CN1315324C - Safe access method and device for digital broadcast television network - Google Patents

Publication number: CN1315324C
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CNB031192238A
Other languages: Chinese (zh)
Other versions: CN1527600A (en)
Inventors: 虞忠伟, 颜宏华, 卢建民
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB031192238A; published as CN1527600A; application granted and published as CN1315324C; current legal status Expired - Fee Related.

Landscapes

  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The invention discloses a method for secure access to a digital broadcast television system, comprising: 1) establishing an interactive digital broadcast television system; 2) when the terminal part is powered on, the interactive service processing unit initiates interactive-network access authentication with the interactive network, and the interactive network authenticates the terminal part's access using its own user access protocol; 3) based on the user information, performing system access authentication on the terminal part that passed interactive-network access authentication, and admitting the terminal part that passes system access authentication to the digital broadcast television system. The invention also discloses a secure access device arranged according to this method: its front-end part comprises a multiplexer, a scrambler, a control word generator and a service management control unit, and its terminal part comprises a demultiplexer, a descrambler and an interactive service processing unit. Corresponding front-end and back-end devices are also disclosed. The method and device overcome the weakness of a system whose security rests entirely on key encryption; they are simple in structure, easy to implement and easy to control.

Description

Method and device for secure access to a digital broadcast television network

Technical field

The invention relates to access technology for broadcast television networks, and in particular to a method and device for secure access to a digital broadcast television network.

Background

Most current broadcast television networks neglected security when they were first built; where security was considered at all, the mechanism was built only on physical security, which becomes meaningless as the networks grow more interconnected. For example, cable television and satellite television networks in some regions have been attacked, normal viewing has been disturbed or interrupted, and the networks have suffered severe damage, large economic losses and a very bad social impact. Logical measures such as security protocols, cryptography and security management are therefore necessary and should be adopted to strengthen access authentication and keep illegitimate users out.

One effective way to achieve this and to address the threats to current broadcast networks is to develop digital television, because the conditional access (CA) system in a digital television platform plays the central security role. The CA system is the conditional access mechanism of a digital broadcast television system and the basic operational facility protecting the legitimate revenue of digital television content providers and network operators: programmes and information are scrambled in real time at the front end of the transmission network and descrambled at the subscriber end, and paying subscribers are authorized online, so that paying viewers can watch programmes normally and non-paying viewers cannot. The CA system is thus also a charging control system, implemented with cryptography, whose fundamental purpose is to protect the operator's interests. Because the CA system spans the digital television front end, the transmission network and the subscriber end, that is, the whole broadcast television network, it is also the security system that defends digital television against malicious attacks motivated by commercial or political aims. Its main security goals are to prevent subscriber authorization devices from being counterfeited or copied in bulk by pirates for commercial gain, and to prevent illegitimate programmes or information from being injected into the network.

Current CA systems are designed for one-way broadcast television networks; their implementation is shown in Figure 1, a block diagram of the CA system in an existing one-way digital broadcast television system. As shown in Figure 1, the front-end part 110 of the existing system comprises a multiplexer 111, a scrambler 112, an encryptor 113, an encryptor 114, a service information (SI) generator 115, a subscriber authorization system 116, a control word (CW) generator 117, a programme information management system 118 and a subscriber management system 119; the terminal part (STB) 130 comprises a descrambler 132, a demultiplexer 131, a decryptor 133, a decryptor 134 and a security processor 135. The terminal part 130 also contains a smart card system 136.

In this one-way system the CA function is implemented mainly through subscriber access authentication and service authorization, and all of its security is concentrated in the terminal. The specific process is as follows.

At the front end, the existing CA system uses a three-level key mechanism to encrypt the transmitted programme:

1. The scrambler 112 uses the control word produced by the control word (CW) generator 117 to seed a pseudo-random sequence generator, which produces a new pseudo-random sequence that scrambles the service information. The control word is a set of random numbers that changes randomly every few seconds, and the receiving end must descramble under the control of the same control word;

2. The encryptor 114 encrypts the control word produced by the control word (CW) generator 117 and places it in the entitlement control message (ECM);

3. The encryptor 113 encrypts the subscriber management information provided by the subscriber management system 119 to form the entitlement management message (EMM). The encrypted messages and the programme information (PSI) are combined by the multiplexer 111 into the service information, which is scrambled by the scrambler 112 and transmitted over the broadcast network 120 to the terminal part 130.

In the terminal part 130, the existing CA system first has the decryptor 134 decrypt the EMM with the PDK (personal distribution key), extract the service key (SK) and pass it to the security processor 135, which decides whether this terminal is entitled to receive the service. If it is, the decryptor 133 uses the service key SK to decrypt the control word CW from the ECM and provides the CW to the descrambler 132, which descrambles with it and passes the descrambled information to the demultiplexer 131; otherwise the service information cannot be received.

It can be seen from the subscriber access authentication and service authorization scheme described above that, because the CA system is constrained by the one-way network, the scheme is not only complicated but also has several security weaknesses:

1. Its security depends entirely on the capabilities of the terminal. Once the algorithm is broken, every point within the system's coverage is fully exposed to piracy.

2. The existing CA system cannot authenticate individual service authorizations, so illegitimate services are hard to prevent.

3. Because the existing CA architecture is one-way, its encryption and decryption algorithms are bound entirely to the device, so pirates have ample opportunity to work out a complete break, and auxiliary measures such as backup algorithms cannot remedy this fundamental flaw. The security of existing CA systems is therefore not high.

The European DVB (Digital Video Broadcasting) organization has proposed a scheme for an interactive digital broadcast television network in which the front-end part is connected to the terminal part not only through the broadcast network but also through an interactive network; with it, broadcast services and interactive services such as video on demand can be provided, that is, the interactive capabilities of the digital broadcast television network are increased. An interactive digital broadcast television network adds two-way interaction and at the same time allows a powerful subscriber and service management platform to be built, making the broadcast television system operable and manageable. Although there is as yet no actual implementation, the strong capabilities of such a network make it a direction for the development of digital broadcast television with good prospects.

Summary of the invention

In view of this, the object of the present invention is to provide a method and device for secure access to a digital broadcast television network, so as to improve the security of the network.

To achieve this object, the present invention provides a method for secure access to a digital broadcast television system, comprising the following steps:

1) A service management control unit is provided in the front-end part of the digital broadcast television system, and an interactive service processing unit is provided in the terminal part;

the service management control unit is connected to an interactive network and the interactive service processing unit is connected to the interactive network, establishing an interactive digital broadcast television system;

2) When the terminal part is powered on, the interactive service processing unit initiates interactive-network access authentication with the interactive network; the interactive network authenticates the terminal part's access using its own user access protocol, and sends the user information of users that pass interactive-network access authentication to the service management control unit in the front-end part;

3) Based on the received user information, the service management control unit performs system access authentication on the terminal part that passed interactive-network access authentication, and admits the terminal part that passes system access authentication to the digital broadcast television system.

The system access authentication in step 3) may be performed by the service management control unit comparing the received user information with the user information it stores itself.

The method may further comprise: after system access authentication succeeds, before a service starts or is switched, the terminal part sends its own user information and service management information over the interactive network to the service management control unit in the front-end part; the service management control unit performs user service authorization authentication on this user information and service management information and returns the authentication result to the terminal part over the interactive network; the terminal part obtains the service information according to the authentication result.

The interactive network may be a wireless interactive network, including a Global System for Mobile Communications (GSM) network, a General Packet Radio Service (GPRS) network, a wideband code division multiple access (WCDMA) wireless communication network, a CDMA 2000 wireless communication network, or a mobile broadband wireless access (MBWA) network. Step 1) may further comprise: arranging the service management control unit as a service management module and a service control module connected to each other, connecting the service control module to the system's existing multiplexer, connecting the service control module to the interactive network through an authentication interaction interface, and connecting the service management module to the interactive network through a service interface.

When the interactive network is a WCDMA network, step 2) may be: the terminal part first reads the user information from the smart card system, then establishes a connection with the interactive network and registers the user; the core network (CN) of the interactive network sends an authentication request message through the interactive service processing unit in the terminal part to the smart card system; the smart card system performs the authentication computation on that message and returns the authentication result through the interactive service processing unit to the CN; the CN authenticates the terminal part's user for interactive-network access on the basis of that result, sends the user information of users that pass authentication through the authentication interaction interface to the service control module in the front-end part, and returns the user information of users that fail authentication to the interactive service processing unit in the terminal part.

In step 2), authentication may be performed by the AAA authentication server in the CN according to the interactive network's own wireless AAA authentication protocol.

Step 2) may further comprise: when the terminal part is powered on, the interactive service processing unit sends the user's personal identification number (PIN), received from the smart card system, to the interactive network, which authenticates the number.

Step 1) further comprises: arranging the service management control unit as a service management module and a service control module connected to each other, connecting the service control module to the system's existing multiplexer, connecting the service control module to the interactive network through an authentication interaction interface, and connecting the service management module to the interactive network through a service interface. When the interactive network is a WCDMA network, the user service authorization authentication may proceed as follows: the terminal part sends the user information and the service request information through the interactive service processing unit to the serving GPRS support node (SGSN) of the CN in the interactive network; the SGSN forwards the information to the gateway GPRS support node (GGSN); after routing through the GGSN, the information is sent through the service interface to the service management module in the front-end part; the service management module performs real-time service switching according to the service request information, while the service control module uses the service request information and the user information to decide whether the user is entitled to the service; if so, confirmation authorization information is returned to the terminal part via the service management module, the service interface and the interactive network; otherwise a "service not executed" message is returned to the terminal part.

The authorization information returned to the terminal part may be a service control word produced by the control word generator; the terminal part uses the received service control word to descramble the requested service in the descrambler and so obtains the service.

The user service authorization authentication process may further comprise: the service control module starting to charge the user of the terminal part at the same time as it returns the confirmation authorization information.
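The following is an added Python model, not code from the patent, covering both the legacy terminal-side key chain of the existing CA system (EMM decrypted with the PDK to obtain SK, ECM decrypted with SK to obtain CW) and the new flow of steps 2) and 3) followed by the service authorization and control-word delivery described above. The scrambling algorithm, the card's authentication computation and every key, identity and service name are constructed stand-ins; they are not the WCDMA or DVB algorithms.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def keystream(cw: bytes, length: int) -> bytes:
    # Constructed stand-in for the pseudo-random sequence generator seeded by the control word.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(cw + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def scramble(cw: bytes, data: bytes) -> bytes:
    # XOR with the CW keystream; the same call descrambles (toy symmetric cipher).
    return bytes(a ^ b for a, b in zip(data, keystream(cw, len(data))))

# Legacy one-way CA chain (figure 1): every secret needed to recover the CW is held by the terminal.
def legacy_terminal_recover_cw(pdk: bytes, emm: bytes, ecm: bytes) -> bytes:
    sk = scramble(pdk, emm)   # decryptor 134: EMM -> service key SK, using the personal key PDK
    return scramble(sk, ecm)  # decryptor 133: ECM -> control word CW, using SK

# New scheme: access authentication and service authorization move to the network and front end.
class SmartCard:
    def __init__(self, user_id: str, ki: bytes) -> None:
        self.user_id, self.ki = user_id, ki

    def answer(self, challenge: bytes) -> bytes:
        # Authentication computation on the card; HMAC stands in for the real algorithm (assumption).
        return hmac.new(self.ki, challenge, hashlib.sha256).digest()

class InteractiveNetwork:
    # Core network (CN) running its own AAA protocol against the key it holds for each card.
    def __init__(self, ki_by_user: dict[str, bytes]) -> None:
        self.ki_by_user = ki_by_user

    def authenticate(self, card: SmartCard) -> bool:
        ki = self.ki_by_user.get(card.user_id)
        if ki is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(ki, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.answer(challenge))

@dataclass
class FrontEnd:
    # Service management control unit: stored user records, entitlements and control words.
    entitlements: dict[str, set[str]]  # stored user info -> services the user has paid for
    cw_by_service: dict[str, bytes]    # control word generator output, per service
    billing: list[tuple[str, str]] = field(default_factory=list)

    def access_system_auth(self, user_id: str, network_auth_ok: bool) -> bool:
        # Step 3: only identities vouched for by the network are compared with stored records.
        return network_auth_ok and user_id in self.entitlements

    def authorize_service(self, user_id: str, service: str, network_auth_ok: bool) -> bytes | None:
        if not self.access_system_auth(user_id, network_auth_ok):
            return None
        if service not in self.entitlements[user_id]:
            return None                              # "service not executed" result
        self.billing.append((user_id, service))      # charging starts with the confirmation
        return self.cw_by_service[service]           # authorization info = service control word

class Terminal:
    def __init__(self, card: SmartCard, network: InteractiveNetwork, front_end: FrontEnd) -> None:
        self.card, self.network, self.front_end = card, network, front_end
        self.network_auth_ok = False

    def power_on(self) -> bool:
        # Step 2 (network authentication) followed by step 3 (system access authentication).
        self.network_auth_ok = self.network.authenticate(self.card)
        return self.front_end.access_system_auth(self.card.user_id, self.network_auth_ok)

    def watch(self, service: str, scrambled: bytes) -> bytes | None:
        cw = self.front_end.authorize_service(self.card.user_id, service, self.network_auth_ok)
        return None if cw is None else scramble(cw, scrambled)

def run_demo() -> dict:
    # Constructed scenario exercising both chains; every key, identity and service name is made up.
    cw_news, cw_film = b"cw-news-0001", b"cw-film-0001"
    pdk, sk = b"personal-key", b"service-key"
    emm, ecm = scramble(pdk, sk), scramble(sk, cw_news)  # legacy front end wraps SK under PDK, CW under SK
    network = InteractiveNetwork({"user-A": b"ki-A", "user-B": b"ki-B"})
    front_end = FrontEnd({"user-A": {"news"}}, {"news": cw_news, "film": cw_film})
    on_air = scramble(cw_news, b"scrambled service information")
    term_a = Terminal(SmartCard("user-A", b"ki-A"), network, front_end)
    term_b = Terminal(SmartCard("user-B", b"ki-B"), network, front_end)  # valid SIM, no subscription
    term_c = Terminal(SmartCard("user-A", b"wrong"), network, front_end)  # claims user-A without its key
    return {
        "legacy_cw": legacy_terminal_recover_cw(pdk, emm, ecm),
        "a_on": term_a.power_on(), "b_on": term_b.power_on(), "c_on": term_c.power_on(),
        "a_news": term_a.watch("news", on_air),
        "a_film": term_a.watch("film", on_air),   # authenticated but not entitled
        "b_news": term_b.watch("news", on_air),   # never passed system access authentication
        "billing": list(front_end.billing),
    }
```

Calling `run_demo()` shows that only the terminal whose card key the network recognises and whose identity the front end has on record receives a control word, and that charging starts only for the service that was confirmed.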

The present invention also provides a secure access device for a digital broadcast television system, applied to an interactive digital broadcast television network. The device comprises a front-end part and a terminal part. The front-end part comprises a multiplexer, a scrambler and a control word generator, the multiplexer being connected to the scrambler and the scrambler to the broadcast network; the terminal part comprises a demultiplexer and a descrambler, the demultiplexer being connected to the descrambler and the descrambler to the broadcast network;

the front-end part further comprises a service management control unit, which performs system access authentication on user information received from the interactive network that has passed interactive-network access authentication, and returns the authentication result to the terminal part over the interactive network; wherein

the control word generator is connected between the scrambler and the interactive network, and the service management control unit is connected between the multiplexer and the interactive network;

the terminal part further comprises an interactive service processing unit, which sends the user information read from the smart card system to the interactive network for interactive-network access authentication, and receives from the interactive network the interactive-network access authentication result and the system access authentication result; wherein

the interactive service processing unit is connected between the descrambler and the interactive network, is connected to the demultiplexer, and is connected to a smart card system.

The service management control unit may further comprise a service management module and a service control module. The service control module receives, via the authentication interaction interface, user information sent from the interactive network that has passed interactive-network access authentication, performs system access authentication on that user information, and returns the authentication result through the authentication interaction interface and the interactive network to the terminal part; wherein

the service management module and the service control module are connected to each other, the service control module is connected to the multiplexer and, through the authentication interaction interface, to the interactive network, and the service management module is connected to the interactive network through the service interface.

The present invention further provides a secure access front-end device for a digital broadcast television system, applied to an interactive digital broadcast television network. The device comprises a multiplexer, a scrambler and a control word generator; the multiplexer is connected to the scrambler and the scrambler to the broadcast network;

the device further comprises a service management control unit, which performs system access authentication on user information received from the interactive network that has passed interactive-network access authentication, and sends the authentication result out over the interactive network; wherein

the control word generator is connected between the scrambler and the interactive network, and the service management control unit is connected between the multiplexer and the interactive network.

The service management control unit may further comprise a service management module and a service control module. The service control module receives, via the authentication interaction interface, user information sent from the interactive network that has passed interactive-network access authentication, performs system access authentication on that user information, and sends the authentication result out through the authentication interaction interface; wherein

the service management module and the service control module are connected to each other, the service control module is connected to the multiplexer and, through the authentication interaction interface, to the interactive network, and the service management module is connected to the interactive network through the service interface.

The present invention further provides a secure access terminal device for a digital broadcast television system, applied to an interactive digital broadcast television network. The device comprises a demultiplexer and a descrambler; the demultiplexer is connected to the descrambler and the descrambler to the broadcast network;

the device further comprises an interactive service processing unit, which sends the user information read from the smart card system to the interactive network for interactive-network access authentication, and receives from the interactive network the interactive-network access authentication result and the system access authentication result; wherein

the interactive service processing unit is connected between the descrambler and the interactive network, is connected to the demultiplexer, and is connected to a smart card system.

The smart card system may be a SIM card system.

As the technical solution shows, the secure access method of the present invention performs power-on access authentication and service authorization authentication for interactive digital broadcast television over the interactive network. This overcomes the weakness of the original CA system, whose security rests entirely on key encryption, and the structure is much simpler than the original system and therefore easier to implement. The core of the present invention's security mechanism is authentication and authorization at the front end, which the operator controls; this solves the problem that the core of the existing CA mechanism is the key held in the terminal, which the operator does not control.

Brief description of the drawings

Figure 1 is a schematic diagram of the CA system in an existing one-way digital broadcast television system;

Figure 2 is a schematic diagram of an interactive digital broadcast television system according to a preferred embodiment of the method of the invention;

Figure 3 is a schematic diagram of the process by which the terminal part of the embodiment of Figure 2 accesses the interactive digital broadcast television system;

Figure 4 is a schematic diagram of the service authorization authentication process of the terminal part of the embodiment of Figure 2.

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚明白,下面结合实施例和附图,对本发明进一步详细说明。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the embodiments and accompanying drawings.

本发明提供了一种数字广播电视网络的安全接入方法及装置,其主要方法是建立交互数字广播电视系统,通过交互网络建立双向点到点的交互,实现终端部分的安全接入,其安全接入装置就是按这种方法设置的。本发明使得认证和授权完全由前端的控制中心统一管理,因此使设备完全脱离安全系统,从而使设备平台完全开放,盗解者也就失去了用武之地。The present invention provides a method and device for securely accessing a digital broadcast television network. The main method is to establish an interactive digital broadcast television system, establish bidirectional point-to-point interaction through the interactive network, and realize secure access to the terminal part. The access device is set up in this way. The invention makes authentication and authorization completely managed by the front-end control center, so that the equipment is completely separated from the security system, so that the equipment platform is completely open, and hackers lose their use.

参见图2,图2为发明方法的一个较佳实施例的交互数字广播电视系统示意图。本发明对现有的单向数字广播电视系统进行了改造,形成了本发明的安全接入装置:Referring to Fig. 2, Fig. 2 is a schematic diagram of an interactive digital broadcasting television system according to a preferred embodiment of the inventive method. The present invention transforms the existing one-way digital broadcasting television system to form the security access device of the present invention:

在前端部分210也就是前端装置中,设置了业务管理控制单元213,保留原系统中的复合器211、加扰器212、控制字发生器214;连接复合器211与加扰器212,连接加扰器212与广播网221,将控制字发生器214连接在加扰器212与交互网络222之间,将业务管理控制单元213设置在复合器211与交互网络222之间。In the front-end part 210, that is, in the front-end device, a service management control unit 213 is set, and the compounder 211, the scrambler 212, and the control word generator 214 in the original system are reserved; the compounder 211 and the scrambler 212 are connected, and the The scrambler 212 and the broadcast network 221, the control word generator 214 is connected between the scrambler 212 and the interactive network 222, and the service management control unit 213 is set between the multiplexer 211 and the interactive network 222.

In this embodiment, the service management control unit 213 is split into a service management module 215 and a service control module 216 that are connected to each other. The service control module 216 is connected to the multiplexer 211 and, through an authentication interaction interface, to the interactive network 222; the service management module 215 is connected to the interactive network 222 through a service interface.

In this embodiment, the two encryptors 113 and 114 of the original system are not used. Of course, if not every terminal part 230 in the interactive broadcast television system is connected to the interactive network 222, that is, if some terminal parts 230 have no connection to the interactive network 222, then these two encryptors should be retained, and the terminal parts 230 that are not connected to the interactive network 222 should likewise retain the corresponding two decryptors.

In the terminal part 230, that is, the terminal device, an interactive service processing unit 233 is added, and the demultiplexer 231 and descrambler 232 of the original system are retained. The demultiplexer 231 is connected to the descrambler 232, the descrambler 232 is connected to the broadcast network 221, the interactive service processing unit 233 is placed between the descrambler 232 and the interactive network 222, and it is also connected to the demultiplexer 231 and to a smart card system 234. The smart card system 234 may be a common SIM card system.

The interactive network 222 connected in the present invention may be a wireless interactive network using a mainstream cellular standard: a Global System for Mobile Communications (GSM) network, a General Packet Radio Service (GPRS) network, a Wideband Code Division Multiple Access (WCDMA) wireless communication network or a CDMA 2000 wireless communication network. It may also be a non-mainstream Mobile Broadband Wireless Access (MBWA) network, but taking technical maturity, cost and ease of roll-out together, a cellular standard is the better choice. This embodiment is implemented with a WCDMA wireless communication network as the wireless interactive network.

Therefore, as shown in Fig. 2, in this embodiment the service control module 216 is connected through the authentication interface to the wireless AAA authentication server 224 in the packet-switched domain 223 of the wireless core network within the interactive network 222; the service management module 215 is connected through the service interface, which in this embodiment is the Gi interface, to the firewall 225 in the packet-switched domain 223 of the wireless core network; and the interactive service processing unit 233 is connected to the WCDMA radio access network 228 of the interactive network 222.

Referring to Fig. 3, which is a schematic diagram of the process by which a terminal part gains access to the interactive digital broadcast television system in the embodiment shown in Fig. 2.

As shown in Fig. 3, access of a terminal part to the interactive digital broadcast television system consists of two basic processes:

First, user access authentication by the interactive network.

When the terminal part is powered on, it first reads the user information from the smart card system, then establishes a connection with the interactive network, sends the user information to the SGSN in the core network (CN) of the interactive network for user registration, and the user information is passed on to the WAAA server. The WAAA server sends an authentication request message, through the interactive service processing unit in the terminal part, to the smart card system; the smart card system performs the authentication computation on that message and returns the authentication result, again through the interactive service processing unit, to the WAAA server in the CN. The CN then authenticates the terminal part's access to the interactive network according to the result held by the WAAA server.

The whole authentication process follows the wireless AAA authentication protocol of the WCDMA network itself. It is similar to the power-on authentication performed when a WCDMA handset attaches to the WCDMA network, differing only in the user information used.

The user information of users that pass authentication is sent through the authentication interaction interface to the service control module of the front-end part; the user information of users that fail authentication is returned to the interactive service processing unit of the terminal part.

In addition, when the terminal part is powered on, the interactive service processing unit may also send the user's personal identification number (PIN), as received by the smart card system, to the interactive network, which verifies that number. This process is the same as the one by which the WCDMA network verifies the PIN of a WCDMA handset user.

Second, user access authentication by the system.

The service control module performs user access system authentication by comparing the received user information with the user information it stores itself.

That is, the service control module performs user access system authentication on the user information it receives from the WAAA server through the authentication interaction interface. Based on the billing information, account balance, service control and load control settings associated with the user named in that information, the service control module decides whether the user is entitled to use the system's services, produces a decision and returns it to the user terminal, again through the authentication interaction interface and over the interactive network.

In this way, through the interactive network, the above authentication is carried out the moment a terminal is powered on, keeping unauthorized users out.

In this embodiment, a legitimate terminal part that has passed identity authentication must additionally pass service authorization authentication whenever it obtains a service, so that unauthorized services are prevented. That is, before a service starts and before a service switch, the user's service request is subjected to service authorization authentication.

Fig. 4 is a schematic diagram of the service authorization authentication process for a terminal part in the embodiment shown in Fig. 2.

As shown in Fig. 4, the terminal part first sends the user information and the service request information, through the interactive service processing unit, to the Serving GPRS Support Node (SGSN) of the CN in the interactive network. The SGSN forwards the information to the Gateway GPRS Support Node (GGSN), and the GGSN routes it through the service interface to the service management module of the front-end part. The service management module forwards the information to the service control module and completes the real-time service switch according to the service request, while the service control module decides, from the service request information and the user information, whether the user is entitled to that service. If so, it returns the authorization confirmation, namely the service control word produced by the control word generator, to the terminal part via the service management module, the service interface and the interactive network; otherwise it returns a service-not-executed message to the terminal part. The terminal part sends an acknowledgement back to the service control module and at the same time uses the received service control word to descramble the requested service in the descrambler, thereby obtaining the service. The service control module starts billing the terminal part's user at the moment it returns the authorization confirmation.

When the user terminal wishes to terminate a service, it sends a termination message. As in the service authorization process, the user information and the service termination request travel over the interactive network and the Gi interface to the service management module, which completes the real-time service termination according to the request; the service control module simultaneously stops billing the user, and the termination confirmation is returned via the service management module, the Gi interface and the interactive network to the user at the terminal part.
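The two processes just described, power-on authentication by the network and then by the front end, followed by service authorization, control word release and termination, as an added example that is not part of the patent. It is a Python simulation written for this page: an HMAC stands in for the SIM's authentication algorithm, a SHA-256 keystream XOR stands in for the scrambler/descrambler pair, and every class name, subscriber identity, key, balance and service name is a constructed placeholder rather than anything the patent specifies.

```python
"""Added example (not from the patent): toy model of the boot-time two-stage
authentication and the service authorization/termination exchange. Keys, IMSIs,
balances and service names are constructed placeholders."""
import hashlib
import hmac
import secrets

def scramble(cw, data):
    """Keystream XOR standing in for the scrambler/descrambler pair (assumption, not CSA)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(cw + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def sim_response(ki, rand):
    """HMAC stands in for the SIM's authentication algorithm (assumption)."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]

class SmartCard:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki          # Ki never leaves the card

    def answer_challenge(self, rand):
        return sim_response(self._ki, rand)

class ServiceControlModule:
    """Front end: user-access-system authentication, service authorization, billing."""
    def __init__(self, accounts):
        self._accounts = accounts   # imsi -> {"balance": .., "entitled": set()}
        self._cws = {}              # control word generator state
        self.billing = {}           # imsi -> services currently billed

    def control_word(self, service):
        return self._cws.setdefault(service, secrets.token_bytes(8))

    def system_auth(self, imsi):    # reached only by users the network accepted
        acct = self._accounts.get(imsi)
        return "ACCESS_GRANTED" if acct and acct["balance"] > 0 else "SYSTEM_AUTH_FAILED"

    def authorize(self, imsi, service):
        acct = self._accounts.get(imsi)
        if not acct or service not in acct["entitled"]:
            return "SERVICE_DENIED", None
        self.billing.setdefault(imsi, set()).add(service)   # billing starts with the CW
        return "SERVICE_AUTHORIZED", self.control_word(service)

    def terminate(self, imsi, service):
        self.billing.get(imsi, set()).discard(service)      # billing stops
        return "SERVICE_TERMINATED"

class WAAAServer:
    """Wireless AAA in the CN: challenge the SIM, hand passing users to the front end."""
    def __init__(self, subscribers, scm):
        self._subs, self._scm = subscribers, scm

    def authenticate(self, terminal):
        ki = self._subs.get(terminal.card.imsi)
        if ki is None:
            return "NETWORK_AUTH_FAILED"
        rand = secrets.token_bytes(16)
        if not hmac.compare_digest(sim_response(ki, rand), terminal.card.answer_challenge(rand)):
            return "NETWORK_AUTH_FAILED"
        return self._scm.system_auth(terminal.card.imsi)   # authentication interaction interface

class Terminal:
    def __init__(self, card):
        self.card, self.online = card, False

    def power_on(self, waaa):
        result = waaa.authenticate(self)
        self.online = result == "ACCESS_GRANTED"
        return result

    def request_service(self, scm, service, scrambled):
        if not self.online:
            return "NOT_AUTHENTICATED", None
        status, cw = scm.authorize(self.card.imsi, service)  # SGSN/GGSN/Gi path in the patent
        return status, (scramble(cw, scrambled) if cw else None)

def run_demo():
    ki = {n: secrets.token_bytes(16) for n in ("alice", "bob", "mallory")}
    scm = ServiceControlModule({"imsi-alice": {"balance": 10.0, "entitled": {"sports"}},
                                "imsi-bob": {"balance": 0.0, "entitled": {"sports"}}})
    waaa = WAAAServer({"imsi-alice": ki["alice"], "imsi-bob": ki["bob"]}, scm)  # mallory unknown
    programme = b"constructed transport-stream payload for the sports channel"
    on_air = scramble(scm.control_word("sports"), programme)   # front-end scrambler output
    alice, bob, mallory = (Terminal(SmartCard("imsi-" + n, ki[n])) for n in ki)
    out = {"alice_boot": alice.power_on(waaa)}
    status, clear = alice.request_service(scm, "sports", on_air)
    out["alice_sports"] = (status, clear == programme)
    out["alice_news"] = alice.request_service(scm, "news", on_air)[0]
    out["billing_during"] = "sports" in scm.billing["imsi-alice"]
    scm.terminate("imsi-alice", "sports")
    out["billing_after"] = "sports" in scm.billing["imsi-alice"]
    out["bob_boot"] = bob.power_on(waaa)            # network accepts, balance is zero
    out["mallory_boot"] = mallory.power_on(waaa)    # unknown to the network
    return out
```

Running `run_demo()` shows the property the patent is after: the subscriber secret stays on the card, a terminal the network does not recognise is rejected before the front end ever sees it, a terminal the network recognises but whose account the front end rejects never goes online, and the control word is only released together with the start of billing and withdrawn together with its end. The toy keeps one static control word per service; a deployment would rotate control words, which the patent text does not discuss.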

It can be seen from the above embodiment that this secure access method for a digital broadcast television network overcomes the weakness of the original CA (conditional access) system, whose security rests entirely on key encryption and is therefore poor, while keeping the system structure simple and easy to implement. The core of the encryption mechanism in the present invention lies in authentication and authorization at the front end, which remain under the operator's control; this resolves the problem that, in the existing CA system, the core of the encryption mechanism is the key held in the terminal, which the operator cannot control.

Claims (17)

1. A secure access method for a digital broadcast television system, characterized in that the method comprises the following steps:
1) providing a service management control unit in the front-end part of the digital broadcast television system and an interactive service processing unit in the terminal part of the digital broadcast television network system, connecting the service management control unit to an interactive network and connecting the interactive service processing unit to the interactive network, thereby establishing an interactive digital broadcast television system;
2) when the terminal part is powered on, the interactive service processing unit initiates interactive network access authentication towards the interactive network; the interactive network uses its own user access protocol to perform user access interactive network authentication on the terminal part and sends the user information of users that pass this authentication to the service management control unit of the front-end part;
3) the service management control unit, based on the received user information, performs user access system authentication on the terminal part that has passed user access interactive network authentication, and admits the terminal part that passes user access system authentication to the digital broadcast television system.

2. The secure access method according to claim 1, characterized in that the user access system authentication of step 3) is carried out by the service management control unit comparing the received user information with the user information it stores itself.

3. The secure access method according to claim 1, characterized in that the method further comprises: after user access system authentication has succeeded, before a service starts or before a service switch, the terminal part sends its own user information and service management information through the interactive network to the service management control unit of the front-end part; the service management control unit performs user service authorization authentication on the basis of that user information and service management information and returns the authentication result to the terminal part through the interactive network; and the terminal part obtains the service information according to the authentication result.

4. The secure access method according to claim 3, characterized in that the interactive network is a wireless interactive network, including: a Global System for Mobile Communications (GSM) network, a General Packet Radio Service (GPRS) network, a Wideband Code Division Multiple Access (WCDMA) wireless communication network, a CDMA2000 wireless communication network, or a Mobile Broadband Wireless Access (MBWA) network.

5. The secure access method according to claim 1 or 4, characterized in that step 1) further comprises: arranging the service management control unit as a service management module and a service control module connected to each other, connecting the service control module to the system's existing multiplexer, connecting the service control module to the interactive network through an authentication interaction interface, and connecting the service management module to the interactive network through a service interface.

6. The secure access method according to claim 5, characterized in that, when the interactive network is a WCDMA network, step 2) is: the terminal part first reads the user information from the smart card system, then establishes a connection with the interactive network and performs user registration; at the same time the core network CN of the interactive network sends an authentication request message to the smart card system through the interactive service processing unit in the terminal part; the smart card system performs the authentication computation on that message and sends the authentication result back to the CN through the interactive service processing unit; the CN performs interactive network access authentication on the user of the terminal part according to that result, sends the user information of users that pass interactive network access authentication to the service control module of the front-end part through the authentication interaction interface, and returns the user information of users that fail interactive network access authentication to the interactive service processing unit of the terminal part.

7. The secure access method according to claim 6, characterized in that step 2) is performed by the AAA authentication server in the CN according to the wireless AAA authentication protocol of the interactive network itself.

8. The secure access method according to claim 6, characterized in that step 2) further comprises: when the terminal part is powered on, the interactive service processing unit sends the user's personal identification number PIN received by the smart card system to the interactive network, and the interactive network verifies that number.

9. The secure access method according to claim 3, characterized in that:
step 1) further comprises: arranging the service management control unit as a service management module and a service control module connected to each other, connecting the service control module to the system's existing multiplexer, connecting the service control module to the interactive network through an authentication interaction interface, and connecting the service management module to the interactive network through a service interface;
and, when the interactive network is a WCDMA network, the specific process of the user service authorization authentication is: the terminal part sends the user information and the service request information through the interactive service processing unit to the Serving GPRS Support Node SGSN of the CN in the interactive network; the SGSN forwards the information to the Gateway GPRS Support Node GGSN; after routing by the GGSN, the service interface delivers the information to the service management module of the front-end part; the service management module completes the real-time service switch according to the service request information, while the service control module decides from the service request information and the user information whether the user is entitled to the service; if so, the authorization confirmation is returned to the terminal part via the service management module, the service interface and the interactive network; otherwise a service-not-executed message is returned to the terminal part.

10. The secure access method according to claim 9, characterized in that the authorization information returned to the terminal part is the service control word produced by the control word generator, and the terminal part descrambles the requested service in the descrambler according to the received service control word to obtain the corresponding service.

11. The secure access method according to claim 9, characterized in that the user service authorization authentication process further comprises: the service control module starts billing the user of the terminal part at the same time as it returns the authorization confirmation to the terminal part.

12. A secure access device for a digital broadcast television system, applied to an interactive digital broadcast television network, the device comprising a front-end part and a terminal part, the front-end part comprising a multiplexer, a scrambler and a control word generator, the multiplexer being connected to the scrambler and the scrambler being connected to the broadcast network, the terminal part comprising a demultiplexer and a descrambler, the demultiplexer being connected to the descrambler and the descrambler being connected to the broadcast network; characterized in that:
the front-end part further comprises a service management control unit for performing user access system authentication on user information received from the interactive network that has passed interactive network access authentication, and for returning the authentication result to the terminal part through the interactive network; wherein the control word generator is connected between the scrambler and the interactive network, and the service management control unit is connected between the multiplexer and the interactive network;
the terminal part further comprises an interactive service processing unit for sending the user information read from a smart card system to the interactive network for interactive network access authentication, and for receiving from the interactive network the interactive network access authentication result and the user access system authentication result; wherein the interactive service processing unit is connected between the descrambler and the interactive network, is connected to the demultiplexer, and is connected to a smart card system.

13. The secure access device according to claim 12, characterized in that the service management control unit further comprises a service management module and a service control module; the service control module receives, through the authentication interaction interface, user information sent from the interactive network that has passed interactive network access authentication, performs user access system authentication on the basis of that user information, and returns the authentication result to the terminal part through the authentication interaction interface and the interactive network; wherein the service management module and the service control module are connected to each other, the service control module is connected to the multiplexer and to the interactive network through the authentication interaction interface, and the service management module is connected to the interactive network through the service interface.

14. A secure access front-end device for a digital broadcast television system, applied to an interactive digital broadcast television network, the device comprising a multiplexer, a scrambler and a control word generator, the multiplexer being connected to the scrambler and the scrambler being connected to the broadcast network, characterized in that:
the device further comprises a service management control unit for performing user access system authentication on user information received from the interactive network that has passed interactive network access authentication, and for sending the authentication result out through the interactive network; wherein the control word generator is connected between the scrambler and the interactive network, and the service management control unit is connected between the multiplexer and the interactive network.

15. The secure access front-end device according to claim 14, characterized in that the service management control unit further comprises a service management module and a service control module; the service control module receives, through the authentication interaction interface, user information sent from the interactive network that has passed interactive network access authentication, performs user access system authentication on the basis of that user information, and sends the authentication result out through the authentication interaction interface; wherein the service management module and the service control module are connected to each other, the service control module is connected to the multiplexer and to the interactive network through the authentication interaction interface, and the service management module is connected to the interactive network through the service interface.

16. A secure access terminal device for a digital broadcast television system, applied to an interactive digital broadcast television network, the device comprising a demultiplexer and a descrambler, the demultiplexer being connected to the descrambler and the descrambler being connected to the broadcast network, characterized in that:
the device further comprises an interactive service processing unit for sending the user information read from a smart card system to the interactive network for interactive network access authentication, and for receiving from the interactive network the interactive network access authentication result and the user access system authentication result; wherein the interactive service processing unit is connected between the descrambler and the interactive network, is connected to the demultiplexer, and is connected to a smart card system.

17. The secure access terminal device according to claim 16, characterized in that the smart card system is a SIM card system.
CNB031192238A 2003-03-05 2003-03-05 Safe access method and device for digital broadcast television network Expired - Fee Related CN1315324C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031192238A CN1315324C (en) 2003-03-05 2003-03-05 Safe access method and device for digital broadcast television network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB031192238A CN1315324C (en) 2003-03-05 2003-03-05 Safe access method and device for digital broadcast television network

Publications (2)

Publication Number Publication Date
CN1527600A CN1527600A (en) 2004-09-08
CN1315324C true CN1315324C (en) 2007-05-09

Family

ID=34285021

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031192238A Expired - Fee Related CN1315324C (en) 2003-03-05 2003-03-05 Safe access method and device for digital broadcast television network

Country Status (1)

Country Link
CN (1) CN1315324C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009039692A1 (en) * 2007-09-26 2009-04-02 Zte Corporation A method and system for encrypting a program stream key in the mobile multimedia broadcast service

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100383695C (en) * 2005-05-11 2008-04-23 联想(北京)有限公司 Safety turn-on method in visual range
EP1895770A1 (en) * 2006-09-04 2008-03-05 Nokia Siemens Networks Gmbh & Co. Kg Personalizing any TV gateway
CN101399960B (en) * 2007-09-25 2010-12-01 中兴通讯股份有限公司 Program stream key encryption method and system in broadcast type mobile television service
CN101848049A (en) * 2010-03-18 2010-09-29 鸿富锦精密工业(深圳)有限公司 Information service system based on digital broadcasting
CN102075524B (en) * 2010-12-28 2013-04-17 广东楚天龙智能卡有限公司 Method for developing digital media interactive service through intelligent card
CN103024474B (en) * 2012-11-30 2018-05-04 北京视博数字电视科技有限公司 Broadcast television content receives safely system, method and the gateway device with distribution

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1159272A (en) * 1994-07-25 1997-09-10 麦克罗维西恩公司 Method and device for comprehensive copy protection of video platforms and unprotected source materials
GB2334361A (en) * 1997-09-29 1999-08-18 Nds Ltd A portable subscriber unit for controlling access to television transmissions via wireless communication
US5946322A (en) * 1995-04-21 1999-08-31 Hybrid Networks, Inc. Hybrid access system utilizing credit/done polling protocols
CN1391376A (en) * 2001-06-11 2003-01-15 伊斯曼柯达公司 Electronic content accession via network by hybrid disc for verification

Also Published As

Publication number Publication date
CN1527600A (en) 2004-09-08

Similar Documents

Publication Publication Date Title
CN101076109A (en) Two-way CA system of digital TV-set and method for ordering and cancelling programm based on it
CN100562098C (en) Digital television conditional access system and handling process thereof
FR2894757A1 (en) METHOD FOR CONTROLLING ACCESS TO A RUBBER CONTENT
JP4847145B2 (en) Method for managing consumption of digital content in a client domain and apparatus embodying the method
CN101951318B (en) Bidirectional mobile streaming media digital copyright protection method and system
CN1780361A (en) Unit for managing audio/video data and access control method for said data
CN100442839C (en) An information transmission method and device for an interactive digital broadcast television system
CN1643924A (en) Smart card mating protocol
US20070204290A1 (en) Method for Protecting Contents of Broadband Video/Audio Broadcast
US20110213976A1 (en) Method for downloading conditional access system for digital broadcasting
CN1933393A (en) Inter-entity coupling method, apparatus and system for content protection
CN100344160C (en) Method for realizing acquisition of user on-line information
US12095910B2 (en) System for thin client devices in hybrid edge cloud systems
CN100502496C (en) A digital TV user authentication system based on mobile equipment
CN1315324C (en) Safe access method and device for digital broadcast television network
CN109873818A (en) Method and system for preventing illegal access to server
CN103237011A (en) Digital-content encryption transmission method and server side
CN100551034C (en) A kind of mobile multi-media service implementation method and condition receiving system
WO2006012788A1 (en) Subscriber authorizing method and authorizing system
CN1228980C (en) Method for storing encrypted data
CN1668101A (en) A Conditional Access System Converging Internet and CATV Network Environment
US20120051540A1 (en) Conditional access system and method of using conditional access image
CN1867066A (en) Digital television program broadcasting system and method
CN1174620C (en) Impulse pay-per-use method and system for data and multimedia services
CN103747300B (en) A kind of condition receiving system for supporting mobile terminal

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20070509
    Termination date: 20200305