[go: up one dir, main page]

CN1914679A - Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium - Google Patents

Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium Download PDF

Info

Publication number
CN1914679A
CN1914679A CNA2005800040116A CN200580004011A CN1914679A CN 1914679 A CN1914679 A CN 1914679A CN A2005800040116 A CNA2005800040116 A CN A2005800040116A CN 200580004011 A CN200580004011 A CN 200580004011A CN 1914679 A CN1914679 A CN 1914679A
Authority
CN
China
Prior art keywords
user
key
identifier
network
key table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2005800040116A
Other languages
Chinese (zh)
Inventor
D·P·凯利
S·B·卢特鲁斯
W·F·J·方蒂恩
F·L·A·J·坎帕曼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics NV filed Critical Koninklijke Philips Electronics NV
Publication of CN1914679A publication Critical patent/CN1914679A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11BINFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25866Management of end-user data
    • H04N21/25875Management of end-user data involving end-user authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/414Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance
    • H04N21/41407Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance embedded in a portable device, e.g. video client on a mobile phone, PDA, laptop

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Graphics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a device and a method for authorizing a user to get access to content stored in encrypted form on a storage medium(10), said storage medium storing a machine-readable medium identifier(id) and at least one key table(KL) encrypted by use of a key table key(KLK) and storing at least one asset key(AK) for decrypting encrypted content(C). In order to allow a user to provide access to the content to other users in a simple but secure way, a device is proposed comprising: - a connection means(6) for connecting said device to a network(3), - a drive(5) for accessing said storage medium(10), in particular for reading content(C) and said medium identifier(id) from said storage medium(l0), and - a transmitter(7) for transmitting said medium identifier(id) and a user identifier(ui) of a user, who shall be authorized to get access to said content(C) and who is identified to said network(3) by said user indentifier(ui), to an authentication unit(AuC) within said network(3), said medium identifier(id) and said user identifier(ui) being used by said authentication unit(AuC) for generating a key table key(KLK) for said user enabling said user to decrypt at least one predetermined key table(KL).

Description

授权用户获得对以加密形式存储在存储介质上的 内容的访问权的设备和方法Apparatus and method for an authorized user to gain access to content stored in encrypted form on a storage medium

本发明涉及一种用于授权用户获得对以加密形式在存储介质上存储的内容的访问权的设备和对应的方法,所述存储介质存储一个机器可读的介质标识符和至少一个通过使用密钥表密钥加密的密钥表,并存储至少一个用于解密已加密的内容的资产密钥。本发明进一步涉及一种在其中应用所述方法的网络以及一种用于实现所述方法的计算机程序。The present invention relates to a device and corresponding method for authorizing a user to gain access to content stored in encrypted form on a storage medium storing a machine-readable medium identifier and at least one A keytab key-encrypted keytab and stores at least one asset key for decrypting encrypted content. The invention further relates to a network in which the method is applied and a computer program for implementing the method.

欧洲专利申请02078437.7(PHNL020775)描述了一种保护在存储介质上存储的内容不受非授权的访问的方法,所述存储介质是可连接到网络的便携式设备的驱动器可访问的。为了提供针对非授权访问的高水平的保护,网络的验证过程被用来生成一种加密密钥—以下称作资产密钥,以用于对在所述存储介质上存储的内容的加密和解密。特别地,该申请描述了这种方法在移动电话网络中的使用,在移动电话网络中,验证密钥被存储在移动电话使用的SIM卡中。因此,其主要构思是,存储介质含有一个独特的介质标识符,采用移动通信网络验证过程将这个介质标识符转换成实际的资产密钥。这个转换是由用户的SIM卡在移动电话网络中使用时执行的,因此,没有这个SIM卡,就不能读取存储介质的内容。这为用户保护他们的私人内容提供了一种简单而安全的方法,下文也将其称作SIM加密方法。European patent application 02078437.7 (PHNL020775) describes a method of protecting content stored on a storage medium accessible by a drive of a portable device connectable to a network against unauthorized access. In order to provide a high level of protection against unauthorized access, the authentication process of the network is used to generate an encryption key - hereinafter referred to as asset key, for the encryption and decryption of the content stored on the storage medium . In particular, the application describes the use of this method in mobile telephony networks where the authentication key is stored in the SIM card used by the mobile phone. Therefore, the main idea is that the storage medium contains a unique medium identifier, and the mobile communication network authentication process is used to convert this medium identifier into an actual asset key. This conversion is performed by the user's SIM card when used in the mobile phone network, therefore, without this SIM card, the content of the storage medium cannot be read. This provides a simple and secure method for users to protect their private content, hereafter also referred to as the SIM encryption method.

这个方法的一个缺点是,对内容的访问受限于单一用户,更具体来说,受限于单一用户的SIM卡。因此,本发明的一个目的是提供一种允许用户以简单又安全的方式向其他用户提供对内容的访问权的设备和方法。此外,还将使得能够从相同用户拥有的不同设备进行透明访问,例如从具有不同SIM卡的不同移动电话进行透明访问。也将提供一种对应的网络和用于实现所述方法的计算机程序。A disadvantage of this approach is that access to content is limited to a single user, and more specifically, to a single user's SIM card. It is therefore an object of the present invention to provide a device and method which allow a user to provide other users with access to content in a simple and secure manner. Furthermore, it will also enable transparent access from different devices owned by the same user, for example from different mobile phones with different SIM cards. A corresponding network and computer program for implementing the method will also be provided.

按照本发明,这个目的是通过如权利要求1所述的设备实现的,该设备包含:According to the invention, this object is achieved by a device as claimed in claim 1, which device comprises:

—连接装置,用于把所述设备连接到网络;- connecting means for connecting said device to a network;

—驱动器,用于访问所述存储介质,特别是用于从所述存储介质读取内容和所述介质标识符;和- a drive for accessing said storage medium, in particular for reading content and said medium identifier from said storage medium; and

—发送器,用于把所述介质标识符和一个用户的用户标识符发送到所述网络内的一个验证单元,该用户将被授权获得对所述内容的访问并且所述网络是通过所述用户标识符识别该用户的,所述介质标识符和所述用户标识符被所述验证单元用于为所述用户生成一个密钥表密钥,使所述用户能解密至少一个预定的密钥表。- a sender for sending said medium identifier and a user identifier of a user to an authentication unit within said network, the user will be authorized to gain access to said content and said network is via said a user identifier identifying the user, said medium identifier and said user identifier being used by said authentication unit to generate a keytab key for said user enabling said user to decrypt at least one predetermined key surface.

在权利要求9中定义了一个对应的方法。在权利要求11中定义了一个用于实现所述方法的计算机程序。在权利要求10中定义了一个其中应用本发明的网络,该网络包含:A corresponding method is defined in claim 9 . In claim 11 a computer program for implementing said method is defined. A network in which the invention is applied is defined in claim 10, the network comprising:

—第一用户设备,用于授权一个用户的第二用户设备获得对以加密形式在存储介质上存储的内容的访问权,所述存储介质存储一个机器可读的介质标识符和至少一个通过使用密钥表密钥加密的密钥表,并存储至少一个用于解密加密内容的资产密钥,所述第一用户设备包含:- a first user device for authorizing a second user device of a user to obtain access to content stored in encrypted form on a storage medium storing a machine-readable medium identifier and at least one A key table encrypted by a key table key and storing at least one asset key for decrypting encrypted content, the first user equipment includes:

—连接装置,用于把所述设备连接到网络;- connecting means for connecting said device to a network;

—驱动器,用于访问所述存储介质,特别是用于从所述存储介质读取内容和所述介质标识符;和- a drive for accessing said storage medium, in particular for reading content and said medium identifier from said storage medium; and

—发送器,用于把所述介质标识符和一个用户的用户标识符发送到所述网络内的一个验证单元,该用户将被授权获得对所述内容的访问并且所述网络是通过所述用户标识符识别该用户的;- a sender for sending said medium identifier and a user identifier of a user to an authentication unit within said network, the user will be authorized to gain access to said content and said network is via said a user identifier identifying the user;

—验证单元,包含:- Verification unit, comprising:

—接收器,用于接收所述介质标识符和所述用户标识符;- a receiver for receiving said medium identifier and said user identifier;

—密钥生成装置,用于用所述介质标识符和所述用户标识符为所述用户生成一个密钥表密钥,所述密钥表密钥使所述用户能解密所述至少一个密钥表;和- key generating means for generating a key table key for said user using said medium identifier and said user identifier, said key table key enabling said user to decrypt said at least one encryption key table; and

—发送器,用于把所述密钥表密钥发送给所述第一和/或所述第二用户设备;和- a sender for sending said key table key to said first and/or said second user equipment; and

—将被授权获得对以加密形式在存储介质上存储的内容的访问权的用户的第二用户设备,包含:- A second user device of a user to be authorized to gain access to content stored in encrypted form on a storage medium, comprising:

—连接装置,用于把所述设备连接到所述网络;- connecting means for connecting said device to said network;

—接收器,用于从所述验证单元或从所述第一用户设备接收所述密钥表密钥;- a receiver for receiving said keytab key from said verification unit or from said first user equipment;

—驱动器,用于访问所述存储介质,特别是用于从所述存储介质读取内容,并用所接收的密钥表密钥解密至少一个预定的密钥表。- A drive for accessing said storage medium, in particular for reading content from said storage medium, and decrypting at least one predetermined keytab with the received keytab key.

本发明所根据的构思是,用一个网络的验证过程,使一个对在存储介质上存储的内容有访问权的用户能授权其他用户获得对相同内容的访问权。通过使用介质标识符和将被授权的用户的用户标识符,网络的验证单元生成并提供一个密钥表密钥。这个密钥表密钥然后能被要被授权的用户用来解密为这个“新”用户提供的一个被分配的和预定的密钥表,在这个密钥表中,存储着一个用于对用户将获得访问权的内容解密的资产密钥。这样,就能将“新”用户添加到授权列表中,而无需他们的直接介入。这个方法简单易行,却又提供了高水平的安全性,这是因为使用网络的非常安全的验证过程来生成密钥表密钥,以允许访问密钥表、进而允许访问用于解密内容的资产密钥。The invention is based on the idea that, using a network authentication process, a user who has access to content stored on a storage medium can authorize other users to gain access to the same content. Using the medium identifier and the user identifier of the user to be authorized, the authentication unit of the network generates and provides a keytab key. This key table key can then be used by the user to be authorized to decrypt an assigned and predetermined key table provided for the "new" user, in which is stored a The asset key to decrypt the content to which access is granted. This way, "new" users can be added to the authorized list without their direct intervention. This method is simple to implement yet provides a high level of security because the keytab keys are generated using the network's very secure authentication process to allow access to the keytab and thus to the keys used to decrypt the content. asset key.

按照本发明所提出的网络,最好是诸如GSM或UMTS网络的通信网络,包含至少两个用户设备和一个用于在用户连接到网络时验证用户的验证单元,所述用户设备可以都属于相同的用户,或者可以分属不同的用户。用于验证用户的验证过程非常安全,是因为如果破坏了移动通信网络中的验证算法,就会使得用户能够打由其它用户付费的电话。因此,这样一个验证算法的保护水平是非常高的,当用该验证算法来生成按照本发明建议的密钥表密钥时,该算法被认为足以保护用户的数据。此外,所述验证单元也被用于生成如上述欧洲专利申请02 078 437.7(PHNL020775)中所述的资产密钥。在此引入该文件中对这个方法的描述,以作参考。The proposed network according to the invention, preferably a communication network such as a GSM or UMTS network, comprises at least two user equipments, which may all belong to the same users, or can belong to different users. The authentication process used to authenticate the user is very secure because breaking the authentication algorithm in the mobile communication network will allow the user to make calls paid by other users. Therefore, the protection level of such an authentication algorithm is very high, which is considered sufficient to protect the user's data when it is used to generate the keytab keys proposed according to the present invention. Furthermore, said verification unit is also used to generate an asset key as described in the above-mentioned European patent application 02 078 437.7 (PHNL020775). The description of this method in that document is incorporated herein by reference.

本发明的优选实施例在从属权利要求中限定。按照一个实施例,该设备进一步包含一个用于从网络为要被授权的用户接收密钥表密钥的接收器,和可用于把所接收的密钥表密钥发送到所述用户的发送器。因此,想授权另一个用户拥有对内容的访问权的用户与网络通信以便获得所述另一个用户的新的密钥表密钥,然后该用户接收到所述密钥表密钥并且将其例如通过SMS或任何其它的电子消息的形式转发给所述另一个用户。因而在生成新密钥表密钥的过程中不涉及所述要被授权的用户。Preferred embodiments of the invention are defined in the dependent claims. According to one embodiment, the device further comprises a receiver for receiving a keytab key from the network for a user to be authorized, and a transmitter operable to send the received keytab key to said user . Thus, a user who wants to authorize another user to have access to content communicates with the network to obtain a new keytab key for the other user, which user then receives the keytab key and converts it, e.g. forwarded to said other user by SMS or any other form of electronic message. The user to be authorized is thus not involved in the generation of the new keytab key.

按照另一个实施例,也可以直接从网络向要被授权的用户提供新的密钥表密钥。为标识这个用户,网络可以使用已经由第一用户连同一个介质标识符一起向验证单元提供的用于生成密钥表密钥的用户标识符。According to another embodiment, the user to be authorized can also be provided with a new keytab key directly from the network. To identify this user, the network may use the user identifier for generating the keytab key that has been provided by the first user to the authentication unit together with a medium identifier.

按照另一个实施例,存储装置不但存储一个单一密钥表,而且存储多个密钥表,例如每个用户一个密钥表。此外,可以向每个密钥表分配一个用户检查标识符,该设备在解密之前先检查用户检查标识符,以发现分配给所述用户的正确的密钥表。这就避免了要解密多个(甚至全部的)密钥表才能为用户找到正确的密钥表。用户检查标识符例如可以与向网络标识用户的用户标识符相同,例如,如在另一个从属权利要求中所述的那样,在应用于移动通信网络中时,用户检查标识符是所述用户的国际移动用户身份(IMSI)或电话号码。According to another embodiment, the storage means not only store a single key table, but also store multiple key tables, eg one key table for each user. Furthermore, each key table may be assigned a user check identifier which the device checks prior to decryption to find the correct key table assigned to said user. This avoids having to decrypt multiple (or even all) keytabs to find the correct keytab for the user. The user check identifier may for example be the same as the user identifier which identifies the user to the network, e.g. when applied in a mobile communication network, the user check identifier is said user's International Mobile Subscriber Identity (IMSI) or phone number.

如果需要隐藏用户的身份,也可以(例如以非常简单的方式通过与用户的密钥表密钥的XOR函数)对这个用户检查标识符加密。这又意味着这个加密的用户检查标识符需要被解密,特别是为多个或全部的表解密。然而,这个操作非常简单,并且不太费时。由于每个用户检查标识符被用不同的密钥(不同用户的密钥表密钥)加密,要确定潜在的用户检查标识符并不容易,因此即使连例如使用符号XOR函数这样一个简单算法,也是足够安全的。If it is necessary to hide the user's identity, this user check identifier can also be encrypted (for example in a very simple manner by an XOR function with the user's keytab key). This in turn means that this encrypted user check identifier needs to be decrypted, especially for multiple or all tables. However, this operation is very simple and not too time-consuming. Since each user check identifier is encrypted with a different key (a different user's keytab key), it is not easy to identify potential user check identifiers, so even with a simple algorithm such as using the symbolic XOR function, It is also safe enough.

为了察看正确的密钥表是否已经被解密并且解密是否正确地执行,每个密钥表可进一步含有一个按照本发明提出的解密检查标识符。为了所述检查,可以在用户设备中提供一个适当的解密检查装置。此外,可以提供一些随机生成的填充字段,以便使黑客攻击更加困难。在一个优选实施例中,用户检查标识符也被用作解密检查标识符,例如,一次在外部不加密的,以便鉴别所述用户属于该密钥表,以及两次在密钥表内部(即加密的),以检查解密是否正确。In order to see whether the correct key table has been decrypted and whether the decryption was performed correctly, each key table may further contain a decryption check identifier proposed according to the invention. For said checking, a suitable decryption checking device can be provided in the user equipment. Additionally, some randomly generated padding fields can be provided to make hacking more difficult. In a preferred embodiment, the user check identifier is also used as the decryption check identifier, e.g. once externally unencrypted to authenticate that the user belongs to the keytab, and twice inside the keytab (i.e. encrypted) to check that the decryption was correct.

在一个简单实施例中,在存储介质上只提供一个密钥表,并且想要授权第二用户的第一个用户将其自己的密钥表密钥提供给第二用户,使他能解密相同的密钥表。或者,可以在存储介质上为每个用户提供一个单独的密钥表,每个都被不同的密钥表密钥加密过。为了生成这样的密钥表,按照另一个实施例提供适当的密钥表生成装置。第一用户因此用一个密钥表密钥来加密资产密钥(该资产密钥允许对其他用户将获得访问权的内容进行解密),并因此生成一个密钥表,密钥表然后被所述访问装置存储在存储介质上。In a simple embodiment, only one keytab is provided on the storage medium, and a first user who wants to authorize a second user provides his own keytab key to the second user, enabling him to decrypt the same key table. Alternatively, each user may be provided with a separate keytab on the storage medium, each encrypted with a different keytab key. In order to generate such a key table, suitable key table generating means are provided according to another embodiment. The first user thus encrypts the asset key (which allows the decryption of content to which other users will gain access) with a keytab key and thus generates a keytab which is then used by said The access means are stored on a storage medium.

因此,按照本发明的一个优选的方面,每一项内容都以其自己的资产密钥加密,资产密钥可以是任何随机的密钥;这些资产密钥被存储在一个密钥表中。第一用户用已知的SIM加密方法(例如用他的SIM卡)来获得他的密钥表密钥,这是被用来加密密钥表的密钥。被加密的资产密钥和密钥表被存储在介质上。如果第一用户希望访问资产密钥,他需要再次使用SIM加密方法来获得他的密钥表密钥。其他用户用SIM加密方法获得其它密钥,这是因为他们的SIM是不同的。如果第一用户希望第二用户能访问内容,则第一用户用第二用户的SIM衍生的密钥(SIM derived key)中的资产密钥来加密密钥表。现在,在介质上存储了第二个加密的密钥表,而不是SIM衍生的密钥本身。Therefore, according to a preferred aspect of the present invention, each item of content is encrypted with its own asset key, which can be any random key; these asset keys are stored in a key table. The first user obtains his keytab key with known SIM encryption methods (eg with his SIM card), which is the key used to encrypt the keytab. Encrypted asset keys and keytabs are stored on media. If the first user wishes to access the asset key, he needs to use the SIM encryption method again to obtain his keytab key. Other users obtain other keys with SIM encryption because their SIMs are different. If the first user wants the second user to have access to the content, the first user encrypts the key table with the asset key in the second user's SIM derived key (SIM derived key). A second encrypted keytab is now stored on the media instead of the SIM-derived key itself.

优选地,如上所述,本发明应用于移动通信网络,并且用户设备是移动电话。然后采用用于向网络验证移动通信设备的验证算法来生成密钥表密钥,并且优选也生成资产密钥(实际上任何随机密钥都行)。Preferably, as described above, the invention is applied to a mobile communication network and the user equipment is a mobile phone. The authentication algorithm used to authenticate the mobile communication device to the network is then employed to generate a keytab key and preferably an asset key (actually any random key will do) as well.

当网络是移动通信网络时,要被授权的用户的归属位置寄存器(HLR-home location register)的验证单元,被用于为所述用户生成密钥表密钥,以便向验证单元传送介质标识符和用户标识符。而且为了把所生成的密钥表密钥传送到用户设备也可以实施一个安全通道。优选地,也以与生成密钥表密钥类似的方式用验证过程来为该安全通道生成密钥。When the network is a mobile communication network, the authentication unit of the home location register (HLR-home location register) of the user to be authorized is used to generate a key table key for said user in order to transmit the medium identifier to the authentication unit and user identifier. Also a secure channel may be implemented for transferring the generated keytab keys to the user equipment. Preferably, an authentication process is also used to generate keys for the secure channel in a similar manner to the generation of keytab keys.

移动网络运营者最好也以一种服务的形式提供上述过程。也可以以网络对待漫游用户的相同方式,授权来自不同网络的用户。此外,通过提供这个服务、但不支持来自其它网络的用户,该网络也能鼓励不同网络的用户预订这个网络。Preferably, the mobile network operator also provides the above process in the form of a service. Users from different networks can also be authorized in the same way that the network treats roaming users. Furthermore, by providing this service but not supporting users from other networks, the network can also encourage users of different networks to subscribe to this network.

附图说明Description of drawings

现在将参照以下附图更详细地解释本发明:The invention will now be explained in more detail with reference to the following drawings:

图1表示按照本发明的一个记录载体的实施例;Figure 1 shows an embodiment of a record carrier according to the invention;

图2表示按照本发明的一个网络的实施例;Figure 2 shows an embodiment of a network according to the invention;

图3表示按照本发明的方法的流程图;Figure 3 represents a flow chart of the method according to the invention;

图4表示按照本发明的一个用户设备的实施例。Figure 4 shows an embodiment of a user equipment according to the invention.

具体实施方式Detailed ways

图1表示按照本发明的一个存储介质10并表示在这样的记录载体上存储了什么。为了以下的说明,假设一个第一用户设备的特定用户能访问以加密的形式存储在记录载体10上的内容,记录载体例如是光学记录载体,诸如CD、DVD或BD,所述记录载体是用户设备可读的,用户设备例如可以是具有一个用于访问记录载体10的驱动器的便携式移动电话。进一步假设,记录载体10除了存储加密的内容外,还存储机器可读的介质标识符id和至少一个密钥表KL,密钥表KL通过使用密钥表密钥KLK而被加密,并且存储至少一个资产密钥AK。所述资产密钥AK已经被用于加密内容C,因此是用户解密加密的内容C所需。Figure 1 shows a storage medium 10 according to the invention and shows what is stored on such a record carrier. For the purposes of the following description it is assumed that a particular user of a first user device has access to content stored in encrypted form on a record carrier 10, for example an optical record carrier such as a CD, DVD or BD, which is a user Device readable, the user device may for example be a portable mobile phone having a drive for accessing the record carrier 10 . It is further assumed that the record carrier 10 stores, in addition to storing encrypted content, a machine-readable medium identifier id and at least one key table KL which is encrypted using a key table key KLK and which stores at least An asset key AK. The asset key AK has been used to encrypt the content C and is therefore required for the user to decrypt the encrypted content C.

也可以有多于一个的密钥表KL被存储在记录载体10上,特别地,每个单独用户有一个密钥表KL,并且每个密钥表KL可以被不同的密钥表密钥KLK加密。此外,每个密钥表KL可以存储多于一个的资产密钥AK,用于解密在记录载体10上存储的内容C的不同部分。此外,可以向每个密钥表分配一个用于寻找正确的密钥表KL的用户检查标识符UC,以及/或者每个密钥表可以包含一个用于察看一个密钥表KL是否已经被正确地解密的解密检查标识符DC,这两种标识符将在下文做更详细的解释。It is also possible for more than one key table KL to be stored on the record carrier 10, in particular one key table KL for each individual user, and each key table KL can be stored by a different key table key KLK encryption. Furthermore, each key table KL may store more than one asset key AK for decrypting different parts of the content C stored on the record carrier 10 . Furthermore, each key table may be assigned a user check identifier UC for finding the correct key table KL, and/or each key table may contain a user check identifier UC for checking whether a key table KL has been corrected. The decryption check identifier DC which is deciphered directly, these two identifiers will be explained in more detail below.

图2表示按照本发明的一个网络的实施例,例示了本发明的一般用途。图3以流程图的形式表示按照本发明的方法的步骤。在图2中所示的网络中,作为一个例子显示了一个移动电话网络,特别是GSM网络3,在这里是两个移动电话的两个用户设备1、2可连接到该网络,并能通过网络互相通信以及与其他用户通信。移动电话1、2每个包含一个SIM卡读卡器4,用于读取SIM卡20。在SIM卡20上存储一个验证密钥,这是一个与GSM网络3的验证中心AuC共享的秘密密钥,用于在移动电话1、2连接到网络3时验证移动电话1、2。移动电话1、2进一步包含一个驱动器5,用于在可移动存储介质10上读取数据和/或存储数据,驱动器例如是小型光盘驱动器。用户设备1、2进一步包含用于连接到网络3的连接装置6,它包括一个用于发送数据的发送器7和一个用于接收数据的接收器8。Figure 2 shows an embodiment of a network according to the invention, illustrating the general utility of the invention. FIG. 3 shows the steps of the method according to the invention in the form of a flowchart. In the network shown in FIG. 2, a mobile telephone network, in particular a GSM network 3, is shown as an example, to which two user equipments 1, 2 of two mobile telephones can be connected here and can communicate via Networks communicate with each other and with other users. The mobile phones 1 , 2 each contain a SIM card reader 4 for reading a SIM card 20 . An authentication key is stored on the SIM card 20 , which is a secret key shared with the authentication center AuC of the GSM network 3 for authenticating the mobile phone 1 , 2 when it is connected to the network 3 . The mobile phone 1, 2 further comprises a drive 5 for reading data and/or storing data on a removable storage medium 10, for example a compact disc drive. The user equipment 1, 2 further comprises connection means 6 for connecting to the network 3, comprising a transmitter 7 for sending data and a receiver 8 for receiving data.

如上文提及的欧洲专利申请02 078 437.7(PHNL020775)中所述,移动通信网络验证过程被用来将记录载体10的独特标识符(例如在记录载体10上的特定区域中存储的序列号)转换成用于对在记录载体10上存储的内容C(或内容C的部分)加密的资产密钥AK。这个转换由SIM卡2执行,或者由验证中心AuC执行,因此,没有这个SIM卡,内容就不能被解密和读取。这为用户保护他们的私人内容提供了一种简单而安全的方法。如果用户现在希望允许其他用户访问他的内容或能透明地从他自己所有的其他设备进行访问,则执行以下过程。As described in the above-mentioned European patent application 02 078 437.7 (PHNL020775), the mobile communication network authentication process is used to assign a unique identifier of the record carrier 10 (such as a serial number stored in a specific area on the record carrier 10) into an asset key AK for encrypting the content C (or part of the content C) stored on the record carrier 10 . This conversion is performed by the SIM card 2, or by the authentication center AuC, so that the content cannot be decrypted and read without this SIM card. This provides an easy and secure way for users to protect their private content. If the user now wishes to allow other users to access his content or transparently from other devices he owns, follow the procedure below.

在第一步骤S1,从记录载体读取独特标识符id。然后(S2),将这个介质标识符id和将要被第一用户授权获得对第一用户的内容的特定部分的访问权的一个第二用户的用户标识符ui,发送到网络3的验证中心AuC。其中(S3),由一个密钥生成器31从该介质标识符id和用户标识符ui生成一个密钥表密钥KLK,例如在密钥表的形式为密钥锁(key lockers)的情况下,密钥表密钥KLK是个密钥锁密钥(key lockerkey)。然后,所生成的密钥表密钥KLK,可以被只发送回第一用户设备1(S4),或者既发送到第一用户设备1又发送到第二用户设备2(S8)。In a first step S1 a unique identifier id is read from the record carrier. Then (S2), this medium identifier id and the user identifier ui of a second user who will be authorized by the first user to gain access to a specific part of the first user's content are sent to the authentication center AuC of the network 3 . Wherein (S3), a key table key KLK is generated from the medium identifier id and the user identifier ui by a key generator 31, for example in the case of key table in the form of key locks (key lockers) , the key table key KLK is a key locker key (key lockerkey). Then, the generated key table key KLK can be sent back to the first user equipment 1 only (S4), or to both the first user equipment 1 and the second user equipment 2 (S8).

在第一种情况中,第一用户设备1现在通过使用所接收的密钥表密钥KLK为第二用户设备2生成一个密钥表KL2(S5),即要给予第二用户的、用于访问由所述密钥表密钥KLK加密的内容的资产密钥。然后第二用户2被授权获得该密钥表密钥KLK,用于解密来自第一用户的新生成的密钥表KL2(S6)。通过使用密钥表密钥KLK,他就能解密密钥表KL2,从其中读取资产密钥,并用资产密钥来解密内容。这样,用户2无需直接介入,就被加入到授权列表中。In the first case, the first user equipment 1 now generates a key table KL2 for the second user equipment 2 by using the received key table key KLK (S5), i.e. the key table to be given to the second user for Asset keys to access content encrypted by the keytab key KLK. The second user 2 is then authorized to obtain this key table key KLK for decrypting the newly generated key table KL2 from the first user (S6). By using the key table key KLK, he can decrypt the key table KL2, read the asset key from it, and use the asset key to decrypt the content. In this way, user 2 is added to the authorization list without direct intervention.

在第二种情况中,密钥表密钥KLK也直接被传递到第二用户(S8),第一用户设备1现在也通过使用所接收的密钥表密钥KLK为第二用户2生成一个密钥表KL2(S9)(与步骤S5相同)。但是,第二用户2之后立即就可以通过使用这个密钥表密钥KLK而直接地解密新的密钥表KL2(S10)。In the second case, the key table key KLK is also passed directly to the second user (S8), the first user device 1 now also generates a Key table KL2 (S9) (same as step S5). However, the second user 2 can directly decrypt the new key table KL2 immediately thereafter by using this key table key KLK (S10).

进一步的可能性是,一个第二用户具有一个他没有访问权的记录载体。但是它可以通过网络请有访问权的用户也给予他访问权。因此,第一用户可以通过网络将他的密钥表密钥提供给第二用户,由此授权第二用户通过使用相同的密钥表密钥而访问自己的密钥表。在这种情况中,只需要有一个单一的密钥表被存储在记录载体就够了,该记录载体由被第一用户1授权的所有用户使用。A further possibility is that a second user has a record carrier to which he has no access rights. But it can ask users who have access rights to give him access rights through the network. Thus, a first user may provide his keytab key to a second user over the network, thereby authorizing the second user to access his own keytab by using the same keytab key. In this case it is sufficient to have a single key table stored on the record carrier which is used by all users authorized by the first user 1 .

如上文所述的那样,每个密钥表KL优选还包含一个解密检查标识符DC(参看图1),用于指示对密钥表的解密工作是正确的。为了检查这个,用户设备包含一个解密检查单元9-如图4所示的用户设备1的实施例中所示的那样。此外,密钥表还可以包括一些随机生成的填充字段,以便给黑客攻击增加困难。当用户试图访问记录载体时,应当用SIM映射将独特标识符ui转换成一个资产密钥,这是一个用于解密一个密钥表的潜在密钥。用这个潜在密钥来解密在记录载体上出现的密钥表,产生一个实际的资产密钥。然而,如果用户不被授权,则他的SIM将生成一个密钥表密钥,然而这个密钥表密钥并不能正确地解密任何密钥表,这从解密检查标识符就能容易地看出。As mentioned above, each key table KL preferably also contains a decryption check identifier DC (cf. FIG. 1 ) for indicating that the decryption of the key table was correct. To check this, the user equipment comprises a decryption checking unit 9 - as shown in the embodiment of the user equipment 1 shown in Fig. 4 . In addition, the keytab can also include some randomly generated padding fields to make hacking more difficult. When a user tries to access the record carrier, SIM mapping should be used to convert the unique identifier ui into an asset key, which is a potential key for decrypting a key table. This latent key is used to decrypt the key table present on the record carrier, yielding an actual asset key. However, if the user is not authorized, his SIM will generate a keytab key, however this keytab key does not decrypt any keytab correctly, as can be easily seen from the decryption check identifier .

优选地,如上所述,密钥表是一个密钥锁,以便能为每个用户存储不同的权利,并且将某些内容对一些用户隐藏起来。密钥表也可以是都(对每个用户来说)位于一个密钥锁内。密钥锁密钥于是是记录载体上的一个隐藏密钥。Preferably, as mentioned above, the key table is a key lock to be able to store different rights for each user and to hide certain content from some users. The keytabs can also be all (for each user) in one key lock. The key lock key is then a hidden key on the record carrier.

此外,也如图4的实施例中所示,用户设备可以包括一个用户检查单元11,用于检查最好被存储在记录载体上并分配给每个密钥表的对应的用户检查标识符uc。该用户检查标识符uc被用来为一个用户寻找正确的密钥表,这样就能避免为了寻找正确的密钥表而对每个可获得的密钥表解密。例如,用户的SIM卡含有一个用来向移动网络标识用户的标识符,这在GSM中被称做国际移动用户身份(IMSI),它可以被利用。或者,可以使用用户的电话号码。此外,如果希望隐藏用户身份,也可以以非常简单的方式(例如与一个密钥的XOR(异或))对这个用户检查标识符uc加密。这意味着每个用户检查标识符需要再次通过较简单的XOR运算被解密。由于每个用户检查标识符优选地与一个不同的密钥进行异或运算(XORed),要确定潜在的用户检查标识符并不容易,因此这个方法可以足够安全地隐藏用户的身份。Furthermore, as also shown in the embodiment of Fig. 4, the user equipment may comprise a user checking unit 11 for checking a corresponding user checking identifier uc, preferably stored on the record carrier and assigned to each key table. . The user check identifier uc is used to find the correct key table for a user, thus avoiding the need to decrypt every available key table in order to find the correct key table. For example, the user's SIM card contains an identifier that identifies the user to the mobile network, known in GSM as the International Mobile Subscriber Identity (IMSI), which can be utilized. Alternatively, the user's phone number can be used. Furthermore, this user check identifier uc can also be encrypted in a very simple manner (eg XOR with a key) if it is desired to hide the user identity. This means that each user check identifier needs to be decrypted again by a simpler XOR operation. Since each user check identifier is preferably XORed with a different key, it is not easy to identify potential user check identifiers, so this method is sufficiently secure to hide the user's identity.

优选地,希望授权其他用户的用户也为每个新用户生成一个新密钥表。因此,在每个用户设备1中也提供一个密钥表生成单元12,如图4中所示的那样。Preferably, users wishing to authorize other users also generate a new keytab for each new user. Therefore, a key table generation unit 12 is also provided in each user equipment 1, as shown in FIG. 4 .

如上述欧洲专利申请02 078 437.7(PHNL020775)中所述的那样,创建内容的用户将被授权。向授权列表增加另外的用户,可以通过网络完成。因此,最好在用户设备与要被授权的用户的GSM中的网络(特别是归属位置寄存器HLR)之间提供安全的连接。同样,用户的电话号码或用户的IMSI都能被用作用户标识符。当然,也可使用把用户唯一性地向网络标识的其它用户标识符。Users who create content will be authorized as described in the aforementioned European Patent Application 02 078 437.7 (PHNL020775). Adding additional users to the authorized list can be done over the network. Therefore, preferably a secure connection is provided between the user equipment and the network in GSM of the user to be authorized, in particular the home location register HLR. Likewise, the user's phone number or the user's IMSI can be used as the user identifier. Of course, other user identifiers that uniquely identify the user to the network may also be used.

上述的验证过程,也能被用来以类似的方式为用户设备与网络之间的安全通道生成密钥。The authentication process described above can also be used to generate keys for the secure channel between the user equipment and the network in a similar manner.

移动网络运营者优选地也以一种服务的形式提供上述过程。也可以以网络对待漫游用户的相同方式,授权来自不同网络的用户。然而,通过提供这个服务、但不支持来自其它网络的用户,该网络也能鼓励当前用户的朋友或家人预订他们的网络。The mobile network operator preferably also provides the above procedure as a service. Users from different networks can also be authorized in the same way that the network treats roaming users. However, by offering this service but not supporting users from other networks, the network can also encourage friends or family of the current user to subscribe to their network.

本发明提供一种简单易行的方法,用于在获得对属于特定用户的内容的访问权的授权列表上增加另外的用户。在这个具有高度安全性的过程中使用了网络验证过程。The present invention provides a simple and easy method for adding additional users to the authorized list for gaining access to content belonging to a particular user. A web verification process is used in this highly secure process.

Claims (11)

1.用于授权用户获得对以加密形式在存储介质(10)上存储的内容的访问权的设备,所述存储介质存储一个机器可读的介质标识符(id)和至少一个通过使用密钥表密钥(KLK)加密的密钥表(KL),并存储至少一个用于解密加密内容(C)的资产密钥(AK),所述设备包含:1. A device for authorizing a user to gain access to content stored in encrypted form on a storage medium (10) storing a machine-readable medium identifier (id) and at least one pass-use key A key table (KL) encrypted by a table key (KLK) and storing at least one asset key (AK) for decrypting encrypted content (C), said device comprising: 连接装置(6),用于把所述设备连接到网络(3);connecting means (6) for connecting said device to a network (3); 驱动器(5),用于访问所述存储介质(10),特别是用于从所述存储介质(10)读取内容(C)和所述介质标识符(id);和a drive (5) for accessing said storage medium (10), in particular for reading content (C) and said medium identifier (id) from said storage medium (10); and 发送器(7),用于把所述介质标识符(id)和一个用户的用户标识符(ui)发送到所述网络(3)内的一个验证单元(AuC),该用户将被授权获得对所述内容(C)的访问权并且所述网络(3)通过所述用户标识符(ui)识别该用户,所述介质标识符(id)和所述用户标识符(ui)被所述验证单元(AuC)用于为所述用户生成一个密钥表密钥(KLK),以使所述用户能解密至少一个预定的密钥表(KL)。Transmitter (7) for sending said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3) that the user will be authorized to obtain access to said content (C) and said network (3) identifies the user by said user identifier (ui), said medium identifier (id) and said user identifier (ui) are identified by said The authentication unit (AuC) is used to generate a key table key (KLK) for the user, so that the user can decrypt at least one predetermined key table (KL). 2.权利要求1中所述的设备,进一步包含接收器(8),用于从所述网络(3)为所述用户接收所述密钥表密钥(KLK),并且其中,所述发送器(7)可用于把所述所接收的密钥表密钥(KLK)发送到所述用户。2. The device as claimed in claim 1, further comprising a receiver (8) for receiving said key table key (KLK) from said network (3) for said user, and wherein said sending A device (7) is operable to send said received keylist key (KLK) to said user. 3.权利要求1中所述的设备,其中,所述存储装置(10)存储多个密钥表(KL),特别是每个用户一个的密钥表,其中,向每个密钥表分配一个用户检查标识符(uc),并且,其中所述设备进一步包含一个用户检查装置(11),用于根据所述用户检查标识符(uc)检查哪个密钥表(KL)被分配给所述用户。3. The device as claimed in claim 1, wherein said storage means (10) store a plurality of key tables (KL), in particular one key table per user, wherein each key table is assigned a user check identifier (uc), and wherein said device further comprises a user check means (11) for checking which key table (KL) is assigned to said user. 4.权利要求1中所述的设备,其中所述至少一个密钥表(KL)进一步包含一个解密检查标识符(DC),并且,其中所述设备进一步包含一个解密检查装置(9),用于根据所述解密检查标识符(DC)检查是否一个密钥表(KL)已经被正确解密。4. The apparatus described in claim 1, wherein said at least one key table (KL) further comprises a decryption check identifier (DC), and, wherein said apparatus further comprises a decryption check means (9), with to check whether a key table (KL) has been correctly decrypted according to the decryption check identifier (DC). 5.权利要求1中所述的设备,进一步包含密钥表生成装置(12),用于通过用一个密钥表密钥(KLK)对一个或多个资产密钥(AK)加密而生成一个密钥表(KL),其中所述驱动器(5)可用于在所述存储介质(10)上存储所述密钥表(KL)。5. The apparatus described in claim 1, further comprising key table generating means (12) for generating a key table key (KLK) by encrypting one or more asset keys (AK) with a key table key (KLK) A key table (KL), wherein said drive (5) is operable to store said key table (KL) on said storage medium (10). 6.权利要求1中所述的设备,其中所述设备是移动通信设备,特别是移动电话,其中所述网络是移动通信网络,并且其中所述验证单元(AuC)用一个用于验证移动通信设备的验证算法来生成所述密钥表密钥(KLK)。6. The device as claimed in claim 1, wherein said device is a mobile communication device, in particular a mobile phone, wherein said network is a mobile communication network, and wherein said authentication unit (AuC) uses a The device's authentication algorithm to generate the keylist key (KLK). 7.权利要求6中所述的设备,其中所述用户标识符(id)是所述用户的国际移动用户身份或电话号码。7. The device as claimed in claim 6, wherein said user identifier (id) is an International Mobile Subscriber Identity or a telephone number of said user. 8.权利要求6中所述的设备,其中所述发送器(7)可用于利用所述网络(3)把所述介质标识符(id)和所述用户标识符(ui)发送到所述用户的归属位置寄存器的验证单元(Auc)。8. The device as claimed in claim 6, wherein said transmitter (7) is operable to transmit said medium identifier (id) and said user identifier (ui) to said Authentication unit (Auc) of the subscriber's home location register. 9.用于授权用户获得对以加密形式在存储介质(10)上存储的内容的访问权的方法,所述存储介质存储一个机器可读的介质标识符(id)和至少一个通过使用密钥表密钥(KLK)加密的密钥表(KL),并存储至少一个用于解密加密内容(C)的资产密钥(AK),所述方法包含以下步骤:9. Method for authorizing a user to gain access to content stored in encrypted form on a storage medium (10) storing a machine-readable medium identifier (id) and at least one pass-use key A key table (KL) encrypted by the table key (KLK), and storing at least one asset key (AK) for decrypting the encrypted content (C), the method includes the following steps: 把所述设备连接到网络(3);connecting said device to a network (3); 把所述介质标识符(id)和一个用户的用户标识符(ui)发送到所述网络(3)内的一个验证单元(AuC),该用户将被授权获得对所述内容(C)的访问权并且所述网络(3)通过所述用户标识符(ui)识别该用户,所述介质标识符(id)和所述用户标识符(ui)被所述验证单元(AuC)用于为所述用户生成一个密钥表密钥(KLK),以使所述用户能解密至少一个预定的密钥表(KL)。sending said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3), which user will be authorized to obtain access to said content (C) access rights and said network (3) identifies the user by said user identifier (ui), said medium identifier (id) and said user identifier (ui) are used by said authentication unit (AuC) for The user generates a key table key (KLK) to enable the user to decrypt at least one predetermined key table (KL). 10.一种网络,包含:10. A network comprising: -第一用户设备(1),用于授权一个用户的第二用户设备获得对以加密形式在存储介质(10)上存储的内容的访问权,所述存储介质存储一个机器可读的介质标识符(id)和至少一个通过使用密钥表密钥(KLK)加密的密钥表(KL),并存储至少一个用于解密加密内容(C)的资产密钥(AK),所述第一用户设备包含:- a first user device (1) for authorizing a second user device of a user to obtain access to content stored in encrypted form on a storage medium (10) storing a machine-readable medium identification identifier (id) and at least one key table (KL) encrypted by using a key table key (KLK), and store at least one asset key (AK) for decrypting encrypted content (C), the first User equipment includes: —连接装置(6),用于把所述设备连接到网络(3);- connecting means (6) for connecting said device to a network (3); —驱动器(5),用于访问所述存储介质(10),特别是用于从所述存储介质(10)读取内容(C)和所述介质标识符(id);和- a drive (5) for accessing said storage medium (10), in particular for reading content (C) and said medium identifier (id) from said storage medium (10); and —发送器(7),用于把所述介质标识符(id)和一个用户的用户标识符(ui)发送到所述网络(3)内的一个验证单元(AuC),该用户将被授权获得对所述内容(c)的访问权并且所述网络(3)通过所述用户标识符(ui)识别该用户;- sender (7) for sending said medium identifier (id) and a user identifier (ui) of a user to an authentication unit (AuC) within said network (3), the user to be authorized gaining access to said content (c) and said network (3) identifying the user by said user identifier (ui); —验证单元(AuC),包含:- Authentication Unit (AuC), consisting of: —接收器(30),用于接收所述介质标识符(id)和所述用户标识符(ui);- a receiver (30) for receiving said medium identifier (id) and said user identifier (ui); —密钥生成装置(31),用于用所述介质标识符(id)和所述用户标识符(ui)为所述用户生成一个密钥表密钥,所述密钥表密钥使所述用户能解密所述至少一个密钥表;和- Key generating means (31) for generating a key table key for said user with said medium identifier (id) and said user identifier (ui), said key table key enabling all said user can decrypt said at least one key table; and —发送器(32),用于把所述密钥表密钥发送给所述第一和/或所述第二用户设备;和- a sender (32) for sending said key table key to said first and/or said second user equipment; and —将被授权获得对以加密形式在存储介质上存储的内容的访问权的用户的第二用户设备(2),包含:- A second user device (2) of a user who will be authorized to gain access to content stored on the storage medium in encrypted form, comprising: —连接装置(6),用于把所述设备连接到所述网络;- connecting means (6) for connecting said device to said network; —接收器(8),用于从所述验证单元或从所述第一用户设备接收所述密钥表密钥;- a receiver (8) for receiving said keytab key from said authentication unit or from said first user equipment; —驱动器(5),用于访问所述存储介质,特别是用于从所述存储介质读取内容,并用所接收的密钥表密钥解密至少一个预定的密钥表。- A drive (5) for accessing said storage medium, in particular for reading content from said storage medium, and decrypting at least one predetermined key table with the received key table key. 11.计算机程序,包含程序代码装置,用于当所述计算机程序在计算机上运行时使计算机执行如权利要求9中所述的方法的步骤。11. Computer program comprising program code means for causing a computer to carry out the steps of the method as claimed in claim 9 when said computer program is run on a computer.
CNA2005800040116A 2004-02-04 2005-01-26 Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium Pending CN1914679A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP04100409.4 2004-02-04
EP04100409 2004-02-04

Publications (1)

Publication Number Publication Date
CN1914679A true CN1914679A (en) 2007-02-14

Family

ID=34833726

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005800040116A Pending CN1914679A (en) 2004-02-04 2005-01-26 Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium

Country Status (5)

Country Link
EP (1) EP1714280A1 (en)
JP (1) JP2007525123A (en)
KR (1) KR20060122906A (en)
CN (1) CN1914679A (en)
WO (1) WO2005076270A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105493436A (en) * 2013-08-29 2016-04-13 瑞典爱立信有限公司 Method, content owner device, computer program, and computer program product for distributing content items to authorized users

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2550560C (en) 2005-06-17 2015-07-21 Kabushiki Kaisha Toshiba Information provision system, provision information copying device, user terminal device and user management device
NZ586279A (en) * 2007-12-21 2012-08-31 Cocoon Data Holdings Ltd System and method for securing data distributed by a first user to at least one recipient user

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0823315A (en) * 1994-07-08 1996-01-23 Sony Corp Information presetting system
JPH0934841A (en) * 1995-07-21 1997-02-07 Fujitsu Ltd Online media decryption system and method
EP1237324A4 (en) * 1999-12-02 2008-12-10 Sanyo Electric Co MEMORY CARD AND DATA DISTRIBUTION SYSTEM INVOLVING SUCH A CARD
TWI226776B (en) * 2000-12-18 2005-01-11 Koninkl Philips Electronics Nv Secure super distribution of user data
JP2002328846A (en) * 2001-02-20 2002-11-15 Sony Computer Entertainment Inc Copy management system, computer readable storage medium in which information processing program of client terminal is stored, computer readable storage medium in which information processing program of management server is stored, information processing program of client terminal, information processing program of management server, copy managing method, information processing method of client terminal and information processing method of managing server
JP2003085084A (en) * 2001-09-12 2003-03-20 Sony Corp Contents delivery system and method, portable terminal, delivery server, and recording medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105493436A (en) * 2013-08-29 2016-04-13 瑞典爱立信有限公司 Method, content owner device, computer program, and computer program product for distributing content items to authorized users
CN105493436B (en) * 2013-08-29 2019-09-10 瑞典爱立信有限公司 For distributing method, the Content owner's equipment of content item to authorized user

Also Published As

Publication number Publication date
EP1714280A1 (en) 2006-10-25
JP2007525123A (en) 2007-08-30
WO2005076270A1 (en) 2005-08-18
KR20060122906A (en) 2006-11-30

Similar Documents

Publication Publication Date Title
US7738660B2 (en) Cryptographic key split binding process and apparatus
US9544135B2 (en) Methods of and systems for facilitating decryption of encrypted electronic information
US6608901B2 (en) Cryptographic key split combiner
US7974410B2 (en) Cryptographic key split combiner
US20050235143A1 (en) Mobile network authentication for protection stored content
CN104796265A (en) Internet-of-things identity authentication method based on Bluetooth communication access
CN1734463A (en) Information providing method, information providing system, and relay device
CN107222483A (en) A kind of method of the electronic document network memory management of many access levels
CN108881960B (en) Intelligent camera safety control and data confidentiality method based on identification password
CN1910531B (en) Method and system for key control of data resources and related network
CN101394280B (en) Mobile terminal and data service message protecting method
CN101621794A (en) Method for realizing safe authentication of wireless application service system
KR100826522B1 (en) Dynamic Encryption Device and Method in Mobile Communication System
WO1998036520A1 (en) Cryptographic key split combiner
CN1914679A (en) Device and method for authorizing a user to get access to content stored in encrypted form on a storage medium
AU3620400A (en) Voice and data encryption method using a cryptographic key split combiner
KR100808654B1 (en) Secure data transmission
CN1324485C (en) Portable security information access system and method
CN116647415B (en) Terminal bidirectional authentication method, device and cross-network and cross-domain data exchange system
FR2869176A1 (en) METHOD OF VERIFYING IN A RADIO TERMINAL THE AUTHENTICITY OF DIGITAL CERTIFICATES AND AUTHENTICATION SYSTEM
JP3721176B2 (en) Authentication system and encrypted communication system
CN1588845A (en) User password dynamic forming and registing system and its using method
CN118802317A (en) A method for hosting identity information based on trusted digital identity
JP2005252444A (en) Encryption method, decryption method and control program of file
JP2001036718A (en) Fax apparatus and fax image reproducing method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication