[go: up one dir, main page]

CN101872399B - Dynamic digital copyright protection method based on dual identity authentication - Google Patents

Dynamic digital copyright protection method based on dual identity authentication Download PDF

Info

Publication number
CN101872399B
CN101872399B CN2010102145897A CN201010214589A CN101872399B CN 101872399 B CN101872399 B CN 101872399B CN 2010102145897 A CN2010102145897 A CN 2010102145897A CN 201010214589 A CN201010214589 A CN 201010214589A CN 101872399 B CN101872399 B CN 101872399B
Authority
CN
China
Prior art keywords
user
digital certificate
key
digital
pin code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2010102145897A
Other languages
Chinese (zh)
Other versions
CN101872399A (en
Inventor
刘泉
江雪梅
李雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Technology WUT filed Critical Wuhan University of Technology WUT
Priority to CN2010102145897A priority Critical patent/CN101872399B/en
Publication of CN101872399A publication Critical patent/CN101872399A/en
Application granted granted Critical
Publication of CN101872399B publication Critical patent/CN101872399B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

本发明公开了一种基于双重身份认证的动态数字版权保护方法,包括如下步骤:将用户的数字证书下载到内置有随机数发生器的USBKEY中;当用户登录时,在USBKEY置入客户端后,根据输入的PIN码口令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,当用户对随机数序列签名的签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件;当用户未登录时,在USBKEY置入客户端后,根据输入的PIN码口令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。本方法能约束用户使用权限和划分用户权限范围,对离线状态用户身份进行认证,防止离线扩散。

The invention discloses a dynamic digital copyright protection method based on double identity authentication, comprising the following steps: downloading the user's digital certificate to a USBKEY with a built-in random number generator; , activate the USBKEY according to the input PIN code password, and then obtain the digital certificate in the USBKEY. When the digital certificate is valid, the random number generator generates a random number sequence. The use rights stipulated in the extension item are used to play online or download media work files online; when the user is not logged in, after the USBKEY is placed in the client, the USBKEY is activated according to the entered PIN code password, and then the digital certificate in the USBKEY is obtained. When it is valid, the media work file is played offline according to the use authority stipulated in the extension of the digital certificate. The method can restrict the user's use authority and divide the scope of the user's authority, authenticate the identity of the user in the offline state, and prevent offline diffusion.

Description

基于双重身份认证的动态数字版权保护方法A Dynamic Digital Copyright Protection Method Based on Double Identity Authentication

技术领域 technical field

本发明涉及信息安全领域,涉及数字版权保护和身份认证,特别涉及一种基于双重身份认证的动态数字版权保护方法。The invention relates to the field of information security, to digital copyright protection and identity authentication, in particular to a dynamic digital copyright protection method based on double identity authentication.

背景技术 Background technique

随着网络传输和通信技术的飞速发展,网络多媒体文件的分发、复制与编辑变得越来越普遍,与此同时,服务提供商越来越强烈地要求保护其数字内容,版权问题得到了越来越多的关注。由此而产生的数字版权管理技术(Digital Rights Management,以下简称DRM)可以实现版权的保护,其结合硬件和软件的存取机制,对数字多媒体内容在其生命周期内的存取进行有效地控制。目前,众多学者已经对DRM技术进行了深入广泛的研究。With the rapid development of network transmission and communication technology, the distribution, duplication and editing of network multimedia files have become more and more common. more and more attention. The resulting digital rights management technology (Digital Rights Management, hereinafter referred to as DRM) can realize the protection of copyright, which combines the access mechanism of hardware and software to effectively control the access of digital multimedia content in its life cycle . At present, many scholars have conducted in-depth and extensive research on DRM technology.

Steve K等人提出了一种隐私可保护的版权管理模式,该模式可以在线进行用户隐私受保护的身份认证许可,但是离线状态下无法定位版权用户的身份。Andreaux JP等人提出了一种用于数字家庭网络的版权保护系统,该系统将属性证书和许可证进行分离操作,从而实现了数字媒体的安全发放。但是受所在网络的限制,还没有推广到广域网的范畴。ShiHao等人则设计了一种用于协同的点对点对等网络的数字版权管理方案,该方案采用动态许可证技术,但是不支持版权受控内容的物理空间的迁移。Steve K et al. proposed a privacy-protectable copyright management model, which can perform online user privacy-protected identity authentication and permission, but cannot locate the identity of the copyright user offline. Andreaux JP et al proposed a copyright protection system for digital home networks, which separates attribute certificates and licenses, thereby realizing the safe distribution of digital media. However, due to the limitation of the network where it is located, it has not been extended to the scope of the wide area network. ShiHao et al. designed a digital rights management scheme for collaborative point-to-point peer-to-peer networks. This scheme uses dynamic license technology, but does not support the migration of copyright-controlled content in physical space.

虽然近年来的科研成果和实践经验已经取得了瞩目的成绩,但是版权管理平台上仍然存在着亟待解决的问题,具体表现在:Although the scientific research results and practical experience in recent years have achieved remarkable results, there are still problems to be solved on the copyright management platform, which are specifically reflected in:

(1)虽然在线状态下的身份认证技术很好地解决了用户的合法身份问题,但是,不能正确地约束用户的使用权限和清晰地划分用户的权限范围。(1) Although the identity authentication technology in the online state solves the legal identity problem of the user well, it cannot correctly restrict the user's use authority and clearly divide the user's authority scope.

(2)由于目前还没有离线状态下的用户身份认证机制,用户在版权管理平台上通过身份认证后,下载到本地计算机上的数字多媒体文件可以通过常用的媒体播放器进行直接播放,这样就会导致数字多媒体作品被恶意地篡改或者窃取,不能有效地防止离线扩散。(2) Since there is no user identity authentication mechanism in the offline state at present, after the user passes the identity authentication on the copyright management platform, the digital multimedia files downloaded to the local computer can be directly played by a commonly used media player, so that As a result, digital multimedia works are maliciously tampered with or stolen, which cannot effectively prevent offline diffusion.

因此,有必要提供一种改进的数字版权保护方法来克服现有技术的缺陷。Therefore, it is necessary to provide an improved digital copyright protection method to overcome the defects of the prior art.

发明内容 Contents of the invention

本发明的目的是提供一种基于双重身份认证的动态数字版权保护方法,USBKEY内的PIN码和数字证书能解决Steve K等人提出的版权管理模式中离线状态下无法定位版权用户的身份的问题、Andreaux JP等人提出的数字家庭网络的版权保护系未推广到广域网的范畴的问题、以及Shi Hao等人设计的用于协同的点对点对等网络的数字版权管理方案中不支持版权受控内容的物理空间的迁移的问题,并且数字证书的扩展项能在在线状态下正确约束用户的使用权限和清晰划分用户的权限范围,PIN码和数字证书能在离线状态下对用户身份进行认证,避免媒体作品被恶意地篡改或者窃取,有效防止离线扩散。The purpose of the present invention is to provide a dynamic digital copyright protection method based on dual identity authentication. The PIN code and digital certificate in the USBKEY can solve the problem that the identity of the copyright user cannot be located in the offline state in the copyright management mode proposed by Steve K et al. , the copyright protection system of digital home network proposed by Andreaux JP et al. has not been extended to the scope of wide area network, and the digital rights management scheme for collaborative peer-to-peer network designed by Shi Hao et al. does not support copyright-controlled content The migration of the physical space, and the extension of the digital certificate can correctly restrict the user's use authority and clearly divide the user's authority range in the online state. The PIN code and the digital certificate can authenticate the user's identity in the offline state, avoiding Media works are maliciously tampered with or stolen, effectively preventing offline diffusion.

为了实现上述目的,本发明提供了一种基于双重身份认证的动态数字版权保护方法,包括如下步骤:(1)将用户的数字证书下载到内置有随机数发生器的USBKEY中;(2)当用户登录时,在USBKEY置入客户端后,根据输入的PIN码口令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,当用户对随机数序列签名的签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件;(3)当用户未登录时,在USBKEY置入客户端后,根据输入的PIN码口令激活USBKEY,进而获取USBKEY内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。In order to achieve the above object, the present invention provides a dynamic digital copyright protection method based on dual identity authentication, comprising the following steps: (1) downloading the user's digital certificate to a USBKEY with a built-in random number generator; (2) when When the user logs in, after the USBKEY is placed in the client, activate the USBKEY according to the input PIN code password, and then obtain the digital certificate in the USBKEY. When the digital certificate is valid, the random number generator generates a random number sequence. When the signature information of the signature is correct, play or download the media work file online according to the use authority stipulated in the extension of the digital certificate; (3) When the user is not logged in, after the USBKEY is placed in the client, according to the input PIN password Activate the USBKEY to obtain the digital certificate in the USBKEY. When the digital certificate is valid, play the media file offline according to the usage rights specified in the extension of the digital certificate.

在本发明的一个实施例中,所述方法还包括:(11)当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符作为密钥要素,并利用密钥要素产生非对称密钥对后,CA代理中心对非对称密钥对的公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心,(12)CA权威认证中心在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书,将数字证书发送至CA代理中心;(13)CA代理中心将数字证书颁发给所有者或消费者,并将数字证书存储至数据库。In one embodiment of the present invention, the method further includes: (11) when the user registers the PIN code set by the user and the user's unique identifier automatically generated by the system as a key element, and using the key element to generate After the asymmetric key pair, the CA agency center will review the user's identity information in the public key of the asymmetric key pair, and after the user's identity information has passed the review, the public key in the asymmetric key pair and the user's identity The information is sent to the CA authority certification center, (12) the CA authority certification center generates a digital certificate when the user's identity information is consistent with the user's identity information information in the public key, and sends the digital certificate to the CA agency center; (13) the CA agent The center issues digital certificates to owners or consumers, and stores the digital certificates in the database.

在本发明的另一实施例中,所述数字证书包括用户的身份信息、公钥信息、CA权威认证中心的身份信息、CA权威认证中心对数字证书的签名、扩展项、以及有效期,其中用户的身份信息包含数字证书序列号、用户注册时提交的用户名称、以及系统平台为用户生成的唯一标识符,并由CA权威认证中心100来确定,扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息。In another embodiment of the present invention, the digital certificate includes the user's identity information, public key information, identity information of the CA authority certification center, the CA authority certification center's signature on the digital certificate, extensions, and validity period, wherein the user The identity information includes the serial number of the digital certificate, the user name submitted by the user when registering, and the unique identifier generated by the system platform for the user, and is determined by the CA authority certification center 100. The extended items include online playback, online download, and offline media playback. Permission information for the work file.

在本发明的又一实施例中,所述步骤(2)具体为:(21)在用户登录并将USBKEY置入客户端后,当输入的PIN码口令次数未超过规定次数时,输入PIN码口令,当输入的PIN码口令与USBKEY的PIN码相同时,激活USBKEY;(22)获取USBKEY内的数字证书,当数字证书有效时,随机数发生器产生随机数序列;(23)在用户对由随机数发生器根据非对称密钥对中的私钥作为初始化种子产生的随机数、证书有效时间、以及目标接收者组成的报文签名以及签名信息通过私钥加密后,利用数字证书的公钥对加密的签名信息进行解密,将报文进行数字签名,根据签名的报文与解密的签名信息判断用户的签名是否正确;(24)当签名正确时,判断服务器是否为信息的接收者,数字证书的时间戳是否为当前时间;(25)当服务器是信息的接收者,数字证书的时间戳是当前时间时,根据数字证书的扩展项所规定的使用权限在线播放或下载媒体作品文件。In yet another embodiment of the present invention, said step (2) is specifically: (21) after the user logs in and puts the USBKEY into the client, when the number of times of the input PIN code password does not exceed the specified number of times, input the PIN code Password, when the PIN code password of input is identical with the PIN code of USBKEY, activate USBKEY; (22) obtain the digital certificate in USBKEY, when digital certificate is valid, random number generator produces random number sequence; The random number generated by the random number generator based on the private key in the asymmetric key pair as the initialization seed, the valid time of the certificate, and the signature of the message composed of the target recipient and the signature information are encrypted by the private key, and the public key of the digital certificate is used. The key decrypts the encrypted signature information, digitally signs the message, and judges whether the user's signature is correct according to the signed message and the decrypted signature information; (24) When the signature is correct, determine whether the server is the receiver of the information, Whether the time stamp of the digital certificate is the current time; (25) When the server is the recipient of the information and the time stamp of the digital certificate is the current time, play or download the media work file online according to the use authority specified in the extension of the digital certificate.

在本发明的再一实施例中,所述步骤(3)具体为:(31)在用户未登录并将USBKEY置入客户端后,当输入的PIN码口令次数未超过规定次数时,输入PIN码口令,当输入的PIN码口令与USBKEY的PIN码相同时,激活USBKEY;(32)获取USBKEY内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。In yet another embodiment of the present invention, said step (3) is specifically: (31) after the user does not log in and puts the USBKEY into the client, when the number of times the input PIN code password does not exceed the specified number of times, input the PIN Code password, when the input PIN code password is the same as the PIN code of the USBKEY, activate the USBKEY; (32) Obtain the digital certificate in the USBKEY, when the digital certificate is valid, play the media offline according to the use authority stipulated in the extension of the digital certificate Works file.

在本发明的又一实施例中,所述方法还包括:当用户支付媒体作品文件的新使用权的费用后,更新用户的数字证书的扩展项和有效期;将更新的数字证书下载到USBKEY中以替代原有数字证书。In yet another embodiment of the present invention, the method also includes: after the user pays for the new use right of the media work file, updating the extension and validity period of the user's digital certificate; downloading the updated digital certificate into the USBKEY To replace the original digital certificate.

与现有技术相比,本发明基于双重身份认证的动态数字版权保护方法具有如下优点:Compared with the prior art, the present invention's dynamic digital copyright protection method based on double identity authentication has the following advantages:

(1)在在线状态和离线状态,均采用PIN码口令和数字证书来验证用户身份,这种双重身份验证避免了所有用户操作媒体文件,这样在离线状态下可以定位版权用户的身份,本发明家庭网络服务器组成一个域,通过向管理家庭网络和提供数字内容的服务器端申请相应的证书,服务器端将域作为一个整体管理,域中设备所申请的数字内容均被当作是域所申请,服务器端只与此用户域通信,而不与域中各设备直接通信,可将数字家庭网络的版权保护推广到广域网的范畴;通过秘密共享思想将数字证书的公钥分发给点对点对等网络中的可信任节点,为网络的数字版权管理中数字内容的分发提供了必要的安全保障,版权受控内容的物理空间可以迁移。(1) in online state and offline state, all adopt PIN code password and digital certificate to verify user identity, this double authentication has avoided all users to operate media file, can locate the identity of copyright user like this under offline state, the present invention The home network server forms a domain. By applying for the corresponding certificate from the server that manages the home network and provides digital content, the server manages the domain as a whole, and the digital content applied by the devices in the domain is regarded as the application of the domain. The server side only communicates with this user domain, and does not directly communicate with each device in the domain, which can extend the copyright protection of the digital home network to the scope of the wide area network; distribute the public key of the digital certificate to the peer-to-peer network through the idea of secret sharing The trusted node of the network provides the necessary security guarantee for the distribution of digital content in the digital rights management of the network, and the physical space of copyright-controlled content can be migrated.

(2)数字证书的扩展项规定了数字多媒体作品的使用权限,能实现在线下载、在线播放、离线播放的使用权限约束和权限范围划分。(2) The extension item of the digital certificate stipulates the use rights of digital multimedia works, which can realize the restriction and division of the use rights of online download, online play, and offline play.

(3)在在线状态时,采用随机数发生器产生随机数序列要求用户签名,用户每次签名的随机数序列均不相同,实现了身份认证的动态性。(3) In the online state, a random number generator is used to generate a random number sequence to require the user to sign, and the random number sequence of each signature of the user is different, which realizes the dynamics of identity authentication.

通过以下的描述并结合附图,本发明将变得更加清晰,这些附图用于解释本发明的实施例。The present invention will become clearer through the following description in conjunction with the accompanying drawings, which are used to explain the embodiments of the present invention.

附图说明 Description of drawings

图1为本发明基于双重身份认证的动态数字版权保护方法的流程图。Fig. 1 is a flowchart of the dynamic digital copyright protection method based on dual identity authentication of the present invention.

图2是图1所示基于双重身份认证的动态数字版权保护方法涉及的系统的架构图。FIG. 2 is an architecture diagram of a system involved in the dynamic digital copyright protection method based on dual identity authentication shown in FIG. 1 .

图3为图1所示基于双重身份认证的动态数字版权保护方法中USBKEY的组成框图。FIG. 3 is a block diagram of USBKEY in the dynamic digital copyright protection method based on double identity authentication shown in FIG. 1 .

图4为图1所示基于双重身份认证的动态数字版权保护方法中实现在线播放或下载的流程图。FIG. 4 is a flow chart of implementing online playback or downloading in the dynamic digital copyright protection method based on dual identity authentication shown in FIG. 1 .

图5为图1所示基于双重身份认证的动态数字版权保护方法中实现离线播放的流程图。FIG. 5 is a flow chart of realizing offline playback in the dynamic digital copyright protection method based on dual identity authentication shown in FIG. 1 .

图6为图1所示基于双重身份认证的动态数字版权保护方法中为用户颁发数字证书的流程图。FIG. 6 is a flow chart of issuing digital certificates to users in the dynamic digital copyright protection method based on dual identity authentication shown in FIG. 1 .

具体实施方式 Detailed ways

现在参考附图描述本发明的实施例,附图中类似的元件标号代表类似的元件。Embodiments of the present invention will now be described with reference to the drawings, in which like reference numerals represent like elements.

参考图1和图2,本实施例基于双重身份认证的动态数字版权保护方法包括如下步骤:With reference to Fig. 1 and Fig. 2, the dynamic digital copyright protection method based on dual identity authentication of the present embodiment comprises the following steps:

步骤S1,服务提供商将用户的数字证书下载到内置有随机数发生器的USBKEY(智能密码钥匙)500中,转步骤S2或步骤S3;Step S1, the service provider downloads the user's digital certificate to the USBKEY (smart password key) 500 with a built-in random number generator, and then turns to step S2 or step S3;

步骤S2,当用户登录时,在USBKEY 500置入客户端(用户PC机)410后,动态身份认证模块根据输入的PIN码口令激活USBKEY 500,进而获取USBKEY 500内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,当用户对随机数序列签名的签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件;Step S2, when the user logs in, after the USBKEY 500 is placed in the client (user PC) 410, the dynamic identity authentication module activates the USBKEY 500 according to the input PIN code password, and then obtains the digital certificate in the USBKEY 500, when the digital certificate is valid , the random number generator generates a random number sequence, and when the signature information signed by the user on the random number sequence is correct, the media work file can be played or downloaded online according to the usage rights stipulated in the extension of the digital certificate;

步骤S3,当用户未登录时,在USBKEY 500置入客户端(用户PC机)410后,离线播放模块根据输入的PIN码口令激活USBKEY 500,进而获取USBKEY 500内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。Step S3, when the user is not logged in, after the USBKEY 500 is inserted into the client (user PC) 410, the offline playback module activates the USBKEY 500 according to the input PIN code password, and then obtains the digital certificate in the USBKEY 500, when the digital certificate is valid , the media work file will be played offline according to the use rights stipulated in the extension of the digital certificate.

由上可以看出,本实施例基于双重身份认证的动态数字版权保护方法具有如下优点:As can be seen from the above, the dynamic digital copyright protection method based on double identity authentication in this embodiment has the following advantages:

(1)在在线状态和离线状态,均采用PIN码口令和数字证书来验证用户身份,这种双重身份验证避免了所有用户操作媒体文件。(1) In both online and offline states, PIN code passwords and digital certificates are used to verify user identities. This double identity verification prevents all users from operating media files.

(2)数字证书的扩展项规定了数字多媒体作品的使用权限,能实现在线下载、在线播放、离线播放的使用权限约束和权限范围划分。(2) The extension item of the digital certificate stipulates the use rights of digital multimedia works, which can realize the restriction and division of the use rights of online download, online play, and offline play.

(3)在在线状态时,采用随机数发生器产生随机数序列要求用户签名,用户每次签名的随机数序列均不相同,实现了身份认证的动态性,即使黑客截获数字签名,也无法仿冒合法用户的身份。(3) In the online state, a random number generator is used to generate a random number sequence to require the user to sign. The random number sequence of each signature of the user is different, which realizes the dynamic nature of identity authentication. Even if the hacker intercepts the digital signature, it cannot be counterfeited. The identity of the legitimate user.

见图3,所述USBKEY 500包括硬件设备管理子模块510、非对称密钥管理子模块520、算法管理子模块530、数据加密管理子模块540、以及服务提供商下载的用户的数字证书550。下面对USBKEY 500内的各组成部分进行详细说明。3, the USBKEY 500 includes a hardware device management submodule 510, an asymmetric key management submodule 520, an algorithm management submodule 530, a data encryption management submodule 540, and a user's digital certificate 550 downloaded by a service provider. The components of the USBKEY 500 are described in detail below.

所述硬件设备管理子模块510包括USB识别控制单元511、PIN码鉴别CPU单元512、以及加密保护的EPROM 513。所述USB识别控制单元511用于识别USBKEY 500插入或拔出客户端(用户PC机)410的操作,在识别出USBKEY 500插入操作时控制客户端410的CPU(CentralProcessing Unit,中央处理器)读取用户输入的PIN码口令。所述PIN码鉴别CPU单元512用于判断CPU读取的PIN码口令的正误以及判断输入PIN码的次数。所述EPROM单元513用于存储数字证书550、密钥等秘密数据,对该EPROM单元513的读写操作通过程序实现,用户无法直接读取,其中用户私钥是不可导出的,杜绝了复制用户数字证书或身份信息的可能性。The hardware device management submodule 510 includes a USB identification control unit 511, a PIN code identification CPU unit 512, and an EPROM 513 for encryption protection. Described USB identification control unit 511 is used for identifying USBKEY 500 to insert or pull out the operation of client (user PC) 410, controls the CPU (Central Processing Unit, central processing unit) of client 410 to read when identifying USBKEY 500 insertion operation Obtain the PIN password entered by the user. The PIN code identification CPU unit 512 is used for judging whether the PIN code password read by the CPU is correct or not and for judging the times of inputting the PIN code. The EPROM unit 513 is used to store secret data such as a digital certificate 550 and a key. The read and write operations of the EPROM unit 513 are implemented through a program, and the user cannot directly read it, and the user's private key cannot be exported, which prevents the user from copying Possibility of digital certificates or identity information.

所述非对称密钥管理子模块520用于将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法生成非对称密钥对,将非对称密钥对和数字证书550存储在加密保护的EPROM单元;密钥分为对称密钥和非对称密钥,并且均有有效期(密钥不能无限期使用,因为密钥使用时间越长,它泄露的机会就越大,引起的损失将越大)。在密钥有效期内,用户利用非对称密钥中的私钥加密报文,接收方利用数字证书中的公钥解密报文,当密钥有效期满时,利用密钥要素采用RSA算法重新生成非对称密钥对,根据重新生成的非对称密钥对更新密钥。具体地,所述非对称密钥管理子模块520包括密钥安装生成单元521、密钥使用更新单元522、以及密钥存储撤销单元523。密钥安装生成单元521用于将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法生成非对称密钥对;密钥使用更新单元522用于读取EPROM单元511中的非对称密钥对以及更新失效的非对称密钥对;密钥存储撤销单元523用于将生成的非对称密钥对保存到EPROM单元511中或删除EPROM单元511中中的非对称密钥对。The asymmetric key management submodule 520 is used to use the PIN code set by the user and the user's unique identifier (ID) automatically generated by the system when the user registers as key elements, and use the key elements to generate an asymmetric key using the RSA algorithm. Key pair, store the asymmetric key pair and the digital certificate 550 in the encrypted protected EPROM unit; the key is divided into a symmetric key and an asymmetric key, and both have validity periods (the key cannot be used indefinitely, because the key uses The longer the time, the greater the chance of it leaking, and the greater the damage it will cause). During the validity period of the key, the user uses the private key in the asymmetric key to encrypt the message, and the receiver uses the public key in the digital certificate to decrypt the message. When the key expires, the key element is used to regenerate the asymmetric Symmetric key pair, update the key based on the regenerated asymmetric key pair. Specifically, the asymmetric key management submodule 520 includes a key installation generation unit 521 , a key usage update unit 522 , and a key storage revocation unit 523 . The key installation generation unit 521 is used to use the PIN code set by the user and the user's unique identifier (ID) automatically generated by the system when the user registers as key elements, and use the key elements to generate an asymmetric key pair using the RSA algorithm; The key usage update unit 522 is used to read the asymmetric key pair in the EPROM unit 511 and update the invalid asymmetric key pair; the key storage revocation unit 523 is used to save the generated asymmetric key pair to the EPROM unit 511 Delete or delete the asymmetric key pair in the EPROM unit 511.

所述算法管理子模块530用于对每个算法标注一个ID进而存储和识别各个算法,在各个算法中选择进行加密的算法。其中,算法有RSA、DSA等非对称密钥算法,DES、RC6、RC5等对称密钥算法,SHA-1、MD5等数据散列算法,标注ID进行算法存储的方式能实现算法的合理存储,更好地解决USBKEY空间存储问题。具体地,所述算法管理子模块530包括算法库管理单元531、加密算法选择单元532、以及随机数发生器533。算法库管理单元531负责管理非对称密钥算法、对称密钥算法、数据散列算法;加密算法选择单元532负责根据任务要求调度每个算法;随机数发生器533有一个输入参数,即初始化种子,初始化种子不同,据此可产生每次不一样的随机数序列。The algorithm management sub-module 530 is used to mark each algorithm with an ID, store and identify each algorithm, and select an encryption algorithm among each algorithm. Among them, the algorithms include asymmetric key algorithms such as RSA and DSA, symmetric key algorithms such as DES, RC6, and RC5, and data hash algorithms such as SHA-1 and MD5. Better solve the USBKEY space storage problem. Specifically, the algorithm management submodule 530 includes an algorithm library management unit 531 , an encryption algorithm selection unit 532 , and a random number generator 533 . Algorithm library management unit 531 is responsible for managing asymmetric key algorithms, symmetric key algorithms, and data hash algorithms; encryption algorithm selection unit 532 is responsible for scheduling each algorithm according to task requirements; random number generator 533 has an input parameter, that is, initialization seed , the initialization seeds are different, and different random number sequences can be generated each time.

所述数据加密管理子模块540用于根据算法管理子模块530选择的加密算法进行数据的加密,并根据根据算法管理子模块530选择的加密算法进行数据的解密。具体地,所述数据加密管理子模块540包括数据加密实现单元541、数据解密实现单元542、以及数据文件签名单元543。数据加密实现单元541负责加密算法的操作;数据解密单元542负责解密算法的操作;数据文件签名单元543负责数字签名的操作。The data encryption management submodule 540 is used for encrypting data according to the encryption algorithm selected by the algorithm management submodule 530 , and performing data decryption according to the encryption algorithm selected by the algorithm management submodule 530 . Specifically, the data encryption management submodule 540 includes a data encryption implementation unit 541 , a data decryption implementation unit 542 , and a data file signature unit 543 . The data encryption implementation unit 541 is responsible for the operation of the encryption algorithm; the data decryption unit 542 is responsible for the operation of the decryption algorithm; the data file signature unit 543 is responsible for the operation of the digital signature.

由上可以看出,所述USBKEY 500可以看作是智能卡和读卡器的联合体。It can be seen from the above that the USBKEY 500 can be regarded as a combination of a smart card and a card reader.

如图4并结合图2和图3,所述步骤S2具体为:As shown in Figure 4 and in conjunction with Figure 2 and Figure 3, the step S2 is specifically:

步骤S21,在用户登录后,USBKEY 500的硬件设备管理子模块510的USB识别控制单元511识别出USBKEY 500插入客户端(用户PC机)410操作时,PIN码鉴别CPU单元512判断输入的PIN码口令次数是否超过规定次数,若是,结束(封锁用户口令,防止了非本人使用),若否,继续下一步;Step S21, after the user logs in, the USB identification control unit 511 of the hardware device management submodule 510 of the USBKEY 500 recognizes that when the USBKEY 500 is inserted into the client (user PC) 410 for operation, the PIN code identification CPU unit 512 judges the input PIN code Whether the number of passwords exceeds the specified number of times, if so, end (blocking the user password to prevent non-personal use), if not, continue to the next step;

步骤S22,待用户输入PIN码口令后,USB识别控制单元511控制客户端410的CPU读取用户输入的PIN码口令,PIN码鉴别CPU单元512判断输入的PIN码口令是否正确,若是,继续下一步,若否,转步骤S21;Step S22, after the user inputs the PIN code password, the CPU of the USB identification control unit 511 controls the client terminal 410 to read the PIN code password input by the user, and the PIN code discrimination CPU unit 512 judges whether the input PIN code password is correct, if so, continue One step, if not, go to step S21;

步骤S23,服务器端(版权管理平台服务器)230通过网络获取USBKEY 500的数字证书550,判断USBKEY 500的EPROM单元513存储的数字证书550是否有效,若是,继续下一步,若否,结束;Step S23, the server end (copyright management platform server) 230 obtains the digital certificate 550 of USBKEY 500 through the network, judges whether the digital certificate 550 stored in the EPROM unit 513 of USBKEY 500 is valid, if so, continue to the next step, if not, end;

步骤S24,USBKEY 500的非对称密钥管理子模块520中的密钥安装生成单元521将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,采用RSA算法生成非对称密钥对(公钥+私钥);算法管理子模块530中的随机数发生器533根据非对称密钥对中的私钥作为初始化种子产生随机数rc,并将随机数rc、证书有效时间tc、以及目标接收者sc作为报文;数据加密管理子模块540的数据文件签名单元543通过用户对报文进行签名,得到签名信息S(rc,tc,sc);数据加密管理子模块540的数据加密实现单元541利用非对称密钥对中的私钥对签名信息S(rc,tc,sc)进行加密,将加密的签名信息和报文一起发送至服务器端230,其中,数字签名是对整个报文进行的单向函数,是一组代表报文特征的定长代码,若仅改变报文中的一处,数字签名就完全不同。Step S24, the key installation generation unit 521 in the asymmetric key management submodule 520 of the USBKEY 500 uses the PIN code set by the user and the user unique identifier (ID) automatically generated by the system when the user registers as key elements, using The RSA algorithm generates an asymmetric key pair (public key+private key); the random number generator 533 in the algorithm management submodule 530 generates a random number r c as an initialization seed according to the private key in the asymmetric key pair, and the random The number r c , the valid time of the certificate t c , and the target recipient sc are used as the message; the data file signature unit 543 of the data encryption management submodule 540 signs the message through the user to obtain the signature information S(rc, t c , sc ); the data encryption implementation unit 541 of the data encryption management submodule 540 uses the private key in the asymmetric key pair to encrypt the signature information S(rc , t c , sc ), and encrypts the encrypted signature information and The message is sent to the server 230 together, wherein the digital signature is a one-way function performed on the entire message, and is a group of fixed-length codes representing the characteristics of the message. If only one part of the message is changed, the digital signature will be completely different.

步骤S25,服务器端230从数字证书550中提取用户的公钥,利用用户的公钥对数据加密管理子模块540发送的加密的签名信息进行解密,得到一个数字签名的明文,另外,服务器端230将数据加密管理子模块540发送的报文进行相同的数字签名,并与数字签名的明文比对一致性来验证数据文件签名单元543签名是否正确;Step S25, the server 230 extracts the user's public key from the digital certificate 550, and uses the user's public key to decrypt the encrypted signature information sent by the data encryption management submodule 540 to obtain a digitally signed plaintext. In addition, the server 230 Carry out the same digital signature to the message sent by the data encryption management submodule 540, and compare the consistency with the plaintext of the digital signature to verify whether the signature of the data file signature unit 543 is correct;

步骤S26,当签名正确时,服务器端230验证服务器是否为信息的接收者,数字证书550的时间戳是否为当前时间(这样任何拥有用户公钥的人都可根据验证结果接收或拒绝接收报文,同时实现禁止伪造数字签名及对报文的修改);Step S26, when the signature is correct, the server side 230 verifies whether the server is the receiver of the information, and whether the timestamp of the digital certificate 550 is the current time (so anyone who has the user's public key can receive or refuse to receive the message according to the verification result , and at the same time realize the prohibition of forgery of digital signatures and modification of messages);

步骤S27,当服务器230是信息的接收者且数字证书的时间戳是当前时间时,服务器端230根据数字证书550的扩展项内容判断用户是否具有在线播放或在线下载媒体文件的权限,若是,继续下一步,若否,结束;Step S27, when the server 230 is the receiver of the information and the time stamp of the digital certificate is the current time, the server 230 judges whether the user has the right to play or download the media file online according to the extension content of the digital certificate 550, if so, continue Next step, if not, end;

步骤S28,服务器端230允许在线播放或在线下载媒体文件。In step S28, the server 230 allows online playback or online download of the media file.

由上可以看出,当用户在线播放或在线下载媒体文件时,采用PIN码口令和数字证书双重认证用户的身份,实现了身份认证的高度可信性,采用随机数发生器产生随机数序列,每次用户的身份认证的随机数序列均不相同,实现了身份认证的动态性。此外,数字证书的扩展项明确规定了被授权多媒体文件与用户之间的权限关系,解决了在线观看和下载权限分配问题。It can be seen from the above that when a user plays or downloads a media file online, the identity of the user is double-authenticated by using a PIN code password and a digital certificate, which realizes a high degree of credibility of identity authentication, and a random number generator is used to generate a sequence of random numbers. The random number sequence of each user's identity authentication is different, which realizes the dynamic nature of identity authentication. In addition, the extension of the digital certificate clearly stipulates the authority relationship between the authorized multimedia file and the user, which solves the problem of online viewing and downloading authority distribution.

如图5以及图2、图3,所述步骤S3具体为:As shown in Figure 5 and Figure 2 and Figure 3, the step S3 is specifically:

步骤S31,在用户登录后,USBKEY 500的硬件设备管理子模块510的USB识别控制单元511识别出USBKEY 500插入客户端(用户PC机)410操作时,PIN码鉴别CPU单元512判断输入的PIN码口令次数是否超过规定次数,若是,结束(封锁用户口令,防止了非本人使用),若否,继续下一步;Step S31, after the user logs in, the USB identification control unit 511 of the hardware device management submodule 510 of the USBKEY 500 recognizes that when the USBKEY 500 is inserted into the client (user PC) 410 for operation, the PIN code identification CPU unit 512 judges the input PIN code Whether the number of passwords exceeds the specified number of times, if so, end (blocking the user password to prevent non-personal use), if not, continue to the next step;

步骤S32,待用户输入PIN码口令后,USB识别控制单元511控制客户端410的CPU读取用户输入的PIN码口令,PIN码鉴别CPU单元512判断输入的PIN码口令是否正确,若是,继续下一步,若否,转步骤S31;Step S32, after the user inputs the PIN code password, the CPU of the USB identification control unit 511 controls the client terminal 410 to read the PIN code password imported by the user, and the PIN code discrimination CPU unit 512 judges whether the input PIN code password is correct, if so, continue One step, if not, go to step S31;

步骤S33,客户端410获取USBKEY 500的数字证书550,判断USBKEY 500的EPROM单元513存储的数字证书550是否有效,若是,继续下一步,若否,结束;Step S33, the client 410 obtains the digital certificate 550 of the USBKEY 500, and judges whether the digital certificate 550 stored in the EPROM unit 513 of the USBKEY 500 is valid, if so, proceed to the next step, if not, end;

步骤S34,客户端410根据数字证书550的扩展项内容判断用户是否具有离线播放媒体文件的权限,若是,继续下一步,若否,结束;Step S34, the client 410 judges whether the user has the authority to play the media file offline according to the extension content of the digital certificate 550, if so, proceed to the next step, if not, end;

步骤S35,客户端410允许离线播放媒体文件。In step S35, the client 410 allows offline playback of the media file.

由上可以看出,当用户离线播放媒体文件时,采用PIN码口令和数字证书550双重认证用户的身份,实现了身份认证的高度可信性;数字证书的扩展项明确规定了被授权多媒体文件与用户之间的权限关系,解决了离线播放权限分配问题。It can be seen from the above that when the user plays the media file offline, the PIN code password and the digital certificate 550 are used to double-authenticate the user's identity, which realizes the high reliability of identity authentication; the extension of the digital certificate clearly stipulates that the authorized multimedia file The authority relationship with users solves the problem of offline playback authority allocation.

在本实施例中,所述数字证书550是由CA权威认证中心100和数字证书管理模块200签发的。如图2,所述数字证书管理模块200包括CA代理中心210、数据库220以及服务器端(版权管理平台服务器)230,则如图6,所述基于双重身份认证的动态数字版权保护方法还包括步骤:In this embodiment, the digital certificate 550 is issued by the CA authority 100 and the digital certificate management module 200 . As Fig. 2, described digital certificate management module 200 comprises CA agent center 210, database 220 and server end (copyright management platform server) 230, then as Fig. 6, described dynamic digital copyright protection method based on dual identity authentication also comprises steps :

步骤S61,当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符(ID)作为密钥要素,利用密钥要素采用RSA算法通过USBKEY500的非对称密钥管理子模块520产生非对称密钥对(公钥+私钥)并通过版权管理平台服务器230发送所述非对称密钥对中的公钥至CA代理中心210,CA代理中心210对公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心100;Step S61, when the user uses the PIN code set by the user and the user unique identifier (ID) automatically generated by the system when the user registers as the key element, the key element is used to pass the asymmetric key management submodule 520 of the USBKEY500 through the RSA algorithm Generate an asymmetric key pair (public key+private key) and send the public key in the asymmetric key pair to the CA agency center 210 through the copyright management platform server 230, and the CA agency center 210 will check the identity information of the user in the public key Perform an audit, and after the user's identity information passes the audit, send the public key in the asymmetric key pair and the user's identity information to the CA authority certification center 100;

步骤S62,CA权威认证中心100在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书550,所述数字证书550的格式是以X.509数字证书格式作为标准,其包括用户的身份信息、公钥信息、CA权威认证中心100的身份信息、CA权威认证中心100对数字证书550的签名、以及数字证书的扩展项、时间戳和有效期,其中所述用户的身份信息包含证书序列号、用户注册时提交的用户名称、系统平台为用户生成的唯一标识符(ID),并由CA权威认证中心100来确定,所述数字证书的扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息(只有数字证书在有效期范围内,同时数字证书的扩展项表明了在线播放、在线下载、离线播放权限,用户才能进行对应的操作),数字证书中的用户的身份信息表明用户的身份是否合法,公钥用于解密密文,扩展项用于限定用户权限,时间戳保证实时传输,有效期监控数字证书的有效性;Step S62, the CA authoritative certification center 100 generates a digital certificate 550 when the user's identity information is consistent with the user's identity information in the public key, and the format of the digital certificate 550 is based on the X.509 digital certificate format as a standard, which includes The user's identity information, public key information, identity information of the CA authority certification center 100, the signature of the CA authority certification center 100 on the digital certificate 550, and the extensions, time stamp and validity period of the digital certificate, wherein the user identity information includes The serial number of the certificate, the user name submitted by the user during registration, and the unique identifier (ID) generated by the system platform for the user are determined by the CA authority certification center 100. The extensions of the digital certificate include online play, online download, offline Permission information for playing media works files (only when the digital certificate is within the validity period, and the extension of the digital certificate indicates the online playback, online download, and offline playback permissions, the user can perform corresponding operations), the user’s identity information in the digital certificate Indicates whether the user's identity is legal, the public key is used to decrypt the ciphertext, the extension is used to limit user permissions, the time stamp ensures real-time transmission, and the validity period monitors the validity of the digital certificate;

步骤S63,CA权威认证中心100将数字证书550发送至CA代理中心210,CA代理中心210将数字证书550颁发给用户,并将数字证书存储在数据库220中。Step S63 , the CA authority certification center 100 sends the digital certificate 550 to the CA proxy center 210 , and the CA proxy center 210 issues the digital certificate 550 to the user, and stores the digital certificate in the database 220 .

由上可以看出,CA代理中心210负责审核用户的身份,CA权威认证中心100负责签发数字证书。It can be seen from the above that the CA agency center 210 is responsible for verifying the user's identity, and the CA authority certification center 100 is responsible for issuing digital certificates.

另外,所述基于双重身份认证的动态数字版权保护方法还包括步骤:In addition, the dynamic digital copyright protection method based on double identity authentication also includes the steps of:

步骤S101,当用户通过版权管理平台服务器230向CA代理中心210发送更新证书请求或作废证书请求后,CA代理中心210对更新证书请求或作废证书请求中包含的用户身份信息进行审核,当用户身份信息审核通过后,CA代理中心210将用户的私钥作为初始化种子产生定长代码的随机数序列,待用户对随机数序列签名后,向CA权威认证中心100申请更新证书或撤销证书;Step S101, when the user sends a certificate update request or a certificate revocation request to the CA proxy center 210 through the copyright management platform server 230, the CA proxy center 210 reviews the user identity information contained in the certificate update request or the certificate revocation request, and when the user identity After the information review is passed, the CA agency center 210 uses the user's private key as an initialization seed to generate a random number sequence with a fixed-length code, and after the user signs the random number sequence, apply to the CA authority certification center 100 for updating the certificate or revoking the certificate;

步骤S102,CA权威认证中心100更新数字证书550并将更新后的数字证书通过CA代理中心210发送至用户,或撤销数字证书并将撤销的数字证书加入证书撤销列表CRL中。Step S102, the CA authority 100 updates the digital certificate 550 and sends the updated digital certificate to the user through the CA proxy center 210, or revokes the digital certificate and adds the revoked digital certificate to the certificate revocation list CRL.

由上可以看出,CA代理中心210负责处理对于数字证书的更新请求或作废请求,CA权威认证中心100负责更新数字证书或撤销数字证书。It can be seen from the above that the CA proxy center 210 is responsible for processing the update request or invalidation request for the digital certificate, and the CA authoritative certification center 100 is responsible for updating the digital certificate or revoking the digital certificate.

此外,所述基于双重身份认证的动态数字版权保护方法还包括步骤:In addition, the dynamic digital copyright protection method based on double identity authentication also includes the steps of:

步骤S201,在用户通过版权管理平台服务器230向CA代理中心210提出证书状态查询请求后,CA代理中心210对证书状态查询请求中包含的用户身份信息进行审核;Step S201, after the user submits a certificate status query request to the CA proxy center 210 through the copyright management platform server 230, the CA proxy center 210 checks the user identity information contained in the certificate status query request;

步骤S202,当用户身份信息审核通过后,CA权威认证中心100查询数字证书550中的时间戳或查询证书撤销列表CRL,当时间戳是当前时间时,确定证书550的状态是在有效期内,当数字证书550位于证书撤销列表CRL时,确定证书的状态是已被撤销。Step S202, when the user identity information is verified, the CA authoritative certification center 100 queries the time stamp in the digital certificate 550 or the certificate revocation list CRL. When the time stamp is the current time, it determines that the status of the certificate 550 is within the validity period. When the digital certificate 550 is in the certificate revocation list (CRL), it is determined that the status of the certificate is revoked.

由上可以看出,CA代理中心210负责处理对于数字证书的状态查询请求,CA权威认证中心100负责查询数字证书的状态。It can be seen from the above that the CA proxy center 210 is responsible for processing the status query request for the digital certificate, and the CA authority certification center 100 is responsible for querying the status of the digital certificate.

在本实施例中,所述基于双重身份认证的动态数字版权保护方法还包括步骤:In this embodiment, the dynamic digital copyright protection method based on double identity authentication also includes the steps of:

步骤S301,当用户支付媒体文件的新使用权的费用后,CA代理中心210向CA权威认证中心100申请更新用户的数字证书550的扩展项和有效期;Step S301, after the user pays the fee for the new usage right of the media file, the CA agency center 210 applies to the CA authoritative certification center 100 to update the extension and the validity period of the digital certificate 550 of the user;

步骤S302,在CA权威认证中心100更新数字证书550后,服务提供商将更新的数字证书下载到USBKEY 500中以替代原有数字证书550。Step S302, after the CA authority certification center 100 updates the digital certificate 550, the service provider downloads the updated digital certificate to the USBKEY 500 to replace the original digital certificate 550.

由上可以看出,当数字证书到期、无效后,CA代理中心210可以根据用户的要求在支付了新使用权费用的前提下,更新数字证书,用户可以继续使用更新了数字证书的USBKEY 500进行在线播放、在线下载、离线播放操作。It can be seen from the above that when the digital certificate expires and is invalid, the CA agency center 210 can renew the digital certificate according to the user's request on the premise of paying the new usage right fee, and the user can continue to use the USBKEY 500 with the updated digital certificate Perform online playback, online download, and offline playback operations.

以上结合最佳实施例对本发明进行了描述,但本发明并不局限于以上揭示的实施例,而应当涵盖各种根据本发明的本质进行的修改、等效组合。The present invention has been described above in conjunction with the best embodiments, but the present invention is not limited to the above-disclosed embodiments, but should cover various modifications and equivalent combinations made according to the essence of the present invention.

Claims (5)

1.一种基于双重身份认证的动态数字版权保护方法,包括如下步骤:1. A dynamic digital copyright protection method based on dual identity authentication, comprising the steps of: (1)将用户的数字证书下载到内置有随机数发生器的智能密码钥匙中;(1) Download the user's digital certificate to the smart password key with a built-in random number generator; (2)当用户登录时,在智能密码钥匙置入客户端后,根据输入的PIN码口令激活智能密码钥匙,进而获取智能密码钥匙内的数字证书,当数字证书有效时,随机数发生器产生随机数序列,在用户对由随机数发生器根据非对称密钥对中的私钥作为初始化种子产生的随机数、证书有效时间、以及目标接收者组成的报文签名以及签名信息通过私钥加密后,将加密的签名信息和报文一起发送至服务器端,服务器端从数字证书中提取用户的公钥,利用用户的公钥对加密的签名信息进行解密,得到一个数字签名的明文,另外,服务器端将报文进行相同的数字签名,根据签名的报文与解密的签名信息判断用户的签名是否正确,当用户签名信息正确时,根据数字证书的扩展项所规定的使用权限在线播放或在线下载媒体作品文件;(2) When the user logs in, after the smart password key is placed in the client, the smart password key is activated according to the input PIN code password, and then the digital certificate in the smart password key is obtained. When the digital certificate is valid, the random number generator generates Random number sequence, when the user signs the message composed of the random number generated by the random number generator based on the private key in the asymmetric key pair as the initialization seed, the valid time of the certificate, and the target recipient, and the signature information is encrypted by the private key Finally, the encrypted signature information is sent to the server together with the message, and the server extracts the user's public key from the digital certificate, uses the user's public key to decrypt the encrypted signature information, and obtains a digitally signed plaintext. In addition, The server will carry out the same digital signature on the message, and judge whether the user's signature is correct according to the signed message and the decrypted signature information. download media work files; (3)当用户未登录时,在智能密码钥匙置入客户端后,根据输入的PIN码口令激活智能密码钥匙,进而获取智能密码钥匙内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件,(3) When the user is not logged in, after the smart password key is placed in the client, activate the smart password key according to the input PIN code password, and then obtain the digital certificate in the smart password key. When the digital certificate is valid, according to the digital certificate The use rights stipulated in the extension item play the media work file offline, 其特征在于,还包括:It is characterized in that it also includes: (11)当用户将用户设定的PIN码和用户注册时系统自动生成的用户唯一标识符作为密钥要素,并利用密钥要素产生非对称密钥对后,CA代理中心对非对称密钥对的公钥中用户的身份信息进行审核,待用户的身份信息通过审核后,将非对称密钥对中的公钥和用户的身份信息发送至CA权威认证中心;(11) When the user uses the PIN code set by the user and the unique user identifier automatically generated by the system when the user registers as the key element, and uses the key element to generate an asymmetric key pair, the CA agency center will verify the asymmetric key Review the user's identity information in the public key, and send the public key and user's identity information in the asymmetric key pair to the CA authority certification center after the user's identity information has passed the review; (12)CA权威认证中心在用户的身份信息与公钥中的用户的身份信息信息一致时产生数字证书,将数字证书发送至CA代理中心;(12) The CA authoritative certification center generates a digital certificate when the user's identity information is consistent with the user's identity information in the public key, and sends the digital certificate to the CA agency center; (13)CA代理中心将数字证书颁发给所有者或消费者,并将数字证书存储至数据库。(13) The CA agency center issues the digital certificate to the owner or consumer, and stores the digital certificate in the database. 2.如权利要求1所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述数字证书包括用户的身份信息、公钥信息、时间戳、CA权威认证中心的身份信息、CA权威认证中心对数字证书的签名、扩展项、以及有效期,其中用户的身份信息包含数字证书序列号、用户注册时提交的用户名称、以及系统平台为用户生成的唯一标识符,并由CA权威认证中心来确定,扩展项包含在线播放、在线下载、离线播放媒体作品文件的权限信息。2. the dynamic digital copyright protection method based on dual identity authentication as claimed in claim 1, is characterized in that, described digital certificate comprises user's identity information, public key information, time stamp, the identity information of CA authoritative certification center, CA Authoritative certification center's signature, extension, and validity period of the digital certificate, where the user's identity information includes the digital certificate serial number, the user name submitted by the user when registering, and the unique identifier generated by the system platform for the user, and is certified by the CA authority Determined by the center, the extension includes permission information for online playback, online download, and offline playback of media work files. 3.如权利要求1所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述步骤(2)进一步包括:3. the dynamic digital copyright protection method based on dual identity authentication as claimed in claim 1, is characterized in that, described step (2) further comprises: 在用户登录并将智能密码钥匙置入客户端后,当输入的PIN码口令次数未超过规定次数时,输入PIN码口令,当输入的PIN码口令与智能密码钥匙的PIN码相同时,激活智能密码钥匙;After the user logs in and puts the smart password key into the client, when the number of times the input PIN code password does not exceed the specified number of times, enter the PIN code password, and when the input PIN code password is the same as the PIN code of the smart password key, the smart password key; 当用户的签名正确时,判断服务器是否为信息的接收者,数字证书的时间戳是否为当前时间;When the user's signature is correct, determine whether the server is the recipient of the information, and whether the timestamp of the digital certificate is the current time; 当服务器是信息的接收者,数字证书的时间戳是当前时间时,根据数字证书的扩展项所规定的使用权限在线播放或下载媒体作品文件。When the server is the recipient of the information and the time stamp of the digital certificate is the current time, the media work file can be played or downloaded online according to the usage rights stipulated in the extension of the digital certificate. 4.如权利要求1所述的基于双重身份认证的动态数字版权保护方法,其特征在于,所述步骤(3)具体为:4. the dynamic digital copyright protection method based on dual identity authentication as claimed in claim 1, is characterized in that, described step (3) is specifically: (31)在用户未登录并将智能密码钥匙置入客户端后,当输入的PIN码口令次数未超过规定次数时,输入PIN码口令,当输入的PIN码口令与智能密码钥匙的PIN码相同时,激活智能密码钥匙;(31) After the user does not log in and puts the smart password key into the client, when the number of times the input PIN code password does not exceed the specified number of times, enter the PIN code password, and when the input PIN code password matches the PIN code of the smart password key At the same time, activate the smart password key; (32)获取智能密码钥匙内的数字证书,当数字证书有效时,根据数字证书的扩展项所规定的使用权限离线播放媒体作品文件。(32) Obtain the digital certificate in the smart cryptographic key, and when the digital certificate is valid, play the media work file offline according to the use authority specified in the extension of the digital certificate. 5.如权利要求1所述的基于双重身份认证的动态数字版权保护方法,其特征在于,还包括:5. the dynamic digital copyright protection method based on dual identity authentication as claimed in claim 1, is characterized in that, also comprises: 当用户支付媒体作品文件的新使用权的费用后,更新用户的数字证书的扩展项和有效期;After the user pays for the new right to use the media work file, update the extension and validity period of the user's digital certificate; 将更新的数字证书下载到智能密码钥匙中。Download the updated digital certificate into the smart password key.
CN2010102145897A 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication Expired - Fee Related CN101872399B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102145897A CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102145897A CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Publications (2)

Publication Number Publication Date
CN101872399A CN101872399A (en) 2010-10-27
CN101872399B true CN101872399B (en) 2012-08-22

Family

ID=42997256

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102145897A Expired - Fee Related CN101872399B (en) 2010-07-01 2010-07-01 Dynamic digital copyright protection method based on dual identity authentication

Country Status (1)

Country Link
CN (1) CN101872399B (en)

Families Citing this family (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082669A (en) * 2010-12-23 2011-06-01 深圳市文鼎创数据科技有限公司 Security certification method and device
CN102780572A (en) * 2011-05-11 2012-11-14 中兴通讯股份有限公司 License management method and device
CN102413146B (en) * 2011-12-23 2014-02-19 杭州数盾信息技术有限公司 Client authorized logon method based on dynamic codes
CN102427459B (en) * 2011-12-23 2014-03-05 杭州数盾信息技术有限公司 Offline authorization method based on Usbkeys
CN103049705B (en) * 2012-06-08 2016-08-03 深圳市朗科科技股份有限公司 A kind of based on virtualized method for secure storing, terminal and system
CN103051453B (en) * 2012-12-17 2016-03-23 连连银通电子支付有限公司 A kind of mobile terminal network affaris safety trade system based on digital certificate and method
CN104253801B (en) * 2013-06-28 2017-09-22 中国电信股份有限公司 Realize the methods, devices and systems of login authentication
CN104579663B (en) * 2013-10-24 2018-03-27 上海中移通信技术工程有限公司 For the method for the validity for limiting digital certificate
CN104780141B (en) 2014-01-10 2018-07-03 电信科学技术研究院 Message Authentication acquisition methods and equipment in a kind of car networking system
CN103929310A (en) * 2014-04-25 2014-07-16 长沙市梦马软件有限公司 Mobile phone client side password unified authentication method and system
CN105323204B (en) * 2014-05-29 2019-05-31 中兴通讯股份有限公司 Interaction classroom network system realization and server end
CN104901803A (en) * 2014-08-20 2015-09-09 易兴旺 Data interaction safety protection method based on CPK identity authentication technology
CN105553662B (en) * 2014-10-29 2019-01-08 航天信息股份有限公司 Dynamic digital copyright protection method and system based on id password
CN104504323B (en) * 2014-12-16 2017-06-06 浪潮集团有限公司 A kind of IPMI management systems with encryption certification
CN104866736B (en) * 2015-05-26 2017-10-03 武汉大学 The system for numeral copyright management and method of a kind of non-proliferation
GB2544109A (en) 2015-11-06 2017-05-10 Visa Europe Ltd Transaction authorisation
CN105516136B (en) * 2015-12-08 2019-05-24 深圳市口袋网络科技有限公司 Right management method, device and system
CN106921623B (en) * 2015-12-25 2020-06-05 航天信息股份有限公司 Identification key updating method and system
EP3258662B1 (en) * 2016-06-16 2019-10-30 ABB Schweiz AG Secure efficient registration of industrial intelligent electronic devices
CN106209849A (en) * 2016-07-13 2016-12-07 浪潮电子信息产业股份有限公司 Implementation scheme of double-factor login mode capable of being freely opened and closed
CN106778323B (en) * 2016-10-24 2018-06-26 北京亚控科技发展有限公司 A kind of safety key of configurable control integration platform
CN106452795A (en) * 2016-11-25 2017-02-22 成都三零凯天通信实业有限公司 USB decryption Key
CN106713279B (en) * 2016-11-29 2019-12-13 北京航天爱威电子技术有限公司 video terminal identity authentication system
CN108427880B (en) * 2018-03-07 2022-09-16 北京元心科技有限公司 Program running method and device
CN108337090A (en) * 2018-05-21 2018-07-27 上海众人网络安全技术有限公司 A kind of dynamic password acquisition methods, device, terminal and storage medium
CN109190354A (en) * 2018-09-10 2019-01-11 尉丽玲 A kind of ca authentication system and its operating method with U-key device
CN109214147A (en) * 2018-09-28 2019-01-15 内蒙古师范大学 A kind of encryption system of accounting software
CN109375960B (en) * 2018-09-29 2021-10-01 郑州云海信息技术有限公司 A method and device for loading copyright information
CN109801415A (en) * 2018-12-29 2019-05-24 海南新软软件有限公司 A kind of method for unlocking of encryption lock and encryption lock based on elliptic curve encryption algorithm
CN110099063B (en) * 2019-05-08 2020-05-26 杭州健康在线信息技术有限公司 Method for generating conference registration certificate
CN110287739B (en) * 2019-06-17 2020-12-29 西安纸贵互联网科技有限公司 Data security management method and system based on hardware private key storage technology
CN110598422A (en) * 2019-08-01 2019-12-20 浙江葫芦娃网络集团有限公司 Trusted identity authentication system and method based on mobile digital certificate
TWI818515B (en) * 2021-04-19 2023-10-11 銓安智慧科技股份有限公司 Digital key service device and method for activating digital key service
CN114329438A (en) * 2021-12-29 2022-04-12 福建新大陆支付技术有限公司 Rights management system, method and storage medium in application installation process
CN114422261B (en) * 2022-02-15 2024-06-07 北京无字天书科技有限公司 Management method, management system, computer device, and computer-readable storage medium
CN116155502B (en) * 2022-10-28 2025-07-25 江苏先安科技有限公司 Digital key fine granularity authority control method and system based on digital certificate

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1367475A2 (en) * 2002-05-15 2003-12-03 Microsoft Corporation Software application protection by way of a digital rights management (DRM) system
CN1971576A (en) * 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101714195A (en) * 2009-07-22 2010-05-26 北京创原天地科技有限公司 Digital certificate-based novel digital copyright protection method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1367475A2 (en) * 2002-05-15 2003-12-03 Microsoft Corporation Software application protection by way of a digital rights management (DRM) system
CN1971576A (en) * 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101714195A (en) * 2009-07-22 2010-05-26 北京创原天地科技有限公司 Digital certificate-based novel digital copyright protection method and device

Also Published As

Publication number Publication date
CN101872399A (en) 2010-10-27

Similar Documents

Publication Publication Date Title
CN101872399B (en) Dynamic digital copyright protection method based on dual identity authentication
RU2352985C2 (en) Method and device for authorisation of operations with content
Popescu et al. A DRM security architecture for home networks
JP5450392B2 (en) Binding content licenses to portable storage devices
JP5065911B2 (en) Private and controlled ownership sharing
JP5200204B2 (en) A federated digital rights management mechanism including a trusted system
US7975312B2 (en) Token passing technique for media playback devices
CA2456400C (en) Publishing digital content within a defined universe such as an organization in accordance with a digital rights management (drm) system
US7971261B2 (en) Domain management for digital media
CN101447008B (en) Digital content network copyright management system and method
KR100746030B1 (en) Method and apparatus for generating a rights object on behalf of a rights delegation
US8312518B1 (en) Island of trust in a service-oriented environment
KR20060041876A (en) Digital Copyright Enforcement Method
CN1708941A (en) Digital-rights management system
CN101206696A (en) Devices, methods and systems for protecting personal information
KR101452708B1 (en) CE device management server, method for issuing DRM key using CE device management server, and computer readable medium
WO2007086015A2 (en) Secure transfer of content ownership
WO2022148182A1 (en) Key management method and related device
CN101094062B (en) Method for implementing safe distribution and use of digital content by using memory card
KR100989371B1 (en) How to manage digital rights for your personal home domain
CN101118579A (en) A method and system for verifying permission
EP4455908A1 (en) Method for receiving content in user device over cdn
KR20240073387A (en) Did-based verification system for strengthening sovereignty of copyright holders and method for the same
CN117454445A (en) Block chain-based data access control method and related equipment
JP2005277951A (en) Authentication system and authentication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120822

Termination date: 20190701