Nothing Special   »   [go: up one dir, main page]

CN114401426B - Dynamic key generation method and system - Google Patents

Dynamic key generation method and system Download PDF

Info

Publication number
CN114401426B
CN114401426B CN202111669543.9A CN202111669543A CN114401426B CN 114401426 B CN114401426 B CN 114401426B CN 202111669543 A CN202111669543 A CN 202111669543A CN 114401426 B CN114401426 B CN 114401426B
Authority
CN
China
Prior art keywords
key
time
data
equipment
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111669543.9A
Other languages
Chinese (zh)
Other versions
CN114401426A (en
Inventor
侯大平
吴桐
倪丽莎
缪克良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuhai Gotech Intelligent Technology Co Ltd
Original Assignee
Zhuhai Gotech Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhuhai Gotech Intelligent Technology Co Ltd filed Critical Zhuhai Gotech Intelligent Technology Co Ltd
Priority to CN202111669543.9A priority Critical patent/CN114401426B/en
Publication of CN114401426A publication Critical patent/CN114401426A/en
Application granted granted Critical
Publication of CN114401426B publication Critical patent/CN114401426B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel for generating or managing keys in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/40Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N21/41Structure of client; Structure of client peripherals
    • H04N21/426Internal components of the client ; Characteristics thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/60Network structure or processes for video distribution between server and client or between remote clients; Control signalling between clients, server and network components; Transmission of management data between server and client, e.g. sending from server to client commands for recording incoming content stream; Communication details between server and client 
    • H04N21/63Control signaling related to video distribution between client, server and network components; Network processes for video distribution between server and clients or between remote clients, e.g. transmitting basic layer and enhancement layers over different transmission paths, setting up a peer-to-peer communication via Internet between remote STB's; Communication protocols; Addressing
    • H04N21/633Control signals issued by server directed to the network components or client
    • H04N21/6332Control signals issued by server directed to the network components or client directed to client
    • H04N21/6334Control signals issued by server directed to the network components or client directed to client for authorisation, e.g. by transmitting a key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and a system for generating a dynamic key, wherein the method comprises the steps of randomly acquiring a time seed from a time pool and generating a first key, encrypting private data by using a symmetric encryption algorithm, wherein the encrypted key is the first key, and calculating the acquired rootkey and a factory number of equipment to generate a second key by using the algorithm; encrypting the time seeds by using a symmetric encryption algorithm, wherein the encryption key is a second key; the device generates a latest third key by combining the acquired rootkey with the device factory number of the device end; calculating a fourth key through the third key; and decrypting the encrypted private data by using a symmetric encryption algorithm through the fourth key to restore the valid data. The system of the present invention is applied to the above-described method. The invention can generate a relatively safe and efficient key based on a 2-layer encryption security mechanism and a non-repeated key, can effectively improve the security of private data, improves the attack cost of hackers and reduces the loss of operators.

Description

Dynamic key generation method and system
Technical Field
The invention relates to the technical field of set top boxes, in particular to a dynamic key generation method and a system applying the method.
Background
At present, manufacturers of set top boxes gradually increase and compete strongly, so that each manufacturer has own value-added service, data of the value-added service are encrypted by a server, multiplexed and modulated by a front-end transmitting device and transmitted to the set top box, a set top box terminal demodulates a digital signal through receiving a signal, descrambles the digital signal through a key and a decryption algorithm to obtain original private data, and the original private data is stored in a storage device of the set top box terminal.
In order to obtain the private data, a hacker performs forced encryption key and algorithm, once the hacker obtains the key of one set top box, the hacker can crack a large number of set top boxes using the same key, and at this time, the operator can only update the key in an OTA mode. After the complete updating, the hacker only needs to acquire the key from one set top box again, which is equivalent to cracking the whole system again, the operator must update the key again, and the operation cost is higher and higher, and the influence on the terminal user is larger and larger, so that the lost user is caused.
In addition, protection of private data of the set top box is performed at present:
the current mainstream method is to use one or more groups of identical keys in the set-top box, but all set-top boxes use the same key group to protect private data, and they need to update the key group periodically, in this way: the security is low, a hacker can copy or disguise all box end data after cracking one piece, the updating period is long, frequent conversion is needed, and the period change times are needed to be determined according to the cracking speed after the hacker cracks.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention aims to provide a dynamic key generation method and a system thereof, which mainly solve the problems of low safety and long updating period in the prior art, generate a relatively safe and efficient key in the field by using a 2-layer encryption safety mechanism and a non-repeated key, generate non-repeated data for each set top box by a server, generate different keys at each set top box, increase the cracking difficulty and cost of hackers, and protect a key generation method and a data protocol at a server and a set top box.
In order to solve the problems, the technical scheme adopted by the invention is as follows:
a method for generating a dynamic key, comprising the steps of: acquiring the system time and UUID of a current server, calculating according to the system time and UUID algorithm to form a time pool, and randomly acquiring time data from the time pool to serve as a time seed;
acquiring hardware numbers, equipment factory numbers and equipment rootkeys of all the equipment, forming a number pool according to the data, and searching corresponding equipment hardware numbers, equipment factory numbers and equipment rootkeys from the number pool according to equipment characteristics;
carrying out algorithm calculation on the obtained time seeds, the equipment hardware numbers of the equipment delivery, the equipment delivery numbers and the algorithm conversion marking bits to generate a first secret key;
encrypting the private data by using a symmetric encryption algorithm, wherein an encryption key is a first key;
calculating the acquired rootkey and the factory number of the equipment to generate a second key through an algorithm;
encrypting the time seeds by using a symmetric encryption algorithm, wherein the encryption key is a second key;
the encrypted time seed encryption data and the encrypted private data are sent to the corresponding equipment end through front-end equipment;
after receiving the signal, the equipment end acquires encrypted private data, encrypted time seed encryption data and mark data from the signal data;
the device generates a latest third key by combining the acquired rootkey with the device factory number of the device end;
decrypting the time seed encrypted data by using a symmetric encryption algorithm through the third key, calculating a fourth key through the algorithm together with the factory number of the equipment, the hardware number of the equipment and mark data;
and decrypting the encrypted private data by using a symmetric encryption algorithm through the fourth key to restore the valid data.
Further, the forming the time pool according to the system time includes: the method comprises the steps of obtaining the system time of a current server, obtaining UUID (user identifier) of the server and time calculation to generate time seeds, and warehousing a plurality of time seeds to form a time pool, wherein when equipment is produced, equipment hardware numbers, equipment factory numbers and rootkeys are imported to the server through a network service black box technology to form an equipment number pool.
In a further aspect, the sending the encrypted first key to the corresponding device side through the front-end device includes: all the encrypted private data, the encrypted time seed data and the algorithm marking data are transmitted to a program multiplexer according to the DVB standard, the transmitted data are multiplexed by the program multiplexer and then enter a signal modulator, the multiplexed data are modulated into a receivable signal by the signal modulator, the signal is power amplified and then transmitted to a forwarding device through an antenna, and a user side obtains the power amplified signal data through a receiving device, so that the private data, the time seed data and the algorithm data are received to the device side.
Still further, the server key generation includes: time seed= ((local server time < < 16) |server UUID) < <64;
the first key= (-time seed) | (stb_id|sn)/(mark)), wherein stb_id is the device hardware number, SN is the device factory number, mark is the algorithm transformation flag bit, and the value range is 0-255.
Still further, the server key generation includes: time seed= ((local server time < < 16) |server UUID) < < 64); second key = (rootkey < < 64) | (-SN) +aes symmetric algorithm encryption.
In a further scheme, the device-side key acquisition includes: third key= (rootkey < < 64) | (-SN);
time seed = decrypting time seed encrypted data using AES symmetric algorithm + third key; fourth key= (-time seed) | (stb_id|sn)/(mark)); plaintext data = fourth key + AES symmetric algorithm decryption.
In a further aspect, the server time selection includes: acquiring accurate time of the current system to millisecond through a system function, continuously generating hundreds of millions of different time seeds, and updating data of a time pool every minute;
obtaining a different time seed through a random algorithm each time; when the time seeds of the time pool are reduced, automatically randomly inserting a time data into the time pool.
In a further scheme, the acquiring plaintext data by the device side includes: acquiring satellite data, judging whether the satellite data are valid data, if so, acquiring a rootkey, encrypted time data and encrypted private data, acquiring a third key by the arithmetic operation of a rootkey and a factory number of the device in the device, decrypting the time data by using an AES symmetric algorithm, generating a fourth key by the arithmetic operation of the decrypted time data, the factory number, a hardware number and a mark value of the device, decrypting the encrypted private data, judging whether the acquired valid data are correct, and if so, storing the data.
A dynamic key generation system comprising; the server is used for generating a first key and sending the encrypted first key to the corresponding equipment end through front-end equipment; the equipment end is used for generating a second secret key, decrypting the private data by using a symmetric key algorithm through the second secret key, and obtaining effective data; wherein the system will make a dynamic change each time the private data changes the first key.
In a further scheme, the system further comprises a database, wherein the database is used for inputting equipment hardware numbers and equipment factory numbers generated through an algorithm and inputting rootkeys written through a black box method.
Therefore, the system automatically generates a group of dynamic keys for decrypting the data according to the algorithm when the set top box receives the encrypted data by encrypting the private data by the server, and the keys generated by each set top box are not repeated. The two-layer encryption method mainly ensures that the key pair of the server and the set top box is matched, can effectively improve the security of private data, avoids the risk that the box end is completely cracked after being cracked by one, improves the attack cost of hackers and reduces the loss of operators.
The invention is described in further detail below with reference to the drawings and the detailed description.
Drawings
Fig. 1 is a flowchart of an embodiment of a dynamic key generation method of the present invention.
Fig. 2 is a schematic diagram of data exchange between a server and a device in an embodiment of a method for generating a dynamic key according to the present invention.
Fig. 3 is a flowchart of acquiring plaintext data at a device side in an embodiment of a method for generating a dynamic key according to the present invention.
Fig. 4 is a schematic diagram of a server generating a first key in an embodiment of a dynamic key generation method according to the present invention.
FIG. 5 is a schematic diagram of a server and a production line in an embodiment of a dynamic key generation system according to the present invention.
Fig. 6 is a schematic diagram of a server and device side in an embodiment of a dynamic key generation system according to the present invention.
FIG. 7 is a schematic diagram of a data entry database for a production line in an embodiment of a dynamic key generation system of the present invention.
Detailed Description
An embodiment of a method for generating a dynamic key:
as shown in fig. 1, a method for generating a dynamic key includes the following steps:
step S1, acquiring the system time and UUID of the current server, calculating to form a time pool according to the system time and UUID algorithm, and randomly acquiring time data from the time pool to serve as a time seed.
Step S2, obtaining hardware numbers, equipment factory numbers and equipment rootkeys of all the equipment, forming a number pool according to the data, and searching corresponding equipment hardware numbers, equipment factory numbers and equipment rootkeys from the number pool according to equipment characteristics.
And step S3, carrying out algorithm calculation on the obtained time seeds, the equipment hardware numbers of the equipment delivery, the equipment delivery numbers and the algorithm conversion marking bits to generate a first secret key.
And S4, encrypting the private data by using an AES symmetric encryption algorithm, wherein the encryption key is a first key.
And S5, calculating the acquired rootkey and the factory number of the equipment through an algorithm to generate a second key.
And S6, encrypting the time seeds by using an AES symmetric encryption algorithm, wherein the encryption key is a second key.
And S7, sending the encrypted time seed encryption data and the encrypted private data to the corresponding equipment end through the front-end equipment.
Step S8, after receiving the signal, the equipment end acquires encrypted private data, encrypted time seed encrypted data and mark data from the signal data.
And S9, the device generates the latest third key by combining the acquired rootkey with the device factory number of the device side.
And S10, decrypting the time seed encrypted data by using an AES symmetric encryption algorithm through the third key, calculating a fourth key through the algorithm together with the factory number of the equipment, the hardware number of the equipment and mark data.
And S11, decrypting the encrypted private data by using an AES symmetric encryption algorithm through a fourth key, and restoring the valid data.
Therefore, the dynamic key generation method provided by the invention comprises the steps of firstly, acquiring the system time of the current server, forming a time pool according to the system time, and randomly acquiring time data from the time pool to serve as a time seed; carrying out algorithm calculation on the obtained time seeds, the equipment hardware numbers of equipment delivery and the equipment delivery numbers to generate a first secret key; generating a second key by acquiring a rootkey and a factory number of the equipment; encrypting the time seed and the private data by using a symmetric key algorithm; the encrypted first key is sent to a corresponding device end through front-end equipment; after receiving the signal, the equipment end acquires encrypted private data and encrypted time seeds from the signal data; acquiring a rootkey from the equipment and generating a third key by combining the rootkey with the factory number of the equipment; combining the time seeds obtained by decryption with the equipment hardware number and the equipment factory number of the equipment end to generate the latest fourth key; and decrypting the private data by using a symmetric key algorithm through the fourth key to obtain the effective data.
Specifically, the method for generating the dynamic key provided by the invention specifically comprises the following steps: and acquiring the system time of the current server, forming a time pool according to the system time, randomly acquiring time data from the time pool, and acquiring the IDs of all the devices, the device SN and the device rootkey in the form of black boxes to form a device number pool. Then, acquiring a time seed and an equipment ID, generating a first key through secure operation, generating a second key through an algorithm by a rootkey of the equipment and an SN of the equipment, encrypting the time seed by the second key to form time seed encrypted data, and encrypting the private data by the first key to form private encrypted data; after receiving the signal, the equipment end acquires encrypted private data and encrypted time seeds from the signal data; generating a third key of the device through an ID algorithm in the device, decrypting the encrypted time seed through the third key by using an AES symmetric encryption algorithm to obtain a fourth key of the device, decrypting the encrypted private data through the fourth key and the AES symmetric encryption algorithm to obtain plaintext data.
It can be seen that, in this embodiment, the time seed is obtained by decryption, the stb_id and SN of the device and the time seed generate the latest decryption key, and the private data is decrypted by using the symmetric algorithm through the latest decryption key, so as to obtain the valid data.
In the above steps, each set top box generates different keys through the current flow, and the system dynamically changes each time the private data changes the first key.
In the above step, forming the time pool according to the system time includes: the method comprises the steps of obtaining the system time of a current server, obtaining UUID (user identifier) of the server and time calculation to generate time seeds, and warehousing a plurality of time seeds to form a time pool, wherein when equipment is produced, equipment hardware numbers, equipment factory numbers and rootkeys are imported to the server through a network service black box technology to form an equipment number pool.
Specifically, the current server system time is obtained, hundreds of millions of times are generated by using a random algorithm from the current time to the back 10 years, each piece of data and the time seed after the server UUID is subjected to algorithm calculation form a time pool, each time, one piece of data is randomly taken from the time pool and used as a seed to generate a new secret key, the fact that the time seed is not repeated is guaranteed, and the time pool is large enough to be impossible to simulate.
In the above steps, as shown in fig. 2, the sending, by the front-end device, the encrypted first key to the corresponding device side includes: all the encrypted private data, the encrypted time seeds and the algorithm marking data are transmitted to a program multiplexer according to the DVB standard, the transmitted data are multiplexed by the program multiplexer and then enter a signal modulator, the multiplexed data are modulated into a receivable signal by the signal modulator, the signal is power amplified and then transmitted to a forwarding device through an antenna, and a user side obtains the power amplified signal data through a receiving device, so that the private data, the time data and the algorithm data are received to a device side.
Specifically, all private data, time data and algorithm marking data are firstly inserted into a program multiplexer according to the DVB standard, the data are multiplexed by the program multiplexer and then enter a modulator, the data are modulated into signals, the signals are transmitted to a forwarding device through an antenna after power is amplified, a user side obtains the signal data through a receiving device, and therefore the private data and the time data are received by a set top box side.
In this embodiment, the formats of the transmission data packets of the server and the device end are shown in table (1):
Figure BDA0003449082450000091
(1)
in this embodiment, the server key generation includes two algorithms, as follows:
(1) The server key generation algorithm includes:
local server time= {0x90,0xfe,0x25,0x51,0x8f,0x38}.
Device hardware number stb_id= {0x13,0x23,0x11,0x23,0x41,0x23,0x 11}.
Device factory number sn= {0x12,0x32,0x00,0x12,0x32,0x33,0x21,0x11}.
Server uuid= {0x23,0x14}.
Device chip number rootkey= {0x23,0x13,0x15,0x12,0x34,0x7d,0x8c,0x11}.
Time seed algorithm:
time seed= ((local server time < < 16) |server UUID) < <64 (the algorithm ensures that each key is not duplicated).
Time seed = Byte1, byte2, byte3, byte4, byte5, byte6, byte7, byte8, byte9, byte10, byte11, byte12, byte13, byte14, byte15, byte16 (data format).
Device ID conversion:
STB_ID=Byte1,Byte2,Byte3,Byte4,Byte5,Byte6,Byte7,Byte8;
SN=Byte1,Byte2,Byte3,Byte4,Byte5,Byte6,Byte7,Byte8。
generating a new sequence of device IDs after the data parity position is changed:
STB_ID=Byte1,Byte3,Byte5,Byte7,Byte2,Byte4,Byte6,Byte8;
SN=Byte2,Byte4,Byte6,Byte8,Byte1,Byte3,Byte5,Byte7。
using the new STB_ID, SN performs an algorithm to generate KEY1:
the Key1 = (-time seed) |((stb_id|sn)/(Mark)) Mark can be transformed from 0-255, so the Key1 has different chosen values (the algorithm ensures that the Key1 is variable, non-repeatable, server controlled).
Key2= (rootkey < < 64) | (-SN) (rootkey is stored in an area inside the chip that cannot be read and written by the outside when the chip leaves the factory).
(2) The device key generation algorithm includes:
key3= (rootkey < < 64) | (—sn); (automatic acquisition of rootkey chip internal interface) time seed = symmetric algorithm AES decrypts the encrypted data of timeseed enc, key uses Key3.
Device ID conversion:
STB_ID=Byte1,Byte2,Byte3,Byte4,Byte5,Byte6,Byte7,Byte8
(automatic acquisition of device internal interface);
sn=byte 1, byte2, byte3, byte4, byte5, byte6, byte7, byte8 (device internal interface auto-get).
After the data parity position changes, a new sequence is generated:
STB_ID=Byte1,Byte3,Byte5,Byte7,Byte2,Byte4,Byte6,Byte8;
SN=Byte2,Byte4,Byte6,Byte8,Byte1,Byte3,Byte5,Byte7;
using the new stb_id, SN performs an algorithm to generate Key4:
key key4= (-time seed) | (stb_id|sn)/(mark)
Plaintext data = Key key4+ symmetric algorithm AES decryption.
In this embodiment, as shown in fig. 4, the server time selection includes: the current system time is accurate to millisecond through the system function, hundreds of millions of different time seeds are continuously generated, and the data of the time pool is updated every minute (the data is not repeated, the time pool is dynamic and is updated periodically, and the probability that the data are collided is low); obtaining a different time seed through a random algorithm each time; judging whether the length of the obtained original time seed data is = =16, if so, encrypting the time seed and the private data through a symmetric key algorithm to generate a first key; when the time seeds of the time pool are reduced, automatically randomly inserting a time data into the time pool. Wherein as time is always being generated, the thread that generates time from the system randomly takes an inserted time pool as the time pool decreases.
The rootkey is input into the chip in a black box mode when the set top box chip leaves the factory, and the outside does not allow reading and writing, so that the rootkey has a certain security level.
When the STB_ID and the SN are produced in the set top box, the STB_ID and the SN are produced in a black box mode and are imported into the server in batches.
In this embodiment, as shown in fig. 3, the device side acquiring plaintext data includes:
acquiring satellite data, judging whether the satellite data are valid data, if so, acquiring a rootkey, encrypted time data and encrypted private data, acquiring a third key by the arithmetic operation of a rootkey and a factory number of the device in the device, decrypting the time data by using an AES symmetric algorithm, generating a fourth key by the arithmetic operation of the decrypted time data, the factory number, a hardware number and a mark value of the device, decrypting the encrypted private data, judging whether the acquired valid data are correct, and if so, storing the data.
Therefore, the system automatically generates a group of dynamic keys for decrypting the data according to the algorithm when the set top box receives the encrypted data by encrypting the private data by the server, and the keys generated by each set top box are not repeated. The two-layer encryption method mainly ensures that the key pair of the server and the set top box is matched, can effectively improve the security of private data, avoids the risk that the box end is completely cracked after being cracked by one, improves the attack cost of hackers and reduces the loss of operators.
An embodiment of a dynamic key generation system:
referring to fig. 5 to 7, a dynamic key generation system includes; the server is used for generating a first key and sending the encrypted first key to the corresponding equipment end through the front-end equipment.
The device side is used for generating a second key, decrypting the private data through the second key by using a symmetric key algorithm, and obtaining effective data.
Wherein the system will make a dynamic change each time the private data changes the first key.
In this embodiment, the system further includes a database, where the database is used to record a device hardware number and a device factory number generated by an algorithm, and record a rootkey written by a black box method.
Therefore, the invention can ensure that the decryption key of each set top box is controlled to be changed by the server, the encryption key is changed dynamically each time, and the keys of each set top box are different. After a hacker obtains the key of one set-top box, they cannot use the same key to crack the private data of other set-top boxes, which is equivalent to the security of other set-top boxes. If a hacker breaks each set-top box by obtaining a key, if the hacker has 10 ten thousand set-top boxes, 10 ten thousand times of breaking are needed. Aiming at operators, the cracked set top box can be scrapped by using a special means, and the key is not required to be frequently updated, so that the risk brought by updating is reduced, the protection level of the private data security of the set top box is increased, and the cost of hacking is also increased.
Therefore, the invention has the following beneficial effects:
(1) The security double layer encryption, the keys all need to evolve.
(2) The key is not repeated and is obtained according to the algorithm of the time pool.
(3) Key dynamics: the private data of each set top box will be different due to different factory ID and device ID, and the generated keys will be different.
The above embodiments are only preferred embodiments of the present invention, and the scope of the present invention is not limited thereto, but any insubstantial changes and substitutions made by those skilled in the art on the basis of the present invention are intended to be within the scope of the present invention as claimed.

Claims (10)

1. A method for generating a dynamic key, comprising the steps of:
acquiring the system time and UUID of a current server, calculating according to the system time and UUID algorithm to form a time pool, and randomly acquiring time data from the time pool to serve as a time seed;
acquiring hardware numbers, equipment factory numbers and equipment rootkeys of all the equipment, forming a number pool according to the data, and searching corresponding equipment hardware numbers, equipment factory numbers and equipment rootkeys from the number pool according to equipment characteristics;
carrying out algorithm calculation on the obtained time seeds, the equipment hardware numbers of the equipment delivery, the equipment delivery numbers and the algorithm conversion marking bits to generate a first secret key;
encrypting the private data by using a symmetric encryption algorithm, wherein an encryption key is a first key;
calculating the acquired rootkey and the factory number of the equipment to generate a second key through an algorithm;
encrypting the time seeds by using a symmetric encryption algorithm, wherein the encryption key is a second key;
the encrypted time seed encryption data and the encrypted private data are sent to the corresponding equipment end through front-end equipment;
after receiving the signal, the equipment end acquires encrypted private data, encrypted time seed encryption data and mark data from the signal data;
the device generates a latest third key by combining the acquired rootkey with the device factory number of the device end;
decrypting the time seed encrypted data by using a symmetric encryption algorithm through the third key, calculating a fourth key through the algorithm together with the factory number of the equipment, the hardware number of the equipment and mark data;
and decrypting the encrypted private data by using a symmetric encryption algorithm through the fourth key to restore the valid data.
2. The method of claim 1, wherein forming a time pool based on the system time comprises:
the method comprises the steps of obtaining the system time of a current server, obtaining UUID (user identifier) of the server and time calculation to generate time seeds, and warehousing a plurality of time seeds to form a time pool, wherein when equipment is produced, equipment hardware numbers, equipment factory numbers and rootkeys are imported to the server through a network service black box technology to form an equipment number pool.
3. The method according to claim 1, wherein the sending the encrypted first key to the corresponding device side through the front-end device includes:
all the encrypted private data, the encrypted time seed data and the algorithm marking data are transmitted to a program multiplexer according to the DVB standard, the transmitted data are multiplexed by the program multiplexer and then enter a signal modulator, the multiplexed data are modulated into a receivable signal by the signal modulator, the signal is power amplified and then transmitted to a forwarding device through an antenna, and a user side obtains the power amplified signal data through a receiving device, so that the private data, the time seed data and the algorithm data are received to the device side.
4. A method according to any one of claims 1 to 3, characterized in that:
the server key generation includes:
time seed= ((local server time < < 16) |server UUID) < <64;
the first key= (-time seed) |((stb_id|sn)/(mark), wherein stb_id is the device hardware number, SN is the device factory number, mark is the algorithm transformation flag bit, and the value range is 0-255.
5. The method according to claim 4, wherein:
the server key generation includes:
second key = (rootkey < < 64) | (-SN) +aes symmetric algorithm encryption.
6. The method according to claim 5, wherein:
the equipment-side key acquisition comprises the following steps:
third key= (rootkey < < 64) | (-SN);
time seed = decrypt data using AES symmetric algorithm + third key;
fourth key= (-time seed) |((stb_id|sn)/(mark));
plaintext data = fourth key + AES symmetric algorithm decryption.
7. A method according to any one of claims 1 to 3, characterized in that:
the server time selection comprises the following steps:
acquiring accurate time of the current system to millisecond through a system function, continuously generating hundreds of millions of different time seeds, and updating data of a time pool every minute;
obtaining a different time seed through a random algorithm each time;
when the time seeds of the time pool are reduced, automatically randomly inserting a time data into the time pool.
8. The method according to claim 6, wherein:
the device side obtaining plaintext data comprises the following steps:
acquiring satellite data, judging whether the satellite data are valid data, if so, acquiring a rootkey, encrypted time data and encrypted private data, acquiring a third key by the arithmetic operation of a rootkey and a factory number of the device in the device, decrypting the time data by using an AES symmetric algorithm, generating a fourth key by the arithmetic operation of the decrypted time data, the factory number, a hardware number and a mark value of the device, decrypting the encrypted private data, judging whether the acquired valid data are correct, and if so, storing the data.
9. A dynamic key generation system, wherein the system is applied to a dynamic key generation method as defined in any one of claims 1 to 8 for key generation, and the system comprises:
the server is used for generating a first key and a second key, and transmitting the encrypted first key to the corresponding equipment end through front-end equipment;
the device side is used for generating a third key and a fourth key, decrypting the private data by using a symmetric key algorithm through the fourth key, and obtaining effective data;
wherein the system will make a dynamic change each time the private data changes the first key.
10. The system according to claim 9, wherein:
the system also comprises a database, wherein the database is used for inputting the equipment hardware number and the equipment factory number generated by the algorithm and inputting the rootkey written by the black box method.
CN202111669543.9A 2021-12-31 2021-12-31 Dynamic key generation method and system Active CN114401426B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111669543.9A CN114401426B (en) 2021-12-31 2021-12-31 Dynamic key generation method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111669543.9A CN114401426B (en) 2021-12-31 2021-12-31 Dynamic key generation method and system

Publications (2)

Publication Number Publication Date
CN114401426A CN114401426A (en) 2022-04-26
CN114401426B true CN114401426B (en) 2023-05-05

Family

ID=81229248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111669543.9A Active CN114401426B (en) 2021-12-31 2021-12-31 Dynamic key generation method and system

Country Status (1)

Country Link
CN (1) CN114401426B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008135893A (en) * 2006-11-27 2008-06-12 Kiyoto Yui Encryption device and program for creating encrypted document attached with disposable encryption key
JP2009206593A (en) * 2008-02-26 2009-09-10 Kawasaki Microelectronics Inc Encryption method and apparatus
JP2011151690A (en) * 2010-01-24 2011-08-04 Michito Miyazaki Encryption key management system
CN103067160A (en) * 2013-01-14 2013-04-24 江苏智联天地科技有限公司 Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD)
CN105471903A (en) * 2015-12-31 2016-04-06 中国建设银行股份有限公司 Method for generating electronic lock activation information and related system, device and unlocking method
CN106027247A (en) * 2016-07-29 2016-10-12 宁夏丝路通网络支付有限公司北京分公司 Method for remotely issuing POS key
CN107483432A (en) * 2017-08-10 2017-12-15 广州杰之良软件有限公司 File encryption processing method and processing device
JP2018037898A (en) * 2016-08-31 2018-03-08 株式会社エヌ・ティ・ティ ピー・シー コミュニケーションズ Transmitter, communication system, transmission method, and program
CN112769559A (en) * 2020-12-31 2021-05-07 无锡艾立德智能科技有限公司 Symmetric key synchronization method based on multiple keys
CN113726508A (en) * 2021-08-30 2021-11-30 北京博瑞翔伦科技发展有限公司 TOTP algorithm and system for unmanned bin offline intelligent lock

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107689947B (en) * 2016-08-05 2021-03-30 华为国际有限公司 Data processing method and device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008135893A (en) * 2006-11-27 2008-06-12 Kiyoto Yui Encryption device and program for creating encrypted document attached with disposable encryption key
JP2009206593A (en) * 2008-02-26 2009-09-10 Kawasaki Microelectronics Inc Encryption method and apparatus
JP2011151690A (en) * 2010-01-24 2011-08-04 Michito Miyazaki Encryption key management system
CN103067160A (en) * 2013-01-14 2013-04-24 江苏智联天地科技有限公司 Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD)
CN105471903A (en) * 2015-12-31 2016-04-06 中国建设银行股份有限公司 Method for generating electronic lock activation information and related system, device and unlocking method
CN106027247A (en) * 2016-07-29 2016-10-12 宁夏丝路通网络支付有限公司北京分公司 Method for remotely issuing POS key
JP2018037898A (en) * 2016-08-31 2018-03-08 株式会社エヌ・ティ・ティ ピー・シー コミュニケーションズ Transmitter, communication system, transmission method, and program
CN107483432A (en) * 2017-08-10 2017-12-15 广州杰之良软件有限公司 File encryption processing method and processing device
CN112769559A (en) * 2020-12-31 2021-05-07 无锡艾立德智能科技有限公司 Symmetric key synchronization method based on multiple keys
CN113726508A (en) * 2021-08-30 2021-11-30 北京博瑞翔伦科技发展有限公司 TOTP algorithm and system for unmanned bin offline intelligent lock

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Shuqin Zhu ; Congxu Zhu.Secure Image Encryption Algorithm Based on Hyperchaos and Dynamic DNA Coding.2020,第22卷(第772期),全文. *
韩琪 ; .基于动态密钥选择的网络隐私信息双重加密方法.黑龙江工业学院学报(综合版).2020,(第03期),全文. *

Also Published As

Publication number Publication date
CN114401426A (en) 2022-04-26

Similar Documents

Publication Publication Date Title
US8832727B2 (en) Method and authentication server for verifying access identity of set-top box
US11259082B2 (en) Systems and methods for data processing, storage, and retrieval from a server
JP3965126B2 (en) Playback device for playing content
JP5062775B2 (en) SEARCH METHOD, SEARCH DEVICE, INDEX GENERATION METHOD, INDEX GENERATION DEVICE
KR100493291B1 (en) Copy protection method and system for digital media
CN106973310A (en) The player method of Streaming Media, EPG server and CDN server in a kind of IPTV system
US10193691B2 (en) Information processing device, server device, information processing system, moving object, and information processing method
CN106658093B (en) The exchange method and system of set-top box and server
KR100493284B1 (en) Copy protection method and system for digital media
CN110213669B (en) Video content anti-theft system and method based on TS (transport stream) slices
CN101399670A (en) Encryption module distribution system and device
US20190261028A1 (en) System and method for securely transferring data
CN102256170A (en) Encryption method and decryption method based on no-card CA (Certificate Authority)
WO2011061116A1 (en) Preventing cloning of receivers of encrypted messages
US10887634B2 (en) Video resource file acquisition method and management system
CN114401426B (en) Dynamic key generation method and system
CN116709325A (en) Mobile equipment security authentication method based on high-speed encryption algorithm
US20200145186A1 (en) Reducing variable-length pre-key to fix-length key
KR101346623B1 (en) Contents service providing method and authentication method between device and device using broadcast encryption, display device and device for low resource
CN106454435B (en) Conditional access method and related equipment and system
CN114401148A (en) Communication data encryption and decryption optimization method
KR102024058B1 (en) Device in multicast group
US20160165279A1 (en) Method of transmitting messages between distributed authorization server and conditional access module authentication sub-system in renewable conditional access system, and renewable conditional access system headend
CN116782210B (en) Dynamic encryption key generation method of high-speed encryption algorithm
US20100235626A1 (en) Apparatus and method for mutual authentication in downloadable conditional access system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant