1353748 九、發明說明: 35U.S.C. §119規定之優先權要求 本專利申請案要求臨時專利申請案第6〇/496, i ^號之優 先權’其名稱為「廣播多點傳送服務」,申請日期為· 年8月18曰,而且係讓渡給本專利申請案之受讓者並於此明 示以引用的方式併入本文中。 【發明所屬之技術領域】 本發明大體上關於通信’且更明確言之,係關於用以在 利用廣播多點傳送服務(BCMCS)之無線通信系統中對於資 訊服務進行收費的方法與裝置。 【先前技術】 廣播多點傳送服務(BCMCS)在無線通信系統中,提供到 達複數個經由無線通信媒體接收廣播資料之行動台的點對 多點通信服務。由無線通信系統發送至複數個行動台之廣 播資料(即’内容),可包括(但不必然限於)新聞、電影、運 動項目及其類似者。發送給行動台之内容的特定型式可包 括相當多種的多媒體資料,譬如文字、聲頻、圖片、串流 視訊等。該内容通常是由一内容提供者產生,且透過無2 通信系統的廣播頻道,廣播至訂購該特定服務的行動a。 該廣播内容通常係經由數層次之加密與解密而加密及解 密,以提供至少某些程度之保證,使未經授權之使用者不 能將未獲授權之内容解密(即,未由行動台的使用者訂購之 内容)。為了能將廣播内容加密及解密,廣播多點傳送服務 利用加密密鑰的使用。 95619.doc 1353748 一長期加密密鑰(通常稱為一廣播接取密鑰(BAK))係由 廣播多點傳送服務供應到行動台的記憶體中。一短期密餘 (SK)係由廣播接取密鑰ΒΑΚ及一隨機數字SKRAND推衍 出。内谷係以短期密鑰SK加密,且連同隨機數字skrand 藉由無線通信系統透過空中廣播到行動台。該行動台從該 隨機數字SKRAND及廣播接取密鑰BAK計算出短期密鑰 SK,且使用該紐期密錄SK將已接收内容解密,用以呈現内 容予行動台的使用者。 通常,行動台的使用者會被針對接收到廣播接取密鑰 BAK時之廣播内容收費。因此,不管使用者是否實際上觀 看到來自廣播多點傳送服務之廣播内容,該使用者都會在 收到廣播接取密鑰(BAK)時收費。當使用者因其目前未觀 看之廣播内容被收費時,該使用者會因這些不需產生之額 外費用而增加負擔。 本發明係關於克服,或至少減少以上提出的一或多 題所造成之影響。 【發明内容】 本發明的-特點提供—方法。該方法包括接收—週期性 改變數字,及接收_具有識別符以表示服務頻道之第—密 錄…第二密鑰被產生,其係至少該週期性改變數字及該 在錄的函數。第二密餘的產生數目經計數以產生二 十數值’用以對於在终端機顯示的内容收費。 本發明的另一特點係提供一裝置。 一週期性改變數字的構件,及接收一 該裝置包括用以接收 具有識別符之第一密 95619.doc 1353748 錄以指示服務頻道的構件。該裝置進__步包括用以產生至少 -第二密狀構件,該第二密料至少該週期性改變數字及 該第-密錄的函數’及用以計數第二密錄之產生數目,以產 生用以對於在終端機顯示的内容收費之計數值的構件。 【實施方式】 現請轉到圖式,且特別參考圖丨,其顯示依據本發明一具 體貫施例之無線通信系統100之示範性方塊圖。無線通信系 統100包含複數個與複數個基地收發站(BTS) i i 〇通信之行 動台(MS)105 ’其等係在地理上分散以致當行動台1〇5在無 線通信系統100中來回移動時,提供與行動台1〇5之持續通 信涵蓋。行動台105可採用能從基地收發站11〇接收資訊之 任何元件形式,包括個人數位助理(PDA)、無線電話、具有 無線能力之膝上型電腦、無線數據機或任何其他具無線能 力的元件。 根據一具體實施例,無線通信系統1〇〇利用廣播多點傳送 服務(BCMCS),用以點至多點發送資料訊包至在無線通信 系統100内通信之行動台105的預定群組。在一具體實施例 中,該資料訊包提供之内容諸如新聞、電影、運動項目及 其類似者’係從基地收發站110透過一無線通信鏈路115發 送到行動台105。應瞭解發送至行動台1〇5的特定型式内容 可包括相當多種的多媒體資料(如文字、聲頻、圖片、串流 視訊等),且因此無須受限於前述實例。 各基地收發站1 ίο係耦合至一基地台控制器(bsc)i2〇,其 控制在基地收發站110與無線通信系統1〇〇之其他組件間的 95619.doc 1353748 連接。基地枚發站110與基地台控制器120協同形成一益線 電接取網路(議),用以傳送該内容到在無線通信系統ι〇〇 内通L的複數個行動台1()5。無線電接取網路可由提供訂講 服務至行動台105使用者之無線载體擁有,或可為-由另一 載體擁有的㈣料,其於該㈣㈣设遊時,提供服務 予行動台105的使用者。 在〃體實才例中,基地台控制器i 2〇係經由一訊包控制 功月b(PCF)麵合至—訊包資料服務節點(pDsN)i4〇,用以經 由-網際網路通信協^(Ιρ)媒體(未顯示),接合無線通信系 統1〇〇與内容提供者(CP)16Ge)⑽細丨赠理資料訊包, 用於在廣播多點傳送服務控制器15()控制下分配至行動台 105,其可或可不具有與pDSN 14()之直接連接。廣播多點傳 达服務控制器150將由内容提供者16〇提供之内容的廣播與 多點傳送㈣’且對於廣播多點傳送服務施行保全功能:、 對於廣播多點傳送服務,基地收發站u〇&pDsN 14〇接收 到貝訊的串流,及在一指定的無線通信鏈路115上提供該資 汛至在無線通信系統1〇〇内通信之預定群組的行動台丨^。 廣播多點傳送服務控制器15()可進—步輕合至_鑑別、授權 及帳號(AAAM司服器170,其提供㈣、授權、帳號給無線 通信系統100之複數個訂購至廣播多點傳送服務之行動台 1〇5。AAA祠服器170可實施為一第三者词服器其既不二 起始網路載體也不由行動台1〇5之服務網路載體擁有。 内合提供者160產生之内容,將從基地收發站丨廣播至 經授權接收該特定型式内容之預定群組的行動台1〇5。内 95619.doc 1353748 谷提供者160可實施為一第三者内容來源,其既不由起始網 路載體也不由行動台1〇5之服務網路載體擁有。應瞭解基地 σ控制器120也可耦合至各種型式之網路,諸如一公用切換 电話網路(PSTN)(未顯示),(例如)用以擴展無線通信系統 1〇〇的通信能力。在所示的具體實施例中,基地收發站 與仃動台105係依據一分碼多向近接(CDMA)方案操作。然 而,應瞭解無線通信系統100可使用各種其他多向進接方 案,諸如分時多向近接(TDMA)及其類似者,而不脫離本發 明的精神與範疇。 無線通信系統1 〇〇致動經由無線通信鏈路丨丨5高速廣播多 點傳送服務,其包括一能以可由大量行動台i接收的高資 料速率發送之廣播頻道。本文中之名詞「廣播頻道」係用 以指一承載廣播流量之單一正向鏈路實體頻道。資料也可 從行動台105經由無線通信鏈路115之反向鏈路發送至基地 收發站110»在一具體實施例中,反向鏈路可包括一發送信 號流量頻道與一資料速率控制(DRC)頻道。反向鏈路之資料 速率控制(DRC)頻道可經由一資料速率請求使用,以對無線 通L系統100指出可用於透過該正向鏈路之廣播頻道來廣 播内容的一可支援廣播資料速率。 現請參考圖2,其顯示依據一具體實施例之行動台i 〇5的 方塊圖。在其更簡單的形式中之一,行動台1〇5包括一用以 調错至該廣播頻道的接收器2〇5,用以接收從基地收發站 11 〇發送的廣播多點傳送服務内容。一發射器2丨〇可發送資 料至與行動台105通1§的基地收發站110。行動台也包括 95619.doc 1353748 控制盗215,用以控制行動台1〇5的各種操作功能。 行動台105進一步配置有一使用者識別模組(111]^)22〇。在 具體實靶例中,UIM 220可為與行動台1〇5的控制器215 耦〇之可移除C憶體模組。然而,應瞭解UIM 220或者可實 施為行動台105的-固定部分。麵2紙體上係與行動台 的特定使用者聯結,且係用以確認該行動台1〇5的特 疋使用者係獲得提供予特定使用者的特權(諸如接取無線 通k系統100、由系統1〇〇提供之特定服務/特徵,及/或接取 ’•1由廣播多點傳送服務訂購之特定内容)。 行動台105也可包括一顯示螢幕23〇,以允許觀看由内容 提供者160提供的内容。如上述,在圖2中所示之行動台1〇5 係以其更簡單的形式提供。因此,行動台1〇5可包括額外的 組件,用以提供各種其他功能而不脫離本發明的精神與範 可。所以,應瞭解行動台1〇5 一些組件的功能可整合成一單 一組件,與以—單一實體組件設置不同。 在無線通信系統100内廣播的内容係經由數層次之加密 與解密來加密及解密,以提供至少某些程度之保證,使未 經授權之使用者不能將未獲授權之内容解密(即,未由行動 台105的使用者訂購之内容)。為了能將該内容加密及解 岔,廣播多點傳送服務利用加密密鑰的使用。一密鑰係一 與密碼演算法一起運作以產生特定密文的值。在多點傳送 -廣播-多媒體系統中之資料内容的加密與解密方式之實例, 係揭示於2〇〇1年8月20日申請之美國專利申請序號 09/933,972中,其標題為「在資料處理系統中保全之方法及 95619.doc -11- 1353748 裝置(Method and Apparatus for Security in a Data processing System)」,其全數以引用方式併入本文。 為了在一特定時間將廣播内容解碼,行動台105需要知道 目前的解密密鑰。為了避免竊取由廣播多點傳送服務提供 内容的服務,通常係頻繁地(諸如每分鐘)改變該解密密鑰。 此等解密密鑰係稱為短期密鑰(SK),其係用以對一相當短 時間週期内之廣播内容解碼。 為能獲得接取廣播多點傳送服務控制器150,行動台105 的使用者會登錄且向廣播多點傳送服務訂購。一旦訂購可 行,各種加密密鑰會與行動台105週期性地更新。在登錄過 程中,廣播多點傳送服務控制器150與行動台105之UIM 220 就一登錄密鑰(RK)取得一致,即作為使用者與廣播多點傳 送服務間的安全聯結。此時廣播多點傳送服務控制器150 可接著傳送以登錄密鑰RK加密之UIM 220更機密資訊。登 錄密鑰RK係保密地存在UIM 220中,且對於行動台105的一 給定UIM 220係獨一的(即,每一使用者都指定一不同的登 錄密鑰RK)。1353748 IX. Invention Description: 35U.SC §119 Privilege Requirements This patent application requires provisional patent application No. 6/496, i ^ priority [the name is "broadcast multicast service", application The date is August 18, and is assigned to the assignee of the present application and is hereby expressly incorporated by reference. TECHNICAL FIELD OF THE INVENTION The present invention relates generally to communications and, more specifically, to methods and apparatus for charging for communication services in a wireless communication system utilizing a Broadcast Multicast Service (BCMCS). [Prior Art] Broadcast Multicast Service (BCMCS) provides a point-to-multipoint communication service to a plurality of mobile stations that receive broadcast data via a wireless communication medium in a wireless communication system. The broadcast material (i.e., 'content) transmitted by the wireless communication system to a plurality of mobile stations may include, but is not necessarily limited to, news, movies, sports items, and the like. The specific type of content sent to the mobile station can include a wide variety of multimedia materials such as text, audio, pictures, streaming video, and the like. The content is typically generated by a content provider and broadcast to the action a that subscribes to the particular service over the broadcast channel of the no-2 communication system. The broadcast content is typically encrypted and decrypted via several levels of encryption and decryption to provide at least some degree of assurance that unauthorized users cannot decrypt unauthorised content (ie, not used by the mobile station). The content of the order). In order to be able to encrypt and decrypt broadcast content, the broadcast multicast service utilizes the use of an encryption key. 95619.doc 1353748 A long-term encryption key (often referred to as a broadcast access key (BAK)) is supplied to the mobile station's memory by a broadcast multicast service. A short-term secret (SK) is derived from the broadcast access key and a random number SKRAND. The inner valley is encrypted with a short-term key SK and broadcasted over the air to the mobile station via a wireless communication system along with a random number skrand. The mobile station calculates the short-term key SK from the random number SKRAND and the broadcast access key BAK, and decrypts the received content using the key-time record SK to present the content to the user of the mobile station. Typically, the user of the mobile station will be charged for the broadcast content when the broadcast access key BAK is received. Therefore, regardless of whether the user actually sees the broadcast content from the broadcast multicast service, the user charges when receiving the broadcast access key (BAK). When a user is charged for a broadcast content that he or she does not currently view, the user will be burdened by these additional costs that are not required to be generated. The present invention is directed to overcoming, or at least reducing, the effects of one or more of the problems set forth above. SUMMARY OF THE INVENTION The present invention provides a method. The method includes receiving - periodically changing the number, and receiving - having an identifier to indicate a first-secret of the service channel - a second key is generated, which is at least the periodic change number and the recorded function. The number of generations of the second secret is counted to produce a tens value 'for charging for the content displayed at the terminal. Another feature of the invention is the provision of a device. A means for periodically changing the number, and receiving a means comprising means for receiving a first key having an identifier of 95619.doc 1353748 to indicate a service channel. The apparatus includes a method for generating at least a second dense member, the second dense material having at least the periodic change number and the function of the first-secret record, and a number for generating the second secret record. To generate a means for charging a count value for the content displayed on the terminal. [Embodiment] Turning now to the drawings, and with particular reference to the drawings, FIG. The wireless communication system 100 includes a plurality of mobile stations (MS) 105' that are in communication with a plurality of base transceiver stations (BTS) ii, which are geographically dispersed such that when the mobile station 1 〇 5 moves back and forth in the wireless communication system 100 , providing continuous communication with the mobile station 1〇5. The mobile station 105 can take the form of any component capable of receiving information from the base transceiver station 11 , including a personal digital assistant (PDA), a wireless telephone, a wireless capable laptop, a wireless data modem, or any other wireless capable component. . In accordance with an embodiment, the wireless communication system 1 utilizes a Broadcast Multicast Service (BCMCS) for point-to-multipoint transmission of data packets to a predetermined group of mobile stations 105 communicating within the wireless communication system 100. In one embodiment, the content provided by the data package, such as news, movies, sports, and the like, is transmitted from the base transceiver station 110 to the mobile station 105 via a wireless communication link 115. It should be understood that the particular type of content sent to the mobile station 1〇5 may include a relatively wide variety of multimedia material (e.g., text, audio, pictures, streaming video, etc.) and thus need not be limited to the foregoing examples. Each base transceiver station 1 is coupled to a base station controller (bsc) i2, which controls the 95619.doc 1353748 connection between the base transceiver station 110 and other components of the wireless communication system 1 . The base station 110 cooperates with the base station controller 120 to form a power line access network for transmitting the content to a plurality of mobile stations 1 () 5 in the wireless communication system. . The radio access network may be owned by a wireless carrier that provides a subscription service to the user of the mobile station 105, or may be a (four) material owned by another carrier that provides services to the mobile station 105 during the (four) (four) travel. user. In the case of the physical system, the base station controller i 2 is connected to the packet data service node (pDsN) i4 via a packet control power month b (PCF) for communication via the Internet. Cooperating with the media (not shown), engaging the wireless communication system 1 and the content provider (CP) 16Ge) (10) detailing the data packet for control in the broadcast multicast service controller 15 () It is assigned to the mobile station 105, which may or may not have a direct connection to the pDSN 14(). The broadcast multipoint communication service controller 150 broadcasts and multicasts (4) of the content provided by the content provider 16 and performs a security function for the broadcast multicast service: for the broadcast multicast service, the base transceiver station The & pDsN 14 receives the stream of the beacon and provides the resource to a predetermined group of mobile stations within the wireless communication system 1 on a designated wireless communication link 115. The broadcast multicast service controller 15() can further step to the _authentication, authorization, and account number (AAAM server 170, which provides (4), authorization, account number to the wireless communication system 100 for multiple subscriptions to broadcast multiple points. The mobile service server 1〇5. The AAA server 170 can be implemented as a third party word server, which is neither the starting network carrier nor the service network carrier of the mobile station 1〇5. The content generated by the user 160 is broadcast from the base transceiver station to the mobile station 1〇5 authorized to receive the predetermined group of the particular type of content. The internal 95619.doc 1353748 the valley provider 160 can be implemented as a third party content source. It is neither owned by the originating network bearer nor by the service network bearer of the mobile station 1. It should be understood that the base sigma controller 120 can also be coupled to various types of networks, such as a public switched telephone network (PSTN). (not shown), for example, to extend the communication capabilities of the wireless communication system. In the particular embodiment shown, the base transceiver station and the mobile station 105 are based on a code division multi-directional proximity (CDMA). Solution operation. However, you should understand wireless communication. System 100 can use a variety of other multi-directional advancing schemes, such as time-division multi-directional proximity (TDMA) and the like without departing from the spirit and scope of the present invention. Wireless communication system 1 〇〇 actuation via a wireless communication link丨丨5 high-speed broadcast multicast service, which includes a broadcast channel that can be transmitted at a high data rate that can be received by a large number of mobile stations i. The term "broadcast channel" is used herein to refer to a single forward chain carrying broadcast traffic. The physical channel. The data may also be transmitted from the mobile station 105 to the base transceiver station 110 via the reverse link of the wireless communication link 115. In a specific embodiment, the reverse link may include a transmit signal flow channel and a data. Rate Control (DRC) channel. The data rate control (DRC) channel of the reverse link can be used via a data rate request to indicate to the wireless system L system 100 that the content can be broadcast over the broadcast channel of the forward link. One can support the broadcast data rate. Referring now to Figure 2, there is shown a block diagram of a mobile station i 〇 5 in accordance with an embodiment. In one of its simpler forms, action The station 1〇5 includes a receiver 2〇5 for adjusting to the broadcast channel for receiving the broadcast multicast service content transmitted from the base transceiver station 11. The transmitter 2 can transmit data to and from the station. The mobile station 105 is connected to the base transceiver station 110. The mobile station also includes 95619.doc 1353748 control theft 215 for controlling various operational functions of the mobile station 1. The mobile station 105 is further provided with a user identification module (111). ]^)22〇. In a specific target example, the UIM 220 may be a removable C memory module coupled to the controller 215 of the mobile station 1〇5. However, it should be understood that the UIM 220 may be implemented as an action. The fixed part of the table 105. The face 2 is coupled to a particular user of the mobile station and is used to confirm that the amnesty user of the mobile station 1〇5 is granted privileges to a particular user (such as accessing the wireless k-system 100, The specific services/features provided by System 1 and/or the specific content ordered by the Broadcast Multicast Service. The mobile station 105 can also include a display screen 23 to allow viewing of the content provided by the content provider 160. As described above, the mobile station 1〇5 shown in Fig. 2 is provided in a simpler form. Accordingly, the mobile station 1 5 may include additional components to provide various other functions without departing from the spirit and scope of the present invention. Therefore, it should be understood that the functions of some components of the mobile station can be integrated into a single component, which is different from the single entity component setting. Content broadcast within the wireless communication system 100 is encrypted and decrypted via several levels of encryption and decryption to provide at least some degree of assurance that unauthorized users cannot decrypt unauthorised content (ie, not Content ordered by the user of the mobile station 105). In order to be able to encrypt and decrypt the content, the broadcast multicast service utilizes the use of an encryption key. A key system operates in conjunction with a cryptographic algorithm to produce a value for a particular ciphertext. An example of the method of encrypting and decrypting data content in a multicast-broadcast-multimedia system is disclosed in U.S. Patent Application Serial No. 09/933,972, filed on Aug. 20, 2011, entitled Method and Apparatus for Security in a Data Processing System, which is incorporated herein by reference in its entirety. In order to decode the broadcast content at a particular time, the mobile station 105 needs to know the current decryption key. In order to avoid stealing services provided by the broadcast multicast service, the decryption key is usually changed frequently, such as every minute. These decryption keys are referred to as short-term keys (SK), which are used to decode broadcast content over a relatively short period of time. In order to be able to access the broadcast multicast service controller 150, the user of the mobile station 105 logs in and subscribes to the broadcast multicast service. Once the order is available, the various encryption keys are periodically updated with the mobile station 105. During the login process, the broadcast multicast service controller 150 and the UIM 220 of the mobile station 105 agree on a login key (RK), i.e., as a secure connection between the user and the broadcast multipoint delivery service. At this point, the broadcast multicast service controller 150 can then transmit the UIM 220 more confidential information encrypted with the login key RK. The login key RK is secretly present in the UIM 220 and is unique to a given UIM 220 of the mobile station 105 (i.e., each user specifies a different login key RK).
在訂購過程中,廣播多點傳送服務控制器150以一共同廣 播接取密鑰(BAK)之值傳送UIM 220,其係一用以推衍多個 短期密鑰SK之中期、共享密鑰,且係以一針對各使用者之 架構分配至已訂購使用者之UIM 220。廣播多點傳送服務控 制器150將廣播接取密鑰BAK的值傳送給行動台105的UIM 220,係使用對於UIM 220而言係獨一的登錄密鑰RK加密。 行動台105的UIM 220能從使用儲存於其中之登錄密鑰RK 956l9.doc -12- 1353748 鑰RK的加密版本,回復原始廣播接取密鑰BAK的值。廣播 接取密鑰ΒΑΚ作為廣播多點傳送服務控制器150與廣播多 點傳送服務之已訂購使用者的群組間的安全聯結。廣播接 取密鑰識別符BAKID係以登錄密鑰RK連同一識別符加密 之廣播接取密鑰ΒΑΚ,以指出發送給行動台105的特定内 容。 對於各訂戶端,廣播多點傳送服務控制器150使用一臨時 密鑰ΤΚ將廣播接取密鑰ΒΑΚ加密,其係由儲存在UIM 220 中之使用者特定登錄密鑰RK及一隨機數字TKRAND推衍 出,以獲得一使用者特定加密廣播接取密鑰識別符 BAKID。廣播多點傳送月艮務控制器150傳送對應的廣播接取 密鑰識別符BAKID,到已訂購使用者的行動台105。例如, 廣播接取密鑰ΒΑΚ可當作一使用對應於各UIM 220之登錄 密鑰RK加密的IP訊包發送。在範例性具體實施例中,廣播 接取密鑰識別符BAKID係一 IPSec訊包,且廣播接取密鑰 BAK是一具有使用登錄密鑰RK為密鑰加密之廣播接取密 鑰BAK的一 IPSec訊包。因為登錄密鑰RK係一「針對各使用 者」之密鑰,廣播多點傳送服務控制器150會個別地傳送廣 播接取密鑰BAK至各訂戶端。因此,廣播接取密鑰BAK未 傳送至整個無線通信系統100的廣播頻道。行動台105將廣 播接取密鑰識別符BAKID傳遞UIM 220。UIM 220使用儲存 在UIM 220中登錄密鑰RK之值及廣播接取密鑰識別符 BAKID之值計算廣播接取密鑰BAK。廣播接取密鑰BAK之 值接著儲存在UIM 220中。在一具體實施例中,廣播接取密 956l9.doc -13- 1353748 鑰識別符B AKID包括一安全參數索引(SPI)值,其指示行動 台105之控制器215將廣播接取密鑰識別符BAKID傳遞給 UIM 220,且指示UIM 220使用登錄密鑰RK以將廣播接取密 鑰BAK解密。更新廣播接取密鑰BAK之時間週期需足以允 許廣播多點傳送服務控制器150在無須導致明顯負擔下,將 廣播接取密鑰BAK個別地傳送至各訂戶端。 廣播多點傳送服務控制器150接著廣播短期密鑰SK,使 得行動台105能將關連短期密鑰的特定内容解密。短期密鑰 SK是廣播接取密鑰B AK及一週期性改變數字SKRAND的一 函數。週期性改變數字SKRAND可為以功能類似密碼雜凑 函數之雜湊函數產生的一隨機數字。週期性改變數字 SKRAND也可以是一序列數字、一時間戳記或其他改變 值,只要其實施使得使用者無法預先計算該短期密鑰SK。 UIM 220從廣播接取密鑰BAK與SKRAND抽取短期密鑰 SK,係藉由使用廣播接取密鑰BAK與SKRAND的函數,且 傳遞短期密鑰SK至行動105的控制器215。該廣播多點傳送 服務控制器150利用目前短期密鑰SK漿廣播内容解密。在一 具體實施例中,例如會使用一加密演算法(諸如進階加密標 準(AES)密碼演算法)。已加密之内容接著由一依照封入安 全酬載(ESP)發送模式之Ipsec訊包傳送。Ipsec訊包也含有 一 SPI值,其指示行動台105使用目前之短期密鑰SK以將收 到的廣播内容解密。 使用公用密鑰或共享密鑰以加密及解密之各種其他具體 實施例也可在本發明的範嚕中施行。例如,在一替代性具 956l9.doc -14- 1353748 體實施例中’安全傳遞或提出廣播接取密錄BAK給UIM 220’係可藉由使用公用密鑰機制(諸如此項技術中為人已 知之RSA或ElGamal)提供。 圖3係依據本發明一具體實施例,用以施行對於廣播多點 傳送服務進行計時收費之發信號流程圖。用於所關注特定 頻道之廣播接取密錄BAK會供應至行動台1〇5的使用者識 別模組件(UIM)220中的記憶體。供應訊息的廣播接取密鑰 係在圖3所示之305處從AAA伺服器17〇發送到行動台1〇5的 UIM 220。廣播多點傳送服務控制器1 5 0以臨時密錄TK將廣 播接取密錄BAK加密,其係由登錄密錄RK與隨機數字 TKRAND推衍出。在一具體實施例中,登錄密输rk在BAK 於305開始供應前,已供應到行動台1 〇5的UIM 220中》 在310,由基地台控制器120與基地收發站11〇協同形成之 無線電接取網路(RAN) ’將已加密内容經由廣播頻道廣播給 行動台105。連同已加密的内容’無線電接取網路也廣播該 週期性改變數字SKRAND與廣播接取密錄識別符bAKID, 以識別廣播接取密錄· ΒΑΚ β該週期性改變數字SKRAND與 廣播接取密錄ΒΑΚ係由行動台105使用以計算短期密錄SK。 行動台105從無線電接取網路的基地收發站11 〇接收到已 加密的内容、SKRAND與BAKID。行動台1〇5的控制器215 在315傳送給UIM 220已接收到的SKRANr)與BAKID,連同 一短期密錄SK(SKRequest)之請求。傳送給UIM 220之請求 SKRequest也包括用於廣播頻道的識別符。在320,UIM 220 從SKRAND與由BAK識別符BAKID識別出的bak計算短期 95619.doc • 15- 1353748 密鑰sk。 UIM 220會維持一為各廣播頻道推衍之短期密鑰SK之數 目的短期密鑰計數(SKCount)。UIM 220在每次計算時會遞 增SKCount且傳遞一新短期密鑰。使用者已觀看一特定内容 頻道的時間量可由將SKCount乘以短期密鑰改變之時間週 期(即,SKPeriod)而推衍出。在一具體實施例中,SKPeriod 可由系統操作員根據被竊取内容之可能性加以設定。例 如,SKPeriod之範圍可從幾秒到幾分鐘。 在325,UIM 220傳送短期密鑰SK給行動台105的控制器 215。當從UIM 220接收到短期密鑰SK時,行動台105的控 制器215現可使用短期密鑰SK將内容解密且呈現所收到的 内容,用以在行動台105的顯示螢幕230上觀看。 每當行動台105從無線電接取網路的基地收發站110接收 到新的週期性改變數字SKRAND時,會重複步驟325至 3 10。週期性改變數字SKRAND可經常改變以確保經授權的 使用者觀看到廣播内容。 在330,儲存在行動台105的UIM 220中之廣播接取密鑰 BAK可能逾期或接近逾期。行動台105的控制器215在335 連同一短期密鑰SK的請求SKRequest將SKRAND與BAKID 傳送給UIM 220。 在340,當UIM 220決定廣播接取密鑰BAK逾期時,UIM 220使用登錄密鑰RK與隨機數字TKRAND計算臨時密鑰 TK。臨時密鑰TK是一單次使用之使用者特定密鑰,其可用 以將廣播接取密鑰BAK值加密與解密。TKRAND可為一以 95619.doc •16- 1353748 類似密碼雜湊函數之雜凑函數產生的隨機數字。因此,τκ 是一將登錄密鑰RK用作一機密密鑰的臨時密鑰,且係從登 錄密鑰RK與隨機數字TKRAND中推衍出。 在345,UIM 220使用臨時密鑰τκ將短期密鑰計數 SKCount加密,且將已加密SKCouut與TKRAND連同一需求 新廣播接取密繪BAK的指示傳送給行動台1〇5的控制器 215。因為SKCount係用臨時密錄TK加密(此對行動台1〇5的 控制器215係未知),控制器215無法明智地將加密的 SKCount變成一低值》此實質上減少内容被竊取的可能性, 且保護使用者防止被未經授權地接取使用者之内容觀看計 數。 在另一具體實施例中,短期密鑰SK可明顯地發送且UIM 22〇可產生一使用SKCount與臨時密鑰TK的簽章。在.此具體 實施例中,簽章會被發送至AAA伺服器170。 在3 50,行動台105的控制器215傳送一需求「未處理」 (即,新)廣播接取密鑰BAK之請求至廣播多點傳送服務控制 器150。連同廣播接取密鑰BAK之請求,行動台105會包括 從UIM 220接收到的已加密SKCount及TKRAND。 在355,廣播多點傳送服務控制器150傳遞已加密之 SKCount與TKRAND至AAA伺服器170。AAA伺服器170從登 錄密鑰RK與TKRAND計算臨時密鑰TK,且將(SKCount)解 密。AAA伺服器170以SKCount更新使用者的帳號記錄。在 360,一新的廣播接取密鑰BAK會供應到行動台105的UIM 220中。如上述,使用者已觀看一特定内容的時間量可由將 95619.doc 17- 1353748 SKCount乘以短期密錄改變之時間週期(即,SKPeriod)而推 衍出。因此,行動台105的使用者可被針對使用者實際觀看 該内容之時間量(因為需要短期密鑰SK以觀看該内容)收 費,與從在行動台105接收到BAK的時間計費相反。 為了避免中斷由使用者觀看之廣播服務,行動台105可在 目前BAK逾期前從AAA伺服器170提取一新廣播接取密鑰 BAK。在此情況下,行動台1〇5可在新BAK供應到UIM 220 後繼續使用舊BAK—陣子。 重要的是確保SKCount係正確地維持著。在一具體實施例 中,當傳送(SKCount)到行動台105時,UIM 220使舊的計數 不能用,且對於目前考慮之廣播頻道開始一新的計數。當 新BAK供應至UIM 220時可放棄舊計數。如果新BAK尚未供 應,當下次行動台110請求SKCount時,UIM 220回覆舊與 新計數的總如作為SKCount。鐘別、授權與帳號之施行可使 用舊與新計數的總和以提供内容觀看時間。 在另一具體實施例中,UIM 220在將計數器之目前值傳送 到行動台105後繼續遞增SKCount。當廣播多點傳送服務控 制器150傳送一新BAK時,其也送回從UIM 220接收在BAK 請求中依加密形式之計數。UIM 220將從廣播多點傳送服務 控制器150接收的計數解密,且從SKCounter中減去所收到 的計數。此特定具體實施例允許預付帳單應用於計時收 費°廣播多點傳送服務控制器170維持已付的計數且將其傳 給UIM 220。按著UIM 22〇計算差異且允許使用者視需要支 付更多計數。 95619.doc -18- 1353748 在另一具體實施例中,當供應一新BAK時,UIM 220會重 設SKCounter為零。在此特定具體實施例中,該使用者不會 為在傳送SKCount與接收新BAK間的時間觀看廣播内容而 被收費* 熟悉意願技術人士應瞭解,可使用任何各種不同科技及 技術呈現資訊及信號。例如,以上說明中可能提及的資料、 指令、命令、資訊、信號、位元、符號及晶片可由電壓、 電流、電磁波、磁場或微粒、光場或微粒或其任何組合表 示。 籲 熟悉此項技術人士應進一步瞭解在此揭示的具體實施例 所說明的各種邏輯區塊、模組、電路及演算步驟可實施為 電子硬體、電腦軟體或兩者之組合。為了清楚說明硬體及 軟體之此互通性,以上已就其功能性大體說明各種示範性 組件、區塊、模組、電路及步驟。此類功能是否實施為硬 體或軟體取決於整體系統所用的特定應用及設計限制。熟 悉此項技術人士可採用各種方法實施每個特定應用之該說 鲁 明功能性,但此類實施決定不應解釋為會造成背離本發明 之範# » 結合在此揭示的具體實施例所說明的各種原先性邏輯區 塊、模組及電路’可用一通用處理器、一數位信號處理器 (DSP)、一特定應用積體電路(ASIC)' 一場可程式化閘極陣 列(FPGA)或其他可程式化邏輯元件、離散閘極或電晶體邏 輯、離散硬體組件或設計用以執行在此說明的功能之任何 組合來實施或執行。一通用處理器也可為一微處理器,但 95619.doc -19- 在替代例中,該處理器可兔 益Ύ以為任何習知處理器 '控制器、 微控制器每肤_離;σ 么人以狀匕機益。一處理器也可實施為電腦裝置的一 ί合’例如,一膽及-微處理器之組合、複數個微處理 盗與—DSP核心結合的一或多個微處理器或任何其他此 類配置〇 八 在此結合揭示的該等具體實施例所說明之方法或演算法 的t驟可以直接採用硬體、由—處理器執行的—軟體模組 或採用二者之組合而具體化。軟體模組可駐存於RAM記憶 體、快閃記憶H、R0M記憶體、脈⑽記憶體、EEpR〇M 記憶體、暫存器、硬碟、可抽取磁碟、CD_R〇M、或此技 術中所熟知之任何其他形式的儲存媒體中。—範例性储存 =體係輕合至處理器,以致該處理器可自儲存媒體中讀取 貝訊,以及寫入資訊到儲存媒體。在替代性範例中,該儲 存媒體可與該處理器整合。該處理器及該儲存媒體可駐留 於單一 ASIC中,或成為一行動台中之分離組件。 所揭示之具體實施例之先前說明係提供使任何熟悉此項 技術人士可製造或使用本發明。熟悉此項技術人士應明白 此等具體實施例可進行各種修改,而且此處所定義的通用 原理可應用於其他具體實施例而不背離本發明之精神或範 鳴。因此’本發明非意於受限本文中所示的具體實施例, 而係符合在此所揭示之原理及新穎特徵一致之最廣泛範 嘴。因此’本發明並非欲受限於此處所示的具體實施例, 而係符合與此處所揭示之原理及新穎特徵相一致之最廣範 疇。 956l9.doc -20- Ϊ353748 【圖式簡單說明】 圖丄係顯示湘依據本發明—具體實施例㈣播多 送服務(BCMCS)之無線通信系統的範例性方塊圖; 圓2係顯示圖i的無線通信系統之行動台的一更詳細表示 法之方塊圖;及 不 圖3係顯示在圖1之無線通信系統的組件間發送信號’以 施行對於觀看廣播多點傳送服務進.行計時收費之發放信號 流程圖 【主要元件符號說明】 100 無線通信系統 105 行動台 110 基地收發站 115 無線通信鏈路 120 基地台控制器 140 訊包資料服務節點 150 廣播多點傳送服務控制器 160 内容提供者 170 鑑別、授權與帳號伺服器 205 接收器 21〇 發射器 215 控制器 220 使用者識別模組 230 顯示螢幕 956l9.docIn the ordering process, the broadcast multicast service controller 150 transmits the UIM 220 with a value of a common broadcast access key (BAK), which is used to derive a plurality of short-term keys SK, a shared key, And is assigned to the UIM 220 of the subscribed user in a framework for each user. The broadcast multicast service controller 150 transmits the value of the broadcast access key BAK to the UIM 220 of the mobile station 105, using a unique login key RK encryption for the UIM 220. The UIM 220 of the mobile station 105 can reply to the value of the original broadcast access key BAK from the encrypted version using the login key RK 956l9.doc -12- 1353748 key RK stored therein. The broadcast access key is used as a secure connection between the broadcast multicast service controller 150 and the group of subscribed users of the broadcast multicast service. The broadcast access key identifier BAKID is a broadcast access key 加密 encrypted with the same key by the login key RK to indicate the specific content transmitted to the mobile station 105. For each subscriber, the broadcast multicast service controller 150 encrypts the broadcast access key using a temporary key, which is pushed by the user specific login key RK and a random number TKRAND stored in the UIM 220. Derived to obtain a user-specific encrypted broadcast access key identifier BAKID. The broadcast multicast server 150 transmits the corresponding broadcast access key identifier BAKID to the mobile station 105 of the subscribed user. For example, the broadcast access key can be sent as an IP packet encrypted using the login key RK corresponding to each UIM 220. In an exemplary embodiment, the broadcast access key identifier BAKID is an IPSec packet, and the broadcast access key BAK is a broadcast access key BAK encrypted with a login key RK as a key. IPSec packet. Since the login key RK is a "for each user" key, the broadcast multicast service controller 150 individually transmits the broadcast access key BAK to each subscriber. Therefore, the broadcast access key BAK is not transmitted to the broadcast channel of the entire wireless communication system 100. The mobile station 105 passes the broadcast access key identifier BAKID to the UIM 220. The UIM 220 calculates the broadcast access key BAK using the value of the login key RK stored in the UIM 220 and the value of the broadcast access key identifier BAKID. The value of the broadcast access key BAK is then stored in the UIM 220. In a specific embodiment, the broadcast access key 956l.doc -13 - 1353748 key identifier B AKID includes a Security Parameter Index (SPI) value indicating that the controller 215 of the mobile station 105 will receive the broadcast key identifier. The BAKID is passed to the UIM 220 and the UIM 220 is instructed to use the login key RK to decrypt the broadcast access key BAK. The time period for updating the broadcast access key BAK is sufficient to allow the broadcast multicast service controller 150 to individually transmit the broadcast access key BAK to each subscriber terminal without incurring a significant burden. The broadcast multicast service controller 150 then broadcasts the short-term key SK, enabling the mobile station 105 to decrypt the particular content of the associated short-term key. The short-term key SK is a function of the broadcast access key B AK and a periodic change number SKRAND. The periodic change number SKRAND can be a random number generated by a hash function that functions like a cryptographic hash function. Periodically changing the number SKRAND can also be a sequence of numbers, a timestamp or other change value, as long as it is implemented so that the user cannot pre-calculate the short-term key SK. The UIM 220 extracts the short-term key SK from the broadcast access keys BAK and SKRAND by using the function of broadcasting the keys BAK and SKRAND and passing the short-term key SK to the controller 215 of the action 105. The broadcast multicast service controller 150 decrypts the content using the current short-term key SK pulp broadcast. In a specific embodiment, for example, an encryption algorithm (such as an Advanced Encryption Standard (AES) cryptographic algorithm) will be used. The encrypted content is then transmitted by an Ipsec packet in accordance with the Secure Pay (ESP) transmission mode. The IPsec packet also contains an SPI value indicating that the mobile station 105 uses the current short-term key SK to decrypt the received broadcast content. Various other specific embodiments for encrypting and decrypting using a public key or a shared key can also be implemented in the scope of the present invention. For example, in an alternative embodiment 956l9.doc -14-1353748 embodiment, 'secure delivery or presentation of a broadcast access BAK to UIM 220' can be done by using a public key mechanism (such as a person in the art) Known as RSA or ElGamal). 3 is a flow diagram of a signaling process for timing a charge for a broadcast multicast service in accordance with an embodiment of the present invention. The broadcast access secret BAK for the particular channel of interest is supplied to the memory in the user identification module component (UIM) 220 of the mobile station 1〇5. The broadcast access key of the offer message is sent from the AAA server 17A to the UIM 220 of the mobile station 1〇5 at 305 as shown in FIG. The broadcast multicast service controller 150 encrypts the broadcast-subscribe BAK with a temporary secret record TK, which is derived from the login secret record RK and the random number TKRAND. In a specific embodiment, the login secret rk is already supplied to the UIM 220 of the mobile station 1 〇5 before the BAK is started at 305. At 310, the base station controller 120 and the base transceiver station 11 are cooperatively formed. Radio Access Network (RAN) 'Broadcasts encrypted content to mobile station 105 via a broadcast channel. Together with the encrypted content 'the radio access network also broadcasts the periodic change number SKRAND and the broadcast access secret record identifier bAKID to identify the broadcast access secret record ΒΑΚ β the periodic change number SKRAND and the broadcast access secret The recording system is used by the mobile station 105 to calculate the short-term confidential record SK. The mobile station 105 receives the encrypted content, SKRAND and BAKID from the base transceiver station 11 of the radio access network. The controller 215 of the mobile station 1 传送5 transmits to the request of the SKRANr) and the BAKID that the UIM 220 has received, together with a short-term secret record SK (SKRequest). The request transmitted to UIM 220 SKRequest also includes an identifier for the broadcast channel. At 320, the UIM 220 calculates the short-term 95619.doc • 15- 1353748 key sk from SKRAND and the bak identified by the BAK identifier BAKID. The UIM 220 maintains a short-term key count (SKCount) for the number of short-term keys SK derived for each broadcast channel. UIM 220 increments SKCount and passes a new short-term key on each calculation. The amount of time a user has viewed a particular content channel can be derived by multiplying SKCount by the time period of the short-term key change (i.e., SKPeriod). In one embodiment, SKPeriod can be set by the system operator based on the likelihood of the stolen content. For example, SKPeriod can range from a few seconds to a few minutes. At 325, UIM 220 transmits short-term key SK to controller 215 of mobile station 105. Upon receipt of the short-term key SK from the UIM 220, the controller 215 of the mobile station 105 can now decrypt the content using the short-term key SK and present the received content for viewing on the display screen 230 of the mobile station 105. Steps 325 through 3 10 are repeated each time the mobile station 105 receives a new periodic change number SKRAND from the base transceiver station 110 of the radio access network. The periodic change number SKRAND can be changed frequently to ensure that the authorized user views the broadcast content. At 330, the broadcast access key BAK stored in the UIM 220 of the mobile station 105 may be overdue or near expired. The controller 215 of the mobile station 105 transmits the SKRAND and BAKID to the UIM 220 at 335 with the request SKRequest of the same short-term key SK. At 340, when the UIM 220 determines that the broadcast access key BAK is overdue, the UIM 220 calculates the temporary key TK using the login key RK and the random number TKRAND. The temporary key TK is a single-use user-specific key that can be used to encrypt and decrypt the broadcast access key BAK value. TKRAND can be a random number generated by a hash function of 95619.doc • 16-1353748-like password hash function. Therefore, τκ is a temporary key using the login key RK as a secret key, and is derived from the login key RK and the random number TKRAND. At 345, the UIM 220 encrypts the short-term key count SKCount using the temporary key τκ, and transmits the encrypted SKCouut and TKRAND to the controller 215 of the mobile station 1〇5. Since SKCount is encrypted with temporary secret recording TK (this controller 215 for the mobile station 1〇5 is unknown), the controller 215 cannot wisely change the encrypted SKCount to a low value. This substantially reduces the possibility of content being stolen. And protect the user from unauthorized access to the user's content viewing count. In another embodiment, the short-term key SK can be sent explicitly and the UIM 22 can generate a signature using the SKCount and the temporary key TK. In this particular embodiment, the signature will be sent to the AAA server 170. At 550, the controller 215 of the mobile station 105 transmits a request for an "unprocessed" (i.e., new) broadcast access key BAK to the broadcast multicast service controller 150. In conjunction with the request to broadcast the access key BAK, the mobile station 105 will include the encrypted SKCount and TKRAND received from the UIM 220. At 355, the broadcast multicast service controller 150 passes the encrypted SKCount and TKRAND to AAA server 170. The AAA server 170 calculates the temporary key TK from the login key RK and TKRAND, and decrypts (SKCount). The AAA server 170 updates the user's account record with SKCount. At 360, a new broadcast access key BAK is supplied to the UIM 220 of the mobile station 105. As described above, the amount of time the user has viewed a particular content can be derived by multiplying the 95619.doc 17-1353748 SKCount by the time period of the short-term secret change (i.e., SKPeriod). Thus, the user of the mobile station 105 can be charged for the amount of time the user actually views the content (because the short-term key SK is required to view the content), as opposed to the time billing received from the mobile station 105. In order to avoid interrupting the broadcast service viewed by the user, the mobile station 105 may extract a new broadcast access key BAK from the AAA server 170 before the current BAK expires. In this case, the mobile station 1〇5 can continue to use the old BAK after the new BAK is supplied to the UIM 220. It is important to ensure that the SKCount is properly maintained. In one embodiment, when transmitting (SKCount) to the mobile station 105, the UIM 220 renders the old count unusable and begins a new count for the currently considered broadcast channel. The old count can be discarded when the new BAK is supplied to the UIM 220. If the new BAK is not yet available, when the next mobile station 110 requests SKCount, UIM 220 replies the old and new counts as a total of SKCount. The implementation of the clock, authorization, and account can use the sum of the old and new counts to provide content viewing time. In another embodiment, UIM 220 continues to increment SKCount after transmitting the current value of the counter to mobile station 105. When the broadcast multicast service controller 150 transmits a new BAK, it also sends back a count received from the UIM 220 in the form of encryption in the BAK request. The UIM 220 decrypts the count received from the broadcast multicast service controller 150 and subtracts the received count from the SKCounter. This particular embodiment allows the prepaid bill to be applied to the timed charge. The broadcast multicast service controller 170 maintains the paid count and passes it to the UIM 220. The difference is calculated according to UIM 22 and allows the user to pay more counts as needed. 95619.doc -18- 1353748 In another embodiment, UIM 220 resets SKCounter to zero when a new BAK is supplied. In this particular embodiment, the user is not charged for viewing the broadcast content during the time between transmitting the SKCount and receiving the new BAK. * Familiarity The skilled person should understand that information and signals can be presented using any of a variety of different technologies and techniques. . For example, the materials, instructions, commands, information, signals, bits, symbols, and wafers that may be mentioned in the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, light fields or particles, or any combination thereof. It should be understood by those skilled in the art that the various logic blocks, modules, circuits, and calculation steps described in the specific embodiments disclosed herein can be implemented as an electronic hardware, a computer software, or a combination of both. To clearly illustrate this interoperability of hardware and software, various exemplary components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the specific application and design constraints used by the overall system. A person skilled in the art can implement the described Luming functionality for each particular application in a variety of ways, but such implementation decisions should not be construed as causing a departure from the scope of the invention. Various original logic blocks, modules, and circuits 'a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC)', a programmable gate array (FPGA), or other Programmable logic elements, discrete gate or transistor logic, discrete hardware components or are designed to perform or perform any combination of the functions described herein. A general-purpose processor can also be a microprocessor, but 95619.doc -19- In the alternative, the processor can be considered as any conventional processor 'controller, microcontroller per skin _ away; σ The person is taking advantage of the opportunity. A processor can also be implemented as a combination of computer devices, for example, a combination of a biliary and microprocessor, a plurality of microprocessors, and one or more microprocessors in combination with a DSP core or any other such configuration. The method or algorithm described in connection with the disclosed embodiments may be embodied by a hardware, a processor-executed software module, or a combination of the two. The software module can reside in RAM memory, flash memory H, ROM memory, pulse (10) memory, EEpR〇M memory, scratchpad, hard disk, removable disk, CD_R〇M, or this technology Any other form of storage medium known in the art. - Exemplary Storage = The system is lighted to the processor so that the processor can read the broadcast from the storage medium and write the information to the storage medium. In an alternative example, the storage medium can be integrated with the processor. The processor and the storage medium can reside in a single ASIC or be a separate component in a mobile station. The previous description of the specific embodiments disclosed is provided to enable any person skilled in the art to make or use the invention. A person skilled in the art will appreciate that the specific embodiments can be modified in various ways, and the general principles defined herein may be applied to other specific embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not intended to be limited to the details of the embodiments disclosed herein. Therefore, the present invention is not intended to be limited to the particular embodiments shown, but the 956l9.doc -20- Ϊ353748 [Simplified illustration of the drawings] Figure 丄 shows an exemplary block diagram of a wireless communication system according to the present invention - a specific embodiment (4) broadcast multi-delivery service (BCMCS); circle 2 shows the figure i A block diagram of a more detailed representation of a mobile station of a wireless communication system; and FIG. 3 is a diagram showing the transmission of signals between components of the wireless communication system of FIG. 1 for performing time-of-charge charging for viewing broadcast multicast services. Issuing Signal Flowchart [Major Component Symbol Description] 100 Wireless Communication System 105 Mobile Station 110 Base Transceiver Station 115 Wireless Communication Link 120 Base Station Controller 140 Packet Data Service Node 150 Broadcast Multicast Service Controller 160 Content Provider 170 Authentication, Authorization and Account Server 205 Receiver 21 〇 Transmitter 215 Controller 220 User Identification Module 230 Display Screen 956l9.doc