WO2010012148A1 - Method and apparatus for safely communicating based on broadcast or multicast - Google Patents

Info

Publication number
WO2010012148A1
Authority
WO
WIPO (PCT)
Prior art keywords
content
encrypted
broadcast
multicast
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2009/000521
Other languages
French (fr)
Chinese (zh)
Inventor
胡志远
王楠
万志坤
骆志刚
金晓蓉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alcatel Lucent SAS
Original Assignee
Alcatel Lucent SAS
Application filed by Alcatel Lucent SAS

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04N: PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00: Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20: Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23: Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234: Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs
    • H04N21/2347: Processing of video elementary streams, e.g. splicing of video streams or manipulating encoded video stream scene graphs involving video stream encryption
    • H04N21/40: Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41: Structure of client; Structure of client peripherals
    • H04N21/414: Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance
    • H04N21/41407: Specialised client platforms, e.g. receiver in car or embedded in a mobile appliance embedded in a portable device, e.g. video client on a mobile phone, PDA, laptop
    • H04N21/60: Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client
    • H04N21/63: Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633: Control signals issued by server directed to the network components or client
    • H04N21/6332: Control signals issued by server directed to the network components or client directed to client
    • H04N21/6334: Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key
    • H04N21/63345: Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key by transmitting keys
    • H04N7/00: Television systems
    • H04N7/16: Analogue secrecy systems; Analogue subscription systems
    • H04N7/167: Systems rendering the television signal unintelligible and subsequently intelligible
    • H04N7/1675: Providing digital key or authorisation information for generation or regeneration of the scrambling sequence

Definitions

  • The present invention relates to a method and apparatus for communicating in a communication network, and more particularly to a method and apparatus for secure communication based on broadcast or multicast in a communication network.
  • Background art
  • CBS Cell Broadcast Services
  • CBCH Cell Broadcast CHannel
  • the CBS may be a short message service (hereinafter referred to as SMS) based on a Cell Broadcast CHannel (CBCH) in a cell radio channel.
  • SMS Short message service
  • Existing short messages sent on the CBCH are transmitted in plaintext, that is, in unencrypted form. Therefore, a CBS that currently broadcasts short messages on the cell broadcast channel cannot distinguish between subscribed and non-subscribed users. In other words, secure communication with the subscribed users cannot be performed.
  • GBA Generic Bootstrapping Architecture
  • The invention provides that the broadcast or multicast server encrypts the content to be sent to generate encrypted content, and then sends the encrypted content to one or more user devices based on broadcast or multicast; each user device receives the encrypted content sent by broadcast or multicast from the broadcast or multicast server, and decrypts the received encrypted content to restore the original unencrypted content.
  • In a broadcast or multicast server in a communication network, a method for secure communication, based on broadcast or multicast, with one or more user devices used by one or more users, comprising the steps of: a. encrypting content to be sent to generate encrypted content; b. sending the encrypted content to the one or more user devices based on broadcast or multicast.
  • In a user device used by a user of a communication network, a method for secure communication, based on broadcast or multicast, with a broadcast or multicast server, comprising the following steps: A. receiving encrypted content sent by broadcast or multicast from the broadcast or multicast server; B. decrypting the received encrypted content to restore the original unencrypted content.
  • In a broadcast or multicast server in a communication network, an apparatus for secure communication, based on broadcast or multicast, with one or more user devices used by one or more users, the apparatus comprising: an encryption processing device, configured to encrypt the content to be sent to generate encrypted content; and an encrypted content sending device, configured to send the encrypted content to the one or more user devices based on broadcast or multicast.
  • In a user device used by a user of a communication network, an apparatus for secure communication, based on broadcast or multicast, with a broadcast or multicast server, comprising: an encrypted content receiving device for receiving the encrypted content sent by broadcast or multicast from the broadcast or multicast server; and a processing device for decrypting the received encrypted content to restore the original unencrypted content.
  • The method or apparatus provided by the present invention fills the current technical gap of secure communication with subscribed users based on broadcast or multicast in a communication network. It saves a large amount of communication resources in the communication network by adopting point-to-multipoint communication, can ensure secure communication between the operator and the subscribed users, and ensures correct billing.
  • the method and apparatus provided by the present invention do not require major changes to existing secure communication standards, security modules, and secure communication devices, so that the present invention is low in cost, easy to deploy, and has good commercial prospects.
  • FIG. 1 is a schematic diagram of a network topology of a broadcast-based secure communication between a broadcast server 1 and a plurality of mobile terminals 2a and 2b, in accordance with an embodiment of the present invention
  • FIG. 2 is a flow chart of a method for broadcast-based secure communication between a broadcast server 1 and a mobile terminal 2a, in accordance with an embodiment of the present invention
  • FIG. 3 is a schematic diagram showing a network topology of a broadcast-based secure communication between a broadcast server 1 and a plurality of mobile terminals 2a and 2b according to another embodiment of the present invention
  • FIG. 4 is a flow chart of a method for broadcast-based secure communication between a broadcast server 1 and a mobile terminal 2a, in accordance with another embodiment of the present invention
  • FIG. 5 is a block diagram showing an apparatus for performing broadcast-based secure communication between a broadcast server 1 and a mobile terminal 2a, and a working process thereof, according to still another embodiment of the present invention
  • FIG. 6 is a block diagram showing an apparatus for performing broadcast-based secure communication between the broadcast server 1 and the mobile terminal 2a and a working process thereof according to still another embodiment of the present invention.
  • Detailed description
  • the communication network is a wireless communication network, such as a 3G wireless communication network.
  • The network includes a broadcast server 1 for secure communication using a CBS-based short message service, mobile terminals 2a and 2b, a content providing server (Content Provider, CP for short) 3 connected to the broadcast server 1, and a mobile terminal 2c that has not subscribed with the operator for secure communication.
  • The Short Message Gateway (SMG) or Short Message Service Center (SMSC), and the base stations, relay stations and other communication devices through which the broadcast server 1 and the mobile terminals communicate securely by short message, are omitted.
  • SMG Short Message Gateway
  • SMSC Short Message Service Center
  • The present invention is not limited to the 3G wireless communication network and network topology shown in FIG. 1; it is equally applicable to other wireless communication networks such as 2G and 2.5G, to other network topologies, and to other communication networks that support broadcast or multicast. The applicant will also present in the specification an embodiment in which the present invention is applied to other scenarios.
  • FIG. 2 is a flow chart of a method for broadcast-based secure communication between the broadcast server 1 and the mobile terminal 2a, in accordance with an embodiment of the present invention.
  • the broadcast server 1 may be composed of a Cell Broadcast Center and a Cell Broadcast Equipment, and is used to broadcast the encrypted content to each mobile terminal through a cell broadcast channel.
  • This embodiment describes in detail the process in which the broadcast server 1 broadcasts the content encrypted by the content key to the mobile terminal, and the mobile terminal, which already possesses content decryption information that works with the content key, directly decrypts the content encrypted by the content key.
  • the content providing server 3 supplies the content that needs to be provided to the subscriber to the broadcast server 1, the content may be weather forecast, business news, traffic information, etc. as described above, and the content provided to each subscriber is the same.
  • the broadcast server 1 acquires the content to be sent to the subscriber.
  • In step S10, the broadcast server 1 encrypts the content to be sent to the subscriber to generate the encrypted content.
  • The broadcast server 1 acquires a content key for encrypting the content, wherein the content key K_sms may be a symmetric key (i.e., the encryption key is the same as the decryption key, or the decryption key can be derived from the encryption key), or an asymmetric key (i.e., the encryption key is different from the decryption key, and the decryption key cannot be derived from the encryption key).
  • The broadcast server 1 does not currently need to provide the content key K_sms to the mobile terminal:
  • A. The symmetric content key K_sms was generated by the broadcast server 1 in advance and has already been provided to the mobile terminal, for example fixed in the user's SIM (Subscriber Identity Module) card or mobile terminal, and the key is pre-stored in the broadcast server 1; the broadcast server 1 then acquires the pre-stored content key K_sms;
  • B. The symmetric content key K_sms is supplied to the broadcast server 1 by the content providing server 3, and the content providing server 3 also provides the content key K_sms to the mobile terminal.
  • The broadcast server 1 has a weak management and control function for the key;
  • In step S102, the broadcast server 1 encrypts the content to be sent using the acquired content key K_sms to generate the content encrypted by the content key K_sms.
  • a specific technique for encrypting a plaintext using a key to obtain a ciphertext is well known to those skilled in the art, and the present invention does not describe it.
  • In step S11, the broadcast server 1 sends the content encrypted by the content key K_sms to the mobile terminal 2a based on broadcast.
  • In step S20, the mobile terminal 2a receives the encrypted content sent by broadcast from the broadcast server 1.
  • The broadcast server 1 puts the content encrypted by the content key K_sms into a short message and provides it, through the short message gateway or the short message service center, to the cell base station to which the mobile terminal 2a belongs, and the cell base station broadcasts the short message on the cell broadcast channel (CBCH) in the cell; the mobile terminal 2a receives the short message containing the content encrypted by the content key K_sms on the cell broadcast channel, and extracts from it the content encrypted by the content key K_sms.
  • The mobile terminal 2b of a subscriber in the same cell who subscribed to the same content, and the mobile terminal 2c of the non-subscriber, may also receive the short message containing the content encrypted by the content key K_sms on the cell broadcast channel.
  • the broadcast mode of the broadcast server 1 to broadcast the encrypted content to the mobile terminal is not limited to the embodiment, and those skilled in the art can make appropriate adjustments according to the actual wireless network under the teaching of the present invention. These modifications are intended to be within the scope of the appended claims.
  • In step S22, the mobile terminal 2a decrypts the received encrypted content to restore the original unencrypted content.
  • In step S21, the mobile terminal 2a acquires content decryption information corresponding to the content key K_sms.
  • When the content key K_sms is a symmetric key, the content key K_sms is equivalent to its corresponding content decryption information; when the content key K_sms is an asymmetric key, the key that works with it should be obtained. Therefore, corresponding to the two cases A and B listed above:
  • The previously generated symmetric content key K_sms has been provided by the broadcast server 1 to the mobile terminal 2a before the secure communication, for example in the user's SIM card or mobile terminal, and the mobile terminal 2a obtains the pre-stored content key.
  • In step S22, the mobile terminal 2a, based on the content decryption information corresponding to the content key K_sms acquired in step S21, decrypts the content encrypted by the content key K_sms that was received by broadcast from the broadcast server 1, to restore the original unencrypted content.
  • The mobile terminal 2b of a subscriber to the same content also obtains the content decryption information corresponding to the content key K_sms in a step similar to step S21 and performs a step similar to step S22, so that it can also obtain the original unencrypted content; further, the user of the mobile terminal 2c cannot decrypt the received K_sms-encrypted content, because that user is not a subscriber to the content and has not obtained the content decryption information corresponding to the content key K_sms. The security of communication between the broadcast server 1 and the mobile terminals 2a and 2b is thus ensured.
  • the mobile terminals 2a and 2b may belong to the same base station cell or may belong to different cells.
  • The first embodiment above describes in detail how the broadcast server 1 broadcasts the content encrypted by the content key to the mobile terminal, and how the mobile terminal, which already possesses content decryption information that works with the content key, directly decrypts the content encrypted by the content key.
  • The broadcast server further applies an encryption technology to the content key: it acquires the encryption auxiliary information corresponding to each user, and encrypts the content key according to the encryption auxiliary information, and then Encrypted auxiliary information encrypted content
  • FIG. 3 is a schematic diagram showing a network topology of a broadcast-based secure communication between a broadcast server 1 and a plurality of mobile terminals 2a and 2b according to another embodiment of the present invention.
  • Based on the topology shown in FIG. 1, the communication network further includes a Bootstrapping Server Function-Push (BSF Push) 4 connected to the broadcast server 1, and a Home Location Register/Home Subscriber Server (HLR/HSS) 5 connected to the bootstrapping service push function 4.
  • The broadcast server 1 may include two parts. One part is a cell broadcast service system (CBS System) composed of a cell broadcast center and cell broadcast equipment, which broadcasts the content encrypted by the content key to each mobile terminal through a cell broadcast channel; the other part is a cell broadcast service subscriber manager (CBS Subscriber Management), which encrypts the content key according to the encryption auxiliary information and provides the encrypted content key, via the Upa interface, by SMS or other means, to the subscribed users of the SMS broadcast service.
  • FIG. 4 is a flow chart of a method for broadcast-based secure communication between the broadcast server 1 and the mobile terminal 2a, in accordance with another embodiment of the present invention.
  • the broadcast server 1 acquires a content key for encrypting the content.
  • The broadcast server 1 can, based on a random number generated at the time and the identification information of the content providing server 3, use a symmetric key algorithm such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard) to generate a content key K_sms based on symmetric encryption.
  • The broadcast server 1 performs a procedure similar to that of the first embodiment described above: in step S102', it encrypts the content provided by the content providing server 3 according to K_sms, and then, in step S11', it sends the content encrypted by the content key K_sms to the mobile terminal 2a based on broadcast.
  • The broadcast server 1 puts the content encrypted by the content key K_sms into a short message and provides it to the short message gateway or the short message service center.
  • The cell base station broadcasts the short message on a cell broadcast channel (CBCH) in the cell;
  • The mobile terminal 2a receives, on the cell broadcast channel, the short message containing the content encrypted by the content key K_sms, and extracts from it the content encrypted by the content key K_sms.
  • The mobile terminal 2b of a subscriber in the same cell who subscribed to the same content, and the mobile terminal 2c of the non-subscriber, may also receive the short message containing the content encrypted by the content key K_sms on the cell broadcast channel.
  • In step S20, the mobile terminal 2a receives the content encrypted by the content key K_sms, sent by broadcast from the broadcast server 1.
  • In step S20", the mobile terminal 2b receives the content encrypted by the content key K_sms, sent by the broadcast server.
  • The non-subscriber mobile terminal 2c can also receive the encrypted content.
  • In step S12, the broadcast server 1 acquires the encryption auxiliary information corresponding to the user a to which the mobile terminal 2a belongs and the user b to which the mobile terminal 2b belongs; the encryption auxiliary information is used to encrypt the content key K_sms.
  • the encryption assistance information is based on an asymmetric key technology.
  • the encryption assistance information corresponding to the user a is the public key of the user a, and at the same time, the user a owns the mobile terminal 2a.
  • the broadcast server 1 acquires the respective public keys of the users a and b.
  • In one case, the broadcast server 1 stores the public key locally and reads it directly; in another case, the public key is provided to the broadcast server 1 by the content providing server 3 or by another security management server.
  • The encryption auxiliary information is a symmetric encryption key associated with the identity of users a and b, and users a and b can generate the same encryption key or corresponding decryption assistance information based on their user identity on their mobile terminals.
  • Based on the GBA push technology, the broadcast server 1 requests, through the Zpn interface, the push information of the generic bootstrapping architecture of user a and user b from the bootstrap service push function (BSF) 4.
  • BSF bootstrap service push function
  • The push information includes the identity-related information Ks_NAF/Ks_ext_NAF and Ks_int_NAF used to generate an encryption key, AUTN and RAND from the user's quintuple authentication vector, the U/M flag identifying GBA_U or GBA_ME, the lifetime of the key, the ID of the broadcast server, the private identity ID of the user, the MAC, and so on.
  • If the bootstrap service push function 4 does not have the identity information of user a and/or b locally, it also requests and obtains, over the Zh interface, from the home location register/home subscriber server 5 to which user a and/or b belongs, the user's quintuple authentication vector of CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN information, generates the push information of the generic bootstrapping architecture of user a and/or b according to the CK and IK information, and then provides the push information of users a and b to the broadcast server 1.
  • CK Cipher Key
  • IK Integrity Key
  • In step S122', the broadcast server 1 generates the respective encryption keys K_cbs of users a and b based on the acquired Ks_NAF/Ks_ext_NAF and Ks_int_NAF information of users a and b.
  • In step S13, the broadcast server 1 encrypts the content key K_sms according to the acquired encryption auxiliary information of users a and b respectively, for example the user's public key or encryption key K_cbs.
  • The content key K_sms' encrypted with the corresponding encryption auxiliary information of each of users a and b is generated.
  • In step S14, the broadcast server 1 sends the content key K_sms encrypted with the corresponding encryption auxiliary information of users a and b to the mobile terminals 2a and 2b of users a and b, respectively.
  • The broadcast server 1 sends the content key K_sms' encrypted by the encryption auxiliary information corresponding to users a and b to users a and b respectively through the short message gateway or the short message service center.
  • In step S21 and in step S21" (not shown), the mobile terminals 2a and 2b each acquire content decryption information that works with the content key K_sms.
  • the mobile terminal 2b performs similar steps.
  • The mobile terminal 2a receives from the broadcast server 1 the content key K_sms encrypted by the encryption auxiliary information corresponding to user a, and acquires the decryption auxiliary information that works with that encryption auxiliary information.
  • The encryption auxiliary information is based on an asymmetric key technology, for example the public key of user a, and the mobile terminal 2a obtains the private key corresponding to the public key as the decryption auxiliary information, to decrypt the content key K_sms encrypted by the public key.
  • The encryption auxiliary information is a symmetric encryption key K_cbs related to the identity of user a, and user a can generate the same encryption key or corresponding decryption assistance information on the mobile terminal 2a. In step S2111, the mobile terminal 2a, based on the GBA Push technology and according to the GBA Push information obtained from the bootstrap service push function (BSF) 4, generates the quintuple authentication vector CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN information in the same manner as the HLR/HSS, and then generates the Ks_NAF/Ks_ext_NAF and Ks_int_NAF information in the same way as BSF Push.
  • In step S2112', the mobile terminal 2a generates a symmetric encryption key K_cbs, or a decryption key that works with it, based on the identity-related information Ks_NAF/Ks_ext_NAF and Ks_int_NAF.
  • The method by which it generates the encryption key K_cbs should correspond to the method by which the broadcast server 1 generates the encryption key K_cbs; likewise, the method by which it generates a decryption key that works with K_cbs should correspond to the method by which the broadcast server 1 generates the encryption key K_cbs, to ensure that the generated encryption key K_cbs, or the decryption key working with it, is consistent with the encryption key K_cbs used by the broadcast server 1.
  • the consistency can be determined in advance by the user and its operator and the broadcast server, for example, being solidified in the user's SIM card or negotiated before each communication.
  • the process of the above mobile terminal 2a performing authentication and interaction with the bootstrap service push function 4 to obtain the push information of the general bootstrap architecture is similar to the process in the general bootstrap architecture for one-to-one secure communication in the prior art. See 3GPP TS 33.223 V800.
  • the present invention utilizes the existing universal use by the above-mentioned interaction between the broadcast server 1 and the mobile terminal and the bootstrap service push function 4.
  • Bootstrap architecture (GBA) push technology which does not make major modifications to existing standards, methods and devices, can save a lot of cost. Then, the solution can be accepted by the market and has good business prospects.
  • step S212' the mobile terminal 2a decrypts the content key K sms encrypted by the encrypted auxiliary information corresponding to the user a according to the acquired decryption auxiliary information, and acquires the content key K sms ' as a corresponding Content decryption information.
  • step S22 ' the mobile terminal 2a based on the content key K sms', based on the content of the key K sms, encrypted content is decrypted to restore the original unencrypted content processing.
  • the mobile terminal 2b of the subscriber b of the content performs a similar procedure. Since the broadcast server 1 also transmits the content key K sms encrypted by the encrypted auxiliary information corresponding to the user b to the mobile terminal 2b, The mobile terminal 2b can acquire the decryption auxiliary information that works in conjunction with the encrypted auxiliary information corresponding to the user b, and solve the content key K sms , and then decrypt the encrypted content according to the content key K sms to restore the original Encrypted content.
  • the mobile terminal 2c of the user c who does not subscribe to the content cannot receive the content key K sms encrypted by the encryption auxiliary information corresponding thereto , so that the content key K encrypted by the encrypted auxiliary information corresponding to other users cannot be obtained. Sms , if decrypted, it cannot obtain the content key K sms , and then the content encrypted according to the content key K sms cannot be decrypted, and the original unencrypted content cannot be obtained. In this way, the security of the content communication between the broadcast server 1 and the mobile terminals 2a and 2b of the content subscription users a and b is ensured.
  • In the present invention, the key used for encryption, such as the content key and the encryption auxiliary information, includes all algorithms for encrypting plaintext into ciphertext, or algorithms and their parameters, etc.
  • The key used for decryption, such as the content decryption information and the decryption auxiliary information, likewise includes all algorithms for decrypting ciphertext encrypted with the corresponding encryption key into plaintext, or algorithms and their parameters, etc.
  • the specific encryption principles and methods are well known to those skilled in the art, and should fall within the scope of protection of the present invention.
  • the content to be transmitted by the broadcast server 1 is completely encrypted.
  • The broadcast server 1 hashes the content to be sent using a predetermined hash algorithm to obtain a content digest, and encrypts the content digest with the content key K sms; the broadcast server 1 then broadcasts the content to each mobile terminal in clear text, and broadcasts the content digest encrypted with the content key K sms to each mobile terminal.
  • The mobile terminal receives the content broadcast in clear text and generates a digest of the received content using the same hash algorithm; the mobile terminal also receives the content digest encrypted with the content key K sms and, by a process similar to that of the first or second embodiment above, acquires the content decryption information that works with the content key K sms of the broadcast server 1 and decrypts the content digest; finally, the mobile terminal compares the decrypted content digest with the digest it generated from the received content, to determine whether the content it received was transmitted by the broadcast server 1 and was not changed during transmission.
  • The present invention is equally applicable to secure communication based on multicast in a wireless communication network.
  • Before the multicast server sends the encrypted content to multiple user equipments based on multicast, it should first establish a multicast channel with those user equipments, and then send the encrypted content to them in that multicast channel;
  • correspondingly, the user equipment should also first establish a multicast channel with the multicast server, and then receive the encrypted content from the multicast server in that multicast channel.
  • Other encryption/decryption processes are similar to those described in the previous section and will not be described here.
  • the broadcast server 1 includes means 10 for securely communicating with a plurality of users or a plurality of corresponding mobile terminals based on the broadcast, the device 10 comprising an encryption processing device 101 and an encrypted content transmitting device 102, the encryption processing device 101 further comprising Content key acquisition means 1011.
  • the mobile terminal 2a includes means 20 for secure communication with the broadcast server 1 based on the broadcast, the device 20 comprising an encrypted content receiving device 201, a second obtaining device 202 and a decryption processing device 203.
  • the broadcast server 1 may be composed of a Cell Broadcast Center and a Cell Broadcast Equipment, which are used to broadcast the encrypted content to each mobile terminal through a cell broadcast channel.
  • The apparatus and its working process are described in detail for the case where the broadcast server 1 broadcasts the content encrypted by the content key to the mobile terminal, and the mobile terminal already possesses content decryption information that works with the content key and can directly decrypt the content encrypted by the content key.
  • the content providing server 3 supplies the content that needs to be provided to the subscriber to the broadcast server 1, the content may be a weather forecast or the like as described above, and the contents provided to the respective subscribers are the same.
  • the broadcast server 1 acquires the content to be sent to the subscriber.
  • the encryption processing means 101 performs encryption processing on the content to be transmitted to the subscriber to generate the encrypted processed content.
  • the content key acquisition means 1011 acquires the content key K sms for encrypting the content.
  • The content key K sms may be a symmetric key (i.e., the encryption key is the same as the decryption key, or the decryption key can be derived from the encryption key), or an asymmetric key (i.e., the encryption key and the decryption key are different, and the decryption key cannot be derived from the encryption key).
  • The symmetric content key K sms is generated by the broadcast server 1 in advance and has been provided to the mobile terminal, for example fixed in the user's SIM (Subscriber Identity Module) card or mobile terminal, and the key is pre-stored on the broadcast server 1; the content key obtaining means 1011 obtains the pre-stored content key K sms;
  • the symmetric content key K sms is supplied from the content providing server 3 to the content key obtaining means 1011. And, the content key K sms is also supplied to the mobile terminal by the content providing server 3.
  • the broadcast server 1 has a weak management and control function for the key;
  • After the content key K sms is acquired, the encryption processing device 101 encrypts the content to be transmitted with it to generate the content encrypted with the content key K sms.
  • a specific technique for encrypting a plaintext using a key to obtain a ciphertext is well known to those skilled in the art, and the present invention does not describe it.
  • the encrypted content transmitting device 102 transmits the content encrypted by the content key K sms to the mobile terminal 2a based on the broadcast.
  • the encrypted content receiving device 201 of the device 20 of the mobile terminal 2a receives the encrypted processed content based on the broadcast transmission from the broadcast server 1.
  • The encrypted content transmitting apparatus 102 puts the content encrypted by the content key K sms into a short message and provides it, through the short message gateway or the short message service center, to the cell base station to which the mobile terminal 2a belongs;
  • the cell base station broadcasts the short message on the cell broadcast channel (CBCH) in its cell;
  • the encrypted content receiving device 201 receives the short message containing the content encrypted by the content key K sms on the cell broadcast channel, and extracts from it the content encrypted by the content key K sms.
  • the mobile terminal 2b of the subscriber of the same cell subscribed to the same content, and the mobile terminal 2c of the non-subscriber may also receive a short message containing the content encrypted by the content key K sms on the cell broadcast channel.
  • The manner in which the encrypted content transmitting apparatus 102 broadcasts the encrypted content to the mobile terminal is not limited to this embodiment; those skilled in the art can, under the teaching of the present invention, make appropriate adjustments according to the actual wireless network, and such adjustments should be within the scope of the claims of the present invention.
  • the decryption processing means 203 decrypts the received encrypted processed content to restore the original unencrypted content.
  • the second obtaining means 202 acquires content decryption information corresponding to the content key K sms .
  • If the content key K sms is a symmetric key, the content key K sms is itself equivalent to the corresponding content decryption information;
  • if the content key K sms is an asymmetric key, the key that works with it should be obtained. Thus, corresponding to the three cases A, B and C listed above:
  • the previously generated symmetric content key K sms has been provided by the broadcast server 1 to the mobile terminal 2a before the secure communication, for example, in the user's SIM card or mobile terminal, and the second obtaining means 202 obtains the pre-stored content key K sms;
  • the symmetric content key K sms has been provided to the second obtaining means 202 by the corresponding content providing server 3 before this secure communication.
  • The decryption processing means 203 decrypts the content encrypted with the content key K sms, received by broadcast from the broadcast server 1, using the content decryption information corresponding to the content key K sms acquired by the second acquisition means 202, to restore the original unencrypted content.
  • The mobile terminal 2b of a subscriber who subscribes to the same content can likewise, through its similar encrypted content receiving device, second acquiring device and decryption processing device, receive the encrypted content, acquire the content decryption information corresponding to the content key K sms, and decrypt the encrypted content.
  • Further, because the user of the mobile terminal 2c is not a subscriber of the content and has not obtained the content decryption information corresponding to the content key K sms, its similar decryption processing device cannot decrypt the received content encrypted with K sms, which ensures the security of communication between the broadcast server 1 and the mobile terminals 2a and 2b.
  • the mobile terminals 2a and 2b may belong to the same base station cell or may belong to different cells.
  • The above third embodiment describes in detail the scheme in which the broadcast server 1 broadcasts the content encrypted by the content key to the mobile terminal, and the mobile terminal already possesses the content decryption information that works with the content key and can directly decrypt the content encrypted by the content key.
  • The technical scheme in which the broadcast server further applies encryption to the content key is described in detail: the broadcast server acquires the encryption auxiliary information corresponding to each user, encrypts the content key with that encryption auxiliary information, and then provides the content key encrypted with the encryption auxiliary information to the mobile terminal.
  • FIG. 3 is a schematic diagram of a network topology structure in which a broadcast server 1 and a plurality of mobile terminals 2a and 2b perform broadcast-based secure communication according to another embodiment of the present invention.
  • Figure 6 is a block diagram showing the operation of the apparatus for performing broadcast-based secure communication between the broadcast server 1 and the mobile terminal 2a in accordance with another embodiment of the present invention.
  • the broadcast server 1 includes means 10 for securely communicating with a plurality of respective mobile terminals used by a plurality of users, including the encryption processing means 101, the encrypted content transmitting means 102, and the first obtaining means 103.
  • The encryption processing device 101 and the encrypted content transmitting device 102 may constitute a cell broadcast service system (CBS System) composed of a cell broadcast device (Cell Broadcast Equipment) and a cell broadcast center (Cell Broadcast Center), which is used to broadcast the content encrypted with the content key to each mobile terminal through the cell broadcast channel; and the first obtaining means 103, the content key encrypting means 104, and the content key transmitting means 105 may constitute a cell broadcast service subscriber manager (CBS Subscriber Management), which encrypts the content key according to the encryption auxiliary information and provides the encrypted content key to the subscribing users of the cell broadcast service via the Upa interface, by SMS or other means.
  • The mobile terminal 2a includes means 20' for secure communication with the broadcast server 1 based on the broadcast; the device 20' comprises an encrypted content receiving device 201, a second obtaining device 202, and a decryption processing device 203, the second obtaining device 202 further comprising a processing device 2021, and the processing device 2021 further comprising a second push information obtaining device 20211.
  • the content key obtaining means 1011 obtains a content key for encrypting the content.
  • The content key obtaining means 1011 can, based on a random number generated at the time and the identification information of the content providing server 3, generate a symmetric content key K sms using a symmetric key algorithm such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard).
  • The broadcast server 1 performs operations similar to those of the foregoing third embodiment: the encryption processing device 101 encrypts the content provided by the content providing server 3 with K sms, and the encrypted content transmitting device 102 then sends the content encrypted with the content key K sms to the mobile terminal 2a based on broadcast. Preferably, the encrypted content transmitting device 102 puts the content encrypted with the content key K sms into a short message and provides it, through the short message gateway or the short message service center, to the cell base station to which the mobile terminal 2a belongs;
  • the cell base station broadcasts the short message on a cell broadcast channel (CBCH) in the cell;
  • the mobile terminal 2a receives the short message containing the content encrypted by the content key K sms on the cell broadcast channel, and extracts from it the content encrypted by the content key K sms.
  • The mobile terminal 2b of a subscriber in the same cell who subscribes to the same content, and the mobile terminal 2c of a non-subscriber, may also receive the short message containing the content encrypted by the content key K sms on the cell broadcast channel.
  • The encrypted content receiving device 201 of the device 20 of the mobile terminal 2a receives the content encrypted with the content key K sms that the broadcast server 1 sent based on broadcast. A similar encrypted content receiving apparatus of the mobile terminal 2b likewise receives the content encrypted with the content key K sms that the broadcast server sent based on broadcast. At the same time, the non-subscriber mobile terminal 2c can also receive the encrypted content.
  • The first obtaining means 103 of the device 10 of the broadcast server 1 acquires the encryption auxiliary information corresponding to user a, to whom the mobile terminal 2a belongs, and to user b, to whom the mobile terminal 2b belongs; this encryption auxiliary information is used to encrypt the content key K sms.
  • the encryption assistance information is based on an asymmetric key technology.
  • the encryption assistance information corresponding to the user a is the public key of the user a, and at the same time, the user a owns the mobile terminal 2a.
  • the broadcast server 1 acquires the respective public keys of the users a and b.
  • The first obtaining means 103 directly reads the public key; in another case, the public key is provided to the first obtaining means 103 by the content providing server 3 or by another security management server.
  • The encryption auxiliary information is a symmetric encryption key associated with the identity of users a and b, and users a and b can generate the same encryption key, or corresponding decryption auxiliary information, on their mobile terminals based on their user identity.
  • Based on the GBA push technique, the first push information obtaining means 1031 of the first obtaining means 103 requests the push information of user a and user b from the bootstrap service push function (BSF) 4 via the Zpn interface.
  • The push information includes the identity-related information Ks_NAF/Ks_ext_NAF and Ks_int_NAF used to generate an encryption key, AUTN and RAND from the user's quintuple authentication vector, U/M for identifying GBA_U or GBA_ME, the lifetime of the key, the ID of the broadcast server, the private ID of the user, the MAC, and so on.
  • If the bootstrap service push function 4 has no local identity information for user a and/or b, it requests and obtains, through the Zh interface, from the home location register/home subscriber server 5 to which user a and/or b belongs, the user's quintuple authentication vector (CK (Cipher Key), IK (Integrity Key), RAND, RES, AUTN), generates the push information of the general bootstrap architecture for user a and/or b according to the CK and IK information, and then supplies the push information of users a and b to the first push information acquiring means 1031'.
  • The first obtaining means 103 generates the respective encryption keys K cbs of users a and b based on the acquired Ks_NAF/Ks_ext_NAF.
  • The process by which the first push information obtaining means 1031 of the above broadcast server 1 interacts with the bootstrap service push function 4 to acquire the push information of the general bootstrapping architecture, and by which the first obtaining means 103 generates the encryption key K cbs related to the identity information of the user, is similar to the process in the general bootstrap architecture for one-to-one secure communication in the prior art; for the detailed process, refer to the standard 3GPP TS 33.223 V800, which is not described in this specification.
  • The content key encryption device 104 encrypts the content key K sms with the acquired encryption auxiliary information of users a and b respectively, for example the user's public key or encryption key K cbs, to generate, for each of users a and b, the content key K sms encrypted with the corresponding encryption auxiliary information.
  • the content key transmitting device 105 transmits the content key K sms encrypted by the respective encrypted auxiliary information of the users a and b to the mobile terminals 2a and 2b of the users a and b, respectively.
  • The content key transmission unit 105 transmits, by short message through the short message gateway or the short message service center, the content key K sms encrypted with the encryption auxiliary information corresponding to users a and b to users a and b respectively.
  • The processing device 2021 of the second acquisition device 202 of the device 20 of the mobile terminal 2a, and the similar processing device of the mobile terminal 2b, each acquire content decryption information that works in conjunction with the content key K sms.
  • the following description will be made from the perspective of the mobile terminal 2a.
  • the processing device 2021 receives the content key K sms encrypted by the encrypted auxiliary information corresponding to the user a from the broadcast server 1, and acquires the decryption auxiliary information that works in cooperation with the encrypted auxiliary information.
  • The encryption auxiliary information is based on an asymmetric key technology, for example the public key of user a; the processing device 2021 obtains the private key corresponding to that public key as the decryption auxiliary information, with which the content key K sms encrypted with the public key is decrypted.
  • the implementation of the asymmetric encryption technology such as the public and private keys is well known to those skilled in the art, and the present invention is not described herein. A person skilled in the art can appropriately modify the embodiment according to actual needs, and these modifications are all within the scope of the present invention.
  • The encryption auxiliary information is a symmetric encryption key K cbs related to the identity of user a, and user a can generate the same encryption key, or corresponding decryption auxiliary information, on the mobile terminal 2a.
  • Based on the GBA push technology, the quintuple authentication vector (CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN) is generated in the same manner as the HLR/HSS according to the GBA Push information obtained from the bootstrap service push function (BSF) 4, and the Ks_NAF/Ks_ext_NAF and Ks_int_NAF information is then generated in the same manner as the BSF Push function.
  • The processing device 2021 generates the symmetric encryption key K cbs, or a decryption key working in conjunction with it, according to the identity-related information Ks_NAF/Ks_ext_NAF and Ks_int_NAF.
  • The method by which it generates the encryption key K cbs should correspond to the method by which the first obtaining means 103 of the broadcast server 1 generates the encryption key K cbs; or, the method by which it generates the decryption key working with K cbs should correspond to the method by which the first obtaining means 103 of the broadcast server 1 generates the encryption key K cbs, to ensure that the generated encryption key K cbs, or the decryption key working with it, is consistent with the encryption key K cbs used by the broadcast server 1.
  • The consistency can be determined in advance by the user, its operator and the broadcast server, for example fixed in the user's SIM card, or negotiated before each communication.
  • The process by which the second push information obtaining means 20211 authenticates and interacts with the bootstrap service push function 4 to obtain the push information of the general bootstrapping architecture is similar to the process in the general bootstrapping architecture for one-to-one secure communication in the prior art; see 3GPP
  • Through the above interaction of the broadcast server 1 and the mobile terminal with the bootstrap service push function 4, the present invention makes use of the existing universal bootstrapping architecture (GBA) push technology without making major modifications to existing standards, methods and devices, which can save a lot of cost. The solution can therefore be accepted by the market and has good commercial prospects.
  • The second obtaining means 202 uses the acquired decryption auxiliary information to decrypt the content key K sms that was encrypted with the encryption auxiliary information corresponding to user a, and obtains the content key K sms as the corresponding content decryption information.
  • The decryption processing apparatus 203 decrypts the content encrypted with the content key K sms, based on that content key, to restore the original unencrypted content.
  • The similar device of the mobile terminal 2b of user b, who subscribes to the content, performs a similar operation, since the broadcast server 1 also transmits to the mobile terminal 2b the content key K sms encrypted with the encryption auxiliary information corresponding to user b.
  • The processing device of the mobile terminal 2b can acquire the decryption auxiliary information that works with the encryption auxiliary information corresponding to user b, the second obtaining device can recover the content key K sms, and the decryption processing device can then decrypt the encrypted content with the content key K sms to restore the original unencrypted content.
  • The processing device of the mobile terminal 2c of user c, who does not subscribe to the content, does not receive a content key K sms encrypted with encryption auxiliary information corresponding to it, and its second obtaining device cannot decrypt the content key K sms encrypted with the encryption auxiliary information corresponding to other users. It therefore cannot obtain the content key K sms, its decryption processing apparatus cannot decrypt the content encrypted with that key, and the original unencrypted content cannot be obtained. In this way, the security of the content communication between the broadcast server 1 and the mobile terminals 2a and 2b of the subscribing users a and b is ensured.
  • Multicast for secure communication.
  • The apparatus in the multicast server for multicast-based secure communication with multiple corresponding user equipments used by multiple users further includes a first multicast channel establishing apparatus for establishing a multicast channel with the user equipments, and the encrypted content sending device is further configured to send the encrypted content to the plurality of user equipments in the multicast channel;
  • correspondingly, the apparatus in the user equipment for multicast-based secure communication with the multicast server further includes a second multicast channel establishing apparatus for establishing a multicast channel with the multicast server, and the encrypted content receiving apparatus is configured to receive the encrypted content from the multicast server in the multicast channel.
  • Other encryption/decryption processes are similar to those described in the previous section and will not be described here.
  • The present invention is not limited to the field of wireless communications; it is equally applicable in communication networks such as IPTV that support broadcast and/or multicast.
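
The two-level key scheme of the embodiments above (content encrypted once under K sms, K sms wrapped separately for each subscriber under that subscriber's K cbs) and the clear-text variant with an encrypted digest, as an added Python example that is not part of the patent. Assumptions: an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the DES/AES the patent mentions, and derive_k_cbs, SERVER_ID and all key material are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher (assumption): the patent names DES/AES. To run on the
# standard library alone, this sketch uses an HMAC-SHA256 keystream with
# encrypt-then-MAC; a deployment would use a vetted AEAD such as AES-GCM.
SERVER_ID = b"broadcast-server-1.example"  # constructed identifier


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC; returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def derive_k_cbs(ks_naf: bytes, server_id: bytes = SERVER_ID) -> bytes:
    """Hypothetical derivation of the per-user key K_cbs from Ks_NAF.
    The patent leaves the derivation open; both sides only have to agree on it."""
    return hmac.new(ks_naf, b"K_cbs|" + server_id, hashlib.sha256).digest()


def server_publish(content: bytes, subscriber_k_cbs: dict):
    """Broadcast server: encrypt content once under a fresh K_sms, then wrap
    K_sms separately for each subscriber under that subscriber's K_cbs."""
    k_sms = secrets.token_bytes(32)
    broadcast = seal(k_sms, content)  # sent on the broadcast channel
    wrapped = {user: seal(k_cbs, k_sms)  # sent point-to-point, e.g. by SMS
               for user, k_cbs in subscriber_k_cbs.items()}
    return k_sms, broadcast, wrapped


def terminal_receive(k_cbs: bytes, wrapped_key: bytes, broadcast: bytes) -> bytes:
    """Mobile terminal: unwrap K_sms with its own K_cbs, then decrypt the broadcast."""
    k_sms = open_sealed(k_cbs, wrapped_key)
    return open_sealed(k_sms, broadcast)


def server_publish_clear(content: bytes, k_sms: bytes):
    """Integrity-only variant: content goes out in clear text together with its
    digest encrypted under K_sms."""
    return content, seal(k_sms, hashlib.sha256(content).digest())


def terminal_verify_clear(content: bytes, sealed_digest: bytes, k_sms: bytes) -> bool:
    """Recompute the digest and compare it with the decrypted one."""
    try:
        sent_digest = open_sealed(k_sms, sealed_digest)
    except ValueError:
        return False
    return hmac.compare_digest(sent_digest, hashlib.sha256(content).digest())


if __name__ == "__main__":
    # Constructed key material standing in for each user's Ks_NAF.
    ks_naf = {u: secrets.token_bytes(32) for u in ("a", "b", "c")}
    subscribers = {u: derive_k_cbs(ks_naf[u]) for u in ("a", "b")}
    k_sms, broadcast, wrapped = server_publish(b"Weather: sunny, 21 C", subscribers)
    print(terminal_receive(subscribers["a"], wrapped["a"], broadcast))
    try:  # user c tries a's wrapped key with its own K_cbs
        terminal_receive(derive_k_cbs(ks_naf["c"]), wrapped["a"], broadcast)
    except ValueError as exc:
        print("non-subscriber c:", exc)
```

Because every subscriber holds the same K sms, the digest check in the clear-text variant only shows that the content came from some holder of K sms. Removing a subscriber requires issuing a fresh K sms to the remaining ones.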

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method and apparatus for safely communicating based on broadcast or multicast are disclosed. The method comprises the following steps: a broadcast or multicast server encrypts the content to be transmitted in order to generate the encrypted content, and then transmits the encrypted content to each of user equipments based on broadcast or multicast; each of the user equipments receives the encrypted content transmitted based on broadcast or multicast from the broadcast or multicast server, and decrypts the encrypted content which has been received in order to retrieve the original unencrypted content.

Description

Method and device for secure communication based on broadcast or multicast

Technical field

The present invention relates to a method and apparatus for communicating in a communication network, and more particularly to a method and apparatus for secure communication based on broadcast or multicast in a communication network.

Background

In current communication networks, broadcast and multicast technology is increasingly widely used; network operators that communicate with multiple users based on broadcast or multicast can save a large amount of communication resources. Cell Broadcast Services (hereinafter CBS) in wireless communication networks are a typical example: operators can use CBS to provide the same service content, such as weather forecasts, business news and traffic information, to a wide range of users. CBS can be implemented through the Cell Broadcast CHannel (hereinafter CBCH) in the cell radio channel. Much of the information provided through CBS is paid for or subscribed to, that is, the operator must be able to ensure that only subscribed users can obtain the content provided by CBS and that charging is correct, and that non-subscribed users who have not paid cannot obtain the content. In general, CBS can be provided by a Short Message Service (hereinafter SMS) based on the Cell Broadcast CHannel (CBCH) in the cell radio channel. However, the short messages currently sent in the CBCH are transmitted in plaintext, that is, in unencrypted form. Therefore, CBS that currently broadcasts short messages over the cell broadcast channel cannot distinguish subscribed users from non-subscribed users; in other words, it cannot communicate securely with subscribed users.

In the prior art, the Push function of the Generic Bootstrapping Architecture (GBA) defined in 3GPP TS33.223 provides a downlink point-to-point secure communication method. However, because of its point-to-point nature, it is not suitable for providing secure communication for CBS-based point-to-multipoint broadcast or multicast.

Summary of the invention

To solve the problem in the prior art that secure communication cannot be performed based on broadcast or multicast, the present invention proposes that a broadcast or multicast server encrypts the content to be sent to generate encrypted content, and then sends the encrypted content to one or more user equipments based on broadcast or multicast; each user equipment receives the encrypted content sent based on broadcast or multicast from the broadcast or multicast server, and decrypts the received encrypted content to restore the original unencrypted content.

Specifically, according to a first aspect of the present invention, there is provided a method, in a broadcast or multicast server in a communication network, for secure communication based on broadcast or multicast with one or more corresponding user equipments used by one or more users, characterized by comprising the following steps: a. encrypting the content to be sent to generate encrypted content; b. sending the encrypted content to the one or more user equipments based on broadcast or multicast.

According to a second aspect of the present invention, there is provided a method, in a user equipment used by a user of a communication network, for secure communication based on broadcast or multicast with a broadcast or multicast server, comprising the following steps: A. receiving the encrypted content sent based on broadcast or multicast from the broadcast or multicast server; B. decrypting the received encrypted content to restore the original unencrypted content.

According to a third aspect of the present invention, there is provided an apparatus, in a broadcast or multicast server in a communication network, for secure communication based on broadcast or multicast with one or more corresponding user equipments used by one or more users, characterized in that it comprises: an encryption processing device for encrypting the content to be sent to generate encrypted content; and an encrypted content sending device for sending the encrypted content by broadcast or multicast to the one or more user equipments.

According to a fourth aspect of the present invention, there is provided an apparatus, in a user equipment used by a user of a communication network, for secure communication based on broadcast or multicast with a broadcast or multicast server, comprising: an encrypted content receiving device for receiving encrypted content sent by broadcast or multicast from the broadcast or multicast server; and a decryption processing device for decrypting the received encrypted content to restore the original unencrypted content.

The method and apparatus provided by the present invention fill the technical gap in current communication networks regarding secure communication with subscribed users based on broadcast or multicast. By using point-to-multipoint communication they save a large amount of communication resources in the network, and they ensure secure communication between the operator and subscribed users and therefore correct billing. Preferably, the method and apparatus provided by the present invention do not require major changes to existing secure communication standards, security modules or secure communication equipment, so the invention is low in cost, easy to deploy, and has good commercial prospects.

Brief Description of the Drawings

The features, objects and advantages of the present invention can be understood more easily by reading the following detailed description of non-limiting embodiments with reference to the accompanying drawings, in which the same reference numerals denote the same or similar elements.

Figure 1 is a schematic diagram of the network topology in which the broadcast server 1 carries out broadcast-based secure communication with multiple mobile terminals 2a and 2b, according to one specific embodiment of the present invention;

Figure 2 is a flow chart of the method by which the broadcast server 1 carries out broadcast-based secure communication with the mobile terminal 2a, according to one specific embodiment of the present invention;

Figure 3 is a schematic diagram of the network topology in which the broadcast server 1 carries out broadcast-based secure communication with multiple mobile terminals 2a and 2b, according to another specific embodiment of the present invention;

Figure 4 is a flow chart of the method by which the broadcast server 1 carries out broadcast-based secure communication with the mobile terminal 2a, according to another specific embodiment of the present invention;

Figure 5 is a block diagram of the apparatus by which the broadcast server 1 and the mobile terminal 2a carry out broadcast-based secure communication, and of its working process, according to yet another specific embodiment of the present invention;

Figure 6 is a block diagram of the apparatus by which the broadcast server 1 and the mobile terminal 2a carry out broadcast-based secure communication, and of its working process, according to a further specific embodiment of the present invention.

Detailed Description

In the following, with reference to Figures 1 to 4, the method according to the present invention by which a broadcast server communicates securely, based on broadcast, with multiple corresponding user equipments used by multiple users is first described in detail.

First Embodiment

Figure 1 is a schematic diagram of the network topology in which the broadcast server 1 carries out broadcast-based secure communication with multiple mobile terminals 2a and 2b, according to one specific embodiment of the present invention. The communication network is a wireless communication network, for example a 3G wireless communication network. The network includes the broadcast server 1, which uses the CBS-based short message service for secure communication, and the mobile terminals 2a and 2b; it also includes a content provider server (Content Provider, CP) 3 connected to the broadcast server 1, and a mobile terminal 2c that has not subscribed with the operator for secure communication. The figure omits the Short Message Gateway (SMG) or Short Message Service Center (SMSC) through which the broadcast server 1 and the mobile terminals communicate securely by short message, as well as base stations, relay stations and other communication equipment. Those skilled in the art will understand that the present invention is not limited to the 3G wireless communication network and network topology shown in Figure 1; it applies equally to other networks such as 2G or 2.5G wireless communication networks, to other network topologies, and to other communication networks that support broadcast or multicast, and the applicant also gives embodiments applying the invention to other scenarios in this specification.

Figure 2 is a flow chart of the method by which the broadcast server 1 carries out broadcast-based secure communication with the mobile terminal 2a, according to one specific embodiment of the present invention. The broadcast server 1 may consist of a Cell Broadcast Center and Cell Broadcast Equipment, and is used to broadcast the encrypted content to the mobile terminals over the cell broadcast channel.

With reference to Figures 1 and 2, the following describes in detail the process according to the present invention in which the broadcast server 1 broadcasts content encrypted with a content key to the mobile terminals, and the mobile terminals, already holding in advance the content decryption information that works together with the content key, can directly decrypt the content encrypted with the content key.

First, the content provider server 3 supplies the content to be delivered to subscribers to the broadcast server 1. The content may be weather forecasts, business news, traffic information and the like, as described earlier, and the content delivered to every subscriber is the same. The broadcast server 1 thus obtains the content to be sent to subscribers.

In step S10, the broadcast server 1 encrypts the content to be sent to subscribers, generating encrypted content.

Specifically, in step S101, the broadcast server 1 obtains the content key K_sms used to encrypt the content. The content key K_sms may be based on a symmetric key (that is, the encryption key is the same as the decryption key, or the decryption key can be derived from the encryption key) or on an asymmetric key (that is, the encryption key differs from the decryption key, and the decryption key cannot be derived from the encryption key). We list the following two cases, in both of which the broadcast server 1 does not currently need to provide the content key K_sms to the mobile terminal:

A. The symmetric content key K_sms was generated in advance by the broadcast server 1 and has already been provided to the mobile terminal, for example burned into the user's SIM (Subscriber Identity Module) card or into the mobile terminal, and the key is pre-stored on the broadcast server 1; the broadcast server 1 then obtains the pre-stored content key K_sms;

B. The symmetric content key K_sms is provided to the broadcast server 1 by the content provider server 3, and the content provider server 3 also provides the content key K_sms to the mobile terminal. In this case the broadcast server 1 has weaker management and control over the key.

After obtaining the content key K_sms, in step S102 the broadcast server 1 encrypts the content to be sent with the obtained content key K_sms, generating content encrypted with the content key K_sms. The specific techniques for encrypting plaintext with a key to obtain ciphertext are well known to those skilled in the art and are not described further here.

Then, in step S11, the broadcast server 1 sends the content encrypted with the content key K_sms to the mobile terminal 2a by broadcast.

Next, in step S20, the mobile terminal 2a receives the encrypted content sent by broadcast from the broadcast server 1.

Specifically, the broadcast server 1 places the content encrypted with the content key K_sms in a short message and, through the short message gateway or short message service center, provides it to the cell base station serving the mobile terminal 2a; the cell base station broadcasts the short message on the cell broadcast channel (CBCH) of that cell. The mobile terminal 2a receives, on the cell broadcast channel, the short message containing the content encrypted with the content key K_sms and extracts from it the content encrypted with K_sms. Note that the mobile terminal 2b of a subscriber in the same cell who subscribes to the same content, and the non-subscriber's mobile terminal 2c, can also receive on the cell broadcast channel the short message containing the content encrypted with K_sms. Note also that the way in which the broadcast server 1 broadcasts encrypted content to mobile terminals is not limited to that of this embodiment; those of ordinary skill in the art can, under the teaching of the present invention, make appropriate adjustments for the actual wireless network, and all such adjustments fall within the scope protected by the claims of the present invention.

Next, in step S22, the mobile terminal 2a decrypts the received encrypted content to restore the original unencrypted content.

Specifically, before step S22, in step S21 the mobile terminal 2a obtains the content decryption information corresponding to the content key K_sms. When the content key K_sms is a symmetric key, K_sms is itself the corresponding content decryption information; when K_sms is an asymmetric key, the key that works together with it must be obtained. Corresponding to cases A and B listed above respectively:

A'. The symmetric content key K_sms generated in advance was provided by the broadcast server 1 to the mobile terminal 2a before this secure communication, for example burned into the user's SIM card or into the mobile terminal; the mobile terminal 2a then obtains the pre-stored content key K_sms;

B'. The symmetric content key K_sms was provided to the mobile terminal 2a by the corresponding content provider server 3 before this secure communication.

Then, in step S22, the mobile terminal 2a uses the content decryption information corresponding to the content key K_sms obtained in step S21 to decrypt the content, encrypted with K_sms, that it received by broadcast from the broadcast server 1, restoring the original unencrypted content.

Likewise, the mobile terminal 2b of a subscriber to the same content has obtained the content decryption information corresponding to the content key K_sms in a step similar to step S21 and performs a step similar to step S22 above, so it too can obtain the original unencrypted content. The user of the mobile terminal 2c, by contrast, is not a subscriber to the content and has not obtained the content decryption information corresponding to K_sms, so that terminal cannot decrypt the received content encrypted with K_sms. This ensures the security of the communication between the broadcast server 1 and the mobile terminals 2a and 2b.

It will be understood that the mobile terminals 2a and 2b may belong to the same base station cell or to different cells.

The first embodiment above described in detail the case in which the broadcast server 1 broadcasts content encrypted with a content key to the mobile terminals, and the mobile terminals, already holding in advance the content decryption information that works together with the content key, can directly decrypt that content. The following describes in detail a technical solution according to the present invention in which, preferably, the broadcast server additionally encrypts the content key itself: it obtains encryption assistance information corresponding to each user, encrypts the content key with that encryption assistance information, and then provides the content key encrypted with the encryption assistance information to the mobile terminal.

Second Embodiment

Figure 3 is a schematic diagram of the network topology in which the broadcast server 1 carries out broadcast-based secure communication with multiple mobile terminals 2a and 2b, according to another specific embodiment of the present invention. In addition to the topology shown in Figure 1, the communication network includes a Bootstrapping Server Function-Push (BSF Push) 4 connected to the broadcast server 1, and a Home Location Register/Home Subscriber Server (HLR/HSS) 5 connected to the BSF Push 4. The broadcast server 1 may comprise two parts. One part is the cell broadcast service system (CBS System), made up of the Cell Broadcast Center and Cell Broadcast Equipment, which broadcasts the content encrypted with the content key to the mobile terminals over the cell broadcast channel. The other part is the cell broadcast service subscriber manager (CBS Subscriber Management), which encrypts the content key according to the encryption assistance information and provides the encrypted content key over the Upa interface, by short message or by other means, to the subscribers of the cell broadcast service.

Figure 4 is a flow chart of the method by which the broadcast server 1 carries out broadcast-based secure communication with the mobile terminal 2a, according to another specific embodiment of the present invention.

As shown in the figure, in step S101' the broadcast server 1 obtains a content key for encrypting the content. Specifically, the broadcast server 1 may generate a symmetric content key K_sms' from a random number generated at that moment and the identification information of the content provider server 3, based on a symmetric key algorithm such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard).

The broadcast server 1 then performs steps similar to those of the first embodiment. In step S102' it encrypts the content provided by the content provider server 3 with K_sms', and in step S11' it sends the content encrypted with the content key K_sms' to the mobile terminal 2a by broadcast. Preferably, the broadcast server 1 places the content encrypted with K_sms' in a short message and, through the short message gateway or short message service center, provides it to the cell base station serving the mobile terminal 2a; the cell base station broadcasts the short message on the cell broadcast channel (CBCH) of that cell. The mobile terminal 2a receives, on the cell broadcast channel, the short message containing the content encrypted with K_sms' and extracts from it the content encrypted with K_sms'. Note that the mobile terminal 2b of a subscriber in the same cell who subscribes to the same content, and the non-subscriber's mobile terminal 2c, can also receive on the cell broadcast channel the short message containing the content encrypted with K_sms'.

Next, in step S20', the mobile terminal 2a receives the content, encrypted with the content key K_sms', sent by broadcast from the broadcast server 1. In a similar step S20" (not shown in the figure), the mobile terminal 2b receives the content, encrypted with K_sms', sent by broadcast from the broadcast server 1. The non-subscriber's mobile terminal 2c can also receive the encrypted content.

Independently of the steps above, in step S12' the broadcast server 1 obtains the encryption assistance information corresponding respectively to user a, who owns the mobile terminal 2a, and user b, who owns the mobile terminal 2b. This encryption assistance information is used to encrypt the content key K_sms'.

A. Specifically, in one case the encryption assistance information is based on asymmetric key technology. For example, the encryption assistance information corresponding to user a is user a's public key, while user a holds on the mobile terminal 2a the private key that works together with that public key, that is, the decryption key; the same holds for user b. The broadcast server 1 then obtains the respective public keys of users a and b. In one variant the broadcast server 1 stores the public key locally and reads it directly; in another variant the public key is provided to the broadcast server 1 by the content provider server 3 or by another security management server.

B. In another, preferred case, the encryption assistance information is a symmetric encryption key related to the identities of users a and b; users a and b can generate the same encryption key, or the corresponding decryption assistance information, on their mobile terminals based on their user identities. In this case, in step S121', the broadcast server 1, based on GBA push technology, requests from the bootstrapping server function push (BSF) 4, over the Zpn interface, the Generic Bootstrapping Architecture push information of user a and user b. The push information contains the identity-related information Ks_NAF/Ks_ext_NAF, Ks_int_NAF used to generate the encryption key, the AUTN and RAND from the user's quintuple authentication vector, the U/M flag identifying whether GBA_U or GBA_ME is used, the lifetime of the key, the ID of the broadcast server, the user's private identity ID, the MAC, and so on. If the bootstrapping server function push 4 does not yet hold the identity information of user a and/or b locally, it additionally requests and obtains, over the Zh interface, from the HLR/HSS 5 to which user a and/or b belongs, the user's quintuple authentication vector CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN, generates the Generic Bootstrapping Architecture push information of user a and/or b from the CK and IK information, and then provides the push information of users a and b to the broadcast server 1.

Then, in step S122', the broadcast server 1 generates the respective encryption keys K_cbs' of users a and b from the obtained Ks_NAF/Ks_ext_NAF, Ks_int_NAF information of each user.

The process above, in which the broadcast server 1 interacts with the bootstrapping server function push 4 to obtain the Generic Bootstrapping Architecture push information and generates the encryption key K_cbs' related to the user's identity information, is similar to the process in the prior-art Generic Bootstrapping Architecture used for one-to-one secure communication. For the detailed procedure see the standard 3GPP TS 33.223 V800; it is not repeated in this specification.

Next, in step S13', the broadcast server 1 encrypts the content key K_sms' with the obtained encryption assistance information of each of users a and b, for example the user's public key or encryption key K_cbs', generating for each of users a and b a content key K_sms' encrypted with the corresponding encryption assistance information.

Then, in step S14', the broadcast server 1 sends the content key K_sms' encrypted with the encryption assistance information of user a and of user b to their respective mobile terminals 2a and 2b.

Preferably, the broadcast server 1 sends the content key K_sms', encrypted with the encryption assistance information corresponding to users a and b, to users a and b respectively by short message through the short message gateway or short message service center.

Then, in step S21' and step S21" (not shown in the figure), the mobile terminals 2a and 2b each obtain the content decryption information that works together with the content key K_sms'. The description below is given from the point of view of the mobile terminal 2a; the mobile terminal 2b performs similar steps.

Specifically, in step S211', the mobile terminal 2a receives from the broadcast server 1 the content key K_sms' encrypted with the encryption assistance information corresponding to user a, and obtains the decryption assistance information that works together with that encryption assistance information.

A'. In one case, corresponding to case A above, the encryption assistance information is based on asymmetric key technology, for example user a's public key. The mobile terminal 2a then obtains the private key corresponding to that public key as the decryption assistance information, in order to decrypt the content key K_sms' encrypted with the public key. The implementation of asymmetric encryption techniques such as public and private keys is well known to those skilled in the art and is not described further here. Those of ordinary skill in the art can modify this embodiment as appropriate to actual needs, and all such modifications fall within the scope of protection of the present invention.

B'. In another case, corresponding to case B above, the encryption assistance information is the symmetric encryption key K_cbs' related to the identity of user a, and user a can generate the same encryption key, or the corresponding decryption assistance information, on the mobile terminal 2a. Specifically, in step S2111', based on GBA push technology and using the GBA Push information obtained from the bootstrapping server function push (BSF) 4, the mobile terminal 2a generates the quintuple authentication vector CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN in the same way as the HLR/HSS, and then generates the Ks_NAF/Ks_ext_NAF, Ks_int_NAF information in the same way as the BSF Push function.

Then, in step S2112', the mobile terminal 2a generates the symmetric encryption key K_cbs', or the decryption key that works together with it, from the identity-related information Ks_NAF/Ks_ext_NAF, Ks_int_NAF. Note that the method by which the terminal generates the encryption key K_cbs', or the decryption key that works together with K_cbs', must correspond to the method by which the broadcast server 1 generates the encryption key K_cbs', so that the key the terminal generates is consistent with the encryption key K_cbs' used by the broadcast server 1. In general this consistency can be agreed in advance between the user, the operator and the broadcast server, for example burned into the user's SIM card or negotiated before each communication.

The process above, in which the mobile terminal 2a authenticates to and interacts with the bootstrapping server function push 4 to obtain the Generic Bootstrapping Architecture push information, is similar to the process in the prior-art Generic Bootstrapping Architecture used for one-to-one secure communication; see 3GPP TS 33.223 V800.

Note that in case B-B' above, through the interaction of the broadcast server 1 and the mobile terminal with the bootstrapping server function push 4 described above, the present invention makes use of the existing Generic Bootstrapping Architecture (GBA) push technology and makes no major modification to existing standards, methods or apparatus. This saves substantial cost, so the solution can be accepted by the market and has good commercial prospects.

Then, in step S212', the mobile terminal 2a uses the acquired decryption auxiliary information to decrypt the content key Ksms' that was encrypted with the encryption auxiliary information corresponding to user a, and obtains the content key Ksms' as the corresponding content decryption information.

Finally, in step S22', the mobile terminal 2a uses the content key Ksms' to decrypt the content encrypted with the content key Ksms', restoring the original unencrypted content.

Similarly, the mobile terminal 2b of user b, who also subscribes to the content, performs similar steps. Because the broadcast server 1 also sends the mobile terminal 2b the content key Ksms' encrypted with the encryption auxiliary information corresponding to user b, the mobile terminal 2b can obtain the decryption auxiliary information that works with user b's encryption auxiliary information, recover the content key Ksms', and then decrypt the content encrypted with Ksms' to restore the original unencrypted content.

By contrast, the mobile terminal 2c of user c, who has not subscribed to the content, does not receive a content key Ksms' encrypted with encryption auxiliary information corresponding to user c, and cannot decrypt a content key Ksms' encrypted with the encryption auxiliary information of other users. It therefore cannot obtain the content key Ksms', cannot decrypt the content encrypted with Ksms', and cannot obtain the original unencrypted content. This secures the content communication between the broadcast server 1 and the mobile terminals 2a and 2b of the subscribing users a and b.

Note that the keys used for encryption in the present invention, such as the content key and the encryption auxiliary information, cover any algorithm, or algorithm together with its parameters, used to encrypt plaintext into ciphertext; likewise, the keys used for decryption, such as the content decryption information and the decryption auxiliary information, cover any algorithm, or algorithm together with its parameters, used to decrypt ciphertext produced with the corresponding encryption key back into plaintext. The specific encryption principles and methods are well known to those skilled in the art and all fall within the scope of protection of the present invention.

In the first and second embodiments above, the broadcast server 1 fully encrypts the content to be sent. Note that the present invention can also be used in a secure communication process based on digital signatures and certificates. Specifically, the broadcast server 1 hashes the content to be sent with a predetermined hash algorithm to obtain a content digest, and encrypts the digest with the content key Ksms. The broadcast server 1 then broadcasts the content to the mobile terminals in plaintext, and also broadcasts the content digest encrypted with the content key Ksms. Each mobile terminal receives the content broadcast in plaintext and computes a digest of the received content with the same hash algorithm. It also receives the content digest encrypted with Ksms and, by a process similar to that of the first or second embodiment, obtains the content decryption information that works with the content key Ksms of the broadcast server 1, and so decrypts the digest. Finally, the mobile terminal compares the decrypted digest with the digest it computed from the received content to determine whether they are identical, and thereby confirms that the content it received was sent by the broadcast server 1 and was not altered in transit.
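The two flows described above (content encrypted once under Ksms' with Ksms' wrapped per subscriber under Kcbs', and the digest variant), shown as an added example that is not code from the patent. The cipher is an encrypt-then-MAC stand-in built from HMAC-SHA256 so that it runs on the standard library alone; the `derive_kcbs` derivation, the server identifier and all key values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as the stream of the stand-in cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; stand-in for an AEAD such as AES-GCM (assumption)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError on a wrong key or modified data."""
    if len(blob) < 48:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kcbs(ks_naf: bytes, server_id: bytes) -> bytes:
    """Hypothetical Kcbs' derivation; server and terminal must use the same one."""
    return hmac.new(ks_naf, b"Kcbs'|" + server_id, hashlib.sha256).digest()


def wrap_content_key(ksms: bytes, subscribers: dict, server_id: bytes) -> dict:
    """Server: one wrapped copy of Ksms' per subscriber, under that user's Kcbs'."""
    return {user: seal(derive_kcbs(ks_naf, server_id), ksms)
            for user, ks_naf in subscribers.items()}


def terminal_decrypt(ks_naf, server_id, wrapped_key, broadcast_blob) -> bytes:
    """Terminal: rebuild Kcbs', unwrap Ksms', then decrypt the broadcast."""
    ksms = unseal(derive_kcbs(ks_naf, server_id), wrapped_key)
    return unseal(ksms, broadcast_blob)


def digest_for_broadcast(ksms: bytes, content: bytes):
    """Digest variant: content stays in clear, only its SHA-256 digest is encrypted."""
    return content, seal(ksms, hashlib.sha256(content).digest())


def terminal_verify(ksms: bytes, content: bytes, sealed_digest: bytes) -> bool:
    """Compare the decrypted digest with one computed over the received content."""
    try:
        sent = unseal(ksms, sealed_digest)
    except ValueError:
        return False
    return hmac.compare_digest(sent, hashlib.sha256(content).digest())


def run_demo() -> dict:
    server_id = b"cbs.example"                     # constructed identifier
    ks_naf = {u: os.urandom(32) for u in "abc"}    # constructed per-user secrets
    subscribers = {u: ks_naf[u] for u in "ab"}     # user c has not subscribed
    ksms = os.urandom(32)
    wrapped = wrap_content_key(ksms, subscribers, server_id)
    content = b"Weather: sunny, 21 C"
    blob = seal(ksms, content)                     # one ciphertext for the whole cell
    result = {u: terminal_decrypt(ks_naf[u], server_id, wrapped[u], blob)
              for u in "ab"}
    try:                                           # c holds only its own Ks_NAF
        terminal_decrypt(ks_naf["c"], server_id, wrapped["a"], blob)
        result["c"] = "decrypted"
    except ValueError:
        result["c"] = None
    clear, sealed_digest = digest_for_broadcast(ksms, content)
    result["intact"] = terminal_verify(ksms, clear, sealed_digest)
    result["tampered"] = terminal_verify(ksms, clear + b"!", sealed_digest)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Because Ksms is shared by every subscriber, the digest check separates holders of the key from non-holders; it cannot tell one subscriber's message from the server's.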

The two embodiments above describe in detail the method according to the present invention for secure communication based on broadcast in a wireless communication network. Those skilled in the art will understand that the present invention applies equally to secure communication based on multicast in a wireless communication network. Specifically, before a multicast server sends the encrypted content to multiple user devices by multicast, it must first establish a multicast channel with those user devices and then send the encrypted content to them over the multicast channel; correspondingly, each user device must first establish the multicast channel with the multicast server and then receive the encrypted content from the multicast server over it. The rest of the encryption and decryption process is similar to that described above and is not repeated here.

The method according to the present invention by which a broadcast server communicates securely, based on broadcast, with multiple corresponding user devices used by multiple users has been described in detail above. The apparatus according to the present invention for such communication, and its operation, are described in detail below with reference to FIG. 4 and FIG. 5.

Third embodiment

FIG. 1 is a schematic diagram of the network topology in which the broadcast server 1 performs broadcast-based secure communication with multiple mobile terminals 2a and 2b according to one specific embodiment of the present invention. FIG. 4 is a block diagram of the apparatus by which the broadcast server 1 and the mobile terminal 2a perform broadcast-based secure communication, and of its operation, according to a further specific embodiment of the present invention. The broadcast server 1 includes an apparatus 10 for secure broadcast-based communication with the multiple corresponding mobile terminals used by multiple users; the apparatus 10 includes an encryption processing device 101 and an encrypted content sending device 102, and the encryption processing device 101 further includes a content key acquisition device 1011. The mobile terminal 2a includes an apparatus 20 for secure broadcast-based communication with the broadcast server 1; the apparatus 20 includes an encrypted content receiving device 201, a second acquisition device 202 and a decryption processing device 203. The broadcast server 1 may consist of a Cell Broadcast Center and Cell Broadcast Equipment, which broadcast the encrypted content to the mobile terminals over the cell broadcast channel.

With reference to FIG. 1 and FIG. 4, the following describes in detail the apparatus, and its operation, for the case according to the present invention in which the broadcast server 1 broadcasts content encrypted with a content key to the mobile terminals, and the mobile terminals already hold the content decryption information that works with the content key and can decrypt the content directly.

First, the content providing server 3 supplies the broadcast server 1 with the content to be provided to subscribers. The content may be, for example, a weather forecast as mentioned earlier, and is the same for every subscriber. The broadcast server 1 thus obtains the content to be sent to subscribers.

The encryption processing device 101 encrypts the content to be sent to subscribers, producing the encrypted content.

The content key acquisition device 1011 obtains the content key Ksms used to encrypt the content. The content key Ksms may be a symmetric key (the encryption key and decryption key are the same, or the decryption key can be derived from the encryption key) or an asymmetric key (the encryption key and decryption key differ, and the decryption key cannot be derived from the encryption key). We list the following two cases, in both of which the broadcast server 1 does not currently need to provide the content key Ksms to the mobile terminals:

A. The symmetric content key Ksms was generated by the broadcast server 1 in advance and has already been provided to the mobile terminal, for example fixed in the user's SIM (Subscriber Identity Module) card or in the mobile terminal. The key is pre-stored on the broadcast server 1, and the content key acquisition device 1011 reads the pre-stored content key Ksms;

B. The symmetric content key Ksms is supplied to the content key acquisition device 1011 by the content providing server 3, which also supplies the content key Ksms to the mobile terminals. In this case the broadcast server 1 has weaker management and control over the key;

After obtaining the content key Ksms, the encryption processing device 101 encrypts the content to be sent with the obtained content key, producing the content encrypted with the content key Ksms. The techniques for encrypting plaintext with a key to obtain ciphertext are well known to those skilled in the art and are not described here.

The encrypted content sending device 102 then sends the content encrypted with the content key Ksms to the mobile terminal 2a by broadcast.

Next, the encrypted content receiving device 201 of the apparatus 20 of the mobile terminal 2a receives the encrypted content sent by broadcast from the broadcast server 1.

Specifically, the encrypted content sending device 102 places the content encrypted with the content key Ksms in a short message and delivers it, through a short message gateway or short message service center, to the base station of the cell to which the mobile terminal 2a belongs; the base station broadcasts the short message on the cell broadcast channel (CBCH) of that cell. The encrypted content receiving device 201 receives the short message containing the content encrypted with Ksms on the cell broadcast channel and extracts the encrypted content from it. Note that the mobile terminal 2b of a subscriber to the same content in the same cell, and the mobile terminal 2c of a non-subscriber, can also receive the short message containing the content encrypted with Ksms on that cell broadcast channel. Note also that the way the encrypted content sending device 102 broadcasts the encrypted content to mobile terminals is not limited to this embodiment; a person of ordinary skill in the art can, following the teaching of the present invention, make suitable adjustments for the actual wireless network, and such adjustments fall within the scope protected by the claims of the present invention.

Next, the decryption processing device 203 decrypts the received encrypted content to restore the original unencrypted content.

Specifically, the second acquisition device 202 obtains the content decryption information corresponding to the content key Ksms. When the content key Ksms is a symmetric key, Ksms is itself the corresponding content decryption information; when Ksms is an asymmetric key, the key that works with it must be obtained. Corresponding to the three cases A, B and C listed above:

A'. The symmetric content key Ksms generated in advance was provided by the broadcast server 1 to the mobile terminal 2a before this secure communication, for example fixed in the user's SIM card or in the mobile terminal, and the second acquisition device 202 reads the pre-stored content key Ksms;

B'. The symmetric content key Ksms was provided to the second acquisition device 202 by the corresponding content providing server 3 before this secure communication.

The decryption processing device 203 then uses the content decryption information corresponding to the content key Ksms, obtained by the second acquisition device 202, to decrypt the content received by broadcast from the broadcast server 1 and encrypted with Ksms, restoring the original unencrypted content.

Likewise, the mobile terminal 2b of a subscriber to the same content, with a similar encrypted content receiving device, has obtained the content decryption information corresponding to the content key Ksms, and through a similar second acquisition device and decryption processing device it can also obtain the original unencrypted content. The user of the mobile terminal 2c, by contrast, is not a subscriber to the content; its similar second acquisition device has not obtained the content decryption information corresponding to Ksms, so its similar decryption processing device cannot decrypt the received content encrypted with Ksms. This ensures the security of communication between the broadcast server 1 and the mobile terminals 2a and 2b.

It will be understood that the mobile terminals 2a and 2b may belong to the same base station cell or to different cells.

The third embodiment above describes in detail the case in which the broadcast server 1 broadcasts content encrypted with a content key to the mobile terminals, which already hold the content decryption information that works with the content key and can decrypt the content directly. The following describes in detail a technical solution according to the present invention in which, preferably, the broadcast server additionally encrypts the content key: it obtains encryption auxiliary information corresponding to each user, encrypts the content key with that information, and then provides the encrypted content key to the mobile terminal.

Fourth embodiment

FIG. 3 is a schematic diagram of the network topology in which the broadcast server 1 performs broadcast-based secure communication with multiple mobile terminals 2a and 2b according to another specific embodiment of the present invention. FIG. 6 is a block diagram of the apparatus by which the broadcast server 1 and the mobile terminal 2a perform broadcast-based secure communication, and of its operation, according to another specific embodiment of the present invention. The broadcast server 1 includes an apparatus 10' for secure broadcast-based communication with the multiple corresponding mobile terminals used by multiple users. The apparatus 10' includes an encryption processing device 101', an encrypted content sending device 102', a first acquisition device 103', a content key encryption device 104' and a content key sending device 105'; the encryption processing device 101' further includes a content key acquisition device 1011', and the first acquisition device 103' may further include a first push information acquisition device 1031'.

The encryption processing device 101' and the encrypted content sending device 102' may form a cell broadcast service system (CBS System) consisting of Cell Broadcast Equipment and a Cell Broadcast Center, which broadcasts the content encrypted with the content key to the mobile terminals over the cell broadcast channel. The first acquisition device 103', the content key encryption device 104' and the content key sending device 105' may form a cell broadcast service subscriber manager (CBS Subscriber Management), which encrypts the content key with the encryption auxiliary information and provides the encrypted content key to subscribers of the cell broadcast service over the Upa interface by short message or other means. The mobile terminal 2a includes an apparatus 20' for secure broadcast-based communication with the broadcast server 1; the apparatus 20' includes an encrypted content receiving device 201', a second acquisition device 202' and a decryption processing device 203'. The second acquisition device 202' further includes a processing device 2021', which may further include a second push information acquisition device 20211'.

As shown in the figure, the content key acquisition device 1011' obtains a content key for encrypting the content. Specifically, the content key acquisition device 1011' may generate a symmetric-encryption content key Ksms' from a freshly generated random number and the identification information of the content providing server 3, using a symmetric key algorithm such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard).

The broadcast server 1 then operates as in the third embodiment: the encryption processing device 101' encrypts the content supplied by the content providing server 3 with Ksms', and the encrypted content sending device 102' sends the content encrypted with the content key Ksms' to the mobile terminal 2a by broadcast. Preferably, the encrypted content sending device 102' places the content encrypted with Ksms' in a short message and delivers it, through a short message gateway or short message service center, to the base station of the cell to which the mobile terminal 2a belongs; the base station broadcasts the short message on the cell broadcast channel (CBCH) of that cell. The mobile terminal 2a receives the short message containing the content encrypted with Ksms' on the cell broadcast channel and extracts the encrypted content from it. Note that the mobile terminal 2b of a subscriber to the same content in the same cell, and the mobile terminal 2c of a non-subscriber, can also receive the short message containing the content encrypted with Ksms' on that cell broadcast channel.

Next, the encrypted content receiving device 201' of the apparatus 20' of the mobile terminal 2a receives the content encrypted with the content key Ksms' and sent by broadcast from the broadcast server 1. A similar encrypted content receiving device in the mobile terminal 2b receives the same broadcast content encrypted with Ksms'. The non-subscriber mobile terminal 2c can also receive the encrypted content.

Independently of the operation above, the first acquisition device 103' of the apparatus 10' of the broadcast server 1 obtains the encryption auxiliary information corresponding to user a, to whom the mobile terminal 2a belongs, and to user b, to whom the mobile terminal 2b belongs. The encryption auxiliary information is used to encrypt the content key Ksms'.

A. Specifically, in one case the encryption auxiliary information is based on asymmetric key technology. For example, the encryption auxiliary information corresponding to user a is user a's public key, while user a holds on the mobile terminal 2a the private key that works with that public key, that is, the decryption key; the same holds for user b. The broadcast server 1 obtains the public keys of users a and b. In one variant the broadcast server 1 stores the public keys locally and the first acquisition device 103' reads them directly; in another, the public keys are supplied to the first acquisition device 103' by the content providing server 3 or by another security management server.

B. In another, preferred case, the encryption auxiliary information is a symmetric encryption key related to the identity of users a and b; users a and b can generate the same encryption key, or the corresponding decryption auxiliary information, on their mobile terminals from their user identity. In this case the first push information acquisition device 1031' of the first acquisition device 103', using GBA push technology, requests the GBA push information for user a and user b from the bootstrap service push function (BSF) 4 over the Zpn interface. The push information contains the identity-related information Ks_NAF/Ks_ext_NAF, Ks_int_NAF used to generate the encryption key, the AUTN and RAND from the user's quintuple authentication vector, the U/M flag indicating GBA_U or GBA_ME, the key lifetime, the ID of the broadcast server, the user's private identity ID, a MAC, and so on.

If the bootstrap service push function 4 does not yet hold the identity information of user a and/or b locally, it also requests and obtains, over the Zh interface, the user's quintuple authentication vector (CK (Cipher Key), IK (Integrity Key), RAND, RES, AUTN) from the home location register / home subscriber server 5 to which user a and/or b belongs, generates the GBA push information for user a and/or b from the CK and IK information, and then supplies the push information for users a and b to the first push information acquisition device 1031'.

The first acquisition device 103' then generates the encryption key Kcbs' of each of users a and b from their respective Ks_NAF/Ks_ext_NAF, Ks_int_NAF information.

The process above by which the first push information acquisition device 1031' of the broadcast server 1 interacts with the bootstrap service push function 4 to obtain the GBA push information, and the process by which the first acquisition device 103' generates the encryption key Kcbs' related to the user's identity information, are similar to the processes in the prior-art Generic Bootstrapping Architecture for one-to-one secure communication. For details see the standard 3GPP TS 33.223 V800; they are not repeated in this specification.

Next, the content key encryption device 104' encrypts the content key Ksms' with the encryption auxiliary information obtained for each of users a and b, for example the user's public key or encryption key Kcbs', producing for each of users a and b a content key Ksms' encrypted with the corresponding encryption auxiliary information.

The content key sending device 105' then sends each of these encrypted content keys Ksms' to the corresponding mobile terminal, 2a for user a and 2b for user b.

Preferably, the content key sending device 105' sends the content keys Ksms' encrypted with the encryption auxiliary information corresponding to users a and b to users a and b respectively by short message, through a short message gateway or short message service center.

而后, 移动终端 2a的装置 20,的第二获取装置 202,的处理装置 202Γ , 及移动终端 2b 的类似的处理装置各自获取与内容密钥 Ksms, 配合工作的内容解密信息。 以下从移动终端 2a的角度进行说明。 Then, the processing device of the second acquisition device 202 of the device 20 of the mobile terminal 2a 202Γ, and similar processing devices of the mobile terminal 2b each acquire content decryption information that works in conjunction with the content key K sms . The following description will be made from the perspective of the mobile terminal 2a.

具体的, 处理装置 2021,接收来自广播服务器 1 的, 经与用户 a 对应的加密辅助信息加密的内容密钥 Ksms,,并获取与该加密辅助信息 配合工作的解密辅助信息。 Specifically, the processing device 2021 receives the content key K sms encrypted by the encrypted auxiliary information corresponding to the user a from the broadcast server 1, and acquires the decryption auxiliary information that works in cooperation with the encrypted auxiliary information.

A,.在一种情况下, 与上文情况 A对应的, 该加密辅助信息基于 非对称密钥技术, 例如, 是用户 a的公钥, 则处理装置 202Γ获取到 该公钥对应的私钥作为解密辅助信息, 以对经公钥加密的内容密钥 Ksms,进行解密。 可以理解, 公私钥等非对称加密技术的实现是本领域 技术人员所熟知的, 本发明在此不作赘述。 本领域一般技术人员可以 根据实际需求对本实施例进行适当的修改, 这些修改都应处于本发明 的保护范围。 A. In one case, corresponding to the case A above, the encryption auxiliary information is based on an asymmetric key technology, for example, is the public key of the user a, and the processing device 202 obtains the private key corresponding to the public key. As the decryption auxiliary information, the content key K sms encrypted by the public key is decrypted. It can be understood that the implementation of the asymmetric encryption technology such as the public and private keys is well known to those skilled in the art, and the present invention is not described herein. A person skilled in the art can appropriately modify the embodiment according to actual needs, and these modifications are all within the scope of the present invention.

B'. In another case, corresponding to case B above, the encryption auxiliary information is a symmetric encryption key Kcbs' related to the identity of user a, and user a can generate the same encryption key, or the corresponding decryption auxiliary information, on mobile terminal 2a. Specifically, the second push information obtaining device 20211' of the processing device 2021' works on the basis of GBA Push technology: from the GBA Push information obtained from the bootstrap service push function (BSF) 4, the mobile terminal generates the five-element authentication vector information CK (Cipher Key), IK (Integrity Key), RAND, RES and AUTN in the same way as the HLR/HSS, and then generates the Ks_NAF/Ks_ext_NAF and Ks_int_NAF information in the same way as the BSF Push function.

Then, the processing device 2021' generates the symmetric encryption key Kcbs', or a decryption key that works together with it, from the identity-related information Ks_NAF/Ks_ext_NAF and Ks_int_NAF. Note that its method of generating the encryption key Kcbs' must correspond to the method by which the first obtaining device 103' of broadcast server 1 generates the encryption key Kcbs'; alternatively, its method of generating the decryption key that works together with Kcbs' must correspond to the method by which the first obtaining device 103' of broadcast server 1 generates the encryption key Kcbs'. This ensures that the generated encryption key Kcbs', or the decryption key that works together with it, is consistent with the encryption key Kcbs' used by broadcast server 1. In general, this consistency can be agreed in advance between the user, the user's operator and the broadcast server, for example fixed in the user's SIM card or negotiated before each communication.

The process by which the second push information obtaining device 20211' authenticates and interacts with the bootstrap service push function 4 to obtain the push information of the generic bootstrapping architecture is similar to the process in the prior-art generic bootstrapping architecture used for one-to-one secure communication; see 3GPP [Figure imgf000022_0001]

Note that in case B-B' above, the present invention, through the interaction described above of broadcast server 1 and the mobile terminal with the bootstrap service push function 4, makes use of the existing Generic Bootstrapping Architecture (GBA) Push technology and makes no major modification to existing standards, methods and devices. It can therefore save considerable cost; in turn, the scheme can be accepted by the market and has good commercial prospects.

Then, the second obtaining device 202' uses the obtained decryption auxiliary information to decrypt the content key Ksms' that was encrypted with the encryption auxiliary information corresponding to user a, and obtains the content key Ksms' as the corresponding content decryption information.

Finally, the decryption processing device 203' uses the content key Ksms' to decrypt the content that was encrypted with the content key Ksms', restoring the original unencrypted content.

Similarly, the corresponding apparatus of mobile terminal 2b of user b, who also subscribes to the content, works in the same way. Because broadcast server 1 also sends mobile terminal 2b the content key Ksms' encrypted with the encryption auxiliary information corresponding to user b, the processing device of mobile terminal 2b can obtain the decryption auxiliary information that works together with the encryption auxiliary information corresponding to user b, its second obtaining device can recover the content key Ksms', and its decryption processing device can then decrypt the content that was encrypted with the content key Ksms', restoring the original unencrypted content.

The processing device of mobile terminal 2c of user c, who has not subscribed to the content, cannot receive a content key Ksms' encrypted with the encryption auxiliary information corresponding to user c, and its second obtaining device cannot decrypt a content key Ksms' that was encrypted with the encryption auxiliary information corresponding to another user. It therefore cannot obtain the content key Ksms', so its decryption processing device cannot decrypt the content encrypted with the content key Ksms' and cannot recover the original unencrypted content. In this way, the security of the content communication between broadcast server 1 and mobile terminals 2a and 2b of the content subscribers a and b is ensured.
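The key distribution described above for case B', as an added Python example that is not part of the patent: the content is encrypted once under Ksms', Ksms' is wrapped separately for each subscriber under a key Kcbs' derived from that subscriber's Ks_NAF, and a terminal recovers the content only if it holds the matching Ks_NAF and uses the same derivation as the server. The HMAC-based cipher (a stand-in for a vetted AEAD), the `derive_kcbs` function and its label, and all key values are assumptions constructed for illustration; the patent does not specify them.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher (assumption): HMAC-SHA256 keystream with
# encrypt-then-MAC, used only so the example runs on the standard library.
# A deployment would use a vetted AEAD such as AES-GCM.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt and authenticate; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# Hypothetical derivation parameter that server and terminal agree in advance
# (the patent only requires that both sides use corresponding methods).
KCBS_LABEL = b"kcbs-v1"

def derive_kcbs(ks_naf, label=KCBS_LABEL):
    """Per-user wrapping key Kcbs' from Ks_NAF (this KDF is an assumption)."""
    return _subkey(ks_naf, b"Kcbs|" + label)

class BroadcastServer:
    def __init__(self, subscriber_ks_naf):
        self.subscribers = dict(subscriber_ks_naf)   # user -> Ks_NAF
        self.content_key = secrets.token_bytes(32)   # Ksms'

    def broadcast(self, content):
        # One ciphertext for everyone listening on the broadcast channel.
        return seal(self.content_key, content)

    def wrapped_keys(self):
        # One wrapped copy of Ksms' per subscriber, sent point-to-point (SMS).
        return {user: seal(derive_kcbs(ks), self.content_key)
                for user, ks in self.subscribers.items()}

def terminal_decrypt(ks_naf, wrapped_key, broadcast_blob, label=KCBS_LABEL):
    content_key = unseal(derive_kcbs(ks_naf, label), wrapped_key)
    return unseal(content_key, broadcast_blob)

def _attempt(*args, **kwargs):
    try:
        return terminal_decrypt(*args, **kwargs)
    except ValueError:
        return None

CONTENT = b"constructed sample broadcast payload"

def demo():
    # Constructed Ks_NAF values; in the patent they come from GBA Push.
    ks_naf = {u: secrets.token_bytes(32) for u in ("a", "b", "c")}
    server = BroadcastServer({"a": ks_naf["a"], "b": ks_naf["b"]})
    blob = server.broadcast(CONTENT)
    wrapped = server.wrapped_keys()
    return {
        "a": _attempt(ks_naf["a"], wrapped["a"], blob),
        "b": _attempt(ks_naf["b"], wrapped["b"], blob),
        # User c hears the broadcast and a's key message but holds another Ks_NAF.
        "c_using_a_key_message": _attempt(ks_naf["c"], wrapped["a"], blob),
        # Subscriber a with a derivation that does not match the server's.
        "a_mismatched_derivation": _attempt(ks_naf["a"], wrapped["a"], blob,
                                            label=b"kcbs-v2"),
        "wrapped_for": sorted(wrapped),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two results show the two failure modes the description relies on: a non-subscriber fails the integrity check on another user's key message, and a subscriber whose derivation differs from the server's fails in the same way.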

Those skilled in the art will understand that the present invention is equally applicable to secure communication based on multicast in a wireless communication network. Specifically, the apparatus in a multicast server for secure communication, based on multicast, with multiple corresponding user equipments used by multiple users further comprises, in addition to the above, a first multicast channel establishing device for establishing a multicast channel with the multiple user equipments, and its encrypted content sending device is further used to send the encrypted content to the multiple user equipments over the multicast channel. Correspondingly, the apparatus in a user equipment for secure communication with the multicast server based on multicast further comprises, in addition to the above, a second multicast channel establishing device for establishing a multicast channel with the multicast server, and its encrypted content receiving device is used to receive the encrypted content from the multicast server over the multicast channel. The remaining encryption and decryption processes are similar to those described above and are not repeated here.

Those skilled in the art will understand that the present invention is not limited to the field of wireless communication; it is equally applicable in communication networks that support broadcast and/or multicast, such as IPTV.

Specific embodiments of the present invention have been described above. It should be noted that the present invention is not limited to the specific embodiments described above, and those skilled in the art may make various variations or modifications within the scope of the appended claims.

Claims

1. A method, in a broadcast or multicast server in a communication network, for secure communication based on broadcast or multicast with one or more corresponding user equipments used by one or more users, characterized by comprising the following steps:
a. encrypting the content to be sent, to generate encrypted content;
b. sending the encrypted content to the one or more user equipments based on broadcast or multicast.

2. The method according to claim 1, characterized in that step a comprises:
- obtaining a content key for encrypting the content to be sent;
- encrypting the content to be sent with the obtained content key, to generate content encrypted with the content key;
and step b comprises:
- sending the content encrypted with the content key to the one or more user equipments based on broadcast or multicast.

3. The method according to claim 2, characterized in that the method further comprises the following steps:
i. obtaining one or more pieces of encryption auxiliary information corresponding to the one or more users;
ii. encrypting the content key according to the obtained one or more pieces of encryption auxiliary information, to generate one or more content keys, corresponding to the one or more users, each encrypted with the corresponding encryption auxiliary information;
iii. sending the one or more content keys encrypted with encryption auxiliary information to the corresponding one or more user equipments.

4. The method according to claim 3, characterized in that step i further comprises:
i1. obtaining, for each of the one or more users, encryption auxiliary information related to the identity information of that user.

5. The method according to any one of claims 1 to 4, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and step b further comprises:
- sending the encrypted content to the one or more mobile terminals over the cell broadcast channel.

6. The method according to claim 5, characterized in that step i1 further comprises:
- obtaining, through the bootstrap service function, the respective generic bootstrapping architecture push information related to the identity information of the one or more users;
- obtaining the respective encryption auxiliary information of the one or more users according to the generic bootstrapping architecture push information.

7. The method according to claim 3, characterized in that step i further comprises:
i1'. obtaining the respective public key information of the one or more users as their corresponding encryption auxiliary information.

8. The method according to claim 7, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and step b further comprises:
- sending the encrypted content to the one or more mobile terminals over the cell broadcast channel.

9. The method according to any one of claims 5 to 8, characterized in that step iii further comprises:
- sending the one or more content keys encrypted with encryption auxiliary information to the corresponding one or more mobile terminals by short message.

10. The method according to any one of claims 1 to 4 and 7, characterized in that the broadcast or multicast service comprises a multicast service, the broadcast or multicast server comprises a multicast server, and the method further comprises, before step b:
- establishing a multicast channel with the one or more user equipments;
and step b further comprises:
- sending the encrypted content to the one or more user equipments over the multicast channel.

11. A method, in a user equipment used by a user of a communication network, for secure communication with a broadcast or multicast server based on broadcast or multicast, comprising the following steps:
A. receiving encrypted content sent based on broadcast or multicast from the broadcast or multicast server;
B. decrypting the received encrypted content, to restore the original unencrypted content.

12. The method according to claim 11, characterized in that the encrypted content comprises content encrypted with a content key, and the method comprises, before step B:
I. obtaining content decryption information that works together with the content key;
and step B further comprises:
- decrypting the content encrypted with the content key according to the content decryption information, to restore the original unencrypted content.

13. The method according to claim 12, characterized in that step I comprises the following steps:
I1. receiving, from the broadcast or multicast server, the content key encrypted with the encryption auxiliary information corresponding to the present user, and obtaining decryption auxiliary information that works together with the encryption auxiliary information;
I2. decrypting, according to the decryption auxiliary information, the content key encrypted with the encryption auxiliary information corresponding to the present user, and obtaining the content key as the corresponding content decryption information.

14. The method according to claim 13, characterized in that the encryption auxiliary information comprises encryption auxiliary information related to the identity information of the present user, and step I1 further comprises:
- obtaining decryption auxiliary information that is related to the identity information of the present user and works together with the encryption auxiliary information.

15. The method according to any one of claims 11 to 14, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and step A further comprises:
- receiving the encrypted content over the cell broadcast channel.

16. The method according to claim 15, characterized in that step I1 further comprises:
- obtaining, through the bootstrap service function, the generic bootstrapping architecture push information related to the identity information of the present user;
- obtaining the decryption auxiliary information related to the identity information of the user according to the generic bootstrapping architecture push information.

17. The method according to claim 13, characterized in that the encryption auxiliary information comprises the public key information of the present user, and step I1 further comprises:
- obtaining the private key information of the present user that works together with the public key information, as the corresponding decryption auxiliary information.

18. The method according to claim 17, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and step A further comprises:
- receiving the encrypted content over the cell broadcast channel.

19. The method according to any one of claims 15 to 18, characterized in that step I1 further comprises:
- receiving the content key, encrypted with the encryption auxiliary information corresponding to the present user, that the broadcast or multicast server sends by short message.

20. The method according to any one of claims 11 to 14 and 17, characterized in that the broadcast or multicast service comprises a multicast service, the broadcast or multicast server comprises a multicast server, and the method further comprises, before step A:
- establishing a multicast channel with the multicast server;
and step A further comprises:
- receiving the encrypted content over the multicast channel.

21. An apparatus, in a broadcast or multicast server in a communication network, for secure communication based on broadcast or multicast with one or more corresponding user equipments used by one or more users, characterized by comprising:
- an encryption processing device, for encrypting the content to be sent, to generate encrypted content;
- an encrypted content sending device, for sending the encrypted content to the one or more user equipments based on broadcast or multicast.

22. The apparatus according to claim 21, characterized in that the encryption processing device comprises:
- a content key obtaining device, for obtaining a content key for encrypting the content to be sent;
the encryption processing device is further used for:
encrypting the content to be sent with the obtained content key, to generate content encrypted with the content key;
and the encrypted content sending device is further used for:
sending the content encrypted with the content key to the one or more user equipments based on broadcast or multicast.

23. The apparatus according to claim 22, characterized in that the apparatus further comprises:
- a first obtaining device, for obtaining one or more pieces of encryption auxiliary information corresponding to the one or more users;
- a content key encryption device, for encrypting the content key according to the obtained one or more pieces of encryption auxiliary information, to generate one or more content keys, corresponding to the one or more users, each encrypted with the corresponding encryption auxiliary information;
- a content key sending device, for sending the one or more content keys encrypted with encryption auxiliary information to the corresponding one or more user equipments.

24. The apparatus according to claim 23, characterized in that the first obtaining device is further used for:
obtaining, for each of the one or more users, encryption auxiliary information related to the identity information of that user.

25. The apparatus according to any one of claims 21 to 24, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and the encrypted content sending device is further used for:
sending the encrypted content to the one or more mobile terminals over the cell broadcast channel.

26. The apparatus according to claim 25, characterized in that the first obtaining device further comprises:
- a first push information obtaining device, for obtaining, through the bootstrap service function, the respective generic bootstrapping architecture push information related to the identity information of the one or more users;
and the first obtaining device is further used for:
obtaining the respective encryption auxiliary information of the one or more users according to the generic bootstrapping architecture push information.

27. The apparatus according to claim 23, characterized in that the first obtaining device is further used for:
obtaining the respective public key information of the one or more users as their corresponding encryption auxiliary information.

28. The apparatus according to claim 27, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and the encrypted content sending device is further used for:
sending the encrypted content to the one or more mobile terminals over the cell broadcast channel.

29. The apparatus according to any one of claims 25 to 28, characterized in that the content key sending device is further used for:
sending the one or more content keys encrypted with encryption auxiliary information to the corresponding one or more mobile terminals by short message.

30. The apparatus according to any one of claims 21 to 24 and 27, characterized in that the broadcast or multicast service comprises a multicast service, the broadcast or multicast server comprises a multicast server, and the apparatus further comprises:
- a first multicast channel establishing device, for establishing a multicast channel with the one or more user equipments;
and the encrypted content sending device is further used for:
sending the encrypted content to the one or more user equipments over the multicast channel.

31. An apparatus, in a user equipment used by a user of a communication network, for secure communication with a broadcast or multicast server based on broadcast or multicast, comprising:
- an encrypted content receiving device, for receiving encrypted content sent based on broadcast or multicast from the broadcast or multicast server;
- a decryption processing device, for decrypting the received encrypted content, to restore the original unencrypted content.

32. The apparatus according to claim 31, characterized in that the encrypted content comprises content encrypted with a content key, and the apparatus further comprises:
- a second obtaining device, for obtaining content decryption information that works together with the content key;
and the decryption processing device is further used for:
decrypting the content encrypted with the content key according to the content decryption information, to restore the original unencrypted content.

33. The apparatus according to claim 32, characterized in that the second obtaining device comprises:
- a processing device, for receiving, from the broadcast or multicast server, the content key encrypted with the encryption auxiliary information corresponding to the present user, and obtaining decryption auxiliary information that works together with the encryption auxiliary information;
and the second obtaining device is further used for:
decrypting, according to the decryption auxiliary information, the content key encrypted with the encryption auxiliary information corresponding to the present user, and obtaining the content key as the corresponding content decryption information.

34. The apparatus according to claim 33, characterized in that the encryption auxiliary information comprises encryption auxiliary information related to the identity information of the present user, and the processing device is further used for:
obtaining decryption auxiliary information that is related to the identity information of the present user and works together with the encryption auxiliary information.

35. The apparatus according to any one of claims 31 to 34, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and the encrypted content receiving device is further used for:
receiving the encrypted content over the cell broadcast channel.

36. The apparatus according to claim 35, characterized in that the processing device further comprises:
- a second push information obtaining device, which obtains, through the bootstrap service function, the generic bootstrapping architecture push information related to the identity information of the present user;
and the processing device is further used for:
obtaining the decryption auxiliary information related to the identity information of the user according to the generic bootstrapping architecture push information.

37. The apparatus according to claim 33, characterized in that the encryption auxiliary information comprises the public key information of the present user, and the processing device is further used for:
obtaining the private key information of the present user that works together with the public key information, as the corresponding decryption auxiliary information.

38. The apparatus according to claim 37, characterized in that the communication network comprises a wireless communication network, the broadcast or multicast service comprises a cell broadcast service based on a cell broadcast channel, the broadcast or multicast server comprises a cell broadcast server, the user equipment comprises a mobile terminal, and the encrypted content receiving device is further used for:
receiving the encrypted content over the cell broadcast channel.

39. The apparatus according to any one of claims 35 to 38, characterized in that the processing device is further used for:
receiving the content key, encrypted with the encryption auxiliary information corresponding to the present user, that the broadcast or multicast server sends by short message.

40. The apparatus according to any one of claims 31 to 34 and 37, characterized in that the broadcast or multicast service comprises a multicast service, the broadcast or multicast server comprises a multicast server, and the apparatus further comprises:
- a second multicast channel establishing device, for establishing a multicast channel with the multicast server;
and the encrypted content receiving device is further used for:
receiving the encrypted content over the multicast channel.

41. A network server, characterized by comprising the apparatus according to claims 21 to 30.

42. A user equipment, characterized by comprising the apparatus according to claims 31 to 40.
PCT/CN2009/000521 2008-08-01 2009-05-14 Method and apparatus for safely communicating based on broadcast or multicast Ceased WO2010012148A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810041303.2 2008-08-01
CN200810041303.2A CN101640840B (en) 2008-08-01 2008-08-01 Broadcast or multicast-based safe communication method and broadcast or multicast-based safe communication device

Publications (1)

Publication Number Publication Date
WO2010012148A1 (en) 2010-02-04

Family

ID=41609922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/000521 Ceased WO2010012148A1 (en) 2008-08-01 2009-05-14 Method and apparatus for safely communicating based on broadcast or multicast

Country Status (2)

Country Link
CN (1) CN101640840B (en)
WO (1) WO2010012148A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645500B (en) * 2017-09-15 2021-01-01 成都德芯数字科技股份有限公司 Broadcast data interaction method and device
CN116260540B (en) * 2022-12-22 2025-04-25 西安电子科技大学 A hidden messaging method based on DRM digital broadcasting

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050021945A1 (en) * 2001-10-24 2005-01-27 Valtteri Niemi Ciphering as a part of the multicast concept
US20060104442A1 (en) * 2004-11-16 2006-05-18 Samsung Electronics Co., Ltd. Method and apparatus for receiving broadcast content
CN101119200A (en) * 2007-08-03 2008-02-06 上海贝尔阿尔卡特股份有限公司 Method, network unit, terminal and system for providing broadcast/multicast service
CN101171860A (en) * 2005-04-07 2008-04-30 法国电信公司 Security method and device for managing access to multimedia content

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1192649C (en) * 2002-04-12 2005-03-09 华为技术有限公司 Method for sending cipher information to mobile terminal in mobile communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Bootstrapping Architecture (GBA) Push Function", 3GPP TS 33.223 V8.0.0, June 2008 (2008-06-01), pages 16 - 18, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Specs/html-info/33223.htm> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860406A (en) * 2010-04-09 2010-10-13 北京创毅视讯科技有限公司 Central processor and mobile multimedia broadcasting device, system and method
CN101860406B (en) * 2010-04-09 2014-05-21 北京创毅视讯科技有限公司 Central processor and mobile multimedia broadcasting device, system and method

Also Published As

Publication number Publication date
CN101640840A (en) 2010-02-03
CN101640840B (en) 2013-03-13


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09802341

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09802341

Country of ref document: EP

Kind code of ref document: A1