
WO2006024234A1 - Method and apparatus for protecting broadband video and audio broadcast content - Google Patents


Info

Publication number
WO2006024234A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
packet
content
index
scrambled
Prior art date
Application number
PCT/CN2005/001379
Other languages
French (fr)
Chinese (zh)
Inventor
Jun Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/238 Interfacing the downstream path of the transmission network, e.g. adapting the transmission rate of a video stream to network bandwidth; Processing of multiplex streams
    • H04N21/2389 Multiplex stream processing, e.g. multiplex stream encrypting
    • H04N21/23895 Multiplex stream processing, e.g. multiplex stream encrypting involving multiplex stream encryption
    • H04N21/23897 Multiplex stream processing, e.g. multiplex stream encrypting involving multiplex stream encryption by partially encrypting, e.g. encrypting only the ending portion of a movie
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N21/438 Interfacing the downstream path of the transmission network originating from a server, e.g. retrieving encoded video stream packets from an IP network
    • H04N21/4385 Multiplex stream processing, e.g. multiplex stream decrypting
    • H04N21/43853 Multiplex stream processing, e.g. multiplex stream decrypting involving multiplex stream decryption
    • H04N21/43856 Multiplex stream processing, e.g. multiplex stream decrypting involving multiplex stream decryption by partial decryption, e.g. decrypting a multiplex stream that has been partially encrypted
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60 Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63 Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/643 Communication protocols
    • H04N21/64322 IP
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the present invention relates to broadband video and audio technologies in telecommunication networks, and more particularly to a method and apparatus for protecting broadband video and audio broadcast content.
  • Background of the invention
  • the video and audio streams are encrypted or scrambled before being broadcast to the network, and then the video and audio streams are transmitted to the user over the network, and the user terminal obtains the key from the network and completes the decryption or descrambling of the video and audio streams.
  • the key is broadcast to all user terminals. In order to ensure that the key is not easily cracked, complex key management and encryption algorithms are required, and the key needs to be updated frequently in real time. Therefore, this method has the following disadvantages:
  • the encryption or scrambling algorithm is related to a specific video and audio coding format, and the adaptability is poor.
  • the broadband access technology represented by Digital Subscriber Loop can not only provide data services such as Internet access, but also provide video and audio services including broadband TV services, audio broadcasting services, and on-demand services.
  • the video and audio services are usually based on a set-top box or a computer. After the set-top box or computer accesses the network, the video and audio content from the video/audio broadcast source or the video-on-demand server can be obtained through the network; usually, the on-demand service is carried by unicast streams, while the television and audio broadcast services are carried by multicast streams. The network model is shown in Figure 1.
  • the present invention provides a method and apparatus for protecting broadband video and audio broadcast content to solve the problem of poor security of broadband video and audio broadcast content in the prior art.
  • the present invention provides the following technical solutions:
  • a method for protecting broadband audio and video broadcast content comprising the following steps:
  • step B: obtain a key locally on the transmitting side according to the index information calculated in step A, and use the key and the scrambled location information calculated in step A to scramble the content of a specified segment of the IP packet that does not include the content of the beginning portion;
  • the key is obtained locally on the receiving side according to the index information calculated in step D, and the scrambling segment of the IP packet is descrambled by using the key and the scrambled location information calculated in step D.
  • a local key seed library is set on each of the sending side and the receiving side, and the index information calculated in step A and step D is key seed index information; the key seed is obtained from the key seed library by using the key seed index information, and a key is generated based on the key seed;
  • a local key pool is set on each of the sending side and the receiving side, and the index information calculated in steps A and D is key index information; the key is obtained directly from the key pool by using the key index information.
  • the content of the beginning portion refers to content that changes as the content of the IP message changes, and the length of the extracted content can be set.
  • a broadband video and audio broadcasting system includes:
  • a scrambler (202), receiving video and audio broadcast content output by the video and audio broadcast source, and performing scrambling and transmitting to the broadband network (203);
  • the user terminal (205) descrambles the scrambled video and audio broadcast content.
  • the scrambler (202) includes:
  • the message receiving unit (301) is configured to: after receiving the IP packet, extract the content of the beginning part of the IP packet payload and the payload scrambling segment, and send the content of the payload start part and the IP packet to the message processing unit (302);
  • the message processing unit (302) is configured to calculate the scrambled location information and the index information by using the content of the payload start portion, obtain the key by using the index information, scramble the IP packet by using the key and the scrambled location information, and send the scrambled IP packet to the message sending unit (303);
  • the message sending unit (303) is configured to send the scrambled IP packet to the broadband access device through the broadband network.
  • the message processing unit (302) includes:
  • a key seed library (401) for storing a key seed for generating a key
  • the key seed index generating module (402), after receiving the content of the payload start portion of the IP packet from the packet receiving unit (301), uses the key seed index generation algorithm to generate a key seed index from the content of the payload start portion, and sends the key seed index to the key generation module (403);
  • a key generation module (403), obtaining a key seed from the key seed pool (401) according to the index, and generating a key by using a key generation algorithm;
  • the scramble location generating module (404), after receiving the content of the payload start portion of the IP packet from the packet receiving unit (301), uses a scrambling location generation algorithm and the content of the payload start portion of the IP packet to generate the message scrambling location information;
  • the scrambling module (405), after receiving the scrambled location information and the key, scrambles the IP packet from the message receiving unit (301) by using a scrambling algorithm according to the key and the scrambled location information, and sends the scrambled IP packet to the message sending unit (303);
  • the user terminal further includes:
  • a key seed library (601) for storing a key seed for generating a key
  • the key seed index generating module (602) is configured to extract the content of the beginning part of the message payload from the received IP packet and generate a key seed index, and send the index to the key generation module (603);
  • the key generation module (603) obtains a key seed from the key seed library (601) according to the index and generates a key;
  • the scrambling location generating module (604) is configured to extract the content of the payload starting portion from the IP packet, and generate scrambling location information by using the content of the payload starting portion;
  • the descrambling module (605) performs descrambling processing on the scrambling segment in the IP packet by using the generated key and the start and end location information of the scrambling segment.
  • the message processing unit (302) includes:
  • the key index generation module (502), after receiving the content of the payload start portion of the IP packet from the message receiving unit (301), generates a key index using the content of the payload start portion, and uses the key index to obtain a key from the keystore;
  • the scramble location generating module (503) is configured to generate scrambled location information by using the content of the payload start portion after receiving the content of the payload start portion of the IP packet from the packet receiving unit (301);
  • the scrambling module (504) performs scrambling on the IP packet from the packet receiving unit (301) by using the obtained key and the scrambled location information, and sends the scrambled IP packet to the message sending unit (303).
  • the user terminal further includes:
  • a keystore (701) for storing a key
  • the key index generating module (702) is configured to extract the content of the start portion of the message payload from the received IP packet to generate a key index, and obtain a key from the key pool by using the key index;
  • the scrambling location generating module (703) is configured to extract, from the received IP packet, the content of the beginning part of the message payload and generate start and end location information of the message scrambling segment;
  • the descrambling module (704) performs descrambling processing on the scrambled segment of the message by using the captured key and the scrambled location information.
  • a scrambler includes:
  • the message receiving unit (301) is configured to: after receiving the IP packet, extract the content of the beginning part of the IP packet payload and the payload scrambling segment, and send the content of the payload start part and the IP packet to the message processing unit (302);
  • a message processing unit (302) configured to calculate the scrambled location information and the index information by using the content of the payload start portion, obtain a key by using the index information, scramble the IP packet by using the key and the scrambled location information, and send the scrambled IP packet to the packet sending unit (303);
  • the message sending unit (303) is configured to send the scrambled IP packet to the broadband network.
  • the message processing unit (302) includes:
  • a key seed library (401) for storing a key seed for generating a key
  • the key seed index generating module (402), after receiving the content of the payload start portion of the IP packet from the message receiving unit (301), generates a key seed index by using a key seed index generation algorithm, and sends the key seed index to the key generation module (403);
  • the key generation module (403) obtains a key seed from the key seed pool (401) according to the index, and generates a key by using a key generation algorithm;
  • the scramble location generating module (404), after receiving the content of the payload start portion of the IP packet from the packet receiving unit (301), uses a scrambling location generation algorithm and the content of the payload start portion of the IP packet to generate the message scrambling location information;
  • the scrambling module (405), after receiving the scrambled location information and the key, performs scrambling on the IP packet from the packet receiving unit (301) by using a scrambling algorithm according to the key and the scrambled location information, and sends the scrambled IP packet to the message sending unit (303).
  • the message processing unit (302) includes:
  • the key seed index generating module (602) is configured to extract the content of the beginning part of the message payload from the received IP message and generate a key seed index, and send the index to the key generation module (603);
  • the key generation module (603) obtains a key seed from the key seed library (601) according to the index and generates a key;
  • a scrambling location generating module (604), configured to extract the content of the payload starting part from the IP packet and generate the scrambled location information by using the content of the beginning portion of the payload;
  • the descrambling module (605) performs descrambling processing on the IP packet by using the generated key and the scrambled location information.
  • a user terminal further includes:
  • a key seed library (601) for storing a key seed for generating a key
  • a key seed index generating module (602), configured to extract a content of a payload start part from the received IP packet and generate a key seed index;
  • the key generation module (603) obtains a key seed from the key seed library according to the index and generates a key
  • a scrambling location generating module (604), configured to extract the content of the payload starting part from the received IP packet and generate message scrambling location information;
  • the descrambling module (605) performs descrambling processing on the IP packet by using the generated key and the scrambled location information.
  • a user terminal further includes:
  • the key index generating module (702) is configured to extract the content of the start portion of the message payload from the received IP packet to generate a key index, and obtain a key from the keystore by using the key index.
  • the scrambling location generating module (703) is configured to extract the content of the beginning part of the message payload from the received IP packet and generate message scrambling location information.
  • the descrambling module (704) performs descrambling processing on the scrambled segment of the message by using the acquired key and the scrambled location information.
  • the invention utilizes digital scrambling technology, and the video and audio streams are transmitted in a scrambled manner to ensure that only legitimate terminals can decode and view, and the user cannot directly obtain digital copies of the video and audio streams for viewing by other general terminals.
  • by using this digital scrambling technology, transmission of the key over the network can be avoided, which reduces the risk of the key being cracked and the additional network bandwidth usage.
  • the scheme is independent of the video and audio coding technology and directly scrambles the payload of the IP packet, so it can be applied to different video and audio coding technologies; it does not require complicated key management technology or encryption algorithms, does not increase the difficulty and cost of implementing the terminal set-top box, and reduces the cost of the central office. In addition, if the scrambling algorithm is compromised, the central office and terminal algorithm/key can be remediated in a timely manner through the network.
  • FIG. 1 is a schematic diagram of networking of a broadband video and audio application in the prior art
  • FIG. 2 is a schematic diagram of networking for implementing content protection of broadband video and audio broadcasting according to the present invention
  • FIG. 3 is a schematic structural diagram of a specific embodiment of a scrambler according to the present invention.
  • FIG. 4 is a schematic structural diagram of a specific embodiment of a packet processing unit in a scrambler
  • FIG. 5 is a schematic structural diagram of a second embodiment of a packet processing unit in a scrambler
  • FIG. 6 is a schematic diagram of a descrambling portion of a user terminal.
  • FIG. 7 is a schematic structural diagram of a second embodiment of a descrambling portion of a user terminal
  • FIG. 8 is a schematic flow chart of performing scrambling and descrambling according to the present invention.
  • Mode for carrying out the invention
  • the system of the present invention includes: an audio and video broadcast source 201, a scrambler 202, a broadband network 203, a broadband access device 204, and a user terminal 205.
  • the video and audio broadcast source 201 is configured to generate video and audio broadcast content of each channel, and package the generated video and audio broadcast content into an IP packet for output to the scrambler 202.
  • the scrambler 202 is configured to receive the IP packets containing the audio and video broadcast content output by the video and audio broadcast source 201, scramble the IP packets and transmit them to the broadband network 203; the broadband network 203 transmits the broadcast content output by the video and audio broadcast source; the broadband access device 204 multicasts the broadcast content of each channel transmitted by the broadband network 203 to the user terminal; the user terminal 205 is configured to receive video and audio broadcast content of one or more channels, and descramble the scrambled IP packets.
  • the user terminal 205 can be a computer or a set top box.
  • the beginning of the payload of the IP packet may be used to convey certain protocol information, without adding the scrambling side and descrambling side settings.
  • the scrambling segment that scrambles the IP packet mentioned below is a portion of the payload other than the payload start portion, or a portion or portions of the payload other than the payload start portion.
  • the scrambler 202 includes a message receiving unit 301, a message processing unit 302, and a message transmitting unit 303.
  • the message receiving unit 301 extracts the content of the payload start portion of the IP packet, and sends the content of the payload start portion and the IP packet to the packet processing unit 302.
  • the message processing unit 302 calculates the scrambled location information and the index information by using the content of the payload start portion, obtains the key from the local key pool by using the index information, scrambles the IP packet by using the key and the scrambled location information, and sends the scrambled IP packet to the message sending unit 303.
  • the message sending unit 303 transmits the scrambled IP packet to the broadband access device 304 through the broadband network 203.
  • the message processing unit 302 may include: a key seed library 401, a key seed index generating module 402, a key generating module 403, a scrambling location generating module 404, and a scrambling module 405.
  • the key seed library 401 is configured to save a key seed for generating a key.
  • the key seed index generating module 402 is configured to, after receiving the content of the payload start part of the IP packet from the message receiving unit 301, generate a key seed index from the content of the payload start part by using a key seed index generation algorithm, and send the key seed index to the key generation module 403.
  • the algorithm can use a proprietary algorithm, such as the Haval+MD5 combination algorithm.
  • the key generation module 403 acquires a key seed from the key seed pool 401 according to the index, and generates a key by using a key generation algorithm.
  • the algorithm can use a proprietary algorithm, such as the Haval+MD5 combination algorithm.
  • the scramble location generating module 404, after receiving the content of the payload start portion of the IP packet from the packet receiving unit 301, uses the scramble location generation algorithm and the content of the payload start portion of the IP packet to generate the message scrambling location information, that is, the start and end location information of the scrambling segment.
  • the algorithm can use a proprietary algorithm, such as a combination of XOR, hash and other algorithms.
  • the scrambling module 405 receives the IP packet from the message receiving unit 301, the scrambled location information from the scrambled location generating module 404, and the key from the key generation module 403; according to the key and the scrambled location information, it scrambles the IP packet from the packet receiving unit 301 by using the scrambling algorithm, and sends the scrambled IP packet to the packet sending unit 303.
  • the scrambling algorithm can use algorithms such as DES, 3DES or AES.
  • the message processing unit 302 may further include: a keystore 501, a key index generation module 502, a scramble location generation module 503, and a scrambling module 504.
  • the keystore 501 is used to save the key.
  • the key index generating module 502, after receiving the content of the payload start portion of the IP packet from the message receiving unit 301, generates a key index by using the content of the payload start portion, and uses the key index to obtain the key from the keystore.
  • the scramble location generating module 503 is configured to, after receiving the content of the payload start portion of the IP packet from the packet receiving unit 301, generate the scrambled location information, that is, the start and end position information of the scrambled segment, by using the content of the payload start portion.
  • the scrambling module 504 performs scrambling on the payload scrambling segment of the IP packet from the packet receiving unit 301 by using the extracted key and the start and end position information of the scrambling segment, and sends the scrambled IP packet to the message sending unit 303.
  • the difference between the packet processing unit shown in FIG. 4 and FIG. 5 is that the manner of acquiring the key is different.
  • the message processing unit shown in Fig. 4 uses the index information to first obtain the key seed from the library, and then generates the key, and Fig. 5 uses the index information to directly obtain the key from the library.
  • the present invention adds a descrambling function to an existing user terminal that does not support descrambling. Since the user terminal itself already includes message receiving and video decoding subsystems, the descrambler in the user terminal in the present invention obtains ciphertext message information from the packet receiving subsystem of the user terminal for analysis, performs descrambling processing on the ciphertext message according to the analysis result, and delivers the processed plaintext message to the video decoding subsystem of the user terminal for processing.
  • the structure corresponds to the structure of the message processing unit shown in FIG. 4.
  • the user terminal further includes:
  • the key seed store 601 which is the same as the key seed store in the scrambler shown in Fig. 4, is used to store the key seed for generating the key.
  • the key seed index generating module 602 is configured to extract the content of the beginning portion of the message payload from the received IP packet, generate a key seed index by using the same algorithm as in the key seed index generating module 402 shown in FIG., and send the index to the key generation module 603.
  • the key generation module 603 extracts a key seed from the key seed library 601 according to the index and generates a key.
  • the scrambling location generating module 604 is configured to extract the content of the payload start portion from the IP packet, and generate the message scrambling location information, that is, the start and end location information of the scrambling segment, by using the content of the payload start portion.
  • a descrambling module 605 uses the generated key and the scrambled location information, that is, the start and end position information of the scrambling segment, to descramble the received IP packet.
  • the structure corresponds to the scrambling structure shown in FIG. 5.
  • the user terminal includes:
  • the keystore 701 which is the same as the keystore in the scrambler shown in Fig. 5, is used to hold the key.
  • the key index generating module 702 is configured to extract the content of the beginning part of the message payload from the received IP packet to generate a key index, and obtain the key from the key pool by using the key index.
  • the scrambling location generating module 703 is configured to extract the content of the beginning part of the message payload from the received IP packet and generate scrambling location information, that is, start and end location information of the scrambling segment.
  • the descrambling module 704 performs descrambling processing on the scrambled segment of the message by using the acquired key and the scrambling segment location information.
  • the following takes as an example the case where the scrambler and the user terminal save the same key seed library.
  • the specific processing procedure of scrambling is as follows:
  • the scrambler extracts the part of the content of the beginning portion of the IP packet payload that is used by the scramble location generation algorithm and the key seed index generation algorithm. This is content that changes as the content of the packet changes, rather than fixed content.
  • the corresponding scrambling location information, that is, the start and end positions of the message scrambling segment, is calculated by the scrambling location generation algorithm, and the key seed index is generated by the key seed index generation algorithm.
  • the scrambler queries the corresponding key seed from the local key seed repository according to the key seed index.
  • the scrambler calculates the key by the key generation algorithm according to the key seed.
  • the scrambler performs a scrambling process on the specified segment of the IP packet according to the generated key and the scrambled location information by using a predetermined scrambling algorithm.
  • the specific processing of descrambling is as follows:
  • (1) on the receiving side, after receiving the scrambled message, the user terminal extracts part of the content at the beginning of the IP packet payload, using the same scrambling location generation algorithm and key seed index generation algorithm as the scrambler. This is the same content as in scrambling step (1).
  • the corresponding scrambling location information is calculated by the scrambling location generation algorithm, that is, the start and end positions of the message scrambling segment, and the key seed index is generated by the key seed index generation algorithm.
  • the user terminal finds a corresponding key seed in the local key seed library according to the key seed index.
  • the user terminal calculates the key by the key generation algorithm according to the key seed.
  • the user terminal descrambles the designated scrambling segment according to the key and the scrambled location information by using a predetermined descrambling algorithm.
  • the key index generation algorithm is used instead of the key seed index generation algorithm to generate the key index, and then the key index is directly used to obtain the key from the key pool.
  • the scrambling or descrambling process is the same as above.
  • the algorithm and key seed can be implemented by upgrading the terminal software online.
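The scrambling and descrambling steps listed above, as an added Python example that is not code from the patent. The SHA-256 index and span derivations, the HMAC-SHA256 keystream standing in for the DES/3DES/AES scrambling algorithm, the 12-byte clear header and all names (`Endpoint`, `make_library`, `scramble_span`, `make_payload`) are assumptions; `use_seeds=False` gives the variant that reads the key directly from the keystore.

```python
import hashlib
import hmac

HEADER_LEN = 12  # assumption: size of the payload start that is never scrambled


def make_library(label: bytes, size: int = 256) -> list:
    """Constructed stand-in for the library both sides store locally."""
    return [hashlib.sha256(label + i.to_bytes(2, "big")).digest() for i in range(size)]


def library_index(header: bytes, size: int) -> int:
    """Index generation algorithm (assumed): hash of the clear payload start."""
    digest = hashlib.sha256(b"index" + header).digest()
    return int.from_bytes(digest[:4], "big") % size


def scramble_span(header: bytes, payload_len: int) -> tuple:
    """Scrambling location generation (assumed): start/end of the segment.

    The segment always lies after the clear header and covers at least half
    of the remaining payload. Payloads with no body yield an empty span.
    """
    body = payload_len - HEADER_LEN
    if body <= 0:
        return payload_len, payload_len
    digest = hashlib.sha256(b"span" + header).digest()
    half = (body + 1) // 2
    start = HEADER_LEN + int.from_bytes(digest[:4], "big") % (body - half + 1)
    length = half + int.from_bytes(digest[4:8], "big") % (payload_len - start - half + 1)
    return start, start + length


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in scrambling algorithm: HMAC-SHA256 in counter mode, XORed below."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


class Endpoint:
    """Scrambler or user terminal: same algorithms, same local library."""

    def __init__(self, library: list, use_seeds: bool = True):
        self.library = library
        self.use_seeds = use_seeds  # True: seed -> key; False: library holds keys

    def _key(self, header: bytes) -> bytes:
        entry = self.library[library_index(header, len(self.library))]
        if self.use_seeds:
            # Key generation algorithm (assumed): hash of the key seed.
            return hashlib.sha256(b"keygen" + entry).digest()
        return entry

    def transform(self, payload: bytes) -> bytes:
        header = payload[:HEADER_LEN]
        start, end = scramble_span(header, len(payload))
        stream = keystream(self._key(header), header, end - start)
        segment = bytes(a ^ b for a, b in zip(payload[start:end], stream))
        return payload[:start] + segment + payload[end:]

    # XOR with the same keystream is its own inverse, so both directions
    # run the identical steps, as in the two procedures above.
    scramble = transform
    descramble = transform


def make_payload(seq: int, body_len: int = 52) -> bytes:
    """Constructed sample payload: 12 varying header bytes, then media bytes."""
    header = b"HDR0" + seq.to_bytes(4, "big") + b"\x00" * 4
    return header + bytes((seq + i) % 256 for i in range(body_len))


if __name__ == "__main__":
    shared = make_library(b"constructed-operator-library")
    scrambler, terminal = Endpoint(shared), Endpoint(shared)
    for seq in range(3):
        clear = make_payload(seq)
        sent = scrambler.scramble(clear)
        span = scramble_span(clear[:HEADER_LEN], len(clear))
        print(seq, span, sent[:HEADER_LEN] == clear[:HEADER_LEN],
              terminal.descramble(sent) == clear)
```

Nothing key-related travels with the packet: the index and the span come only from the clear header bytes, so any terminal holding the same library and algorithms derives the same key.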


Abstract

A method and apparatus for protecting broadband video and audio broadcast content, to solve the problem in the prior art that the security of broadband video and audio broadcast content is low. In this method, the sending side extracts the content at the start of the payload from the IP packet and calculates scrambling position information and index information; it obtains a key locally using the index information, and uses the key and the scrambling position information to scramble a specified segment of the IP packet that does not include the content at the start. The receiving side extracts the content at the start of the payload from the scrambled IP packet and calculates the scrambling position information and the index information using the same algorithm as for scrambling; it obtains the key locally using the index information, and uses the key and the scrambling position information to descramble the scrambled segment of the IP packet.

Description

Method and device for protecting broadband video and audio broadcast content
Technical field
The present invention relates to broadband video and audio technologies in telecommunication networks, and more particularly to a method and apparatus for protecting broadband video and audio broadcast content.
Background of the invention
In a cable television network, the video and audio streams are encrypted or scrambled before being broadcast to the network and are then sent to users over the network; the user terminal obtains the key from the network and decrypts or descrambles the video and audio streams. In this method the key is broadcast to all user terminals. To make the key hard to crack, complex key management and encryption algorithms are required, and the key must be updated frequently in real time. This method therefore has the following disadvantages:
(1) The key must be transmitted over the network and is easily cracked.
(2) The key needs to be updated frequently, which consumes a large amount of network bandwidth.
(3) The encryption, decryption and key management algorithms are complex and costly.
(4) The encryption or scrambling algorithm is tied to a specific video and audio coding format, so adaptability is poor.
(5) Once the encryption and decryption algorithm is broken, there is no effective remedy.
At present, broadband access technologies represented by Digital Subscriber Loop (DSL) can provide not only data services such as Internet access but also video and audio services, including broadband television, audio broadcasting and on-demand services. Video and audio services are usually delivered to a set-top box or a computer. After the set-top box or computer is connected to the network, it can obtain video and audio content from a video and audio broadcast source or a video-on-demand server over the network. On-demand services are usually carried by unicast streams, and television and audio broadcast services by multicast streams. The network model is shown in FIG. 1.
A key requirement for delivering television and audio broadcast services over broadband networks is content security. One meaning of content security is ensuring that users cannot freely make illegal digital copies of channel content, which is called digital copy protection. At present, no digital copy protection measures are applied to video and audio broadcast content on broadband networks, so users can copy the content of any channel, and security is therefore poor.
Summary of the invention
The present invention provides a method and apparatus for protecting broadband video and audio broadcast content, to solve the problem in the prior art that broadband video and audio broadcast content has poor security.
To solve the above problem, the present invention provides the following technical solutions:
A method for protecting broadband video and audio broadcast content, where the video and audio broadcast content is generated by a video and audio broadcast source and transmitted to a user terminal in IP packet format through a broadband network and a broadband access device, the method comprising the following steps:
A. At the sending side, extracting the content of the beginning part of the payload from the IP packet, and calculating scrambling location information and index information from that content;
B. Obtaining a key locally at the sending side according to the index information calculated in step A, and using the key and the scrambling location information calculated in step A to scramble a specified segment of the IP packet that does not include the content of the beginning part;
C. Transmitting the scrambled IP packet to the receiving side;
D. At the receiving side, extracting the content of the beginning part of the payload from the scrambled IP packet, and calculating the scrambling location information and the index information using the same algorithms as for scrambling;
E. Obtaining the key locally at the receiving side according to the index information calculated in step D, and using the key and the scrambling location information calculated in step D to descramble the scrambled segment of the IP packet.
A local key seed library is set up on the sending side and the receiving side respectively; the index information calculated in step A and step D is key seed index information, which is used to obtain a key seed from the key seed library, and the key is generated from that key seed.
Alternatively, a local keystore is set up on the sending side and the receiving side respectively; the index information calculated in step A and step D is key index information, which is used to obtain the key directly from the keystore.
The content of the beginning part is content that changes as the content of the IP packet changes, and the length of the extracted content is configurable.
A broadband video and audio broadcast system includes:
a video and audio broadcast source (201), configured to generate the video and audio broadcast content of each channel;
a user terminal (205), configured to receive the video and audio broadcast content of one or more channels;
a broadband network (203), which transmits the broadcast content output by the video and audio broadcast source;
a broadband access device (204), which multicasts the broadcast content of each channel delivered by the broadband network to the user terminal;
characterized in that the system further includes:
a scrambler (202), which receives the video and audio broadcast content output by the video and audio broadcast source, scrambles it, and transmits it to the broadband network (203);
the user terminal (205) descrambles the scrambled video and audio broadcast content.
The scrambler (202) includes:
a message receiving unit (301), configured to, after receiving an IP packet, extract the content of the beginning part of the IP packet payload and the payload scrambling segment, and send the content of the beginning part of the payload and the IP packet to the message processing unit (302);
a message processing unit (302), configured to calculate scrambling location information and index information from the content of the beginning part of the payload, obtain a key using the index information, scramble the IP packet using the key and the scrambling location information, and send the scrambled IP packet to the message sending unit (303);
a message sending unit (303), configured to send the scrambled IP packet to the broadband access device through the broadband network.
The message processing unit (302) includes:
a key seed library (401), configured to store the key seeds used to generate keys;
a key seed index generating module (402), which, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit (301), generates a key seed index from that content using the key seed index generation algorithm, and sends the key seed index to the key generation module (403);
a key generation module (403), which obtains a key seed from the key seed library (401) according to the index and generates a key using the key generation algorithm;
a scrambling location generating module (404), which, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit (301), generates the scrambling location information of the packet from that content using the scrambling location generation algorithm;
a scrambling module (405), which, after receiving the scrambling location information and the key, scrambles the IP packet from the message receiving unit (301) with the scrambling algorithm according to the key and the scrambling location information, and sends the scrambled IP packet to the message sending unit (303);
The user terminal further includes:
a key seed library (601), configured to store the key seeds used to generate keys;
a key seed index generating module (602), configured to extract the content of the beginning part of the packet payload from the received IP packet, generate a key seed index, and send the index to the key generation module (603);
a key generation module (603), which obtains a key seed from the key seed library (601) according to the index and generates a key;
a scrambling location generating module (604), configured to extract the content of the beginning part of the payload from the IP packet and generate scrambling location information from that content;
a descrambling module (605), which descrambles the scrambled segment of the IP packet using the generated key and the start and end location information of the scrambled segment.
The message processing unit (302) includes:
a keystore (501), configured to store keys;
a key index generating module (502), which, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit (301), generates a key index from that content and uses the key index to obtain a key from the keystore;
a scrambling location generating module (503), configured to generate scrambling location information from the content of the beginning part of the payload after receiving that content from the message receiving unit (301);
a scrambling module (504), which scrambles the IP packet from the message receiving unit (301) using the obtained key and the scrambling location information, and sends the scrambled IP packet to the message sending unit (303);
The user terminal further includes:
a keystore (701), configured to store keys;
a key index generating module (702), configured to extract the content of the beginning part of the packet payload from the received IP packet to generate a key index, and to use the key index to obtain a key from the keystore;
a scrambling location generating module (703), configured to extract the content of the beginning part of the packet payload from the received IP packet and generate the start and end location information of the scrambled segment of the packet;
a descrambling module (704), which descrambles the scrambled segment of the packet using the obtained key and the scrambling location information.
A scrambler includes:
a message receiving unit (301), configured to, after receiving an IP packet, extract the content of the beginning part of the IP packet payload and the payload scrambling segment, and send the content of the beginning part of the payload and the IP packet to the message processing unit (302);
a message processing unit (302), configured to calculate scrambling location information and index information from the content of the beginning part of the payload, obtain a key using the index information, scramble the IP packet using the key and the scrambling location information, and send the scrambled IP packet to the message sending unit (303);
a message sending unit (303), configured to send the scrambled IP packet to the broadband network.
The message processing unit (302) includes:
a key seed library (401), configured to store the key seeds used to generate keys;
a key seed index generating module (402), which, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit (301), generates a key seed index from that content using the key seed index generation algorithm, and sends the key seed index to the key generation module (403);
a key generation module (403), which obtains a key seed from the key seed library (401) according to the index and generates a key using the key generation algorithm;
a scrambling location generating module (404), which, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit (301), generates the scrambling location information of the packet from that content using the scrambling location generation algorithm;
a scrambling module (405), which, after receiving the scrambling location information and the key, scrambles the IP packet from the message receiving unit (301) with the scrambling algorithm according to the key and the scrambling location information, and sends the scrambled IP packet to the message sending unit (303).
The message processing unit (302) includes:
a key seed index generating module (602), configured to extract the content of the beginning part of the packet payload from the received IP packet, generate a key seed index, and send the index to the key generation module (603);
a key generation module (603), which obtains a key seed from the key seed library (601) according to the index and generates a key;
a scrambling location generating module (604), configured to extract the content of the beginning part of the payload from the IP packet and generate scrambling location information from that content;
a descrambling module (605), which descrambles the IP packet using the generated key and the scrambling location information.
A user terminal further includes:
a key seed library (601), configured to store the key seeds used to generate keys;
a key seed index generating module (602), configured to extract the content of the beginning part of the payload from the received IP packet and generate a key seed index;
a key generation module (603), which obtains a key seed from the key seed library according to the index and generates a key;
a scrambling location generating module (604), configured to extract the content of the beginning part of the payload from the received IP packet and generate the scrambling location information of the packet;
a descrambling module (605), which descrambles the IP packet using the generated key and the scrambling location information.
A user terminal further includes:
a key index generating module (702), configured to extract the content of the beginning part of the packet payload from the received IP packet to generate a key index, and to use the key index to obtain a key from the keystore;
a scrambling location generating module (703), configured to extract the content of the beginning part of the packet payload from the received IP packet and generate the scrambling location information of the packet;
a descrambling module (704), which descrambles the scrambled segment of the packet using the obtained key and the scrambling location information.
The present invention uses digital scrambling: the video and audio streams are transmitted in scrambled form, which ensures that only legitimate terminals can decode and view them, and users cannot directly obtain a digital copy of the video and audio streams for viewing on other general-purpose terminals. With this digital scrambling technique, keys are not propagated over the network, which reduces the risk of the key being cracked and avoids additional network bandwidth usage. The algorithm is independent of the specific video and audio coding technology and scrambles the IP packet payload directly, so it is applicable to different video and audio coding technologies. It requires no complex key management or encryption algorithms, does not increase the implementation difficulty or cost of the terminal set-top box, and reduces central office cost. In addition, if the scrambling algorithm is broken, the algorithms/keys at the central office and the terminals can be updated synchronously over the network as a timely remedy.
Brief description of the drawings
FIG. 1 is a schematic diagram of the networking of a broadband video and audio application in the prior art;
FIG. 2 is a schematic diagram of the networking used by the present invention to protect broadband video and audio broadcast content;
FIG. 3 is a schematic structural diagram of a specific embodiment of the scrambler of the present invention;
FIG. 4 is a schematic structural diagram of specific embodiment 1 of the message processing unit in the scrambler;
FIG. 5 is a schematic structural diagram of specific embodiment 2 of the message processing unit in the scrambler;
FIG. 6 is a schematic structural diagram of specific embodiment 1 of the descrambling part of the user terminal;
FIG. 7 is a schematic structural diagram of specific embodiment 2 of the descrambling part of the user terminal;
FIG. 8 is a schematic flow chart of scrambling and descrambling according to the present invention.
Mode for carrying out the invention
Referring to FIG. 2, the system of the present invention includes a video and audio broadcast source 201, a scrambler 202, a broadband network 203, a broadband access device 204 and a user terminal 205. The video and audio broadcast source 201 generates the video and audio broadcast content of each channel, encapsulates it in IP packets and outputs them to the scrambler 202. The scrambler 202 receives the IP packets containing video and audio broadcast content output by the video and audio broadcast source 201, scrambles them and transmits them to the broadband network 203. The broadband network 203 transmits the broadcast content output by the video and audio broadcast source. The broadband access device 204 multicasts the broadcast content of each channel delivered by the broadband network 203 to the user terminal. The user terminal 205 receives the video and audio broadcast content of one or more channels and descrambles the scrambled IP packets. The user terminal 205 may be a computer or a set-top box.
It should be noted that the core ideas of digital scrambling in the present invention are:
(1) Only the payload of the IP packet is scrambled, and the scrambling technique is independent of the specific payload content.
(2) The beginning part of the IP packet payload may be used to carry certain protocol information and is not scrambled ... set on the scrambling side and the descrambling side.
(3) The scrambler and the user terminal must be configured with the same scrambling location generation algorithm, key seed index generation algorithm, key generation algorithm and scrambling/descrambling algorithm, and the scrambler and the user terminal each store an identical key seed library or keystore.
The scrambling segment of an IP packet referred to below is the part of the payload other than the beginning part, or one or more portions of the payload other than the beginning part.
Referring to FIG. 3, the scrambler 202 includes a message receiving unit 301, a message processing unit 302 and a message sending unit 303.
After receiving an IP packet, the message receiving unit 301 extracts the content of the beginning part of the IP packet payload and sends that content and the IP packet to the message processing unit 302.
The message processing unit 302 calculates scrambling location information and index information from the content of the beginning part of the payload, obtains a key from the local keystore using the index information, scrambles the IP packet using the key and the scrambling location information, and sends the scrambled IP packet to the message sending unit 303.
The message sending unit 303 sends the scrambled IP packet to the broadband access device 304 through the broadband network 203.
Referring to FIG. 4, the message processing unit 302 may include a key seed library 401, a key seed index generating module 402, a key generation module 403, a scrambling location generating module 404 and a scrambling module 405.
The key seed library 401 stores the key seeds used to generate keys.
The key seed index generating module 402, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit 301, generates a key seed index from that content using the key seed index generation algorithm and sends the key seed index to the key generation module 403. This algorithm may be a proprietary algorithm, such as a Haval+MD5 combination.
The key generation module 403 obtains a key seed from the key seed library 401 according to the index and generates a key using the key generation algorithm. This algorithm may be a proprietary algorithm, such as a Haval+MD5 combination.
The scrambling location generating module 404, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit 301, generates the scrambling location information of the packet, that is, the start and end positions of the scrambling segment, from that content using the scrambling location generation algorithm. This algorithm may be a proprietary algorithm, such as a combination of XOR, hash and similar algorithms.
The scrambling module 405, after receiving the IP packet from the message processing unit 301, the scrambling location information from the scrambling location generating module 404 and the key from the key generation module 403, scrambles the IP packet from the message receiving unit 301 with the scrambling algorithm according to the key and the scrambling location information, and sends the scrambled IP packet to the message sending unit 303. The scrambling algorithm may be DES, 3DES, AES or a similar algorithm.
Referring to FIG. 5, the message processing unit 302 may alternatively include a keystore 501, a key index generating module 502, a scrambling location generating module 503 and a scrambling module 504.
The keystore 501 stores keys.
The key index generating module 502, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit 301, generates a key index from that content and uses the key index to obtain a key from the keystore.
The scrambling location generating module 503, after receiving the content of the beginning part of the payload of the IP packet from the message receiving unit 301, generates scrambling location information, that is, the start and end positions of the scrambling segment, from that content.
The scrambling module 504 scrambles the payload scrambling segment of the IP packet from the message receiving unit 301 using the obtained key and the start and end location information of the scrambling segment, and sends the scrambled IP packet to the message sending unit 303.
The message processing units shown in FIG. 4 and FIG. 5 differ in how the key is obtained. The unit in FIG. 4 uses the index information to obtain a key seed from the library first and then generates the key from it, while the unit in FIG. 5 uses the index information to obtain the key directly from the library.
FIG. 6 and FIG. 7 are structural diagrams of two specific embodiments of the descrambling part of the user terminal. The invention adds a descrambling function to an existing user terminal that does not support descrambling. Because the user terminal already contains packet receiving and video decoding subsystems, the descrambler in the user terminal obtains the ciphertext packets from the terminal's packet receiving subsystem and analyses them, descrambles the ciphertext packets according to the analysis result, and hands the resulting plaintext packets to the terminal's video decoding subsystem.
Referring to FIG. 6, this structure corresponds to the packet processing unit shown in FIG. 4. In addition to the basic structure of the prior art, the user terminal comprises:
The key seed library 601, identical to the key seed library in the scrambler shown in FIG. 4, stores the key seeds from which keys are generated.
The key seed index generation module 602 extracts the content of the start portion of the payload from the received IP packet, generates a key seed index using the same algorithm as in the key seed index generation module 402 shown in FIG. 4, and sends the index to the key generation module 603.
The key generation module 603 obtains a key seed from the key seed library 601 according to the index and generates a key.
The scrambling position generation module 604 extracts the content of the start portion of the payload from the IP packet and generates from it the packet's scrambling position information, that is, the start and end positions of the scrambled segment.
The descrambling module 605 uses the generated key and the scrambling position information, that is, the start and end positions of the scrambling, to descramble the received IP packet.
Referring to FIG. 7, this structure corresponds to the scrambling structure shown in FIG. 5. In addition to the basic structure of the prior art, the user terminal comprises:
The key library 701, identical to the key library in the scrambler shown in FIG. 5, stores keys.
The key index generation module 702 extracts the content of the start portion of the payload from the received IP packet to generate a key index, and uses the key index to obtain a key from the key library.
The scrambling position generation module 703 extracts the content of the start portion of the payload from the received IP packet and generates the scrambling position information, that is, the start and end positions of the scrambled segment.
The descrambling module 704 uses the obtained key and the scrambled segment position information to descramble the scrambled segment of the packet.
Referring to FIG. 8, and taking as an example the case in which the scrambler and the user terminal both store the same key seed library, the specific scrambling procedure is as follows:
(1) On the sending side, the scrambler uses the scrambling position generation algorithm and the key seed index generation algorithm to extract certain content from the start portion of the IP packet payload. This is content that varies as the packet content changes, not fixed content.
(2) The scrambling position generation algorithm computes the corresponding scrambling position information, that is, the start and end positions of the packet's scrambled segment, and the key seed index generation algorithm generates the key seed index.
(3) The scrambler looks up the corresponding key seed in its local key seed library according to the key seed index.
(4) The scrambler computes the key from the key seed using the key generation algorithm.
(5) The scrambler scrambles the designated segment of the IP packet with the predetermined scrambling algorithm, according to the generated key and the scrambling position information.
The specific descrambling procedure is as follows:
(1) On the receiving side, after receiving a scrambled packet, the user terminal uses the same scrambling position generation algorithm and key seed index generation algorithm as the scrambler to extract certain content from the start portion of the IP packet payload; this content is the same as in scrambling step (1).
(2) The scrambling position generation algorithm computes the corresponding scrambling position information, that is, the start and end positions of the packet's scrambled segment, and the key seed index generation algorithm generates the key seed index.
(3) The user terminal finds the corresponding key seed in its local key seed library according to the key seed index.
(4) The user terminal computes the key from the key seed using the key generation algorithm.
(5) The user terminal descrambles the designated scrambled segment with the predetermined descrambling algorithm, according to the key and the scrambling position information.
If the scrambler and the user terminal both store the same key library, a key index generation algorithm is used in place of the key seed index generation algorithm to generate a key index, and the key index is then used to fetch the key directly from the key library for scrambling or descrambling; the procedure is otherwise the same as above.
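The scrambling and descrambling steps (1) to (5) above, as an added Python sketch that is not code from the patent. The SHA-256-based index and position derivations, the HMAC key generation, the SHA-256 counter keystream (standing in for DES, 3DES or AES), `PREFIX_LEN` and the constructed seed library are all assumptions.

```python
import hashlib
import hmac

PREFIX_LEN = 8  # assumption: length of the cleartext payload start that is extracted


def make_library(label, size=16):
    """Constructed key seed library; both sides must hold the same one."""
    return [hashlib.sha256(label + bytes([i])).digest() for i in range(size)]


SEED_LIBRARY = make_library(b"constructed-demo-seeds")


def _digest(purpose, prefix):
    # Domain-separated hash so the index and the positions are unrelated values.
    return hashlib.sha256(purpose + b"\x00" + prefix).digest()


def seed_index(prefix, library_size):
    """Step (2): key seed index derived from the payload start."""
    return int.from_bytes(_digest(b"seed-index", prefix)[:4], "big") % library_size


def scramble_positions(prefix, payload_len):
    """Step (2): (start, end) of the scrambled segment, end exclusive.

    The segment never overlaps the payload start, otherwise the receiver
    could not recompute the same values from the scrambled packet.
    """
    room = payload_len - PREFIX_LEN
    if room <= 0:
        return payload_len, payload_len  # nothing left to scramble
    d = _digest(b"position", prefix)
    start = PREFIX_LEN + int.from_bytes(d[:4], "big") % (room // 2 + 1)
    max_len = payload_len - start
    min_len = (max_len + 1) // 2
    length = min_len + int.from_bytes(d[4:8], "big") % (max_len - min_len + 1)
    return start, start + length


def generate_key(seed):
    """Step (4): key generation algorithm applied to the looked-up seed."""
    return hmac.new(seed, b"content-key", hashlib.sha256).digest()


def _keystream(key, n):
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def _process(payload, library):
    if len(payload) <= PREFIX_LEN:
        return payload  # too short: only the cleartext start exists
    prefix = payload[:PREFIX_LEN]                        # step (1)
    start, end = scramble_positions(prefix, len(payload))
    seed = library[seed_index(prefix, len(library))]     # step (3)
    key = generate_key(seed)                             # step (4)
    stream = _keystream(key, end - start)
    segment = bytes(a ^ b for a, b in zip(payload[start:end], stream))
    return payload[:start] + segment + payload[end:]     # step (5)


def scramble(payload, library=SEED_LIBRARY):
    """Sending side: same length out as in, payload start left in clear."""
    return _process(payload, library)


def descramble(payload, library=SEED_LIBRARY):
    """Receiving side: recomputes index, key and positions from the packet."""
    return _process(payload, library)


if __name__ == "__main__":
    packet = bytes(range(200))  # constructed sample payload
    wire = scramble(packet)
    print(scramble_positions(packet[:PREFIX_LEN], len(packet)))
    print(descramble(wire) == packet)
```

Because the index, positions and key are all functions of cleartext bytes and a static library, every packet with the same payload start is scrambled under the same key, and confidentiality rests on the library and algorithms staying private.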
The digital scrambling technique described above has the following characteristics:
(1) It scrambles the IP packet payload and is independent of the specific video and audio coding technology;
(2) It occupies no additional bandwidth;
(3) Multi-layer encryption and multiple encryption algorithms;
(4) Scrambling is dynamic according to the packet content, and the scrambling information is exchanged dynamically;
(5) The key is not transmitted over the network;
(6) The scrambler and the terminal are technically easy to implement, and their cost is low;
(7) High security: to break the scheme, a user must obtain all of the following at the same time: the scrambling and descrambling algorithm, the scrambling position generation algorithm, the key seed index generation algorithm, all key seeds in the key seed library, and the key generation algorithm;
(8) By upgrading the terminal software online, the algorithms and key seeds can be

Claims

1. A method for protecting broadband video and audio broadcast content, the video and audio broadcast content being generated by a video and audio broadcast source and transmitted in IP packet format through a broadband network and a broadband access device to a user terminal, characterized in that the method comprises the following steps:
A. on the sending side, extracting the content of the start portion of the payload from the IP packet, and computing scrambling position information and index information from the content of the payload start portion;
B. obtaining a key locally on the sending side according to the index information computed in step A, and using that key and the scrambling position information computed in step A to scramble the content of a designated segment of the IP packet that does not include the content of said start portion;
C. transmitting the scrambled IP packet to the receiving side;
D. on the receiving side, extracting the content of said payload start portion from the scrambled IP packet, and computing the scrambling position information and index information with the same algorithms as used for scrambling;
E. obtaining a key locally on the receiving side according to the index information computed in step D, and using that key and the scrambling position information computed in step D to descramble the scrambled segment of the IP packet.
2. The method according to claim 1, characterized in that a local key seed library is provided on the sending side or the receiving side respectively, the index information computed in step A and step D is key seed index information, a key seed is obtained from the key seed library using the key seed index information, and the key is generated from that key seed;
or, a local key library is provided on the sending side or the receiving side respectively, the index information computed in step A and step D is key index information, and the key is obtained directly from the key library using the key index information.
3. The method according to claim 1 or 2, characterized in that the content of said start portion is content that varies as the content of the IP packet changes, and the length of the extracted content is configurable.
4. A broadband video and audio broadcasting system, comprising:
a video and audio broadcast source (201), configured to generate the video and audio broadcast content of each channel;
a user terminal (205), configured to receive the video and audio broadcast content of one or more channels;
a broadband network (203), which transmits the broadcast content output by the video and audio broadcast source;
a broadband access device (204), which multicasts the broadcast content of each channel delivered by the broadband network to the user terminal;
characterized by further comprising:
a scrambler (202), which receives the video and audio broadcast content output by the video and audio broadcast source, scrambles it and transmits it to the broadband network (203);
the user terminal (205) descrambling the scrambled video and audio broadcast content.
5. The system according to claim 4, characterized in that the scrambler (202) comprises:
a packet receiving unit (301), configured to, after receiving an IP packet, extract the content of the start portion of the IP packet payload and the payload scrambling segment, and send the content of the payload start portion and the IP packet to the packet processing unit (302);
a packet processing unit (302), configured to compute scrambling position information and index information from the content of the payload start portion, obtain a key using the index information, scramble the IP packet using the key and the scrambling position information, and send the scrambled IP packet to the packet sending unit (303);
a packet sending unit (303), configured to send the scrambled IP packet through the broadband network to the broadband access device.
6. The system according to claim 5, characterized in that the packet processing unit (302) comprises:
a key seed library (401), configured to store the key seeds from which keys are generated;
a key seed index generation module (402) which, after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301), generates a key seed index from that content using the key seed index generation algorithm, and sends the key seed index to the key generation module (403);
a key generation module (403), which obtains a key seed from the key seed library (401) according to the index and generates a key using the key generation algorithm;
a scrambling position generation module (404) which, after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301), generates the packet's scrambling position information from that content using the scrambling position generation algorithm;
a scrambling module (405) which, after receiving the scrambling position information and the key, scrambles the IP packet from the packet receiving unit (301) with the scrambling algorithm according to the key and the scrambling position information, and sends the scrambled IP packet to the packet sending unit (303);
the user terminal further comprising:
a key seed library (601), configured to store the key seeds from which keys are generated;
a key seed index generation module (602), configured to extract the content of the start portion of the payload from the received IP packet, generate a key seed index, and send the index to the key generation module (603);
a key generation module (603), which obtains a key seed from the key seed library (601) according to the index and generates a key;
a scrambling position generation module (604), configured to extract the content of the payload start portion from the IP packet and generate scrambling position information from that content;
a descrambling module (605), which uses the generated key and the start and end positions of the scrambled segment to descramble the scrambled segment in the IP packet.
7. The system according to claim 5, characterized in that the packet processing unit (302) comprises:
a key library (501), configured to store keys;
a key index generation module (502) which, after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301), generates a key index from that content and uses the key index to obtain a key from the key library;
a scrambling position generation module (503), configured to generate scrambling position information from the content of the payload start portion after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301);
a scrambling module (504), which scrambles the IP packet from the packet receiving unit (301) using the obtained key and the scrambling position information, and sends the scrambled IP packet to the packet sending unit (303);
the user terminal further comprising:
a key library (701), configured to store keys;
a key index generation module (702), configured to extract the content of the start portion of the payload from the received IP packet to generate a key index, and to use the key index to obtain a key from the key library;
a scrambling position generation module (703), configured to extract the content of the start portion of the payload from the received IP packet and generate the start and end positions of the packet's scrambled segment;
a descrambling module (704), which uses the obtained key and the scrambling position information to descramble the scrambled segment of the packet.
8. A scrambler, characterized by comprising:
a packet receiving unit (301), configured to, after receiving an IP packet, extract the content of the start portion of the IP packet payload and the payload scrambling segment, and send the content of the payload start portion and the IP packet to the packet processing unit (302);
a packet processing unit (302), configured to compute scrambling position information and index information from the content of the payload start portion, obtain a key using the index information, scramble the IP packet using the key and the scrambling position information, and send the scrambled IP packet to the packet sending unit (303);
a packet sending unit (303), configured to send the scrambled IP packet to the broadband network.
9. The scrambler according to claim 8, characterized in that the packet processing unit (302) comprises:
a key seed library (401), configured to store the key seeds from which keys are generated;
a key seed index generation module (402) which, after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301), generates a key seed index from that content using the key seed index generation algorithm, and sends the key seed index to the key generation module (403);
a key generation module (403), which obtains a key seed from the key seed library (401) according to the index and generates a key using the key generation algorithm;
a scrambling position generation module (404) which, after receiving the content of the start portion of the payload of the IP packet from the packet receiving unit (301), generates the packet's scrambling position information from that content using the scrambling position generation algorithm;
a scrambling module (405) which, after receiving the scrambling position information and the key, scrambles the IP packet from the packet receiving unit (301) with the scrambling algorithm according to the key and the scrambling position information, and sends the scrambled IP packet to the packet sending unit (303).
10. The scrambler according to claim 8, characterized in that the packet processing unit (302) comprises:
a key seed index generation module (602), configured to extract the content of the start portion of the payload from the received IP packet, generate a key seed index, and send the index to the key generation module (603);
a key generation module (603), which obtains a key seed from the key seed library (601) according to the index and generates a key;
a scrambling position generation module (604), configured to extract the content of the payload start portion from the IP packet and generate scrambling position information from that content;
a descrambling module (605), which descrambles the IP packet using the generated key and the scrambling position information.
11. A user terminal, characterized by further comprising:
a key seed library (601), configured to store the key seeds from which keys are generated;
a key seed index generation module (602), configured to generate a key seed index from the content of the payload start portion extracted from the received IP packet;
a key generation module (603), which obtains a key seed from the key seed library according to the index and generates a key;
a scrambling position generation module (604), configured to generate the packet's scrambling position information from the content of the payload start portion extracted from the received IP packet;
a descrambling module (605), which descrambles the IP packet using the generated key and the scrambling position information.
12. A user terminal, characterized by further comprising:
a key index generation module (702), configured to extract the content of the start portion of the payload from the received IP packet to generate a key index, and to use the key index to obtain a key from the key library;
a scrambling position generation module (703), configured to extract the content of the start portion of the payload from the received IP packet and generate the packet's scrambling position information;
a descrambling module (704), which uses the obtained key and the scrambling position information to descramble the scrambled segment of the packet.
PCT/CN2005/001379 2004-09-01 2005-09-01 Method ano apparatus for protecting broadband video and audio broadcast content WO2006024234A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB200410075345XA CN100356789C (en) 2004-09-01 2004-09-01 Method and device for protecting broadband audio-video broadcasting content
CN200410075345.X 2004-09-01

Publications (1)

Publication Number Publication Date
WO2006024234A1 true WO2006024234A1 (en) 2006-03-09

Family

ID=35999710

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/001379 WO2006024234A1 (en) 2004-09-01 2005-09-01 Method ano apparatus for protecting broadband video and audio broadcast content

Country Status (2)

Country Link
CN (1) CN100356789C (en)
WO (1) WO2006024234A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5173151B2 (en) * 2006-05-16 2013-03-27 京セラ株式会社 Address generating method and broadcast receiving apparatus
CN101924595B (en) * 2009-06-12 2012-09-12 北京视博数字电视科技有限公司 Audio scrambling method, descrambling method and device thereof
CN107733639B (en) * 2017-08-24 2020-08-04 深圳壹账通智能科技有限公司 Key management method, device and readable storage medium
CN108881022B (en) * 2018-05-30 2020-11-10 中国人民解放军战略支援部队信息工程大学 Network node device and method for scrambling and look-up table forwarding of datagram

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000004549A2 (en) * 1998-07-14 2000-01-27 Koninklijke Philips Electronics N.V. Copy protection by ticket encryption
CN1250994A (en) * 1998-09-14 2000-04-19 朗迅科技公司 Secure transmitting for broadband data information
WO2002009430A2 (en) * 2000-07-21 2002-01-31 General Instrument Corporation System and method for facilitating subscriber access to web enabled services

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002520682A (en) * 1998-07-14 2002-07-09 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Copy protection with ticket encryption

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000004549A2 (en) * 1998-07-14 2000-01-27 Koninklijke Philips Electronics N.V. Copy protection by ticket encryption
CN1250994A (en) * 1998-09-14 2000-04-19 朗迅科技公司 Secure transmitting for broadband data information
WO2002009430A2 (en) * 2000-07-21 2002-01-31 General Instrument Corporation System and method for facilitating subscriber access to web enabled services

Also Published As

Publication number Publication date
CN1744707A (en) 2006-03-08
CN100356789C (en) 2007-12-19

Similar Documents

Publication Publication Date Title
US20080063195A1 (en) Method and system for encrypting or decrypting wmv streaming media
US8452008B2 (en) Content distributing method, apparatus and system
US7480385B2 (en) Hierarchical encryption key system for securing digital media
US8385545B2 (en) Secure content key distribution using multiple distinct methods
US20070204290A1 (en) Method for Protecting Contents of Broadband Video/Audio Broadcast
US20110093883A1 (en) System, protection method and server for implementing the virtual channel service
US20060190403A1 (en) Method and Apparatus for Content Protection and Copyright Management in Digital Video Distribution
US20030018917A1 (en) Method and apparatus for delivering digital media using packetized encryption data
AU2005258137A1 (en) Validating client-receivers
JP2007184929A (en) Method of descrambling scrambled content data object
WO2007076652A1 (en) User authorization method for use in digital television conditional access system
WO2008046323A1 (en) Mobile telephone television service protect method, system and apparatus
WO2007109999A1 (en) Method, system, subscriber equipment and multi-media server for digital copyright protection
WO2011120901A1 (en) Secure descrambling of an audio / video data stream
US20060047976A1 (en) Method and apparatus for generating a decrpytion content key
US20050047449A1 (en) Individual video encryption system and method
WO2016189105A1 (en) Management of broadcast encrypted digital multimedia data receivers
WO2008025197A1 (en) System and method for realizing the real time scrambling of the media data
WO2006024234A1 (en) Method ano apparatus for protecting broadband video and audio broadcast content
US20060233368A1 (en) Method for conditional access in a DMTS/DOCSIS enabled set top box environment
US20070011735A1 (en) Open standard conditional access system
WO2000067483A1 (en) Method and apparatus for access control of pre-encrypted on-demand television services
JP2005020218A (en) License information transmission apparatus, license information transmission program, license information transmission method and license information receiver, license information reception program, and license information reception method
WO2009106007A1 (en) Method, system and equipment for realizing media security of iptv multicast service
EP1499062B1 (en) Individual video encryption system and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05781846

Country of ref document: EP

Kind code of ref document: A1