CN101790073A - Method for establishing safety communication channel and communication device thereof - Google Patents
Method for establishing safety communication channel and communication device thereof Download PDFInfo
- Publication number
- CN101790073A CN101790073A CN200910077843A CN200910077843A CN101790073A CN 101790073 A CN101790073 A CN 101790073A CN 200910077843 A CN200910077843 A CN 200910077843A CN 200910077843 A CN200910077843 A CN 200910077843A CN 101790073 A CN101790073 A CN 101790073A
- Authority
- CN
- China
- Prior art keywords
- random number
- key
- channel
- unit
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004891 communication Methods 0.000 title claims abstract description 165
- 238000000034 method Methods 0.000 title claims abstract description 50
- 230000005540 biological transmission Effects 0.000 claims abstract description 21
- 230000008901 benefit Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 7
- 238000013475 authorization Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for establishing a safety communication channel and a communication device thereof. The method comprises the following steps of: generating a first random number and a second random number by a communication unit of two communicating parties; encrypting the first random number and the second random number by a pre-stored channel establishing key; transmitting the first encrypted random number and the second encrypted random number to the other communication unit; receiving a second decrypted random number returned by the other communication unit; judging whether the returned second random number is accordant with the second generated random number; and if the judgment result indicates that the returned second random number is accordant with the second generated random number, determining that the safety communication channel is established successfully. Through the method and the device, the safety communication channel is established by using the obtained channel establishing key, so transmission data can be encrypted by using a channel protection key, data transmission safety is ensured and data leakage is prevented.
Description
Technical Field
The present invention relates to the field of digital television technology, and more particularly, to a method for establishing a secure communication channel between a security device and a set-top box and a communication device thereof.
Background
As is well known, a Conditional Access System (CAS) is used to control a user to perform Conditional Access to a broadcast service, and to implement a paid service of the broadcast System through authorization management.
At present, in the field of digital television, protection of the program content transmission process is realized by using a Control Word (CW), that is, after a digital program is scrambled by the control word CW, an authorized user can obtain the CW for descrambling the program, and descramble the scrambled program.
As shown in fig. 1, the front-end scrambler encrypts the byte stream using a frequently changing control word CW; the control word CW is encrypted with a product key and transmitted in Entitlement Control Message (ECM). The front end encrypts the product key by using the user key, and sends the encrypted product key to the terminal set-top box through an authorization Management information (EMM) data packet.
The set-top box filters the EMM data packets according to the serial numbers of the security devices, the filtered EMM data packets are sent to the security devices, the security devices decrypt the encrypted product keys by using the pre-embedded user keys, and the decrypted product keys are stored in the security devices. Wherein the security device may be a smart card inserted into the set-top box.
The set-top box filters the ECM packet of the current channel according to the identification number of the ECM packet and sends the ECM packet to the safety device, the safety device decrypts the encrypted control word CW by using the decrypted product key, and the decrypted control word CW is returned to the set-top box for descrambling the program. After the digital program is descrambled, the user can watch the authorized product through the display unit of the terminal.
However, in the prior art, after the security device decrypts the control word CW by using the product key, the control word CW is not protected during being sent to the descrambling unit of the set-top box through the interface, so that the control word CW can be diffused through the interfaces of the security device and the set-top box. Thus, multiple set-top boxes may be caused to view programs using a single secure device, compromising the benefits of the service provider.
The invention patent application with Chinese patent application No. 200710172886.8 and publication No. CN 101198014A discloses a method for preventing a smart card from sharing a CA, through the method, random sequence security handshake communication is established between a set-top box and the smart card, and communication information between the set-top box and the smart card is encrypted through a security channel key, so that a plurality of set-top boxes can be prevented from using one smart card, but the invention patent application does not explain how to establish a security communication channel.
Disclosure of Invention
The invention aims to provide a method for establishing a secure channel and a communication device thereof. The invention establishes the secure communication channel of the two communication parties by using the acquired channel establishment key, so that the two communication parties obtain the same channel protection key, and the transmitted data is protected by using the channel protection key.
To achieve the above object, the present invention provides a method for establishing a secure communication channel, the method comprising: one communication unit of two communication parties generates a first random number and a second random number; encrypting the first random number and the second random number by utilizing a pre-stored channel establishment key; transmitting the encrypted first random number and the encrypted second random number to another communication unit; receiving the decrypted second random number returned by the other communication unit; judging whether the returned second random number is consistent with the generated second random number; and if the judgment result is consistent, the secure communication channel is successfully established.
To achieve the above object, the present invention provides a method for establishing a secure communication channel, the method comprising: the other communication unit of the two communication parties receives the encrypted first random number and the encrypted second random number transmitted by the one communication unit; decrypting the encrypted first random number and the encrypted second random number by using a pre-stored channel establishment key to obtain the first random number and the second random number; transmitting the second random number to the one communication unit; and receiving the information of successful establishment of the secure channel returned by the communication unit.
To achieve the above object, the present invention provides a communication apparatus comprising:
a random number generation unit for generating a first random number and a second random number;
the first encryption unit is used for encrypting the first random number and the second random number by utilizing a pre-stored channel establishment key;
a first transmission unit configured to transmit the encrypted first random number and the encrypted second random number to another communication apparatus;
a first receiving unit, configured to receive the decrypted second random number returned by the another communication apparatus;
a judging unit, configured to judge whether the returned second random number is consistent with the generated second random number;
and the first channel determining unit is used for determining that the establishment of the secure communication channel is successful and determining that the first random number is a channel protection key if the judgment result of the judging unit is consistent.
To achieve the above object, the present invention provides a communication apparatus comprising:
a third receiving unit, configured to receive the encrypted first random number and the encrypted second random number transmitted by one of the two communication units;
a second decryption unit, configured to decrypt the encrypted first random number and the encrypted second random number using a pre-stored channel establishment key to obtain the first random number and the second random number;
a third transmitting unit configured to transmit the second random number to the one communication apparatus;
a fourth receiving unit, configured to receive information on successful establishment of the secure channel returned by the communication device;
and the second channel determining unit is used for determining that the establishment of the secure communication channel is successful according to the returned information and determining that the first random number is a channel protection key.
The method has the advantages that the obtained channel is used for establishing the secret key to establish the safe communication channel of the two communication parties, so that the two communication parties obtain the same channel protection secret key, the transmitted data are protected by using the channel protection secret key, the leakage of the transmitted data during the communication of the two communication parties is avoided because the outside cannot obtain the channel protection secret key, the two communication parties can be set top boxes and safety devices, and thus, the situation that one safety device is used by a plurality of set top boxes is avoided, and the benefit of a service provider is guaranteed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of viewing data decryption in the related art;
fig. 2 is a schematic configuration diagram of a communication apparatus according to embodiment 1 of the present invention;
fig. 3 is a schematic configuration diagram of a communication apparatus according to embodiment 2 of the present invention;
fig. 4 is a schematic diagram of a configuration of a first key acquisition unit in embodiment 2 of the present invention;
fig. 5 is a schematic configuration diagram of a communication apparatus according to embodiment 3 of the present invention;
fig. 6 is a schematic diagram of a second key acquisition unit in embodiment 3 of the present invention;
fig. 7 is a flowchart of a secure communication channel establishment method according to embodiment 4 of the present invention;
FIG. 8 is a flowchart of a secure communication channel establishment method according to embodiment 5 of the present invention
FIG. 9 is a system architecture diagram illustrating the establishment of a secure channel between a set-top box and a secure device in an embodiment of the present invention;
FIG. 10 is a flowchart of the set top box and secure device of FIG. 9 obtaining a channel establishment key;
fig. 11 is a flowchart of establishing a communication channel between the set-top box and the secure device of fig. 9.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Embodiment mode 1
The present invention provides a communication apparatus, as shown in fig. 2, the apparatus includes a random number generation unit 201, a first encryption unit 202, a first transmission unit 203, a first reception unit 204, a first judgment unit 205, and a first channel determination unit 206;
wherein, the random number generating unit 201 is used for generating a first random number and a second random number; the first encryption unit 202 is configured to encrypt the first random number and the second random number by using a pre-stored channel establishment key; the first sending unit 203 is configured to send the encrypted first random number and second random number to another communication apparatus; the first receiving unit 204 is configured to receive the decrypted second random number returned by the another communication apparatus; the judging unit 205 is configured to judge whether the returned second random number is consistent with the generated second random number; if the judgment result of the judgment unit 205 is consistent, the secure channel determination unit 206 is configured to determine that the secure communication channel is successfully established, and determine that the first random number is a channel protection key.
In the present embodiment, the first random number is represented by Ra; the second random number is represented by Rb; the encrypted first random number is represented by Ra 'and the encrypted second random number is represented by Rb'; the channel establishment key is represented by CBK; the channel protection key is denoted CPK.
In this embodiment, as shown in fig. 2, the apparatus further includes a storage unit 207, and the storage unit 207 is configured to store the channel establishment key CBK, the first random number Ra, and the second random number Rb.
As shown in fig. 2, the apparatus further includes a second sending unit 208, where the second sending unit 208 is configured to send the secure communication channel establishment success information to the other communication unit.
In this embodiment, for the digital television conditional access system, the communication device may be a set-top box of the digital television receiving terminal, or may also be a security device, such as a smart card, inserted into the set-top box.
If the communication device is a security device, a first random number Ra and a second random number Rb can be generated in the security device, the first random number Ra and the second random number Rb are encrypted, the encrypted Ra 'and Rb' are transmitted to the set-top box, the decrypted second random number, namely Rb, returned by the set-top box is received, the security device compares whether the returned second random number Rb is consistent with the generated second random number Rb, if the judgment result is consistent, the establishment of a security channel is determined to be successful, and the first random number Ra is determined to be a channel protection key CPK. In addition, the set-top box can also receive the information that the secure channel is successfully established, and determine that the first random number is a Channel Protection Key (CPK).
Therefore, before the security device transmits the control word CW to the set-top box, the channel protection key CPK is used for encrypting the control word CW, and then the encrypted CW is transmitted to the set-top box.
In this case, after receiving the data encrypted by the channel protection key CPK, the set-top box first decrypts the data by using the channel protection key to obtain the control word CW, and then descrambles the television program by using the control word CW.
In addition, if the communication device is a set-top box, the process of establishing the secure communication channel is similar to that of the secure device, and the set-top box can decrypt the encrypted content by using the determined channel protection key CPK, which is not described herein again.
In this embodiment, a secure communication channel is established by using the acquired channel establishment key, and the first random number is determined as a channel protection key. Because the channel protection key can not be obtained by a third party except two communication parties, the transmission data can be encrypted through the channel protection key, the security of data transmission is ensured, and the data leakage is prevented. Thus, the use of a security device by a plurality of set-top boxes can be avoided, thereby ensuring the benefits of service providers.
Example 2
The present invention provides a communication apparatus, as shown in fig. 3, the apparatus includes a random number generation unit 201, a first encryption unit 202, a first transmission unit 203, a first reception unit 204, a first judgment unit 205, a first channel determination unit 206, a storage unit 207, and a second transmission unit 208; the function is the same as the embodiment and is not described in detail herein.
Further, as shown in fig. 3, the apparatus further includes: a first key obtaining unit 301, where the first key obtaining unit 301 is configured to obtain the channel establishment key CBK.
In this embodiment, the channel establishment key CBK can be obtained in various ways and stored in the storage unit 207.
For example, the channel establishment key CBK may be directly stored in the devices of the two communicating parties, so that the devices of the two communicating parties directly establish the secure communication channel by using the communication establishment key CBK.
Further, the channel establishment key CBK may be generated in a secure environment other than the two parties of the communication and then transmitted to one device of the two parties of the communication, for example, to the communication device of the present embodiment. The secure environment generally refers to an encryption engine, i.e., a computer that has no virus or is unlikely to be hacked. In this case, after the channel establishment key CBK is generated in the secure environment, the channel establishment key CBK may be encrypted and then transmitted, so as to ensure the security of the key. But is not limited to the above, and other ways may be used to obtain the channel establishment key CBK.
In this manner, the channel establishing key CBK is generated from the secure environment, and is encrypted using the unit keys Uka and Ukb of the communication apparatuses of both parties of communication, respectively, to obtain the first channel establishing key euka (CBK) and the second channel establishing key eukb (CBK) encrypted with Uka, and then the encrypted first and second channel establishing keys euka (CBK) and eukb (CBK) are transmitted to the apparatuses. As shown in fig. 4, the first key obtaining unit 301 may include: a second receiving unit 401 and a first decryption unit 402;
wherein the second receiving unit 401 is configured to receive an encrypted first channel establishment key euka (cbk) and an encrypted second channel establishment key eukb (cbk); the first decryption unit 402 decrypts the encrypted first channel establishment key euka (CBK) using the device's unit key Uka to obtain the channel establishment key CBK.
As can be seen from the above, the channel establishment key can be obtained by decrypting the encrypted first channel establishment key, and the channel establishment key is stored.
In this embodiment, the unit keys Uka, Ukb may be stored in advance in the devices of both communication parties.
In addition, as shown in fig. 3, the apparatus further includes a third sending unit 302, where the third sending unit 302 is configured to send the encrypted second channel establishment key eukb (CBK) to the other communication apparatus, so that the other communication apparatus decrypts the eukb (CBK) by using its unit key Ukb after receiving the eukb (CBK) to obtain the channel establishment key CBK.
In this embodiment, for the digital television conditional access system, the communication device may be a set-top box of the digital television receiving terminal, or may also be a security device, such as a smart card, inserted into the set-top box. Similar to embodiment 1, the description is omitted here.
As can be seen from the above, a secure communication channel is established by using the acquired channel establishment key, and the first random number is determined to be a channel protection key. Because the channel protection key can not be obtained by a third party except two communication parties, the transmission data can be encrypted through the channel protection key, the security of data transmission is ensured, and the data leakage is prevented. Thus, a plurality of set-top boxes can be prevented from using one safety device, thereby ensuring the benefits of service providers
Example 3
An embodiment of the present invention further provides a communication apparatus, as shown in fig. 5, the apparatus includes: a third receiving unit 501, a second decryption unit 502, a third transmitting unit 503, a fourth receiving unit 504, and a second channel determining unit 505; wherein,
the third receiving unit 501 is configured to receive the encrypted first random number Ra 'and the encrypted second random number Rb' transmitted by one of the two communicating units; the second decryption unit 502 decrypts the encrypted first random number Ra 'and the encrypted second random number Rb' by using the pre-stored channel establishment key CBK to obtain the first random number Ra and the second random number Rb; the third sending unit 503 is configured to send the second random number Rb to the communication apparatus, such as the communication apparatus described in embodiment 1 or embodiment 2;
the fourth receiving unit 504 is configured to receive the information that the establishment of the secure channel is successful, which is returned by the communication device;
the second channel determination unit 505 determines that the secure communication channel is successfully established according to the returned information, and determines that the first random number Ra is the channel protection key CPK.
As shown in fig. 5, the apparatus further includes a storage unit 506 for storing the channel establishment key CBK, and the decrypted first random number Ra and second random number Rb.
As shown in fig. 5, the apparatus further includes a second key obtaining unit 507, where the second key obtaining unit 507 is configured to obtain the channel establishment key CBK.
In this embodiment, the channel establishment key CBK pre-stored in the apparatus can be obtained in various ways, for example, the channel establishment key can be directly stored in the apparatus, or can be obtained from other devices.
In the case of obtaining from another device, for example, the case of obtaining from one communication apparatus of both parties of communication described in embodiment 2. For transmission security, the encrypted channel establishment key eukb (CBK) may be transmitted and then decrypted using its unit key Ukb to obtain the channel establishment key CBK.
In this case, as shown in fig. 6, the second key acquisition unit 507 includes a fifth reception unit 601, a third decryption unit 602: wherein, the fifth receiving unit 601 is configured to receive the encrypted second channel establishing key eukb (cbk) transmitted by the one communication apparatus; the third decryption unit 602 decrypts the encrypted second channel establishment key eukb (CBK) using the device's unit key Ukb to obtain the channel establishment key CBK.
Thus, the channel protection key CPK can be used to encrypt or decrypt transmission data, which is similar to embodiment 1 and will not be described herein again.
In this embodiment, for the digital television conditional access system, the communication device may be a set-top box of the digital television receiving terminal, or may also be a security device inserted into the set-top box. The communication device is used in cooperation with the communication devices of the embodiments 1 and 2, and details are not repeated here.
As can be seen from the above, in the present embodiment, a secure communication channel is established by using the acquired channel establishment key, and the first random number is determined as a channel protection key. Because the channel protection key can not be obtained by a third party except two communication parties, the transmission data can be encrypted through the channel protection key, the security of data transmission is ensured, and the data leakage is prevented.
Example 4
An embodiment of the present invention provides a method for establishing a secure communication channel, as shown in fig. 7, where the method includes: one communication unit of both communication parties generates a first random number Ra and a second random number Rb (see step 701); encrypting the first random number Ra and the second random number Rb by using a pre-stored channel establishment key (see step 702); transmitting the encrypted first random number Ra 'and the encrypted second random number Rb' to another communication unit (see step 703); receiving the decrypted second random number Rb returned by the other communication unit (see step 704); judging whether the returned second random number Rb is identical to the generated second random number Rb (see step 705); if the determination result is consistent, the secure communication channel is established, and the first random number Ra can be determined as the channel protection key CPK (see step 706).
In this embodiment, after the secure communication channel is successfully established, the method may further include: sending the secure communication channel establishment success information to the other communication unit. Thus, the other communication unit can determine the channel protection key CPK as the first random number Ra based on the information, thereby transmitting data using the channel protection key CPK.
In this embodiment, before one communication unit of the two parties of communication generates the first random number Ra and the second random number Rb, the method further includes: and acquiring a channel establishment key CBK.
In this embodiment, there are various ways to obtain the channel establishment key CBK, for example, the channel establishment key CBK may be directly stored in the communication device;
in addition, the method can also be obtained from an external safe environment, and the specific mode is as follows: receiving an encrypted first channel establishment key euka (cbk) and an encrypted second channel establishment key eukb (cbk) from the secure environment; the encrypted first channel establishment key euka (CBK) is decrypted using the unit key Uka of the one communication unit to obtain the channel establishment key CBK. The channel establishment key CBK is then stored.
After obtaining the channel establishment key CBK, the encrypted second channel establishment key euka (CBK) may also be transmitted to another communication unit.
In this embodiment, the secure environment provides a channel establishment key, which may be implemented as follows: generating the channel establishment key CBK; encrypting the channel establishment key CBK with the unit keys Uka, Ukb of the one communication unit and the other communication unit, respectively, to obtain an encrypted first channel establishment key euka (CBK) and an encrypted second channel establishment key eukb (CBK); the encrypted first channel establishment key euka (cbk) and the encrypted second channel establishment key eukb (cbk) are transmitted to the one communication unit.
In this embodiment, when the set-top box is powered on or the security device is inserted into the set-top box, the secure communication channel may be established through the above technical solution, and after the secure communication channel is successfully established, it may be determined that the first random number is the channel protection key. Because the channel protection key can not be obtained by a third party except two communication parties, the transmission data can be encrypted through the channel protection key, the security of data transmission is ensured, and the data leakage is prevented. Therefore, the use of one security device by a plurality of set-top boxes can be avoided, thereby guaranteeing the benefits of service providers.
Example 5
An embodiment of the present invention further provides a method for establishing a secure communication channel, as shown in fig. 8, where the method includes: the other communication unit of the two communication parties receives the encrypted first random number and the encrypted second random number transmitted by the one communication unit (see step 801); decrypting the encrypted first random number and the encrypted second random number by using a pre-stored channel establishment key to obtain the first random number and the second random number (see step 802); transmitting the decrypted second random number to the one communication unit (see step 803); the information of successful establishment of the secure channel returned by the one communication unit is received (see step 804).
Thus, the first random number Ra can be determined to be the channel protection key CPK.
In this embodiment, the method further includes acquiring the channel establishment key. Similarly, the method can be obtained in various ways. If the channel establishment key is obtained through the secure environment in embodiment 4, in this embodiment, the channel establishment key may be obtained as follows:
receiving an encrypted second channel establishment key eukb (cbk) transmitted by the one communication unit; the encrypted second channel establishment key eukb (CBK) is decrypted with the unit key Ukb of the other communication unit to obtain a channel establishment key CBK. Then, the channel establishment key CBK is stored.
The following describes a process of establishing a secure communication channel by taking a set-top box and a security device of a digital television terminal as examples.
Fig. 9 is an architecture diagram for establishing a secure communication channel between the set-top box and the secure device. If the channel establishment key CBK is obtained from the secure environment, the system may further include the secure environment.
This is described in detail below with reference to fig. 9, 10 and 11.
As shown in fig. 10, the secure environment first generates a channel establishment key and transmits the channel establishment key to the secure device after encryption. As shown in fig. 10, when the set-top box is powered on or the security device is inserted into the set-top box, the process may employ the following steps:
step 1001: the secure environment generates a channel establishment key CBK; wherein the channel establishment key CBK is a key generated by the secure environment 901 for the secure device 902 and the set-top box 903 for establishing a secure communication channel between the secure device 901 and the set-top box 903. The CBK generation method may adopt any existing method, and is not described herein again.
The secure environment 901 encrypts the channel establishment key CBK with the secure device's element key UKa to obtain euka (CBK), step 1002.
At step 1003, the secure environment 901 encrypts the channel establishment key CBK with the unit key UKb of the set-top box to obtain eukb (CBK).
At step 1004, the secure environment 901 sends the euka (cbk) and eukb (cbk) to the secure device 902.
In step 1005, the secure device decrypts the euka (CBK) using the pre-stored unit key UKa to obtain the channel establishment key CBK.
At step 1006, the security device stores the eukb (cbk).
The above steps may enable the secure device 902 to first obtain the channel establishment key.
As shown in fig. 11, a process for establishing a secure communication channel between the security apparatus 902 and the set-top box 903 is described. As shown in fig. 11, the following may be used:
in step 1101, the security apparatus 902 sends the eukb (cbk) to the set top box 903.
In step 1102, the set top box 903 decrypts the eukb (CBK) with its unit key UKb to obtain the channel establishment key CBK.
in step 1104, the secure device 902 generates a random number Ra and a random number Rb after receiving the decryption success message.
In step 1105, the secure device 902 encrypts the random number Ra and the random number Rb with the obtained channel establishment key CBK to obtain a ciphertext Ra 'of the random number Ra and a ciphertext Rb' of the random number Rb.
In step 1106, the security apparatus 902 sends ciphers Ra 'and Rb' to the set top box 903.
In step 1107, the set top box 903 decrypts the ciphertexts Ra 'and Rb' by using the obtained channel establishment key CBK to obtain the random number Ra and the random number Rb.
In step 1108, the set top box 903 sends the decrypted random number Rb to the secure device 902.
In step 1109, the secure device 902 compares the random number Rb returned by the set top box 903 with a locally generated random number Rb.
And step 1110, if the comparison results are equal, establishing the secure communication channel successfully, and notifying the set top box of the successful establishment.
in step 1111b, the set top box 903 uses the random number Ra as the channel protection key CPK.
In addition, the security device and set-top box may be interchanged when establishing the communication channel.
As can be seen from the above, a secure communication channel is established by using the acquired channel establishment key, and the first random number is determined to be a channel protection key. Because the channel protection key can not be obtained by a third party except two communication parties, the transmission data can be encrypted through the channel protection key, the data transmission safety is ensured, the data leakage is prevented, the condition that a plurality of set top boxes use one safety device is effectively prevented, and the benefit of a service provider is protected.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (21)
1. A method of establishing a secure communication channel, the method comprising:
one communication unit of two communication parties generates a first random number and a second random number;
encrypting the first random number and the second random number by utilizing a pre-stored channel establishment key;
transmitting the encrypted first random number and the encrypted second random number to another communication unit;
receiving the decrypted second random number returned by the other communication unit;
judging whether the returned second random number is consistent with the generated second random number;
and if the judgment result is consistent, the secure communication channel is successfully established.
2. The method of claim 1, wherein after the secure communication channel is successfully established, the method further comprises: and sending the information of successful establishment of the secure communication channel to the other communication unit.
3. The method according to claim 1, wherein before one of the communication units of the two parties generates the first random number and the second random number, the method further comprises: and acquiring the channel establishment key.
4. The method of claim 3, wherein the obtaining the channel establishment key comprises:
receiving an encrypted first channel establishment key and an encrypted second channel establishment key;
decrypting the encrypted first channel establishment key using the unit key of the one communication unit to obtain the channel establishment key.
5. The method of claim 3, wherein after obtaining the channel establishment key, the method further comprises: and storing the channel establishment key.
6. The method of claim 4, wherein after obtaining the channel establishment key, the method further comprises: transmitting the encrypted second channel establishment key to the other communication unit.
7. The method of claim 3, wherein before the obtaining the channel establishment key, the method further comprises:
generating the channel establishment key;
encrypting the channel establishment keys with the unit keys of the one communication unit and the other communication unit respectively to obtain an encrypted first channel establishment key and an encrypted second channel establishment key;
transmitting the encrypted first channel establishment key and the encrypted second channel establishment key to the one communication unit.
8. A method of establishing a secure communication channel, the method comprising:
the other communication unit of the two communication parties receives the encrypted first random number and the encrypted second random number transmitted by the one communication unit;
decrypting the encrypted first random number and the encrypted second random number by using a pre-stored channel establishment key to obtain the first random number and the second random number;
transmitting the second random number to the one communication unit;
and receiving the information of successful establishment of the secure channel returned by the communication unit.
9. The method of claim 8, further comprising: and acquiring the channel establishment key.
10. The method of claim 9, wherein obtaining the channel establishment key comprises:
receiving an encrypted second channel establishment key transmitted by said one communication unit;
decrypting the encrypted second channel establishment key with the unit key of the other communication unit to obtain the channel establishment key.
11. The method of claim 10, wherein after obtaining the channel establishment key, the method further comprises: and storing the channel establishment key.
12. A communications apparatus, the apparatus comprising:
a random number generation unit for generating a first random number and a second random number;
a first encryption unit, configured to encrypt the first random number and the second random number using a pre-stored channel establishment key;
a first transmission unit configured to transmit the encrypted first random number and the second random number to another communication apparatus;
a first receiving unit, configured to receive the decrypted second random number returned by the another communication apparatus;
a judging unit configured to judge whether the returned second random number is consistent with the generated second random number;
and the first channel determining unit is used for determining that the establishment of the secure communication channel is successful and determining that the first random number is a channel protection key if the judgment result of the judging unit is consistent.
13. The apparatus of claim 12, further comprising:
a second sending unit, configured to send the information that the secure communication channel is successfully established to the other communication unit.
14. The apparatus according to claim 12, further comprising a storage unit configured to store the channel establishment key or the first random number and the second random number.
15. The apparatus according to claim 12, further comprising a first key obtaining unit configured to obtain the channel establishment key.
16. The apparatus according to claim 15, wherein the first key obtaining unit includes:
a second receiving unit for receiving the encrypted first channel establishment key and the encrypted second channel establishment key;
a first decryption unit that decrypts the encrypted first channel establishment key with a unit key of the apparatus to obtain the channel establishment key.
17. The apparatus according to claim 16, further comprising a third transmission unit configured to transmit the encrypted second channel establishment key to the another communication apparatus.
18. A communications apparatus, the apparatus comprising:
a third receiving unit, configured to receive the encrypted first random number and the encrypted second random number transmitted by one of the two communication units;
a second decryption unit, configured to decrypt the encrypted first random number and the encrypted second random number using a pre-stored channel establishment key to obtain the first random number and the second random number;
a fourth transmitting unit configured to transmit the second random number to the one communication apparatus;
a fourth receiving unit, configured to receive information on successful establishment of the secure channel returned by the communication device;
and the second channel determining unit determines that the establishment of the secure communication channel is successful according to the returned information and determines that the first random number is a channel protection key.
19. The apparatus according to claim 18, further comprising a second key obtaining unit configured to obtain the channel establishment key.
20. The apparatus according to claim 19, wherein the second key obtaining unit includes:
a fifth receiving unit configured to receive the encrypted second channel establishment key transmitted by the one communication apparatus;
a third decryption unit that decrypts the encrypted second channel establishment key with a unit key of the apparatus to acquire the channel establishment key.
21. The apparatus according to claim 19, further comprising a storage unit configured to store the channel establishment key or the first random number and the second random number.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910077843A CN101790073A (en) | 2009-01-23 | 2009-01-23 | Method for establishing safety communication channel and communication device thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910077843A CN101790073A (en) | 2009-01-23 | 2009-01-23 | Method for establishing safety communication channel and communication device thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101790073A true CN101790073A (en) | 2010-07-28 |
Family
ID=42533096
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910077843A Pending CN101790073A (en) | 2009-01-23 | 2009-01-23 | Method for establishing safety communication channel and communication device thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101790073A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014152060A1 (en) * | 2013-03-15 | 2014-09-25 | General Instrument Corporation | Protection of control words employed by conditional access systems |
| CN105610772A (en) * | 2015-09-15 | 2016-05-25 | 宇龙计算机通信科技(深圳)有限公司 | Communication method, communication apparatus, terminal and communication system |
| CN114615313A (en) * | 2022-03-08 | 2022-06-10 | 树根互联股份有限公司 | Data transmission method and device, computer equipment and readable storage medium |
-
2009
- 2009-01-23 CN CN200910077843A patent/CN101790073A/en active Pending
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014152060A1 (en) * | 2013-03-15 | 2014-09-25 | General Instrument Corporation | Protection of control words employed by conditional access systems |
| US9385997B2 (en) | 2013-03-15 | 2016-07-05 | Arris Enterprises, Inc. | Protection of control words employed by conditional access systems |
| CN105610772A (en) * | 2015-09-15 | 2016-05-25 | 宇龙计算机通信科技(深圳)有限公司 | Communication method, communication apparatus, terminal and communication system |
| CN114615313A (en) * | 2022-03-08 | 2022-06-10 | 树根互联股份有限公司 | Data transmission method and device, computer equipment and readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1059001B1 (en) | Method for protecting the audio/visual data across the nrss inte rface | |
| EP2461534A1 (en) | Control word protection | |
| CN102075812B (en) | Data receiving method and system of digital television | |
| KR20100092902A (en) | Securely providing a control word from a smartcard to a conditional access module | |
| WO2011120901A1 (en) | Secure descrambling of an audio / video data stream | |
| CA2557824A1 (en) | Secure negotiation and encryption module | |
| KR20110096056A (en) | Content decryption device and encryption system using an additional key layer | |
| CN101335579A (en) | Method implementing conditional reception and conditional receiving apparatus | |
| CN102256170A (en) | Encryption method and decryption method based on no-card CA (Certificate Authority) | |
| CN101626484A (en) | Method for protecting control word in condition access system, front end and terminal | |
| TWI523533B (en) | Control-word deciphering, transmission and reception methods, recording medium for these methods and control-word server | |
| CN201515456U (en) | Safe device, set-top box and receiving terminal for digital television receiving terminals | |
| WO2006120535A1 (en) | System and method for efficient encryption and decryption of drm rights objects | |
| CN101790073A (en) | Method for establishing safety communication channel and communication device thereof | |
| CN101179345A (en) | Method of encrypting and decrypting condition receiving system | |
| CN201830399U (en) | Front end and client of conditional access system | |
| JP2006518134A (en) | Pay television systems associated with decoders and smart cards, rights revocation methods in such systems, and messages sent to such decoders | |
| JP4536092B2 (en) | Conditional reception processing device | |
| CN103402129A (en) | Condition receiving method, condition receiving equipment and condition receiving system | |
| US20110191589A1 (en) | Preventing the use of modified receiver firmware in receivers of a conditional access system | |
| CN101998163A (en) | Entitlement management method, terminal equipment and front end | |
| KR100950458B1 (en) | Mobile broadcasting conditional access system based on memory card | |
| KR100850946B1 (en) | Apparatus and method for conditional access | |
| CN113497961A (en) | Conditional access system based on smart phone | |
| CN113497960A (en) | Conditional access system based on smart phone |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20100728 |