WO2007019760A1 - A method and a system for a mobile terminal joining in a domain and obtaining a rights object - Google Patents


Info

Publication number: WO2007019760A1
Application number: PCT/CN2006/001343
Authority: WO (WIPO, PCT)
Prior art keywords: certificate, DRM Agent, OCSP, domain, sends
Other languages: French (fr), Chinese (zh)
Inventors: Yimin Li, Guoxin Shi
Original assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007019760A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]

Definitions

  • The present invention relates to DRM (Digital Rights Management) technology in a mobile communication system, and more particularly to a method by which a mobile terminal joins a domain set up by the content issuer of a digital information product and obtains a rights object from that issuer.
  • DRM is a precondition for selling copyrighted digital information products over a network. Digital copyright protection technology can effectively prevent unauthorized copying, duplication and transmission of digital information products through networks and computers.
  • The content issuer of a digital information product, the Rights Issuer (RI), encrypts the digital information and uploads it to the network. The user downloads the encrypted digital information into the copyright agent (DRM Agent) on the terminal device. To use it, the user requests the Rights Object (RO) of the product from the RI over the network; the RO carries the key that decrypts the content, and the DRM Agent uses that key to decrypt the digital information so that the user can use it.
  • In the DRM system, an Online Certificate Status Protocol (OCSP) responder is used to determine whether the RI certificate is valid.
  • In the existing 2-pass protocol (FIG. 1), the mobile terminal actively obtains the RO from the RI as follows:
  • The DRM Agent sends an RO Request message to the RI. The RO Request carries the identifier of the digital information the mobile terminal user has selected and the intended usage mode.
  • The RI returns the RO in an RO Response message, and the DRM Agent then controls use of the corresponding digital information according to the RO.
  • When the RI wants to push an RO to the mobile terminal on its own initiative, it prompts the user with the address from which the corresponding digital information can be downloaded. The 1-pass protocol (FIG. 2) specifies a single step, S21: the RI sends an RO Response message carrying the distributed RO to the DRM Agent of the mobile terminal. The download address is usually sent to the user by short message, although any other communication means can be used.
  • The mobile terminal user can also join a domain through a procedure specified by the 2-pass protocol. A domain is a member group that the RI establishes for something like a group purchase; it has a unique domain identifier, and a mobile terminal user who is a member of that group can obtain the RO for specific digital information by joining the domain.
  • The mobile terminal requests to join a domain as follows:
  • The DRM Agent sends a Join Domain Request message to the RI. The mobile terminal user selects the join-domain operation in the DRM Agent and enters the domain identifier at the prompt; the request carries the identification information of the mobile terminal user and the identifier of the domain to be joined.
  • The RI checks, from the user's identification information, whether the user is a member of that domain. If so, it marks the user as having successfully joined and carries the domain password in the Join Domain Response message; if not, the Join Domain Response carries a rejection.
  • The domain password is generated and stored by the RI when the domain is established. After receiving the domain password, the user obtains the RO for the digital information through a 2-pass flow initiated by the terminal:
  • The DRM Agent sends an RO Request message to the RI; the request carries the domain identifier.
  • The RI returns a domain RO Response message to the DRM Agent of the mobile terminal. The RI first determines whether the terminal user has successfully joined the domain. If so, the RO Response carries the domain RO encrypted with the domain password; on receipt, the DRM Agent decrypts the domain RO with the domain password and controls the user's use of the corresponding digital information according to it. Otherwise the domain RO Response carries a rejection.
  • In all of these flows, neither the mobile terminal nor the RI can verify the validity of the other party's certificate. Certificate verification is therefore incomplete, no complete security system is implemented, the system has security vulnerabilities, and the holder of a revoked certificate may still access the RI and obtain an RO.
Summary of the invention
  • The present invention provides a method and system for a mobile terminal to obtain a rights object and to join a domain, so as to solve the problem of poor security in the existing DRM system.
  • A method for a mobile terminal to obtain a rights object includes the following steps:
  • Before sending the rights object (RO) to the copyright agent module (DRM Agent), the rights issuer (RI) sends an authentication request message carrying the RI certificate to the Online Certificate Status Protocol (OCSP) responder.
  • The OCSP responder returns to the RI an authentication response message carrying the validity result for the RI certificate and the OCSP responder's digital signature.
  • The RI sends the DRM Agent an RO Response message carrying the RO together with the complete authentication response message.
  • The DRM Agent receives the RO Response message, confirms from the OCSP responder's digital signature that the responder is legitimate, confirms from the validity result that the RI certificate is valid, and only then takes the RO.
  • The method may further include the DRM Agent sending the RI an RO Request message carrying the DRM Agent certificate.
  • The DRM Agent certificate can then be authenticated as well: the authentication request message carries the DRM Agent certificate alongside the RI certificate, the authentication response message carries the validity result for the DRM Agent certificate, and the RI sends the RO Response message only after confirming from that result that the DRM Agent certificate is valid.
  • Alternatively, the RI sends a separate authentication request message carrying the DRM Agent certificate to the OCSP responder.
  • Whenever the DRM Agent and the RI, and/or the RI and the OCSP responder, exchange a message, the sender generates a digital signature over the message and sends it together with the message; the receiver verifies from that signature that the sender is legitimate before any further processing.
  • The present invention also provides a method for a mobile terminal user to join a domain, including the following steps:
  • The DRM Agent of the mobile terminal sends the RI a Join Domain Request message carrying the mobile terminal user identifier and the identifier of the domain to be joined.
  • After confirming from the user identifier and the domain identifier that the user is a member of that domain, the RI sends an authentication request message carrying the RI certificate to the OCSP responder and marks the user as having joined the domain.
  • The RI sends the DRM Agent a Join Domain Response message carrying the domain password of the joined domain together with the complete authentication response message.
  • The DRM Agent receives the Join Domain Response message, confirms from the OCSP responder's digital signature that the responder is legitimate, confirms from the validity result that the RI certificate is valid, and then takes the domain password.
  • The DRM Agent certificate may be carried in the Join Domain Request message, in which case the method can verify the DRM Agent certificate at the same time: the authentication response message carries the validity result for the DRM Agent certificate, and the RI sends the Join Domain Response message only after confirming from that result that the DRM Agent certificate is valid.
  • Alternatively, the RI first confirms from the validity result for the DRM Agent certificate that the terminal is legitimate, and only then has its own RI certificate verified.
  • After obtaining the domain password, the DRM Agent sends the RI a domain RO Request message carrying the domain identifier and the user identifier.
  • After confirming that the user has joined the domain, the RI returns a domain RO Response message to the DRM Agent; the message carries the domain RO encrypted with the domain password.
  • The DRM Agent receives the domain RO Response message, takes the domain RO and decrypts it with the domain password. In this way the required domain RO is acquired from the RI by the RO acquisition method provided by the present invention.
  • The present invention also provides a digital information copyright management system, including a copyright agent (DRM Agent) server disposed on a mobile terminal, an RI server connected to the DRM Agent server through a mobile communication network, and an OCSP responder connected to the RI server.
  • The DRM Agent includes an agent security module for digitally signing messages sent to the RI server and for verifying the legitimacy of digitally signed messages received from the RI server.
  • The RI server includes an RI security module for digitally signing messages sent to the DRM Agent server or the OCSP responder and for verifying the legitimacy of digitally signed messages received from the DRM Agent server or the OCSP responder.
  • The DRM Agent further includes an agent interface module for transmitting and receiving messages and an agent control module for performing digital information copyright management, each connected to the agent security module. A message the agent control module sends to the RI server is first passed to the agent security module for digital signature and then sent by the agent interface module; a digitally signed message the agent interface module receives from the RI server is passed to the agent security module, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the agent control module for processing; and/or
  • The RI server further includes an RI interface module for transmitting and receiving messages and an RI control module for performing RO or join-domain management, each connected to the RI security module. A message the RI control module sends to the DRM Agent server or the OCSP responder is first passed to the RI security module for digital signature and then sent by the RI interface module; a digitally signed message the RI interface module receives from the DRM Agent server or the OCSP responder is passed to the RI security module, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the RI control module for processing; and/or
  • The OCSP responder further includes an OCSP interface module for transmitting and receiving messages and an OCSP authentication module for authenticating the RI certificate and/or the DRM Agent certificate, each connected to an OCSP security module. A message the OCSP authentication module sends to the RI server is first passed to the OCSP security module for digital signature and then sent by the OCSP interface module; a digitally signed message the OCSP interface module receives from the RI server is passed to the OCSP security module, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the OCSP authentication module for processing.
  • The OCSP authentication module further holds an RI certificate revocation list and/or a DRM Agent certificate revocation list used for the authentication.
  • In this way the authentication of the RI certificate is added to the 2-pass RO request, the 1-pass RO push and the 2-pass join-domain procedures, and the validity check of the DRM Agent certificate is added on top, which eliminates the security vulnerabilities of the DRM system and improves the whole security system.
  • FIG. 1 is the flow of the 2-pass protocol in which a mobile terminal requests an RO from an RI;
  • FIG. 2 is the flow of the 1-pass protocol in which an RI pushes an RO to a mobile terminal;
  • FIG. 4 is the implementation flow, according to the present invention, of a mobile terminal requesting an RO from an RI, in which the RI has the OCSP responder verify the validity of the RI certificate before sending the RO to the mobile terminal;
  • FIG. 5 is the implementation flow of an RI pushing an RO to a mobile terminal on its own initiative, in which the RI has the OCSP responder verify the validity of the RI certificate before dispatching the RO;
  • FIG. 6 is the implementation flow, according to the present invention, of a mobile terminal requesting to join a domain, in which the RI has the OCSP responder verify the validity of the RI certificate before sending the domain password to the mobile terminal;
  • FIG. 7 is a schematic diagram of the main structure of the DRM system according to Embodiment 4.
Detailed description
  • The purpose of the method of the present invention is to improve three processes of the DRM system: the 2-pass protocol flow in which a mobile terminal requests an RO from an RI, the 1-pass flow in which the RI pushes an RO to a mobile terminal, and the 2-pass flow in which a mobile terminal requests to join a domain, by adding validity verification of the RI certificate and/or the DRM Agent certificate to each of them.
  • The present invention uses OCSP for this: in each of the three processes the RI asks the OCSP responder to verify the validity of the RI certificate, which establishes the legitimacy of the RI. Further, the RI asks the OCSP responder to verify the validity of the mobile terminal's DRM Agent certificate, which establishes the legitimacy of the mobile terminal, so that a complete certificate verification system is implemented in all three processes.
  • The DRM Agent certificate, also called the terminal certificate or end-user certificate, is the sole proof of the legitimate identity of the mobile terminal user. It is bound to a unique user private key, which is held by the terminal, and carries the corresponding public user key.
  • The RI certificate is the sole proof of the legitimate identity of each RI; it carries a certificate identifier and is bound to a unique RI private key, which corresponds to the public RI key.
  • The OCSP responder certificate is the proof of the legitimate identity of the OCSP responder; it is bound to a unique responder private key, which corresponds to the public responder key.
  • The RI certificate revocation list is maintained on the OCSP responder and updated promptly; it registers the identifiers of RI certificates that have been revoked. To verify the validity of an RI certificate, the OCSP responder looks its identifier up in the current RI certificate revocation list.
  • A digital signature lets the receiver of a message confirm the identity of its sender. The sender uses its private key and the complete message to generate the digital signature and sends the signature together with the message. The receiver verifies the signature over the received message with the sender's public key; if the verification succeeds, the sender is legitimate and trusted, and any alteration of the message in transit would make it fail.
  • Embodiment 1:
  • The first embodiment adds, to the existing 2-pass flow in which the mobile terminal requests an RO from the RI, a step in which the RI has the OCSP responder verify the validity of the RI certificate (FIG. 4):
  • The DRM Agent sends an RO Request message to the RI. The RO Request carries the DRM Agent certificate, the identifier of the digital information the mobile terminal user has selected, the usage mode, and the user digital signature that the DRM Agent generates with the user private key over the complete RO Request message.
  • The RI sends an OCSP Request message to the OCSP responder to verify the validity of the RI certificate. On receiving the RO Request, the RI first verifies the identity of the terminal with the user public key and the user digital signature, by verifying the signature over the complete received message with the user's public key. If verification fails, the RO Request is regarded as coming from an illegitimate terminal and no reply is returned. If it succeeds, the RO Request is regarded as coming from a legitimate terminal, and the RI sends the OCSP Request to the OCSP responder; the OCSP Request carries the RI certificate and the RI digital signature generated with the RI private key over the complete OCSP Request message.
  • The OCSP responder returns an OCSP Response message to the RI. The OCSP responder likewise first verifies the RI digital signature with the RI public key to determine whether the RI is legitimate, and refuses to reply to an illegitimate RI. It then checks the validity of the RI certificate against the RI certificate revocation list, writes the authentication result into the OCSP Response message, generates the OCSP digital signature with the responder private key over the complete OCSP Response message, and sends the OCSP Response carrying the authentication result and the OCSP digital signature to the RI.
  • The RI returns an RO Response message to the DRM Agent of the mobile terminal. After receiving the OCSP Response, the RI completes the operations described in the summary above: it verifies the OCSP digital signature, writes the RO and the complete OCSP Response into the RO Response message, signs the RO Response with the RI private key, and sends it.
  • After receiving the RO Response, the DRM Agent completes the corresponding operations: it verifies the RI digital signature, verifies the OCSP digital signature, and checks the validity result for the RI certificate. Only when the DRM Agent has confirmed that the RO Response comes from a legitimate RI and that the validity result for the RI certificate comes from a legitimate OCSP responder is the end user allowed to use the downloaded digital information; this guarantees the legitimacy and security of the digital information's source.
  • The authentication request message the RI sends to the OCSP responder may also carry the terminal certificate, asking the OCSP responder to authenticate the DRM Agent certificate. The OCSP responder then carries the authentication result for the DRM Agent certificate in the OCSP Response returned to the RI, and the RI decides from that result whether to send the RO Response to the terminal.
  • Alternatively, before performing step S42 (sending the OCSP Request that verifies the RI certificate), the RI sends the OCSP responder a separate authentication request message carrying the DRM Agent certificate; the OCSP responder returns the authentication result for the DRM Agent certificate in its OCSP Response, and only if the DRM Agent certificate is valid does the RI proceed to step S42, the authentication of the RI certificate.
  • For this, a DRM Agent certificate revocation list must be established on the OCSP responder and updated promptly.
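The exchange of Embodiment 1, with the per-message signatures described under digital signatures above and the RO method of the summary, as an added worked example; it is not part of the patent and not Huawei's implementation. It is written in Go against the standard library only, and everything in it is this example's own assumption: Ed25519 stands in for whatever signature scheme the real certificates carry, a `Cert` struct holding an identifier and a public key stands in for an X.509 certificate (no CA chain is checked, which a real DRM Agent or RI must do), JSON bodies stand in for the message encoding, the OCSP responder is a function call rather than a network peer, the revocation list is a map, and the names `Responder`, `RI`, `IssueRO`, `AcceptRO`, `Run` and the certificate identifiers `ocsp-responder`, `ri-1` and `agent-42` are constructed. The RI refuses a terminal whose certificate the responder reports revoked, staples the responder's signed verdict on its own certificate into the RO Response, and the DRM Agent checks the RI signature, then the responder signature, then that verdict, before it takes the RO.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

type (
	Cert      struct{ ID string; Pub ed25519.PublicKey }  // stands in for an X.509 certificate (assumption: no chain check)
	Signed    struct{ Body, Sig []byte }                    // any message: the complete body plus the sender's signature over it
	ROReq     struct{ Cert Cert; ContentID, Usage string } // Cert is the DRM Agent (terminal) certificate
	OCSPResp  struct{ CertID string; Good bool }           // the responder's verdict; an OCSP request body is just a Cert
	ROResp    struct{ RO string; OCSP Signed }             // OCSP: the responder's signed verdict on the RI certificate, stapled in
	Responder struct{ priv ed25519.PrivateKey; Cert Cert; Revoked map[string]bool }
	RI        struct{ priv ed25519.PrivateKey; Cert Cert }
)

// sign generates the sender's digital signature over the complete message; open verifies it before the body is used.
func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v)
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

func open(pub ed25519.PublicKey, m Signed, v interface{}) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, m.Body, m.Sig) {
		return errors.New("bad signature: sender is not legitimate")
	}
	return json.Unmarshal(m.Body, v)
}

// Respond refuses an RI whose signature fails; otherwise it signs the revocation-list verdict.
func (r *Responder) Respond(riPub ed25519.PublicKey, req Signed) (Signed, error) {
	var c Cert
	if err := open(riPub, req, &c); err != nil {
		return Signed{}, err
	}
	return sign(r.priv, OCSPResp{CertID: c.ID, Good: !r.Revoked[c.ID]}), nil
}

// check sends a signed OCSP request for c and returns the responder's signed verdict, verified.
func (ri *RI) check(r *Responder, c Cert) (resp Signed, v OCSPResp, err error) {
	if resp, err = r.Respond(ri.Cert.Pub, sign(ri.priv, c)); err == nil {
		err = open(r.Cert.Pub, resp, &v)
	}
	return
}

// IssueRO (RI side): verify the terminal's signature, refuse a revoked terminal certificate,
// then staple the verdict on the RI certificate into the signed RO Response for the terminal to judge.
func (ri *RI) IssueRO(r *Responder, req Signed) (Signed, error) {
	var q ROReq
	if json.Unmarshal(req.Body, &q) != nil || open(q.Cert.Pub, req, &q) != nil {
		return Signed{}, errors.New("RO request from illegitimate terminal")
	}
	if _, v, err := ri.check(r, q.Cert); err != nil || !v.Good {
		return Signed{}, errors.New("terminal certificate revoked or unverifiable")
	}
	stapled, _, err := ri.check(r, ri.Cert) // the terminal, not the RI, judges this verdict
	if err != nil {
		return Signed{}, err
	}
	return sign(ri.priv, ROResp{RO: "CEK-for-" + q.ContentID, OCSP: stapled}), nil
}

// AcceptRO (DRM Agent side): RI signature, then responder signature, then the verdict on the
// RI certificate, all before the RO (and the content key inside it) is used.
func AcceptRO(riCert, responderCert Cert, resp Signed) (string, error) {
	var ro, v = ROResp{}, OCSPResp{}
	if err := open(riCert.Pub, resp, &ro); err != nil {
		return "", err
	}
	if err := open(responderCert.Pub, ro.OCSP, &v); err != nil {
		return "", err
	}
	if v.CertID != riCert.ID || !v.Good {
		return "", errors.New("RI certificate reported invalid by OCSP responder")
	}
	return ro.RO, nil
}

func newCert(id string) (c Cert, priv ed25519.PrivateKey) {
	c.ID = id
	c.Pub, priv, _ = ed25519.GenerateKey(rand.Reader)
	return
}

// Run performs one complete exchange with fresh keys; revoked holds the certificate IDs the responder
// treats as revoked. It returns the RO the terminal accepted, or the reason it did not.
func Run(revoked map[string]bool) (string, error) {
	rc, rpriv := newCert("ocsp-responder")
	r := &Responder{priv: rpriv, Cert: rc, Revoked: revoked}
	ric, ripriv := newCert("ri-1")
	ac, apriv := newCert("agent-42")
	req := sign(apriv, ROReq{Cert: ac, ContentID: "song-7", Usage: "play"})
	resp, err := (&RI{priv: ripriv, Cert: ric}).IssueRO(r, req)
	if err != nil {
		return "", err
	}
	return AcceptRO(ric, rc, resp)
}
```

`Run(nil)` is the success path and returns the RO. `Run(map[string]bool{"ri-1": true})` shows the terminal discarding an RO Response whose stapled verdict says the RI certificate is invalid, and `Run(map[string]bool{"agent-42": true})` shows the RI refusing a terminal with a revoked certificate, which is the vulnerability the background section describes. A real responder's verdict also carries a production time and a validity window that the terminal checks against its own clock, so that a stale "good" answer cannot be replayed after revocation; the example omits that along with the certificate chain check.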
  • Embodiment 2:
  • The second embodiment is based on the existing 1-pass flow in which the RI pushes an RO to the mobile terminal, and adds the step of verifying the validity of the RI certificate (FIG. 5). The DRM Agent does not need to send an RO Request to the RI; the other steps are the same as in the first embodiment, specifically:
  • The RI sends an OCSP Request message to the OCSP responder to request verification of the validity of the RI certificate. The OCSP Request carries the RI certificate and the RI digital signature generated with the RI private key.
  • The OCSP responder returns an OCSP Response message to the RI. The OCSP responder first authenticates the identity of the RI with the RI public key and the RI digital signature; if the RI is legitimate, it judges the validity of the RI certificate against the RI certificate revocation list, and otherwise it refuses to reply. The OCSP responder writes the authentication result into the OCSP Response message, generates the OCSP digital signature with the responder private key, adds it to the OCSP Response, and sends the OCSP Response carrying the authentication result and the OCSP digital signature to the RI.
  • The RI sends an RO Response message to the DRM Agent. After receiving the OCSP Response carrying the OCSP digital signature, the RI completes the same operations as in the first embodiment: it verifies the OCSP digital signature, writes the RO and the complete OCSP Response into the RO Response message, signs it with the RI private key, and sends it.
  • After receiving the RO Response, the DRM Agent completes the same operations as in the first embodiment: it verifies the RI digital signature and the OCSP digital signature, checks the validity result for the RI certificate, and only then takes and uses the RO.
  • Embodiment 3:
  • The third embodiment adds the RI certificate authentication step to the existing 2-pass flow in which the mobile terminal requests the RI to join a domain (FIG. 6), and specifically includes:
  • The DRM Agent sends a Join Domain Request message to the RI. The mobile terminal user selects the join-domain operation in the DRM Agent and enters the domain identifier at the prompt. The Join Domain Request carries the identification information of the mobile terminal user, the identifier of the domain to be joined, and the user digital signature generated with the user private key over the complete Join Domain Request message.
  • The RI sends an OCSP Request message to the OCSP responder, requesting verification of the validity of the RI certificate. After receiving the Join Domain Request, the RI verifies the identity of the terminal user with the user public key and the user digital signature, and refuses to reply to an illegitimate terminal. For a legitimate terminal user who passes this check, the RI determines from the user's identification information whether the user is a member of the domain to be joined; if so, it marks the user as a member who has joined the domain, and then sends the OCSP responder an OCSP Request carrying the RI certificate and the RI digital signature.
  • The OCSP responder returns an OCSP Response message to the RI. The OCSP responder first verifies the legitimacy of the RI with the RI public key and the RI digital signature, then determines the validity of the RI certificate against the RI certificate revocation list, writes the authentication result into the OCSP Response message, adds the OCSP digital signature, and sends the OCSP Response to the RI.
  • The RI returns a Join Domain Response message to the DRM Agent of the mobile terminal. After receiving the OCSP Response carrying the OCSP digital signature, the RI verifies that signature, writes the domain password and the complete OCSP Response into the Join Domain Response message, signs it with the RI private key, and sends it.
  • After receiving the Join Domain Response, the DRM Agent verifies the RI digital signature and the OCSP digital signature and checks the validity result for the RI certificate. Only after confirming that a valid result for the RI certificate comes from a legitimate OCSP responder does the DRM Agent take the domain password from the Join Domain Response; this guarantees the legitimacy and security of the domain password's source.
  • After receiving the domain password, the DRM Agent obtains the corresponding domain RO from the RI by initiating the 2-pass flow, which includes the following steps:
  • The DRM Agent sends an RO Request message to the RI; the request carries the domain identifier.
  • The RI returns an RO Response message to the DRM Agent of the mobile terminal. The RI determines whether the mobile terminal user has been marked as a joined member of the corresponding domain. If so, the RO Response carries the domain RO encrypted with the domain password; after receiving it, the DRM Agent decrypts the domain RO with the domain password and uses it to control the user's use of the digital information. If the RI determines that the mobile terminal user has not successfully joined, the RO Response carries a rejection.
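The domain side of Embodiment 3 (the membership check at join time, the domain password handed only to members, and the domain RO encrypted under that password so that only a joined member can open it), as an added worked example; it is not part of the patent and not Huawei's implementation. It is written in Go against the standard library. The patent fixes neither the format of the domain password nor the cipher that protects the domain RO, so both are this example's assumptions: the password is a 256-bit random key generated by the RI when the domain is established, and the domain RO is wrapped with AES-256-GCM with the domain identifier bound as associated data. The names `Domain`, `Join`, `IssueDomainRO`, `OpenDomainRO` and `Scenario`, the domain `family-42`, and the users alice, bob and carol are constructed. The signed transport of Embodiment 1 is left out to keep the focus on the domain key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Domain is the RI's record of one member group: who is entitled to join, who has actually
// completed the join, and the domain password generated when the domain was established.
type Domain struct {
	ID       string
	Members  map[string]bool
	Joined   map[string]bool
	Password []byte // assumption: a 256-bit random key; the patent does not fix the format
}

func NewDomain(id string, members ...string) *Domain {
	d := &Domain{ID: id, Members: map[string]bool{}, Joined: map[string]bool{}, Password: make([]byte, 32)}
	if _, err := rand.Read(d.Password); err != nil {
		panic(err)
	}
	for _, m := range members {
		d.Members[m] = true
	}
	return d
}

// Join is the RI side of the Join Domain Request: only a listed member is marked as joined and
// handed the domain password; anyone else gets a rejection and never sees the password.
func (d *Domain) Join(userID string) ([]byte, error) {
	if !d.Members[userID] {
		return nil, errors.New("join rejected: " + userID + " is not a member of " + d.ID)
	}
	d.Joined[userID] = true
	return d.Password, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueDomainRO is the RI side of the domain RO Request: refuse a user not marked as joined,
// otherwise return the domain RO encrypted under the domain password (assumption: AES-256-GCM,
// nonce prepended, domain identifier bound as associated data so the RO cannot move between domains).
func (d *Domain) IssueDomainRO(userID string, ro []byte) ([]byte, error) {
	if !d.Joined[userID] {
		return nil, errors.New("RO request rejected: " + userID + " has not joined " + d.ID)
	}
	aead, err := gcm(d.Password)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, ro, []byte(d.ID)), nil
}

// OpenDomainRO is the DRM Agent side: decrypt the domain RO with the password obtained at join
// time. A wrong password, a tampered message or a different domain identifier all fail the GCM tag.
func OpenDomainRO(password, sealed []byte, domainID string) ([]byte, error) {
	aead, err := gcm(password)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("domain RO message too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(domainID))
}

// Scenario runs the flow for three constructed users and reports the outcome for each.
func Scenario() map[string]string {
	d := NewDomain("family-42", "alice", "carol")
	ro := []byte("domain RO: CEK=0x1234, play=5 times") // constructed sample rights object
	out := map[string]string{}
	// alice: a member who joins, receives the password, then requests and decrypts the domain RO.
	pw, _ := d.Join("alice")
	sealed, _ := d.IssueDomainRO("alice", ro)
	if got, err := OpenDomainRO(pw, sealed, d.ID); err == nil {
		out["alice"] = string(got)
	}
	// the same message presented as if it belonged to another domain: authentication fails.
	if _, err := OpenDomainRO(pw, sealed, "family-43"); err != nil {
		out["alice-other-domain"] = err.Error()
	}
	// bob: not a member, so the join is rejected.
	if _, err := d.Join("bob"); err != nil {
		out["bob"] = err.Error()
	}
	// carol: entitled to join but has not done so, so the RI will not issue the domain RO.
	if _, err := d.IssueDomainRO("carol", ro); err != nil {
		out["carol"] = err.Error()
	}
	return out
}
```

`Scenario()` returns the decrypted RO for alice and the rejection text for bob, for carol, and for alice's attempt to open the message under another domain identifier. Two points of the patent's flow are visible in it: the RI distinguishes a user who is entitled to join (carol) from one who has completed the join (alice), and checks the joined mark rather than the member list before issuing the domain RO; and binding the domain identifier as associated data means a domain RO captured from one domain fails authentication when presented as belonging to another, even to a member who holds both passwords.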
  • Embodiment 4:
  • The present invention also discloses a DRM system. As shown in FIG. 7, the DRM system in the mobile communication field includes a copyright agent server (DRM Agent 101) installed on the mobile terminal 100, an RI server 200, and an OCSP responder 300.
  • The DRM Agent 101 includes an agent interface module 1011 for transmitting and receiving messages and an agent control module 1013 for copyright management; the RI server 200 includes an RI interface module 201 for transmitting and receiving messages and an RI control module 203; and the OCSP responder 300 includes an OCSP interface module 301 for transmitting and receiving messages and an OCSP authentication module 303.
  • A security module for generating and verifying digital signatures is additionally set on each of the DRM Agent 101, the RI server 200 and the OCSP responder 300. Each security module stores its own private key, with which it generates digital signatures, and the public keys of its peers, with which it verifies them. When the interface module sends a message, the security module generates the digital signature for that message and hands it to the interface module; when the interface module receives a message, the security module is responsible for verifying the legitimacy of the sender's identity (the DRM Agent, the RI and/or the OCSP responder), to ensure the reliability and security of the message's source. Separately:
  • The agent security module 1012 of the DRM Agent 101 is connected between the agent interface module 1011 and the agent control module 1013. A message the agent control module 1013 sends to the RI server 200 is first passed to the agent security module 1012 for digital signature and then sent through the agent interface module 1011; a digitally signed message the agent interface module 1011 receives from the RI server 200 is passed to the agent security module 1012, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the agent control module 1013 for processing. The agent control module 1013 is connected to the display module 102 of the mobile terminal 100, which displays the operation interface.
  • The RI security module 202 of the RI server 200 is connected between the RI interface module 201 and the RI control module 203. A message the RI control module 203 sends to the DRM Agent 101 or the OCSP responder 300 is first passed to the RI security module 202 for digital signature; a digitally signed message the RI interface module 201 receives from the DRM Agent 101 or the OCSP responder 300 is passed to the RI security module 202, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the RI control module 203 for processing.
  • The OCSP security module 302 of the OCSP responder 300 is connected between the OCSP interface module 301 and the OCSP authentication module 303. A message the OCSP authentication module 303 sends to the RI server 200 is first passed to the OCSP security module 302 for digital signature and then sent through the OCSP interface module 301; a digitally signed message the OCSP interface module 301 receives from the RI server 200 is passed to the OCSP security module 302, which confirms from the digital signature that the identity of its producer is legitimate before handing the message to the OCSP authentication module 303 for processing.
  • The OCSP authentication module 303 also holds an RI certificate revocation list 3031 and a DRM Agent certificate revocation list 3032 used for the authentication.

Abstract

A method for a mobile terminal to join a domain set up by a rights issuer (RI) and a method for obtaining a rights object (RO) from the issuer are disclosed. The RI requests validation of its own certificate, and the validity result together with the digital signature of the OCSP responder is carried in the RO response or join-domain response message. The DRM Agent of the mobile terminal confirms the legitimacy of the OCSP responder from its digital signature and, after confirming that the RI certificate is valid, obtains the RO or the password for joining the domain; the security and reliability of the source of the RO or domain password are thereby guaranteed. A system implementing the method includes a DRM Agent server, an RI server and an OCSP responder, each provided with its own security module.

Description

Method and system for a mobile terminal to join a domain and obtain a rights object

Technical field

The present invention relates to DRM (Digital Rights Management) technology in mobile communication systems, and in particular to a method by which a mobile terminal joins a domain set up by the content issuer of a digital information product and obtains a rights object from the issuer.

Background art

DRM is a precondition for selling copyrighted digital information products over a network: digital rights protection technology effectively prevents digital information products from being illegally duplicated, copied and transmitted over networks and computers. The content issuer of a digital information product (Rights Issuer, RI) encrypts the digital information and uploads it to the network, and the user downloads the encrypted digital information into the rights agent (DRM Agent) on the terminal device. To use the downloaded digital information, the user then requests the rights object (Rights Object, RO) of that product from the RI over the network. The RO contains the key for decrypting the data; for a one-time-payment product, the DRM Agent decrypts the digital information with this key and the user can then use it. If the user's operating rights need to be controlled, the RO also contains rights management information for the digital information, and the DRM Agent manages the user's specific use of the digital information according to these restrictions. In the prior art, the restrictions on a digital product generally include the number of uses, the number of previews, the time limit of each preview and the period of use.

With the development of mobile communication technology, more and more users download digital information from the network with mobile terminals. In the DRM protocols of existing mobile communication systems, the terminal account-opening and registration procedure specified by the 4-pass registration protocol does require two-way certificate authentication between the mobile terminal and the RI in order to guard against illegal terminals and illegal RIs: the DRM Agent and the RI each present their own certificate, verify the correctness and validity of the other party's certificate, and use the Online Certificate Status Protocol (OCSP) to check the validity of the RI certificate. However, the 2-pass and 1-pass protocol flows by which the terminal obtains an RO from the RI, and the 2-pass protocol flow for joining a domain, do not verify the validity of either party's certificate (that is, its certificate status). This is explained in detail below:
As shown in Figure 1, the 2-pass protocol flow in which the mobile terminal obtains an RO from the RI on its own initiative comprises the following steps:

S11. The DRM Agent sends an RO Request message to the RI;

The RO request message carries the identification information of the digital information selected by the mobile terminal user and the chosen usage mode.

S12. The RI returns an RO Response message to the DRM Agent of the mobile terminal;

The RO response message carries the RO that the RI generated according to the usage mode selected by the user. After receiving the RO, the DRM Agent controls the use of the corresponding digital information according to it.

Sometimes, when the RI runs a promotion or gives away content based on the user's accumulated usage, the RI wishes to distribute an RO to the mobile terminal on its own initiative and at the same time tell the user the address from which to download the corresponding digital information. The 1-pass protocol specifies the corresponding flow, shown in Figure 2, which consists of a single step:

S21. The RI sends an RO response message to the DRM Agent of the mobile terminal, carrying the distributed RO; the RI normally sends the user the download address of the corresponding digital information by SMS, but any other means of communication may be used to notify the user.
A mobile terminal user can also request to join a domain by the flow specified by the 2-pass protocol. A domain is a member group established by the RI for something like a group purchase and has a unique domain identifier; if the mobile terminal user is a member of that group, the user can obtain the RO of specific digital information by joining the domain. As shown in Figure 3, the mobile terminal requests to join a domain by the following steps:

S31. The DRM Agent sends a Join Domain Request message to the RI;

The user selects the join-domain operation in the DRM Agent and enters the domain identifier when prompted; the DRM Agent then sends a join-domain request message to the RI carrying the user's identification information and the identifier of the domain to be joined.

S32. The RI returns a Join Domain Response message to the DRM Agent of the mobile terminal;

The RI verifies from the user's identification information whether the user is a member of the domain. If so, it marks the user as a member who has successfully joined the domain and carries the domain password in the join-domain response message; if not, it carries rejection information in the response. The domain password is generated and stored by the RI when the domain is established. After receiving the domain password, the user initiates the 2-pass protocol flow to obtain the RO of the corresponding digital information from the RI, which comprises the following steps:

S33. The DRM Agent sends an RO request message carrying the domain identifier to the RI;

S34. The RI returns a domain RO response message to the DRM Agent of the mobile terminal;

The RI determines whether the user has successfully joined the domain. If so, the RO response message carries the domain RO encrypted with the domain password; after receiving it, the DRM Agent decrypts the domain RO with the domain password and controls the user's use of the corresponding digital information according to it. Otherwise the domain RO response message carries rejection information.

In none of the above three flows can the mobile terminal or the RI verify the validity of the other party's certificate. Certificate validity verification is therefore incomplete, no complete security system can be achieved, the system has a security hole, and a discarded certificate could be used to access the RI and obtain an RO.

Summary of the invention
The present invention provides a method and system for a mobile terminal to obtain a rights object and to join a domain, so as to solve the problem of poor security in existing DRM systems.

A method for a mobile terminal to obtain a rights object comprises the following steps:

before the rights issuer (RI) sends a rights object (RO) to the DRM Agent, it sends an authentication request message including the RI certificate to an Online Certificate Status Protocol (OCSP) responder;

the OCSP responder returns to the RI an authentication response message including the RI certificate validity result and the digital signature of the OCSP responder;

the RI sends to the DRM Agent an RO response message that includes the RO and carries the entire authentication response message;

the DRM Agent receives the RO response message, confirms from the OCSP responder's digital signature that the OCSP responder is legitimate, confirms from the RI certificate validity result that the RI certificate is valid, and then obtains the RO.

The method further comprises: the DRM Agent sends to the RI an RO request message including the DRM Agent certificate.

In the method, the DRM Agent certificate may additionally be authenticated by the following steps:

the authentication request message also includes the DRM Agent certificate;

the authentication response message also includes the validity result of the DRM Agent certificate; and

the RI confirms from the validity result of the DRM Agent certificate that it is valid before sending the RO response message.

Alternatively, the DRM Agent certificate is authenticated first by the following steps:

the RI sends to the OCSP responder an authentication request message including the DRM Agent certificate;

the OCSP responder returns to the RI an authentication response message including the DRM Agent certificate validity result;

the RI confirms from the DRM Agent certificate validity result that the terminal is legitimate, and only then verifies the RI certificate.

In the method, for every message exchanged between the DRM Agent and the RI and/or between the RI and the OCSP responder, the sender generates a sender digital signature, writes it into the message and sends both to the receiver; the receiver verifies from the sender's digital signature that the sender is legitimate before carrying out any further processing.
Based on the same technical concept, the present invention also provides a method for a mobile terminal user to join a domain, comprising the following steps:

the DRM Agent of the mobile terminal sends to the RI a join-domain request message including the mobile terminal user identifier and the identifier of the domain to be joined;

after confirming from the user identifier and the domain identifier that the user is a member of that domain, the RI sends to the OCSP responder an authentication request message including the RI certificate, and marks the user as a joined member;

the OCSP responder returns to the RI an authentication response message including the RI certificate validity result and the digital signature of the OCSP responder;

the RI sends to the DRM Agent a join-domain response message that includes the domain password of the domain and carries the entire authentication response message;

the DRM Agent receives the join-domain response message, confirms from the OCSP responder's digital signature that the OCSP responder is legitimate, confirms from the RI certificate validity result that the RI certificate is valid, and then obtains the domain password.

The join-domain request message also includes the DRM Agent certificate.

The method may verify the DRM Agent certificate at the same time by the following steps:

the authentication response message also includes the validity result of the DRM Agent certificate; and

the RI confirms from the validity result of the DRM Agent certificate that it is valid before sending the join-domain response message.

Alternatively, the DRM Agent certificate is verified first by the following steps:

the RI sends to the OCSP responder an authentication request message including the DRM Agent certificate;

the OCSP responder returns to the RI an authentication response message including the DRM Agent certificate validity result;

the RI confirms from the DRM Agent certificate validity result that the terminal is legitimate, and only then verifies the RI certificate.

After obtaining the domain password, the DRM Agent sends to the RI a domain RO request message including the domain identifier and the user identifier;

after confirming that the user is a joined member, the RI returns to the DRM Agent a domain RO response message including the domain RO encrypted with the domain password;

the DRM Agent receives the domain RO response message, obtains the domain RO and decrypts it with the domain password.

Alternatively, the required domain RO is obtained from the RI by the RO acquisition method provided by the present invention.

To implement the method, the present invention also provides a digital information rights management system comprising a DRM Agent server disposed on a mobile terminal, an RI server connected to the DRM Agent server through a mobile communication network, and an OCSP responder connected to the RI server through a mobile communication network;
the DRM Agent includes an agent security module for digitally signing messages sent to the RI server, or for verifying the legitimacy of digitally signed messages received from the RI server;

the RI server includes an RI security module for digitally signing messages sent to the DRM Agent server or the OCSP responder, or for verifying the legitimacy of digitally signed messages received from the DRM Agent server or the OCSP responder;

the OCSP responder includes an OCSP security module for digitally signing messages sent to the RI server, or for verifying the legitimacy of digitally signed messages received from the RI server.

The DRM Agent further includes an agent interface module for sending and receiving messages and an agent control module for performing digital information rights management, both connected to the agent security module. The agent control module passes a message to be sent to the RI server to the agent security module for digital signing, after which it is sent through the agent interface module; or the agent interface module passes a digitally signed message received from the RI server to the agent security module, which confirms from the digital signature that the signer's identity is legitimate and then passes the message to the agent control module for processing; and/or

the RI server further includes an RI interface module for sending and receiving messages and an RI control module for performing RO or domain management, both connected to the RI security module. The RI control module passes a message to be sent to the DRM Agent server or the OCSP responder to the RI security module for digital signing, after which it is sent through the RI interface module; or the RI interface module passes a digitally signed message received from the DRM Agent server or the OCSP responder to the RI security module, which confirms from the digital signature that the signer's identity is legitimate and then passes the message to the RI control module for processing; and/or

the OCSP responder further includes an OCSP interface module for sending and receiving messages and an OCSP authentication module for authenticating the validity of RI certificates and/or DRM Agent certificates, both connected to the OCSP security module. The OCSP control module passes a message to be sent to the RI server to the OCSP security module for digital signing, after which it is sent through the OCSP interface module; or the OCSP interface module passes a digitally signed message received from the RI server to the OCSP security module, which confirms from the digital signature that the signer's identity is legitimate and then passes the message to the OCSP control module for processing. The OCSP authentication module further includes an RI certificate revocation list and/or a DRM Agent certificate revocation list used for authentication.

The beneficial effects of the present invention are as follows:

In the DRM system, the present invention adds an RI certificate authentication flow to the flows specified by the 2-pass and 1-pass RO request protocols and by the 2-pass join-domain protocol, and further adds a DRM Agent certificate validity authentication flow, thereby closing the security hole in the DRM system and completing the overall security system.

Brief description of the drawings
Figure 1 shows the existing 2-pass protocol flow, initiated by the mobile terminal, for requesting an RO from the RI;

Figure 2 shows the existing 1-pass protocol flow, initiated by the RI, for distributing an RO to the mobile terminal;

Figure 3 shows the existing 2-pass protocol flow, initiated by the mobile terminal, for requesting to join a domain;

Figure 4 shows an implementation according to the present invention of the flow, initiated by the mobile terminal, for requesting an RO from the RI, in which the RI asks the OCSP responder to verify the validity of the RI certificate before sending the RO to the mobile terminal;

Figure 5 shows an implementation according to the present invention of the flow, initiated by the RI, for distributing an RO to the mobile terminal, in which the RI asks the OCSP responder to verify the validity of the RI certificate before distributing the RO;

Figure 6 shows an implementation according to the present invention of the flow, initiated by the mobile terminal, for requesting to join a domain, in which the RI asks the OCSP responder to verify the validity of the RI certificate before sending the domain password to the mobile terminal;

Figure 7 is a schematic diagram of the main structure of a DRM system according to Embodiment 4.

Detailed description

The purpose of the method of the present invention is to improve, in a DRM system, the 2-pass protocol flow initiated by the mobile terminal to request an RO from the RI, the 1-pass flow initiated by the RI to distribute an RO to the mobile terminal, and the 2-pass join-domain flow initiated by the mobile terminal, by adding validity authentication of the RI certificate and/or the DRM Agent certificate to these three flows.

To achieve this, the present invention uses the OCSP authentication method and adds to each of the three flows a step in which the RI asks the OCSP responder to verify the validity of the RI certificate, so as to guarantee the legitimacy of the RI. Further, a step in which the RI asks the OCSP responder to verify the validity of the mobile terminal's DRM Agent certificate is added to guarantee the legitimacy of the mobile terminal, so that a complete certificate verification system is achieved in all three flows.
First, several concepts used in the method of the present invention are explained:

1. DRM Agent certificate

The DRM Agent certificate, also called the terminal certificate or end-user certificate, is the unique proof of the legitimate identity of the mobile terminal user. It includes a unique user private key, to which a public user public key corresponds.

2. RI certificate

The RI certificate is the unique proof of the legitimate identity of each RI. It includes a unique RI private key and a certificate identifier; the RI private key corresponds to a public RI public key.

3. OCSP responder certificate

The OCSP responder certificate is the proof of the legitimate identity of the OCSP responder. It includes a unique responder private key, to which a public responder public key corresponds.

4. OCSP authentication method

This is the method of authenticating the validity of an RI certificate by means of an OCSP responder. An RI certificate revocation list is maintained on the OCSP responder and updated promptly; it registers the identifiers of RI certificates that have been revoked and are therefore no longer valid. The OCSP responder queries the current RI certificate revocation list to verify the validity of an RI certificate.

5. Identity verification with digital signatures

A digital signature allows the receiver of information to authenticate the identity of the sender. For example, the sender generates a digital signature from its own private key and the complete information to be sent, and transmits the digital signature together with the information; the receiver decrypts the digital signature with the public key and obtains verification information from it. If the verification information is identical to the received information, the sender is legitimate and trustworthy.

The present invention is described in detail below by way of specific embodiments with reference to the accompanying drawings.

Embodiment 1:
如图 4所示, 实施例一以现有由移动终端发起的向 RI请求 RO的 2-pass 协议流程为基础, 增加了 RI请求 OCSP响应器验证 RI证书有效性的步驟: As shown in FIG. 4, the first embodiment adds the RI request OCSP responder to verify the validity of the RI certificate based on the existing 2-pass protocol flow initiated by the mobile terminal to the RO requesting the RO:
541、 DRM Agent向 RI发送 RO请求消息; 541. The DRM Agent sends an RO request message to the RI.
RO请求消息中携带了 DRM Agent证书、 移动终端用户选择的数字信息的 标识信息和使用方式, 以及 DRM Agent利用用户私钥和完整的 RO请求消息生 成的用户数字签名。  The RO request message carries the DRM Agent certificate, the identification information of the digital information selected by the mobile terminal user, and the usage mode, and the user digital signature generated by the DRM Agent using the user private key and the complete RO request message.
542、 RI向 OCSP响应器发送 OCSP请求( OCSP Request ) 消息请求验证 RI证书的有效性;  542. The RI sends an OCSP Request (OCSP Request) message to the OCSP responder to verify the validity of the RI certificate.
RI收到移动终端发送的 RO请求消息后, 先利用用户公钥和用户数字签名 验证终端身份是否合法, 正方法为: 利用用户公钥解密数字签名, 得到猃 证的完整消息, 并与实际接收到的消息进行比较, 如果不相同则认为该 RO请 求消息来自非法终端, 不予回复。 反之如果相同则认为 RO请求消息来自合法 终端, 然后向 OCSP响应器发送 OCSP请求消息, 该消息中携带了 RI证书和利 用 RI私钥和完整的 OCSP请求消息生成的 RI数字签名。  After receiving the RO request message sent by the mobile terminal, the RI first uses the user public key and the user digital signature to verify whether the identity of the terminal is legal. The positive method is: decrypting the digital signature by using the public key of the user, obtaining a complete message of the certificate, and receiving the complete message. The received messages are compared. If they are not the same, the RO request message is considered to be from an illegal terminal and will not be returned. On the other hand, if the same, the RO request message is considered to be from the legal terminal, and then an OCSP request message is sent to the OCSP responder, which carries the RI certificate and the RI digital signature generated by using the RI private key and the complete OCSP request message.
543、 OCSP响应器向 RI返回 OCSP认证响应 ( OCSP Response ) 消息; OCSP响应器仍然首先利用 RI公钥验证 RI数字签名, 来判断 RI的合法 性, 拒绝回复不合法的 RI, 对合法的 RI则再根据 RI证书撤销列表对该 RI证书 的有效性进行认证。 543. The OCSP responder returns an OCSP Response (OCSP Response) message to the RI; the OCSP responder still first uses the RI public key to verify the RI digital signature to determine the legality of the RI, and refuses to reply to an illegal RI. According to the RI certificate revocation list, the RI certificate The validity of the certification.
OCSP将认证结果写入 OCSP Response认证响应消息, 再利用响应器私钥 和完整的 OCSP认证响应消息生成 OCSP数字签名并写入该 OCSP认证响应消 息中, 然后将携带有认证结果和 OCSP数字签名的 OCSP认证响应消息发送给 RI。  The OCSP writes the authentication result into the OCSP Response authentication response message, and then generates the OCSP digital signature by using the responder private key and the complete OCSP authentication response message, and writes the OCSP authentication response message, and then carries the authentication result and the OCSP digital signature. The OCSP authentication response message is sent to the RI.
S44. The RI returns an RO response message to the DRM Agent of the mobile terminal;
After receiving the OCSP authentication response message, the RI completes the following operations:
1) generates the RO requested by the DRM Agent and writes it into the RO response message;
2) writes the OCSP authentication response message carrying the OCSP digital signature directly into the RO response message as a parameter;
3) generates a new RI digital signature with the RI private key over the complete RO response message, writes the RI digital signature into the RO response message, and then sends the RO response message to the DRM Agent.
After receiving the RO response message, the DRM Agent completes the following operations:
1) verifies the RI identity with the RI public key and the RI digital signature; if legitimate, continues, otherwise ends;
2) verifies the legitimacy of the OCSP responder identity with the responder public key and the OCSP digital signature; if legitimate, continues, otherwise ends;
3) judges whether the authentication result for the RI certificate is "valid"; if the certificate is valid, obtains the RO from the RO response message, otherwise ends.
From the above steps, the DRM Agent on the mobile terminal side allows the end user to use the downloaded digital information only after it has confirmed that the RO response message comes from a legitimate RI and that the authentication result stating that the RI certificate is valid comes from a legitimate OCSP responder, which guarantees the legitimacy and security of the source of the digital information.
Further, in step S42, the authentication request message that the RI sends to the OCSP responder may also carry the terminal certificate, requesting the OCSP responder to authenticate the DRM Agent certificate; likewise, the OCSP responder returns the authentication result for the DRM Agent certificate to the RI in the OCSP authentication response message, and the RI then decides, according to the authentication result for the DRM Agent certificate, whether to send the RO response message to that terminal.
Alternatively, before performing step S42, the RI first sends an authentication request message carrying the terminal certificate to the OCSP responder, requesting the OCSP responder to authenticate the DRM Agent certificate; the OCSP responder returns the authentication result for the DRM Agent certificate to the RI in the OCSP authentication response message, and if the authentication result for the DRM Agent certificate is "valid", the RI then performs step S42 to authenticate the RI certificate.
To implement the above authentication of the DRM Agent certificate, the OCSP responder side needs to establish a DRM Agent certificate revocation list and update it in a timely manner.
Embodiment 2
As shown in FIG. 5, Embodiment 2 is based on the existing 1-pass protocol flow in which the RI distributes an RO to the mobile terminal, with a step for verifying the validity of the RI added. Compared with Embodiment 1, the DRM Agent does not need to send an RO request message to the RI; the other steps are the same as in Embodiment 1, specifically:
S51. The RI sends an OCSP request message to the OCSP responder, requesting verification of the validity of the RI certificate;
The RI sends an OCSP request message to the OCSP responder; the message carries the RI certificate and an RI digital signature generated with the RI private key.
S52. The OCSP responder returns an OCSP Response authentication response message to the RI;
The OCSP responder first authenticates the legitimacy of the RI identity with the RI public key and the RI digital signature; if legitimate, it then judges the validity of the RI certificate against the RI certificate revocation list, otherwise it does not answer.
The OCSP responder writes the authentication result into the OCSP Response message, generates an OCSP digital signature with the responder private key and writes it into the OCSP authentication response message, and then sends the OCSP authentication response message, carrying the authentication result and the OCSP digital signature, to the RI.
S53. The RI sends an RO response message to the DRM Agent;
After receiving the OCSP authentication response message carrying the OCSP digital signature, the RI completes the following operations:
1) writes the RO to be distributed into the RO response message;
2) writes the OCSP authentication response message carrying the OCSP digital signature directly into the RO response message as a parameter;
3) writes the RI digital signature generated with the RI private key over the complete RO response message into the RO response message, and then sends the RO response message to the DRM Agent of the mobile terminal.
After receiving the RO response message, the DRM Agent completes the following operations:
1) verifies the RI identity with the RI public key and the RI digital signature; if legitimate, continues, otherwise ends;
2) verifies the legitimacy of the OCSP responder identity with the responder public key and the OCSP digital signature; if legitimate, continues, otherwise ends;
3) judges whether the authentication result for the RI certificate is "valid"; if the certificate is valid, obtains the distributed RO from the RO response message, otherwise ends.
In this embodiment, since the RI actively distributes the RO to the mobile terminal, there is no need to add a step for verifying whether the DRM Agent certificate is valid.
Embodiment 3
As shown in FIG. 6, Embodiment 3 is based on the existing 2-pass protocol flow in which the mobile terminal requests the RI to join a domain, with an RI certificate authentication step added, and specifically includes:
S61. The DRM Agent sends a join-domain request message to the RI;
The mobile terminal user selects the join-domain operation through the DRM Agent and enters the join-domain identifier as prompted; the DRM Agent then sends a join-domain request message to the RI. The request message carries the identification information of the mobile terminal user, the join-domain identifier, and a user digital signature generated with the user private key over the complete join-domain request message.
S62. The RI sends an OCSP request message to the OCSP responder, requesting verification of the validity of the RI certificate;
After receiving the join-domain request message sent by the mobile terminal, the RI verifies the legitimacy of the terminal user's identity with the user public key and the user digital signature and refuses to answer an illegitimate terminal. For a legitimate terminal user who passes verification, the RI checks, according to the identification information of the mobile terminal user, whether that user is a member of the corresponding join-domain; if so, it marks the member as a member that has successfully joined the domain, and then sends an OCSP request message to the OCSP responder; the message carries the RI certificate and the generated RI digital signature.
S63. The OCSP responder returns an OCSP Response authentication response message to the RI;
The OCSP responder first verifies that the RI is legitimate with the RI public key and the RI digital signature, then judges the validity of the RI certificate against the RI certificate list, writes the authentication result into the OCSP authentication response message, applies the OCSP digital signature to the OCSP authentication response message and sends it to the RI;
S64. The RI returns a join-domain response message to the DRM Agent of the mobile terminal;
After receiving the authentication response message carrying the third digital signature, the RI completes the following operations:
1) writes the domain key into the join-domain response message;
2) writes the OCSP authentication response message carrying the OCSP digital signature directly into the join-domain response message as a parameter;
3) generates a new RI digital signature with the RI private key over the join-domain response message, writes it into the join-domain response message, and then sends the join-domain response message to the DRM Agent.
After receiving the join-domain response message, the DRM Agent completes the following operations:
1) verifies the RI identity with the RI public key and the RI digital signature; if legitimate, continues, otherwise ends;
2) verifies the legitimacy of the OCSP responder identity with the responder public key and the OCSP digital signature; if legitimate, continues, otherwise ends;
3) judges whether the authentication result for the RI certificate is "valid"; if the certificate is valid, obtains the domain key from the RO response message, otherwise ends.
Thus, the DRM Agent obtains the domain key from the RO response message only when it has confirmed that the authentication result stating that the RI certificate is valid comes from a legitimate OCSP responder, which guarantees the legitimacy and security of the source of the domain key.
After receiving the domain key, the DRM Agent initiates a 2-pass protocol flow to obtain the corresponding join-domain RO from the RI, which specifically includes the following steps:
S65. The DRM Agent sends an RO request message to the RI; the request message carries the domain identifier;
S66. The RI returns an RO response message to the DRM Agent of the mobile terminal;
The RI judges whether the mobile terminal user has already been marked as a joined member of the corresponding domain. If so, the RO response message carries the join-domain RO encrypted with the domain key; after receiving the RO, the DRM Agent decrypts it with the domain key to obtain the join-domain RO, which is used to control the user's use of the digital information. If the RI judges that the mobile terminal user has not yet successfully joined, the RO response message carries rejection information.
The above steps S65 and S66 use the existing 2-pass protocol flow. To further increase security, Embodiment 1 of the present invention may also be used to add, once again, the step of verifying the validity of the RI certificate and/or the DRM Agent certificate; the specific implementation details are the same as in Embodiment 1 and are not repeated here.

For a DRM system, the present invention adds an RI certificate authentication flow to the flows specified by the 2-pass and 1-pass protocols for requesting an RO and by the 2-pass protocol for joining a domain, thereby completing certificate validity authentication and eliminating a security weakness of the DRM system; it further adds a DRM Agent certificate validity authentication flow, perfecting the whole security system.
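The following Python script is an added illustration, not code from the patent or from Huawei, of the message flow shared by Embodiments 1 to 3: the RI's signed OCSP request, the responder's signed status result, the RI response that embeds the entire signed OCSP response and is itself signed over everything, and the DRM Agent's three checks before it releases the RO or the domain key. It also exercises the "further" variant of Embodiment 1 in which the OCSP request carries the DRM Agent certificate, and a case where a "valid" status is pasted over the responder's signed "revoked" answer, which the second agent check catches. The toy RSA signer (fixed, public primes, unpadded hash), the certificate identifiers and the sample RO are my own constructions; a real deployment uses X.509 certificates and standard RSA or ECDSA signatures.

```python
import hashlib
import json

# Toy RSA with fixed, known primes and textbook (unpadded) hashing. It stands
# in for the real RI / OCSP-responder / DRM-Agent signature algorithms so the
# protocol structure can be exercised offline; it is NOT secure.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public key, private key)

def canonical(msg: dict) -> bytes:
    """The 'complete message' that gets signed: every field except its own
    signature, serialized deterministically (nested signatures stay inside)."""
    return json.dumps({k: v for k, v in msg.items() if k != "sig"},
                      sort_keys=True).encode()

def _digest(msg: dict, n: int) -> int:
    return int.from_bytes(hashlib.sha256(canonical(msg)).digest(), "big") % n

def sign(priv, msg: dict) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg: dict) -> bool:
    n, e = pub
    return pow(msg.get("sig", 0), e, n) == _digest(msg, n)

# S42 / S51 / S62: the RI asks the OCSP responder about its own certificate,
# optionally also about the DRM Agent certificate (Embodiment 1, "further").
def ri_build_ocsp_request(ri_cert, ri_priv, agent_cert=None):
    req = {"certs": [ri_cert] + ([agent_cert] if agent_cert else [])}
    req["sig"] = sign(ri_priv, req)
    return req

# S43 / S52 / S63: the responder refuses an RI whose signature fails, otherwise
# looks each certificate up in its revocation list and signs the whole result.
def ocsp_handle_request(req, ri_pub, crl, ocsp_priv):
    if not verify(ri_pub, req):
        return None                                # illegitimate RI: no reply
    resp = {"status": {c: "revoked" if c in crl else "good" for c in req["certs"]}}
    resp["sig"] = sign(ocsp_priv, resp)
    return resp

# S44 / S53 / S64: the RI embeds the entire signed OCSP response next to the
# payload (RO or domain key) and signs over everything. When the agent
# certificate was checked as well, a revoked agent gets no response at all.
def ri_build_response(field, payload, ocsp_resp, ri_priv, agent_cert=None):
    if ocsp_resp is None:
        return None
    if agent_cert and ocsp_resp["status"].get(agent_cert) != "good":
        return None
    msg = {field: payload, "ocsp_response": ocsp_resp}
    msg["sig"] = sign(ri_priv, msg)
    return msg

# DRM Agent side: the three checks of the patent, in order, before the payload
# (RO or domain key) is released to the user.
def agent_accept(msg, field, ri_cert, ri_pub, ocsp_pub):
    if msg is None or not verify(ri_pub, msg):     # 1) RI identity
        return None
    ocsp_resp = msg["ocsp_response"]
    if not verify(ocsp_pub, ocsp_resp):            # 2) OCSP responder identity
        return None
    if ocsp_resp["status"].get(ri_cert) != "good": # 3) RI certificate valid
        return None
    return msg[field]

# Constructed sample keys and certificate identifiers (not real certificates).
RI_PUB, RI_PRIV = make_keypair(1000000007, 998244353)
OCSP_PUB, OCSP_PRIV = make_keypair(1000000009, 1000000021)
RI_CERT, AGENT_CERT = "ri-cert-serial-0001", "agent-cert-serial-0042"
SAMPLE_RO = {"content": "song.dcf", "play": 3}
SAMPLE_DOMAIN_KEY = "domain-key-constructed-abc123"

def run_ro_flow(crl, agent_cert=None, tamper=False):
    """Embodiments 1/2 end to end: returns the RO the agent accepts, or None.
    tamper=True simulates a 'good' status pasted over the responder's signed
    'revoked' answer before the RI forwards it."""
    req = ri_build_ocsp_request(RI_CERT, RI_PRIV, agent_cert)
    ocsp_resp = ocsp_handle_request(req, RI_PUB, crl, OCSP_PRIV)
    if ocsp_resp is not None and tamper:
        ocsp_resp = dict(ocsp_resp, status={RI_CERT: "good"})
    msg = ri_build_response("ro", SAMPLE_RO, ocsp_resp, RI_PRIV, agent_cert)
    return agent_accept(msg, "ro", RI_CERT, RI_PUB, OCSP_PUB)

def run_join_domain_flow(crl):
    """Embodiment 3 (S62 to S64): same pattern, the payload is the domain key."""
    req = ri_build_ocsp_request(RI_CERT, RI_PRIV)
    ocsp_resp = ocsp_handle_request(req, RI_PUB, crl, OCSP_PRIV)
    msg = ri_build_response("domain_key", SAMPLE_DOMAIN_KEY, ocsp_resp, RI_PRIV)
    return agent_accept(msg, "domain_key", RI_CERT, RI_PUB, OCSP_PUB)

if __name__ == "__main__":
    print("valid RI cert      ->", run_ro_flow(set()))
    print("revoked RI cert    ->", run_ro_flow({RI_CERT}))
    print("tampered OCSP resp ->", run_ro_flow({RI_CERT}, tamper=True))
    print("join domain        ->", run_join_domain_flow(set()))
```

The design point the patent makes is visible in agent_accept: the agent does not trust the RI's word that its certificate is valid, it checks the responder's own signature over the embedded status, so neither the RI nor an on-path party can upgrade "revoked" to "good" without the responder's private key.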
Embodiment 4
To implement the method of the present invention, the present invention also discloses a DRM system. As shown in FIG. 7, the existing DRM system in the field of mobile communication includes: a rights agent server (DRM Agent) 101 provided on the mobile terminal 100, an RI server 200 connected to the DRM Agent 101 through the mobile communication network, and an OCSP responder 300 connected to the RI server 200 through the mobile communication network; wherein: the DRM Agent 101 includes an agent (Agent) interface module 1011 for sending and receiving messages and an agent (Agent) control module 1013; the RI server 200 includes an RI interface module 201 for sending and receiving messages and an RI control module 203; the OCSP responder 300 includes an OCSP interface module 301 for sending and receiving messages and an OCSP authentication module 303;
To implement the method of the present invention, a security module for generating digital signatures or verifying digital signatures needs to be provided on each of the DRM Agent 101, the RI server 200 and the OCSP responder 300. The security module stores the private key used to produce the digital signature and the corresponding public key used to verify it; when the interface module sends a message, the security module generates a digital signature for the message and hands it to the interface module for sending; when the interface module receives a message, the security module is responsible for verifying the legitimacy of the RI and/or OCSP responder identity, so as to guarantee the reliability and security of the message source. They are described separately as follows:
The Agent security module 1012 of the DRM Agent 101 is connected between the Agent interface module 1011 and the Agent control module 1013. The Agent control module 1013 passes a message to be sent to the RI server 200 to the Agent security module 1012 for digital signing, after which it is sent through the Agent interface module 1011; or the Agent interface module 1011 passes a digitally signed message received from the RI server 200 to the Agent security module 1012, and after the Agent security module 1012 has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the Agent control module 1013 for processing. The Agent control module 1013 is connected to the display module 102 of the mobile terminal 100 for displaying the operation interface. The RI security module 202 of the RI server 200 is connected between the RI interface module 201 and the RI control module 203. The RI control module 203 passes a message to be sent to the RI server 200 or the OCSP responder 300 to the RI security module 202 for digital signing, after which it is sent through the RI interface module 201; or the RI interface module 201 passes a digitally signed message received from the RI server 200 or the OCSP responder 300 to the RI security module 202, and after the RI security module has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the RI control module 203 for processing;
The OCSP security module 302 of the OCSP responder 300 is connected between the OCSP interface module 301 and the OCSP authentication module 303. The OCSP control module passes a message to be sent to the RI server 200 to the OCSP security module 302 for digital signing, after which it is sent through the OCSP interface module 301; or the OCSP interface module 301 passes a digitally signed message received from the RI server 200 to the OCSP security module 302, and after the OCSP security module has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the OCSP control module for processing. The OCSP authentication module 303 further includes an RI certificate revocation list 3031 and a DRM Agent certificate revocation list 3032 used for authentication.
The specific implementation details are described in detail in Embodiment 1, Embodiment 2 and Embodiment 3 and are not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these changes and modifications.

Claims

1. A method for a mobile terminal to obtain a rights object, characterized in that it comprises the following steps: before the rights issuer (RI) sends a rights object (RO) to the rights agent module (DRM Agent), the RI sends an authentication request message including the RI certificate to an online certificate status query (OCSP) responder;
the OCSP responder returns to the RI an authentication response message including the RI certificate validity authentication result and an OCSP responder digital signature;
the RI sends to the DRM Agent an RO response message including the RO object and carrying the whole of said authentication response message;
the DRM Agent receives said RO response message, confirms from the OCSP responder digital signature that the OCSP responder is legitimate, and, after confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said RO object.
2. The method according to claim 1, characterized in that the RI sends the authentication request message including the RI certificate to the OCSP responder after receiving an RO request message including the DRM Agent certificate sent by the DRM Agent.
3. The method according to claim 2, characterized in that
said authentication request message also includes said DRM Agent certificate;
said authentication response message also includes a validity authentication result for said DRM Agent certificate; and
the RI sends said RO response message only after confirming from the validity authentication result for said DRM Agent certificate that the DRM Agent certificate is valid.
4. The method according to claim 2, characterized in that, after receiving the RO request message including the DRM Agent certificate sent by the DRM Agent, the RI first sends an authentication request message including the DRM Agent certificate to the OCSP responder;
the OCSP responder returns to the RI an authentication response message including the DRM Agent certificate validity authentication result; and the RI, after confirming from said DRM Agent certificate validity authentication result that the terminal is legitimate, sends the authentication request message including the RI certificate to the OCSP responder.
5. The method according to claim 3 or 4, characterized in that, for each message exchanged between the DRM Agent and the RI and/or between the RI and the OCSP responder, the sender generates a sender digital signature and writes it into said message, which is sent to the receiver; the receiver verifies from said sender digital signature that the sender is legitimate before performing subsequent processing.
6. A method for a mobile terminal user to join a domain, characterized in that it comprises the following steps: the DRM Agent of the mobile terminal sends to the RI a join-domain request message including the mobile terminal user identifier and the join-domain identifier;
after confirming from said user identifier and join-domain identifier that the user is a member of the join-domain, the RI sends an authentication request message including the RI certificate to the OCSP responder, and marks the user as a joined member;
the OCSP responder returns to the RI an authentication response message including the RI certificate validity authentication result and an OCSP responder digital signature;
the RI sends to the DRM Agent a join-domain response message including the domain key of said join-domain and carrying the whole of said authentication response message;
the DRM Agent receives said join-domain response message, confirms from the OCSP responder digital signature that the OCSP responder is legitimate, and, after confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said domain key.
7. The method according to claim 6, characterized in that said join-domain request message also includes said DRM Agent certificate.
8. The method according to claim 7, characterized in that
said authentication response message also includes a validity authentication result for said DRM Agent certificate; and
the RI sends said join-domain response message only after confirming from the validity authentication result for said DRM Agent certificate that the DRM Agent certificate is valid.
9. The method according to claim 7, characterized in that, after receiving the join-domain request message from the mobile terminal, the RI first sends an authentication request message including the DRM Agent certificate to the OCSP responder;
the OCSP responder returns to the RI an authentication response message including the DRM Agent certificate validity authentication result;
the RI, after confirming from said DRM Agent certificate validity authentication result that the DRM Agent is legitimate, sends the authentication request message including the RI certificate to the OCSP responder.
10. The method according to claim 7, 8 or 9, characterized in that, after obtaining said domain key, the DRM Agent sends to the RI a join-domain RO request message including the domain identifier and the user identifier;
after confirming that the user is a joined member, the RI returns a join-domain RO response message to the DRM Agent, the join-domain RO response message including the join-domain RO encrypted with the domain key;
the DRM Agent receives said join-domain RO response message, obtains said join-domain RO and decrypts it with said domain key.
11. The method according to claim 7, 8 or 9, characterized in that, after obtaining said domain key, the DRM Agent sends to the RI a join-domain RO request message including the domain identifier, the user identifier and the DRM Agent certificate;
after confirming that the user is a joined member, the RI sends an authentication request message including the RI certificate to the OCSP responder;
the OCSP responder returns to the RI an authentication response message including the validity authentication result for the RI certificate and the OCSP responder digital signature;
the RI returns a join-domain RO response message to the DRM Agent, the RO response message including the join-domain RO encrypted with the domain key and carrying said authentication response message in full;
the DRM Agent receives said join-domain RO response message, confirms from the OCSP responder digital signature that the OCSP responder is legitimate, and, after confirming from said RI certificate validity authentication result that the RI certificate is valid, obtains said join-domain RO and decrypts it with said domain key.
12. The method according to claim 11, characterized in that
said authentication request message also includes said DRM Agent certificate;
said authentication response message also includes a validity authentication result for said DRM Agent certificate; and
the RI sends said RO response message only after confirming from the validity authentication result for said DRM Agent certificate that the DRM Agent certificate is valid.
13. The method according to claim 11, characterized in that, after receiving the join-domain RO request message from the DRM Agent, the RI first sends an authentication request message including the DRM Agent certificate to the OCSP responder;
the OCSP responder returns to the RI an authentication response message including the DRM Agent certificate validity authentication result;
the RI, after confirming from said DRM Agent certificate validity authentication result that the terminal is legitimate, sends the authentication request message including the RI certificate to the OCSP responder.
14. The method according to claim 12 or 13, characterized in that, for each message exchanged between the DRM Agent and the RI and between the RI and the OCSP responder, the sender generates a sender digital signature and writes it into said message, which is sent to the receiver; the receiver verifies from said sender digital signature that the sender is legitimate before performing subsequent processing.
15、 一种数字信息版权管理系统, 包括设置在移动终端上的版权代理 ( DRM Agent )服务器、 通过移动通信网络连接所述 DRM Agent服务器的 15. A digital information copyright management system, comprising a copyright agent (DRM Agent) server disposed on a mobile terminal, connected to the DRM Agent server by a mobile communication network
RI服务器和通过移动通信网络连接所述 RI服务器的 OCSP响应器; 其特征 在于, An RI server and an OCSP responder that connects the RI server through a mobile communication network;
所述 DRM Agent包括代理安全模块, 用于为发送给所述 R1服务器的消 息进行数字签名; 或者, 验证来自所述 RI服务器并带有数字签名的消息的 合法性;  The DRM Agent includes a proxy security module for digitally signing a message sent to the R1 server; or verifying the legitimacy of a message with the digital signature from the RI server;
the RI server comprises an RI security module for digitally signing messages sent to the DRM Agent server or the OCSP responder, or for verifying the legitimacy of digitally signed messages received from the DRM Agent server or the OCSP responder;
the OCSP responder comprises an OCSP security module for digitally signing messages sent to the RI server, or for verifying the legitimacy of digitally signed messages received from the RI server.
16. The system according to claim 15, wherein the DRM Agent further comprises an agent interface module for sending and receiving messages and an agent control module for performing digital rights management, each connected to the agent security module; the agent control module passes a message to be sent to the RI server to the agent security module for digital signing and then sends it through the agent interface module; or, the agent interface module passes a digitally signed message received from the RI server to the agent security module, and after the agent security module has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the agent control module for processing; and/or the RI server further comprises an RI interface module for sending and receiving messages and an RI control module for performing RO or join-domain management, each connected to the RI security module; the RI control module passes a message to be sent to the RI server or the OCSP responder to the RI security module for digital signing and then sends it through the RI interface module; or, the RI interface module passes a digitally signed message received from the RI server or the OCSP responder to the RI security module, and after the RI security module has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the RI control module for processing; and/or
the OCSP responder further comprises an OCSP interface module for sending and receiving messages and an OCSP authentication module for verifying the validity of the RI certificate and/or the DRM Agent certificate, each connected to the OCSP security module; the OCSP control module passes a message to be sent to the RI server to the OCSP security module for digital signing and then sends it through the OCSP interface module; or, the OCSP interface module passes a digitally signed message received from the RI server to the OCSP security module, and after the OCSP security module has confirmed from the digital signature that the identity of the signer is legitimate, the message is passed to the OCSP control module for processing.
17. The system according to claim 16, wherein the OCSP authentication module further comprises an RI certificate revocation list and/or a DRM Agent certificate revocation list used for authentication.
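As an added illustration of the signing and revocation checks claimed above (example code written for this page, not taken from the patent or from any Huawei implementation), the following Go program models the outbound and inbound steps of claim 16 and the revocation lists of claim 17; the Ed25519 key pairs, the name-keyed revocation maps and the message body are constructed stand-ins for certificates and protocol messages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal stands in for a DRM Agent, RI server or OCSP responder; its
// certificate is reduced to a name plus a constructed Ed25519 key pair.
type Principal struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPrincipal(name string) *Principal {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Principal{Name: name, Pub: pub, priv: priv}
}
// Sign is the outbound step of claim 16: the security module signs the message before the interface module sends it.
func (p *Principal) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }
// OCSPResponder holds the RI and DRM Agent certificate revocation lists of claim 17, keyed by certificate name.
type OCSPResponder struct{ RevokedRI, RevokedAgent map[string]bool }
// Check reports whether the named RI or DRM Agent certificate is still valid.
func (o *OCSPResponder) Check(name string, isRI bool) bool {
	if isRI {
		return !o.RevokedRI[name]
	}
	return !o.RevokedAgent[name]
}

// Accept is the inbound step of claim 16: verify the signature with the sender's key, ask the
// OCSP responder whether the sender's certificate is revoked, and only then release the message.
func Accept(sender *Principal, msg, sig []byte, ocsp *OCSPResponder, isRI bool) ([]byte, error) {
	if !ed25519.Verify(sender.Pub, msg, sig) {
		return nil, errors.New("signature check failed")
	}
	if !ocsp.Check(sender.Name, isRI) {
		return nil, errors.New("sender certificate revoked")
	}
	return msg, nil
}

func main() {
	agent, ocsp := NewPrincipal("agent-1"), &OCSPResponder{map[string]bool{}, map[string]bool{"agent-2": true}}
	msg := []byte("JoinDomainRequest") // constructed message body
	fmt.Println(Accept(agent, msg, agent.Sign(msg), ocsp, false))
}
```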
PCT/CN2006/001343 2005-08-12 2006-06-15 A method and a system for a mobile terminal joining in a domain and obtaining a rights object WO2007019760A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2005100902961A CN100337175C (en) 2005-08-12 2005-08-12 Method and system of adding region and obtaining authority object of mobile terminal
CN200510090296.1 2005-08-12

Publications (1)

Publication Number Publication Date
WO2007019760A1 true WO2007019760A1 (en) 2007-02-22

Family

ID=36805628

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001343 WO2007019760A1 (en) 2005-08-12 2006-06-15 A method and a system for a mobile terminal joining in a domain and obtaining a rights object

Country Status (2)

Country Link
CN (1) CN100337175C (en)
WO (1) WO2007019760A1 (en)

Also Published As

Publication number Publication date
CN100337175C (en) 2007-09-12
CN1794128A (en) 2006-06-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 06742175
    Country of ref document: EP
    Kind code of ref document: A1