital television program and decrypts and descrambles the received program, specifically a digital television set-top box together with a smart card.
It can be seen from the above embodiments that the program is controlled by the program provider and the operator at the front end of the conditional access system in two stages, so that the program provider and the operator realize two-stage control and protection of the program, and the client obtains the corresponding content key by processing the corresponding product authorization information and the content control information, descrambles the program by using the content key, and enables the user to watch the program.
The following describes an implementation flow of the front end and the client of the conditional access system according to an embodiment of the present invention with reference to the accompanying drawings, as shown in fig. 6:
at the conditional access system front end:
at the content provider:
step 601, a content provider generates a content key CK, and scrambles program content by using the content key CK to obtain scrambled program content;
step 602, the content provider generates the service key SK, encrypts the content key CK by using the generated service key SK, and generates content control information CCM; wherein, the content control information CCM includes program information and a content key CK' encrypted by the service key SK;
step 603, encrypting the service key SK by using the public key of the obtained client identity key to obtain an encrypted service key SK';
step 604, transmitting the scrambled program content, the content control information CCM and the encrypted service key SK' to the operator; these three items need not be transmitted at the same time.
At the operation end:
step 605, the operator receives the scrambled program content, the content control information CCM and the service key SK' encrypted by the public key of the client identity key, which are transmitted by the content provider;
step 606, transmitting the received scrambled program content and content control information CCM to the client;
step 607, when the operator sends the authorization of the product corresponding to the program information, the operator further encrypts the encrypted service key SK' by using the user key UK of the client to obtain a secondary encrypted service key ESK;
step 608, generating a product authorization information PEM by using the ESK, wherein the product authorization information PEM includes authorization information and the ESK;
in step 609, the generated product authorization information PEM is transmitted to the client.
At the conditional access system terminal, i.e. the client, as shown in fig. 7:
step 701, a client receives product authorization information (PEM) sent by an operator of a conditional access system, wherein the PEM comprises authorization information and a secondary Encrypted Service Key (ESK); the ESK is a key obtained by further encrypting the encrypted service key SK' by the user key UK of the client;
step 702, decrypting the ESK by using the user key UK of the client and the private key of the client identity key to obtain the service key SK;
Specifically, the received ESK is first decrypted with the user key UK to obtain the encrypted service key SK', and the encrypted service key SK' is then decrypted with the private key of the client identity key to obtain the service key SK.
Step 703, receiving content control information CCM sent by an operator of the conditional access system, where the content control information CCM includes program information and a content key CK' encrypted by a service key SK;
step 704, decrypting the encrypted content key CK' with the previously obtained service key SK to obtain the content key CK;
step 705, descrambling the received scrambled program content with the content key CK to obtain the program content;
step 706, the program content is played.
It can be seen from the above embodiments that the program is controlled by the program provider and the operator at the front end of the conditional access system in two stages, so that the program provider and the operator realize two-stage control and protection of the program, and the client obtains the corresponding content key by processing the corresponding product authorization information and the content control information, descrambles the program by using the content key, and enables the user to watch the program.
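The key hierarchy of steps 601 to 706 above, carried through end to end in Go as an added example; this is not code from the patent or from its assignee. The page names no algorithms, so the example assumes AES-256-GCM for the three symmetric layers (CK over the program, SK over CK, UK over SK') and RSA-OAEP with a 2048-bit key for the client identity key layer; it further assumes that the user key UK is a 32-byte secret already shared between operator and client, that the client identity key pair belongs to this one client, and that the authorization information in the PEM is just a start and end time (the recording flag the text mentions is not modelled). All identifiers (symSeal, ContentProvider, Operator, Client, Demo and so on) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// must panics on errors that cannot occur in this exchange (bad key length,
// RNG failure, a 32-byte SK not fitting RSA-OAEP), keeping the parties short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Assumed primitives (the page names none): AES-256-GCM with the nonce prepended
// for the CK, SK and UK layers; RSA-OAEP for the client identity key layer.
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func symSeal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}
func symOpen(key, ct []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// CCM carries program information and CK' = Enc_SK(CK); PEM carries the
// entitlement window and ESK = Enc_UK(SK'), where SK' = Enc_pub(SK).
type CCM struct {
	ProgramInfo string
	CKEnc       []byte
}
type PEM struct {
	Start, End time.Time
	ESK        []byte
}

// ContentProvider is steps 601-603; it returns what the operator receives in step 604.
func ContentProvider(program []byte, info string, pub *rsa.PublicKey) ([]byte, CCM, []byte) {
	ck, sk := randBytes(32), randBytes(32)
	skEnc := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil))
	return symSeal(ck, program), CCM{info, symSeal(sk, ck)}, skEnc
}

// Operator is steps 607-608: it wraps the opaque SK' under UK; it never holds SK or CK.
func Operator(skEnc, uk []byte, start, end time.Time) PEM {
	return PEM{start, end, symSeal(uk, skEnc)}
}

// Client is steps 702-705. Nothing is unwrapped outside the PEM window, and a
// failure at any layer (wrong UK, wrong identity key, tampered CCM) aborts the chain.
func Client(pem PEM, ccm CCM, scrambled, uk []byte, priv *rsa.PrivateKey, now time.Time) ([]byte, error) {
	if now.Before(pem.Start) || now.After(pem.End) {
		return nil, errors.New("outside entitlement window for " + ccm.ProgramInfo)
	}
	skEnc, err := symOpen(uk, pem.ESK) // unit 501: strip the UK layer
	if err != nil {
		return nil, err
	}
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, skEnc, nil) // unit 502
	if err != nil {
		return nil, err
	}
	ck, err := symOpen(sk, ccm.CKEnc) // unit 404: recover CK
	if err != nil {
		return nil, err
	}
	return symOpen(ck, scrambled) // unit 405: descramble
}

// Demo runs the exchange on a constructed program and reports whether the entitled
// client recovers it, and whether an expired PEM or a foreign identity key is refused.
func Demo() (entitledOK, expiredRefused, wrongKeyRefused bool) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // client identity key pair (assumed per client)
	uk := randBytes(32)                               // user key UK, assumed pre-shared by operator and client
	scrambled, ccm, skEnc := ContentProvider([]byte("constructed program payload"), "channel 7 movie", &priv.PublicKey)
	now := time.Date(2010, 6, 25, 20, 0, 0, 0, time.UTC)
	pem := Operator(skEnc, uk, now.Add(-time.Hour), now.Add(time.Hour))
	got, err := Client(pem, ccm, scrambled, uk, priv, now)
	_, late := Client(pem, ccm, scrambled, uk, priv, now.Add(48*time.Hour))
	_, foreign := Client(pem, ccm, scrambled, uk, must(rsa.GenerateKey(rand.Reader, 2048)), now)
	return err == nil && string(got) == "constructed program payload", late != nil, foreign != nil
}

func main() {
	fmt.Println(Demo()) // Demo returns true true true
}
```

Two points the text states only implicitly are visible here. The Operator function never receives SK or CK, only the opaque SK', so an operator cannot descramble the program on its own, and an operator-side compromise exposes UK and the entitlement state but not the content provider's keys. The client checks the PEM window before touching any key material, so an expired PEM is refused before the asymmetric decryption even runs, and because each layer is authenticated encryption, a wrong UK, a wrong identity key or a tampered CCM fails closed instead of producing garbage video. What the example does not provide, and the page does not discuss, is proof of origin for the PEM or CCM themselves; a deployment would want the operator's messages signed or otherwise bound to the operator.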
The above embodiments describe the objects, technical solutions and advantages of the present invention in further detail. It should be understood that the above description covers only embodiments of the present invention and is not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention shall fall within its scope.

Claims (5)

1. A conditional access system front-end, the front-end comprising:
the content providing end, configured to generate a content key CK and scramble the program content with the generated content key CK to obtain scrambled program content; to generate a service key SK, encrypt the content key CK with the service key SK and generate content control information CCM; to encrypt the service key SK with the public key of the client identity key to obtain an encrypted service key SK'; and to transmit the scrambled program content, the content control information CCM, which includes program information and the content key CK' encrypted by the service key SK, and the encrypted service key SK' to the operator end;
the operator end, connected to the content providing end, configured to receive the scrambled program content, the content control information CCM and the service key SK' encrypted with the public key of the client identity key transmitted by the content providing end; to transmit the received scrambled program content and content control information CCM to a client; and, when the operator end sends the authorization of the product corresponding to the program information, to further encrypt the encrypted service key SK' with the user key UK of the client to obtain a secondary encrypted service key ESK, generate product authorization information PEM comprising authorization information and the ESK, and transmit the product authorization information PEM to the client.
2. The conditional access system front-end of claim 1, wherein the operator end comprises:
a first receiving unit, configured to receive scrambled program content, content control information CCM, and a service key SK' encrypted by a public key of a client identity key, which are transmitted by the content provider;
a first sending unit, connected to the first receiving unit, for transmitting the scrambled program content and content control information CCM received by the first receiving unit to a client;
the first encryption unit, connected to the first receiving unit, configured to further encrypt the encrypted service key SK' with the user key UK of the client when the operator end sends the authorization of the product corresponding to the program information, so as to obtain a secondary encrypted service key ESK;
the first information generation unit is connected with the first encryption unit and the first sending unit and used for generating product authorization information (PEM) by using the ESK;
the first sending unit is also used for transmitting the product authorization information PEM to the client.
3. The conditional access system front-end of claim 1, wherein the content provider comprises:
a first key generation unit for generating a content key CK;
a scrambling unit, connected to the first key generating unit, for scrambling the program content with the content key CK generated by the first key generating unit to obtain a scrambled program content;
a second key generation unit, configured to generate the service key SK;
a second encryption unit, connected to the second key generation unit, for encrypting the content key CK by using the service key SK generated by the second key generation unit and generating the content control information CCM;
the third encryption unit is connected with the second key generation unit and used for encrypting the service key SK by using the public key of the client identity key so as to obtain an encrypted service key SK';
and the second sending unit is connected with the second encryption unit and the third encryption unit and is used for transmitting the scrambled program content, the content control information CCM and the encrypted service key SK' to the operator.
4. A client, the client comprising:
the second receiving unit is used for receiving product authorization information PEM which is sent by an operator of the conditional access system and comprises authorization information and a service key ESK obtained after the encrypted service key SK' is further encrypted by a user key of the client;
the first decryption unit is connected with the second receiving unit and used for decrypting the ESK by using a user key UK of the client and a private key of a client identity key to obtain the service key SK;
a third receiving unit, configured to receive content control information CCM sent by an operator of the conditional access system, where the content control information CCM includes program information and a content key CK' encrypted by a service key SK;
a second decryption unit, connected to the third receiving unit, configured to decrypt the encrypted content key CK' by using the service key SK to obtain a content key CK;
and the descrambling unit is connected with the second decryption unit and used for descrambling the scrambled program content by using the content key CK obtained by the second decryption unit so as to obtain the program content.
5. The client according to claim 4, wherein the first decryption unit comprises:
a third decryption unit, configured to decrypt, using the user key UK, the ESK received by the second receiving unit, so as to obtain an encrypted service key SK';
and the fourth decryption unit is connected with the third decryption unit and used for decrypting the encrypted service key SK' by using a private key of the client identity key so as to obtain the service key SK.
Application CN201020249906.4U, priority date 2010-06-25, filing date 2010-06-25: Front end and client of conditional access system. Status: Expired - Lifetime. Publication CN201830399U (en).


Publications (1)

Publication Number Publication Date
CN201830399U true CN201830399U (en) 2011-05-11

Family

ID=43968912



Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103297397A * | 2012-02-29 | 2013-09-11 | 华为技术有限公司 | Digital information sending method and receiving method, digital information sending device and receiving device and digital information distribution system
CN105959738A * | 2016-06-22 | 2016-09-21 | 北京数字太和科技有限责任公司 | Bidirectional conditional access system and method
CN105959738B * | 2016-06-22 | 2018-11-30 | 北京数字太和科技有限责任公司 | Bidirectional conditional access system and method
CN106559682A * | 2016-11-15 | 2017-04-05 | 深圳国微技术有限公司 | Method and device for digital television fingerprint watermark protection
CN106559682B * | 2016-11-15 | 2019-07-16 | 深圳国微技术有限公司 | Method and device for digital television fingerprint watermark protection


Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20110511