Method of verifying identity of subscriber terminal

FIELD: physics; computer engineering.

SUBSTANCE: the present invention relates to digital television (DTV), in particular to a method of verifying the identity of a subscriber terminal in a DTV network. The method of performing an authentication procedure for at least one subscriber terminal comprises the following stages: reading, by the set-top box (STB) of the subscriber terminal, the key validity period from the key information stored in the subscriber identity module of the subscriber terminal when the set-top box starts; initiating, by the STB, transmission of an authentication request to the central station if the key validity period has expired, and performing authentication by the central station in accordance with the authentication request; determining, by the central station, whether authentication has succeeded, and if so, returning a response message indicating successful authentication and containing new key information, otherwise returning a response message indicating failed authentication; updating, by the STB, the key information when the response message indicating successful authentication is received.

EFFECT: reduced congestion of a network or authentication server.

18 cl, 8 dwg


The technical field to which the invention relates

The present invention relates to the field of digital television (DTV), in particular to a method of authenticating a subscriber terminal in a DTV network.

Prior art

A DTV network includes a DTV central station (hereinafter simply the "Central station") and a number of subscriber terminals. The Central station transmits encrypted DTV programmes by broadcast over the network to each subscriber terminal, which receives the signal with a set-top box (STB), decrypts the DTV programme using the key held in the subscriber identity module that forms part of the subscriber terminal, and finally plays the programme on the television set. The most common subscriber identity module is a smart card, into which the key information is written when the subscriber purchases it.

A conventional DTV network is a unidirectional network. However, as DTV services grow, DTV networks tend to become bidirectional in order to support interactive services. This is the basic model of a DTV network with interactive functions, as defined in the Digital Video Broadcasting (DVB) standard.

Figure 1 is a schematic diagram illustrating the basic model of a DTV network with interactive functions as defined by the DVB standard. The Central station 1 includes a broadcast service module 11 for DTV programme data and an interactive service module 12 for establishing bidirectional communication between the subscriber terminal 2 and the Central station 1. The set-top box 21 (STB) of the subscriber terminal 2 includes a broadcast interface 211 for receiving DTV programme data and an interactive interface 212 for establishing bidirectional communication between the subscriber terminal 2 and the Central station 1.

The broadcast service module 11 transmits encrypted DTV programmes by broadcast over the broadcast network 3; these signals are then received through the broadcast interface 211 of the set-top box 21 (STB) so that the subscriber can view the DTV programmes. The broadcast network 3 includes a channel for transmitting and receiving DTV programmes (the "television broadcast channel"). The television broadcast channel provides unidirectional data transmission from the Central station 1 to each subscriber terminal 2, and it is the channel provided in a unidirectional DTV network.

The interactive service module 12 is connected to the set-top box 21 (STB) of the subscriber terminal over the interactive network 4, establishing a bidirectional interactive channel between the Central station 1 and each subscriber terminal 2. The bidirectional interactive channel comprises a return interactive channel and a forward interactive channel. The return interactive channel is the channel from the subscriber terminal 2 to the Central station 1, over which the subscriber sends requests or returns responses. The forward interactive channel is the channel from the Central station 1 to the subscriber terminal 2, over which the station transfers data or responds to subscriber requests. The forward interactive channel may be embedded in the broadcast network 3. In effect, a bidirectional interactive DTV network is created by adding a bidirectional interactive channel to a broadcast DTV network.

Whether the DTV network is unidirectional, or bidirectional and developed on the basis of a unidirectional DTV network, the operator's revenue model differs from that of the traditional analogue television era. The operator now profits mainly from subscribers viewing DTV programmes rather than from television advertising and network service fees. A conditional access system (CAS) is therefore introduced into the DTV network to ensure that programmes can be viewed only by legitimate subscribers.

In the prior art this was implemented by issuing a subscriber identity module (for example, a smart card) to each legitimate subscriber. When the smart card is inserted, the set-top box 21 (STB) reads the key from it and then decrypts and decodes the encrypted DTV programmes for display, so that programmes can be viewed only by legitimate subscribers. However, DTV piracy by the traditional method of physically cloning a subscriber terminal's smart card remains possible. Because the Central station 1 receives no online information about subscribers, such illegal subscribers can share one subscriber's account without being detected, which leads to financial losses for the operator.

To provide the Central station with online information about subscribers, the present Applicant filed with the Patent Office of China a patent application entitled "SYSTEM AND METHOD FOR ACQUIRING ON-LINE INFORMATION OF SUBSCRIBERS IN A DIGITAL TELEVISION NETWORK".

Figure 2 is a structural schematic diagram illustrating the DTV network elements according to the above-mentioned patent application. The DTV network is developed on the basis of a unidirectional DTV network in accordance with the DVB standard. It includes the Central station 1 and multiple subscriber terminals 2. Each subscriber terminal 2 includes a set-top box 21 (STB) and a subscriber identity module 22. A bidirectional communication module 214 is added to the set-top box 21 (STB), and the Central station 1 is provided with an authentication server 13 connected to the subscriber management module 14 located in the Central station 1. The Central station 1 and the subscriber terminal 2 establish bidirectional interactive communication over the interactive network 4.

The set-top box 21 (STB) performs the following operations. When the set-top box 21 (STB) starts, in addition to performing its usual functions such as tuning, demodulation, TS demultiplexing, decryption and decoding, it reads the unique subscriber identifier (ID) from the subscriber identity module 22 and initiates transmission of an authentication request to the Central station 1 through the bidirectional communication module 214; it then receives the response message from the Central station 1, and if the response message indicates successful authentication, the set-top box 21 (STB) continues with its usual functions such as tuning and demultiplexing, otherwise the DTV programme is not made available for viewing. Furthermore, on shutdown the set-top box 21 (STB) sends a disconnect (offline status) message to the Central station 1 through the bidirectional communication module 214.

The bidirectional communication module 214 handles communication over the forward and return interactive channels and mainly performs the following steps: (1) actively initiating a connection with the authentication server 13 of the Central station 1; (2) receiving the return data from the set-top box 21 (STB) and forwarding it to the authentication server 13 of the Central station 1; (3) receiving data from the authentication server 13 of the Central station 1 and forwarding it to the set-top box 21 (STB).

The subscriber identity module 22, connected to the set-top box 21 (STB), stores the unique subscriber identifier (ID) and the key for decrypting DTV programme data, and records information about the programme currently being viewed. The subscriber identity module in current use is the traditional smart card.

The authentication server 13 receives the return data of subscribers and performs the subscriber authentication functions, which include the following steps: (1) acting as a server, receiving the return data of each subscriber from each subscriber terminal acting as a client; (2) reading the subscriber identifier (ID) records from the subscriber management system (SMS) of the Central station; (3) maintaining the online information of each set-top box (STB) according to the identifier (ID) information reported by subscribers at start-up and shutdown; (4) performing subscriber authentication.

The method of obtaining online information about subscribers in a DTV network is set out below for the DTV network disclosed above (with reference to Figures 3 to 6). The method includes a process of transmitting an authentication request by the set-top box (STB), a process of handling the authentication request by the Central station, a process of transmitting a subscriber disconnect request by the set-top box (STB), and a process of handling the subscriber disconnect request by the Central station.

(I) Process of transmitting the authentication request by the set-top box (STB) (with reference to Figure 3).

When the set-top box (STB) starts, it reads the unique subscriber identifier (ID) from the subscriber identity module 22, initiates transmission of an authentication request containing the unique subscriber identifier (ID) to the Central station 1 through the bidirectional communication module 214, and waits for a response message from the Central station 1. Only if the received response message indicates successful authentication can the set-top box 21 (STB) receive DTV programme data.

(II) Process of handling the authentication request by the Central station 1 (with reference to Figure 4).

When the authentication server 13 of the Central station 1 receives a subscriber authentication request, it reads the unique subscriber identifier (ID) from it and performs authentication. If authentication succeeds, the subscriber is set to the online status (connected to the network) and the authentication server 13 returns a message indicating successful authentication. Otherwise the subscriber is illegal, and the authentication server 13 returns a response message indicating failed authentication to the subscriber terminal.

(III) Process of transmitting the subscriber disconnect request by the set-top box (STB) (with reference to Figure 5).

On shutdown of the subscriber terminal, the set-top box (STB) reads the unique subscriber identifier (ID) and sends a subscriber disconnect message to the Central station, after which the subscriber terminal shuts down.

(IV) Process of handling the subscriber disconnect request by the Central station (with reference to Figure 6).

When the Central station receives a subscriber disconnect request, it looks the subscriber up among the online subscribers and removes the subscriber from the list of online subscribers.

In the above method the operator's financial losses are reduced, because the Central station receives the online status of subscribers in time, and using the online information about subscribers reduces illegal access to the DTV network.

However, if a large number of subscribers initiate subscriber identifier (ID) authentication simultaneously within a relatively short period of time, the interactive network or the authentication server becomes overloaded in terms of throughput. In particular, as the number of subscribers keeps growing and networks are adapted to large numbers of subscribers, the problem of authenticating the identifiers (ID) of a large number of subscribers who start up simultaneously within a short time must be addressed.

The Invention

Some embodiments of the present invention provide a method of authenticating a subscriber terminal that resolves the technical problem of the prior art, namely network congestion or overload of the authentication server caused by authenticating the identifiers (ID) of a large number of subscribers that start up simultaneously while the Central station obtains online information about subscribers.

Embodiments of the present invention provide the following technical solution.

The method of performing authentication of a subscriber terminal includes the steps of:

reading, by the set-top box (STB) of the subscriber terminal, the key validity period from the key information stored in the subscriber identity module that forms part of the subscriber terminal, when the set-top box (STB) starts;

initiating, by the set-top box (STB), transmission of an authentication request to the Central station when the above validity period has expired, and performing authentication, by the Central station, in accordance with the authentication request;

determining, by the Central station, whether authentication has succeeded, and if so, returning a response message indicating successful authentication that includes the new key information, otherwise returning a response message indicating failed authentication;

updating, by the set-top box (STB), the key information upon receiving the response message indicating successful authentication.

The method also includes the step of setting the subscriber terminal to the online status after successful authentication.

The method also includes the step of: if the validity period has not expired, determining whether the remaining time of the above validity period is below a threshold value, and if the remaining time of the above validity period is below the threshold value, initiating transmission of the authentication request to the Central station by the set-top box (STB), otherwise ending the procedure.

The method also includes the step of waiting for a random time before initiating the authentication request to the Central station.

The process of determining whether authentication has succeeded includes the step of determining whether the unique identifier (ID) of the subscriber terminal in the authentication request is legal.

The method also includes the step of: after successful authentication, determining whether the subscriber terminal is in the online status, and if the subscriber terminal is in the online status, returning a response message indicating successful authentication that includes the new key information.

The method also includes the steps of: determining sequentially, by the Central station, whether the key validity period of each subscriber terminal has expired, and if the validity period of a subscriber terminal has expired, sending a subscriber roll-call authentication message to that subscriber terminal, otherwise ending the procedure; transmitting, by the Central station, the updated key information to the subscriber terminal and setting the subscriber terminal to the online status if the response message from the subscriber terminal is received within a specified period of time; and updating, by the subscriber terminal, the key information.

The method also includes the step of: if the validity period has not expired, determining whether the remaining time of the above validity period is below a threshold value, and if the remaining time of the above validity period is below the threshold value, sending the subscriber roll-call authentication message to the subscriber terminal, otherwise ending the procedure.

The method also includes the step of: if the validity period of a subscriber terminal has expired, determining whether the subscriber terminal is in the online status, and if the subscriber terminal is in the online status, determining whether the time the subscriber terminal has spent in the online status exceeds a preset maximum online time, and if the time in the online status exceeds the preset maximum online time, sending the subscriber roll-call authentication message to the subscriber terminal, otherwise ending the procedure.

The method also includes the steps of: receiving, by the subscriber terminal, the subscriber roll-call authentication message and returning a response message that includes the unique identifier (ID) of the subscriber terminal.

The method also includes the steps of: transmitting, by the set-top box (STB), a disconnect authentication request when the set-top box (STB) is shut down; receiving, by the Central station, the disconnect authentication request, and if authentication succeeds, setting the subscriber terminal to the offline status.

Another embodiment of the present invention provides a system for authenticating a subscriber terminal in a digital television (DTV) network, the system including:

at least one subscriber terminal, each including a set-top box (STB) and a subscriber identity module for storing key information for decrypting DTV programme data, the key information including the key and its validity period; and

a Central station for transmitting encrypted DTV programme data to each subscriber terminal;

wherein the set-top box (STB) is configured to read the key validity period from the subscriber identity module when the set-top box (STB) starts, to initiate transmission of an authentication request to the Central station if the validity period has expired, and to update the key information upon receiving from the Central station a response message indicating successful authentication that includes the new key information; and

wherein the Central station is configured to perform authentication according to the authentication request initiated by the set-top box (STB) and to determine whether authentication has succeeded, returning a response message indicating successful authentication if it has, and a response message indicating failed authentication otherwise.

A further embodiment of the present invention provides a subscriber terminal, including:

a subscriber identity module configured to store key information for decrypting encrypted digital television (DTV) data, the key information including the key and its validity period; and

a set-top box (STB) configured to read the key validity period from the subscriber identity module when the set-top box (STB) starts, to initiate transmission of an authentication request to the Central station if the validity period has expired, and to update the key information upon receiving from the Central station a response message indicating successful authentication that includes the new key information.

A further embodiment of the present invention provides a Central station configured to perform authentication according to the authentication request initiated by the set-top box (STB) of a subscriber terminal and to determine whether authentication has succeeded; if authentication succeeds, a response message indicating successful authentication is returned that includes the new key information, the new key information including the new key and the validity period of the new key; if authentication fails, a response message indicating failed authentication is returned.

Compared with the prior art, some embodiments of the present invention have the following advantages. An authentication request is initiated only if the key validity period has expired or the remaining time of the validity period is below the threshold value; the prior-art process, in which every subscriber terminal must initiate transmission of an authentication request at start-up, is thereby avoided, and the probability of network congestion or overload of the authentication server is reduced. In addition, some embodiments of the present invention add a procedure in which the Central station initiates a second authentication, allowing the Central station to obtain online information about subscribers in time and reducing illegal access to the DTV network.

List of figures

Figure 1 is a schematic diagram illustrating the basic model of a DTV network with interactive functions as defined by the DVB standard, according to the prior art;

Figure 2 is a structural schematic diagram illustrating the principle of a DTV network with interactive functions according to the prior art;

Figure 3 is a flow chart illustrating the process of transmitting the authentication request by the set-top box (STB) according to the prior art;

Figure 4 is a flow chart illustrating the process of handling the authentication request by the Central station according to the prior art;

Figure 5 is a flow chart illustrating the process of transmitting the subscriber disconnect request by the set-top box (STB) according to the prior art;

Figure 6 is a flow chart illustrating the process of handling the subscriber disconnect request by the Central station according to the prior art;

Figure 7 is a flow chart illustrating the procedure for authenticating a subscriber terminal in a DTV network according to an embodiment of the present invention;

Figure 8 is a flow chart illustrating the network authentication procedure performed by the Central station according to an embodiment of the present invention.

Detailed description of embodiments

Hereinafter the present invention is described in detail with reference to embodiments and drawings.

Figure 7 is a flow chart illustrating the procedure for authenticating a subscriber terminal in a DTV network according to an embodiment of the present invention.

At step S110, when the set-top box 21 (STB) starts, it reads the key validity period stored in the subscriber identity module 22.

Conditional access is introduced into the DTV network so that DTV programmes can be viewed only by legitimate subscribers. Conditional access amounts to controlling the transmission of the control word. The Central station 1 randomly generates a control word (CW) that controls the scrambling of the DTV programme signal transmitted by the Central station 1. To descramble the scrambled signal successfully, the subscriber terminal 2 must hold the same control word (CW) as the Central station 1 to control the descrambling. If the control word (CW) of the Central station 1 were transmitted directly to the subscriber terminal 2, it could easily be intercepted by attackers. The control word (CW) must therefore be encrypted before transmission.

Currently, to improve the security of control word (CW) transmission, the control word (CW) is encrypted with a secret key (SK), and the resulting ciphertext, called the entitlement control message (ECM), is generally multiplexed with the scrambled transport stream. The entitlement control message (ECM) also includes information such as time, programme price and programme access control information. At the next level the secret key (SK) is itself encrypted with a programme data key (PDK). The resulting ciphertext, together with the access control commands, forms the entitlement management message (EMM), which also includes information about the subscriber's access rights, such as the smart card number, access time and access level. This information mainly serves to assign access rights to the subscriber; thus the entitlement management message (EMM) is a control message addressed to the subscriber that grants the subscriber the right to view a programme at a given time on a given channel.

The two-key method is generally intended to prevent interception of the key by attackers. In the two-key method a key pair is allocated to each subscriber. One key is the subscriber terminal's key, called the private key, which is used only for decryption and is normally stored in the subscriber identity module. The other key is the public key, used only for encryption. The two keys correspond one-to-one under the algorithm, and data encrypted with the public key can be decrypted only with the private key. Direct transmission of the decryption key is thus avoided and the security level is very high; the same key-pair principle underlies digital signatures. The private key (PK), referred to simply as "the key", is generally stored in the subscriber identity module 22 (including a smart card), so the entitlement management message (EMM) can be decrypted only by the intended subscriber terminal 2. That is, one smart card can decrypt only the entitlement management messages (EMM) addressed to it; all information needed to decrypt the entitlement control message (ECM) is obtained by decrypting the entitlement management message (EMM), the control word (CW) is then obtained by decrypting the entitlement control message (ECM), and the control word is passed to the descrambler in the set-top box 21 (STB), which performs the descrambling. All of these decryption operations can be performed inside the decryption system of the smart card.

Furthermore, in addition to the key, the key information held in the subscriber identity module 22 includes the key validity period. The initial key and its validity period are pre-installed in the smart card, and subsequent key information can be transmitted to the subscriber terminal by the Central station 1.
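The three-level key hierarchy described above (CW scrambles the programme, SK protects the CW inside the ECM, the subscriber's key protects the SK inside the EMM, and every decryption happens inside the card) is shown below as an added Python example written for this page; it is not code from the patent or from any CAS vendor. It assumes a toy symmetric cipher (SHA-256 keystream plus an HMAC tag, so that decryption with the wrong key is detected rather than producing garbage) in place of both the DVB scrambler and the public/private key pair the text describes; the class and field names are the editor's own.

```python
import hashlib
import hmac
import os

# Toy cipher constructed for this example: SHA-256 counter-mode keystream XORed into the
# data, plus an HMAC tag (encrypt-then-MAC). NOT the DVB scrambler or a real CAS cipher.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CentralStationCAS:
    """Central station side: CW scrambles the programme, SK wraps the CW (ECM),
    each subscriber's pre-installed key (PDK here) wraps the SK (EMM)."""

    def __init__(self):
        self.sk = os.urandom(32)   # secret key shared by all entitled subscribers
        self.pdks = {}             # smart card number -> key pre-installed in that card

    def register_card(self, card_no: str) -> bytes:
        pdk = os.urandom(32)
        self.pdks[card_no] = pdk
        return pdk                 # written into the card when the subscriber buys it

    def emm_for(self, card_no: str, access_level: int) -> dict:
        """EMM addressed to one card: its rights plus the SK encrypted under its key."""
        return {"card_no": card_no, "access_level": access_level,
                "sk_ct": encrypt(self.pdks[card_no], self.sk)}

    def scramble(self, program: bytes):
        """Return (scrambled payload, ECM carrying the CW encrypted under SK)."""
        cw = os.urandom(16)        # fresh random control word
        return encrypt(cw, program), {"cw_ct": encrypt(self.sk, cw)}


class SmartCard:
    """Subscriber identity module: holds the key and performs all decryption itself."""

    def __init__(self, card_no: str, pdk: bytes):
        self.card_no, self.pdk, self.sk = card_no, pdk, None

    def process_emm(self, emm: dict) -> bool:
        if emm["card_no"] != self.card_no:
            return False           # addressed to another card
        sk = decrypt(self.pdk, emm["sk_ct"])
        if sk is None:
            return False           # card number claimed but key does not match
        self.sk = sk
        return True

    def control_word(self, ecm: dict):
        return None if self.sk is None else decrypt(self.sk, ecm["cw_ct"])


def descramble(card: SmartCard, ecm: dict, payload: bytes):
    """STB side: obtain the CW from the card and feed it to the descrambler."""
    cw = card.control_word(ecm)
    return None if cw is None else decrypt(cw, payload)


def demo():
    station = CentralStationCAS()
    legit = SmartCard("0001", station.register_card("0001"))
    other = SmartCard("0002", station.register_card("0002"))
    emm = station.emm_for("0001", access_level=1)
    legit.process_emm(emm)
    other.process_emm(emm)         # not addressed to card 0002, ignored
    payload, ecm = station.scramble(b"PROGRAM")
    return descramble(legit, ecm, payload), descramble(other, ecm, payload)
```

Only the card that holds the key the EMM was wrapped for recovers SK, and without SK neither the CW nor the programme can be recovered; a card that merely claims another card's number fails at the EMM step because the tag does not verify.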

At step S120 the set-top box 21 (STB) determines whether the validity period has expired; if it has, the process proceeds to step S140, otherwise to step S130.

At step S130 the set-top box 21 (STB) determines whether the remaining time of the validity period is below a threshold value; if it is, the process proceeds to step S140, otherwise the procedure ends. The threshold value is set in advance and mainly serves to let the terminal obtain the next key and its validity period before the current key expires. For example, a subscriber who has subscribed to a monthly pay channel for five months should at the end of each month receive the entitlement and the key for the next month. The threshold value may be half a day, one day or one week, depending on the key type. Because the set-top box 21 (STB) does not initiate an authentication request while the remaining time of the validity period is not below the threshold, the number of authentication requests initiated by set-top boxes 21 (STB) is greatly reduced.

At step S140 the set-top box 21 (STB) initiates transmission of the authentication request after waiting for a random time T1. This avoids the situation in which many set-top boxes (STB) initiate transmission of authentication requests simultaneously.

T1 can be chosen at random by the set-top box 21 (STB) and can also be adjusted according to the subscriber scale of the network. In a particular embodiment the Central station adjusts T1 according to the number of subscriber terminals it manages, sets the value of T1 and passes the value of T1 to each set-top box 21 (STB).

The authentication request includes the unique subscriber identifier (ID) obtained from the subscriber identity module 22.

At step S150 the authentication server 13 of the Central station 1 receives the authentication request and extracts the unique subscriber identifier (ID) from it. The authentication server 13 of the Central station 1 then performs authentication according to the unique subscriber identifier (ID): for example, it determines whether the subscriber is a legal subscriber of the DTV network according to the unique subscriber identifier (ID), and whether a subscriber with the same unique subscriber identifier (ID) is already in the online status. If authentication succeeds, the authentication server 13 of the Central station 1 transmits a response message that includes the new key information and indicates successful authentication, and sets the subscriber terminal 2 to the online status; otherwise the authentication server 13 of the Central station 1 returns a response message indicating failed authentication to the subscriber terminal 2.

At step S160 the set-top box 21 (STB) receives the response message and determines whether it indicates successful authentication; if it does, the set-top box 21 (STB) updates the key information, otherwise the procedure ends.
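Steps S110 to S160 above, with both sides of the exchange, as an added Python example written for this page (not code from the patent or the Applicant). The message layout, the class names and the way a duplicate online identifier is handled are the editor's assumptions: the text says the station checks whether the same ID is already online but does not state the outcome, and here such a request is rejected as a cloned card. The last function shows the effect of the random wait T1 on the busiest second of a restart storm.

```python
import os
import random
from dataclasses import dataclass


@dataclass
class KeyInfo:
    """Key information held in the subscriber identity module (assumed layout; the page
    only says it contains the key and its validity period)."""
    key: bytes
    expires_at: int          # end of the validity period, seconds since epoch


class AuthServer:
    """Authentication server 13 of the Central station (step S150)."""

    def __init__(self, legal_ids, key_lifetime=30 * 24 * 3600):
        self.legal_ids = set(legal_ids)    # subscriber IDs recorded in the SMS
        self.online = {}                    # subscriber ID -> time it was set online
        self.key_lifetime = key_lifetime    # validity of each newly issued key

    def authenticate(self, request, now):
        sid = request["subscriber_id"]
        if sid not in self.legal_ids:
            return {"status": "failed", "reason": "unknown subscriber ID"}
        if sid in self.online:
            # Assumption: an ID that is already online is presented by a cloned card.
            return {"status": "failed", "reason": "subscriber ID already online"}
        self.online[sid] = now
        return {"status": "success", "key": os.urandom(16),
                "expires_at": now + self.key_lifetime}


class SetTopBox:
    """Set-top box start-up logic, steps S110-S140 and S160."""

    def __init__(self, subscriber_id, key_info, threshold, max_backoff):
        self.subscriber_id = subscriber_id
        self.key_info = key_info            # S110: read from the card at start-up
        self.threshold = threshold          # preset threshold, e.g. one day
        self.max_backoff = max_backoff      # upper bound of the random wait T1

    def needs_authentication(self, now):
        remaining = self.key_info.expires_at - now
        if remaining <= 0:                  # S120: validity period has expired
            return True
        return remaining < self.threshold   # S130: remaining time below threshold

    def start(self, server, now, rng=None):
        if not self.needs_authentication(now):
            return "no request"
        rng = rng if rng is not None else random.Random()
        t1 = rng.uniform(0, self.max_backoff)                       # S140: random wait
        reply = server.authenticate({"subscriber_id": self.subscriber_id}, now + t1)
        if reply["status"] != "success":                            # S160
            return "failed"
        self.key_info = KeyInfo(reply["key"], reply["expires_at"])
        return "updated"


def peak_requests_per_second(n_boxes, max_backoff, seed=1):
    """Busiest one-second slot when n_boxes with expired keys all restart at t=0 and
    each waits a random T1 in [0, max_backoff] before sending its request."""
    rng = random.Random(seed)
    per_slot = {}
    for _ in range(n_boxes):
        slot = int(rng.uniform(0, max_backoff))
        per_slot[slot] = per_slot.get(slot, 0) + 1
    return max(per_slot.values())


if __name__ == "__main__":
    print(peak_requests_per_second(10000, 0), peak_requests_per_second(10000, 600))
```

With max_backoff set to zero every box hits the server in the same second; spreading T1 over ten minutes cuts the peak to a few dozen requests, which is the congestion reduction the method claims.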

When the key validity period expires, the Central station 1 encrypts the digital television (DTV) data with the new key and transmits the digital television (DTV) data to the set-top box 21 (STB). Without the corresponding new key the digital television (DTV) data cannot be decrypted, that is, the digital television (DTV) programmes cannot be viewed. Through the above processes the Central station can obtain online information from the subscriber terminal, reducing the use of illegal subscriber terminals and therefore reducing piracy.

In the method disclosed above, if the key validity period of the subscriber terminal 2 has not expired, it is possible that the Central station 1 will not set the subscriber terminal 2 to the online status when the set-top box 21 (STB) of the subscriber terminal 2 starts. Another embodiment of the present invention therefore additionally provides a network authentication procedure that includes the following processes, depicted in Figure 8.

At step S210 the Central station 1 determines whether the validity period of each subscriber terminal has expired; if the validity period of a subscriber terminal has expired, the process proceeds to step S230, otherwise to step S220.

At step S220 the Central station 1 determines whether the remaining time of the validity period is below the threshold value; if it is, the process proceeds to step S240, otherwise the procedure ends.

At step S230 the Central station 1 determines whether the subscriber terminal 2 is in the online status; if it is, the process proceeds to step S240, otherwise to step S250.

At step S240 the Central station 1 determines whether the validity of the online status of the subscriber terminal 2 has expired; if it has, the process proceeds to step S250, otherwise the procedure ends. More specifically, a maximum online time is set in advance at the Central station for each subscriber terminal 2, and the online status validity of a subscriber is deemed expired when the subscriber's time in the online status exceeds that maximum online time. This mainly gives the Central station 1 the possibility of initiating a new roll-call of a subscriber terminal that is already in the online status.

At step S250, the Central station 1 transmits the authentication message of the roll of subscribers to the subscriber terminal 2, and this authentication message includes a unique identifier (ID) of the subscriber, and if the authentication message of the roll of subscribers was made in the process, set-top-boxes 21 (STB) of the user terminal 2, the television STB 21 (STB) returns a response message that includes a unique identifier (ID) of the subscriber terminal 2.

At step S260, if the response message from the user terminal 2 was taken for a set period of time, the Central is tance 1 returns the updated key information of the subscriber terminal 2 and sets the user terminal 2 in the status line.

At step S270 user terminal 2 updates the key information to receive new data digital television (DTV).

For the best information from the user terminal, a television STB 21 (STB) may transmit a request for authentication disable disabling user terminal 2. The Central station performs authentication after receiving the authentication request disconnect from the network, and the authentication includes determining whether a unique identifier (ID) of the subscriber's legal, whether the user terminal is connected to the network, etc. Central station sets the subscriber's status offline after successfully passed authentication.
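The roll-call procedure of steps S210 to S270, the offline request and the STB start-up check of claims 1 and 3, as an added simulation in Python. This is example code written for this page, not the patent's own; the class names, message fields, timing values and the 16-byte random key are assumptions.

```python
"""Simulation of the central-station roll call (S210-S270), the STB start-up check and the
offline request.  Constructed example: names, message fields, timing units and key format are assumed."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class TerminalRecord:
    """Central-station view of one subscriber terminal (constructed schema)."""
    terminal_id: str
    key_expiry: float                        # time at which the key validity period ends
    online: bool = False
    online_since: Optional[float] = None     # when the terminal was last set online
    roll_call_sent: Optional[float] = None   # when a roll-call message was sent


class CentralStation:
    def __init__(self, threshold, max_online_time, response_timeout,
                 key_lifetime, legal_ids):
        self.threshold = threshold                # S220: remaining validity below this -> S240
        self.max_online_time = max_online_time    # S240: preset maximum online time per terminal
        self.response_timeout = response_timeout  # S260: window in which the reply must arrive
        self.key_lifetime = key_lifetime          # validity period granted to a newly issued key
        self.legal_ids = set(legal_ids)           # claim 5: IDs the station accepts as legal
        self.terminals = {}                       # terminal_id -> TerminalRecord

    def register(self, terminal_id, key_expiry):
        self.terminals[terminal_id] = TerminalRecord(terminal_id, key_expiry)

    def _online_status_expired(self, rec, now):
        # S240: online status has expired once the online time exceeds the preset maximum.
        # Assumption: a terminal that is not online has no online status that can expire.
        return (rec.online and rec.online_since is not None
                and now - rec.online_since > self.max_online_time)

    def roll_call_decision(self, terminal_id, now):
        """Steps S210-S240: 'send' means transmit a roll-call message (S250), 'end' ends."""
        rec = self.terminals[terminal_id]
        if now >= rec.key_expiry:                      # S210: key validity period expired
            if not rec.online:                         # S230: terminal offline -> S250
                return "send"
        elif rec.key_expiry - now >= self.threshold:   # S220: enough validity left -> end
            return "end"
        # S240: reached from S230 (terminal online) or from S220 (validity below threshold)
        return "send" if self._online_status_expired(rec, now) else "end"

    def send_roll_call(self, terminal_id, now):
        """S250: roll-call authentication message carrying the terminal's unique ID."""
        self.terminals[terminal_id].roll_call_sent = now
        return {"type": "roll_call", "id": terminal_id}

    def _issue_key(self, rec, now):
        rec.key_expiry = now + self.key_lifetime
        rec.online, rec.online_since = True, now
        return {"type": "auth_ok", "id": rec.terminal_id,
                "key": secrets.token_bytes(16), "expiry": rec.key_expiry}

    def handle_roll_call_response(self, resp, now):
        """S260: renew the key and set the terminal online only if the reply was in time."""
        rec = self.terminals.get(resp.get("id"))
        if rec is None or rec.roll_call_sent is None:
            return None                                # no roll call outstanding for this ID
        sent, rec.roll_call_sent = rec.roll_call_sent, None
        if now - sent > self.response_timeout:
            return None                                # late reply: nothing is renewed
        return self._issue_key(rec, now)

    def authenticate(self, request, now):
        """Claims 1, 2 and 5: STB-initiated request; a legal ID gets new key information."""
        rec = self.terminals.get(request.get("id"))
        if rec is None or rec.terminal_id not in self.legal_ids:
            return {"type": "auth_failed", "id": request.get("id")}
        return self._issue_key(rec, now)

    def handle_offline_request(self, request):
        """Offline request: the ID must be legal and the terminal currently online."""
        rec = self.terminals.get(request.get("id"))
        if rec is None or rec.terminal_id not in self.legal_ids or not rec.online:
            return False
        rec.online, rec.online_since = False, None
        return True


class SetTopBox:
    """Subscriber-terminal side; key and expiry stand in for the identity module contents."""
    def __init__(self, terminal_id, key, key_expiry):
        self.terminal_id, self.key, self.key_expiry = terminal_id, key, key_expiry

    def startup(self, now, threshold):
        """Claims 1 and 3: request authentication if the key has expired or is close to it.
        (Claim 4's random delay before sending is left to the caller.)"""
        if now >= self.key_expiry or self.key_expiry - now < threshold:
            return {"type": "auth_request", "id": self.terminal_id}
        return None

    def apply_reply(self, reply):
        """S270 / last step of claim 1: store the new key information on success."""
        if reply.get("type") != "auth_ok":
            return False
        self.key, self.key_expiry = reply["key"], reply["expiry"]
        return True
```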

The disclosure above describes only preferred embodiments of the present invention, and the invention is not limited to these preferred embodiments. Any modification that would be considered by those skilled in the art falls within the scope of the present invention.

1. A method of performing an authentication procedure for at least one subscriber terminal, comprising the steps of:

reading, by a set-top box (STB) of the subscriber terminal, the key validity period of the key information stored in the subscriber identity module of the subscriber terminal when the STB starts up;

initiating, by the STB, transmission of an authentication request to the Central station if said key validity period has expired, and performing, by the Central station, authentication according to the authentication request;

determining, by the Central station, whether authentication has been passed successfully, and if authentication is successful, returning a response message of successful authentication that includes new key information, otherwise returning a response message of failed authentication;

updating, by the STB, the key information upon receiving the response message of successful authentication.

2. The method according to claim 1, further comprising a step of setting the subscriber terminal to online status after successful authentication.

3. The method according to claim 1 or 2, further comprising a step in which, if said key validity period has not expired, it is determined whether the remaining time of said key validity period is less than a threshold value, and if the remaining time of said validity period is less than the threshold value, transmission of the authentication request to the Central station is initiated by the STB, otherwise the procedure ends.

4. The method according to claim 3, further comprising a step of waiting for a random time before initiating transmission of the authentication request to the Central station.

5. The method according to claim 1, wherein determining whether authentication has been passed successfully includes a step of determining whether the unique identifier (ID) of the subscriber terminal in the authentication request is legal.

6. The method according to claim 5, further comprising a step in which, if authentication is successful, it is determined whether the subscriber terminal is online, and if the subscriber terminal is online, a response message of successful authentication that includes the new key information is returned.

7. The method according to claim 1, further comprising the steps of: determining sequentially, by the Central station, for each subscriber terminal whether the key validity period has expired, and if the key validity period of a subscriber terminal has expired, transmitting a roll-call authentication message to that subscriber terminal, otherwise ending the procedure;

transmitting, by the Central station, updated key information to the subscriber terminal and setting the terminal to online status if the response message from the subscriber terminal was received within a set period of time;

updating, by the subscriber terminal, the key information.

8. The method according to claim 7, further comprising the steps of:

if the key validity period has not expired, determining whether the remaining time of said key validity period is less than a threshold value, and if the remaining time of said validity period is less than the threshold value, transmitting the roll-call authentication message to the subscriber terminal, otherwise ending the procedure.

9. The method according to claim 7, further comprising the steps of: if the key validity period of the subscriber terminal has expired, determining whether the subscriber terminal is online; and

if the subscriber terminal is online, determining whether the online time of the subscriber terminal exceeds a preset maximum online time, and if the online time of the subscriber terminal exceeds the preset maximum online time, transmitting the roll-call authentication message to the subscriber terminal, otherwise ending the procedure.

10. The method according to claim 7, further comprising the steps of receiving, by the subscriber terminal, the roll-call authentication message and returning a response message that includes the unique identifier (ID) of the subscriber terminal.

11. The method according to claim 1 or 7, further comprising the steps of: transmitting an offline authentication request when the set-top box (STB) is switched off;

receiving, by the Central station, the authentication request and, if authentication is successful, setting the terminal to online status.

12. A system for performing an authentication procedure for a subscriber terminal in a digital television (DTV) network, comprising:

at least one subscriber terminal, each of which contains a set-top box (STB) and a subscriber identity module for storing key information for decrypting DTV program data, the key information including a key and a key validity period; and

a Central station for transmitting encrypted DTV program data to each subscriber terminal;

wherein the STB is configured to read the key validity period from the subscriber identity module when the STB starts up, to initiate transmission of an authentication request to the Central station if the validity period has expired, and to update the key information upon receiving from the Central station a response message of successful authentication that includes new key information; and

wherein the Central station is configured to perform authentication according to the authentication request initiated by the STB, to determine whether authentication has been passed successfully, and if authentication is successful, to return a response message of successful authentication, otherwise to return a response message of failed authentication.

13. The system according to claim 12, wherein the Central station is further configured to set the subscriber terminal to online status after successful authentication.

14. The system according to claim 12, wherein the Central station is further configured to determine sequentially, for each subscriber terminal, whether the key validity period has expired, and if the key validity period of a subscriber terminal has expired, to transmit a roll-call authentication message to that subscriber terminal; and to transmit updated key information to the subscriber terminal and set the subscriber terminal to online status if the response message from the subscriber terminal was received within a set period of time.

15. A subscriber terminal, comprising:

a subscriber identity module configured to store key information for decrypting encrypted digital television (DTV) data, the key information including a key and a key validity period; and

a set-top box (STB) configured to read the key validity period from the subscriber identity module when the STB starts up, to initiate transmission of an authentication request to the Central station if the validity period has expired, and to update the key information upon receiving from the Central station a response message of successful authentication that includes new key information.

16. A Central station comprising an authentication server configured to perform authentication according to an authentication request initiated by the set-top box (STB) of a subscriber terminal; to determine whether authentication has been passed successfully; to return, if authentication is successful, a response message of successful authentication that includes new key information, the new key information including a new key and the validity period of the new key; and to return a response message of failed authentication if authentication fails.

17. The Central station according to claim 16, further configured to set the subscriber terminal to online status after successful authentication.

18. The Central station according to claim 16, further configured to determine sequentially, for each subscriber terminal, whether the key validity period has expired, and if the key validity period of a subscriber terminal has expired, to transmit a roll-call authentication message to that subscriber terminal; and to transmit updated key information to the subscriber terminal and set the subscriber terminal to online status if the response message from the subscriber terminal was received within a set period of time.



 
