
Data stream authentication. RU patent 2509424.

IPC class (RU 2509424):

H04L9/32 - including means for verifying the identity or authority of a user of the system (security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00; dispensing apparatus actuated by coded identity card or credit card G07F7/08; specially adapted for wireless communication networks H04W12/00)

FIELD: radio engineering, communication.

SUBSTANCE: disclosed are a method and a system for encoding a data stream that comprises a series of data frames. The method includes generating a cryptographic value for a block of N consecutive data frames together with configuration information, the configuration information including information needed to render the data stream, and then inserting the cryptographic value into the data stream after the N consecutive data frames.

EFFECT: enables a decoder to distinguish a data stream (bitstream) generated by a corresponding Dolby Pulse encoder from a data stream (bitstream) generated by an arbitrary HE-AACv2-compatible encoder.

38 claims, 8 drawings

TECHNICAL FIELD

The present invention relates to a method of authenticating and verifying data streams. In particular, it relates to inserting an identifier into a data stream, such as a Dolby Pulse, AAC or HE-AAC bitstream, and to authenticating and verifying the data stream on the basis of that identifier.

BACKGROUND OF THE INVENTION

With the growing spread of digital television and radio, data streams comprising, for example, video and/or audio data are broadcast increasingly often. Besides the actual video and/or audio content, such data streams also carry metadata that allow, for example, the loudness, the dynamic range of programmes, stereo downmixing and other properties to be controlled on the receiver side.

In a typical broadcast network the video and/or audio material and the associated metadata are encoded at the head end of the network. Different coding schemes may be used for this, such as Dolby E, Dolby Digital, AAC, HE-AAC, DTS or Dolby Pulse. Some of these coding schemes, in particular Dolby Pulse, AAC and HE-AAC, are especially well suited to transmission over a variety of media, such as radio (for example the FM band, DVB-S/T, ATSC), twisted-pair copper (DSL), coaxial cable (e.g. CATV) or optical fibre. A receiver, such as a television set, a radio, a personal computer or an external device, contains the corresponding decoder and produces the decoded media stream. In addition, the receiver usually provides control functions that are driven by the metadata accompanying the video and/or audio data.

Examples of encoding/decoding schemes are defined in ISO/IEC 14496-3 (2005) "Information technology - Coding of audio-visual objects - Part 3: Audio" for MPEG-4 AAC and in ISO/IEC 13818-7 (2003) "Generic Coding of Moving Pictures and Associated Audio Information - Part 7: Advanced Audio Coding (AAC)" for MPEG-2 AAC, both of which are incorporated herein by reference.

Several methods of authentication and/or identification exist. Some of them rely on embedding the authentication and/or identification data in the encoded multimedia data; these methods are known as "watermarking" and are intended primarily for copyright protection. Another method of authentication and/or identification is the digital signature, in which authentication data are supplied alongside a data file, for example an e-mail, and are used by the recipient for authentication and identification.

For the receiver of a data stream to be able to identify the encoder that produced the stream, a means of authentication must be provided together with the data stream. It may also be desirable to check the integrity of the data stream. Furthermore, it may be useful to ensure that the receiver is correctly configured for the data stream it is to decode and render. It may also be useful to permit additional paid services or special functionality only for data streams that have been duly authenticated and/or verified. These and other problems are addressed by the present patent document.

BRIEF DESCRIPTION

The proposed method and system use an identifier that may be provided as metadata in a data stream. Such data streams are preferably data streams transmitted over wired or wireless communication links, but they may also be supplied on a storage medium such as a CD, DVD or flash memory. The identifier allows the decoder on the receiving side to check whether the data stream it receives originates from a trusted encoder, i.e. from a legitimate encoder on the transmitting and/or encoding side. This check is particularly useful when the decoder is compatible with encoders of several types. For example, a Dolby Pulse decoder may be compatible with HE-AAC version 2 encoders. In such a scenario it may be required that the Dolby Pulse decoder provide certain non-standard or optional features only when the network traffic, i.e. the bitstream, comes from a corresponding Dolby Pulse encoder. With the identifier, the Dolby Pulse decoder is able to distinguish a data stream or bitstream generated by a corresponding Dolby Pulse encoder from one generated by an arbitrary HE-AACv2-compatible encoder. Additional features, such as the use of dynamic metadata, can then be honoured by the decoder only if the data stream comes from a trusted encoder, which ensures that such additional features operate correctly.

A further advantage of the identifier is that it allows the decoder to verify that the bitstream was received correctly and was not modified or tampered with during transmission. In other words, the identifier allows the decoder to check the integrity of the received bitstream.

The identifier may also be used to ensure that the decoder applies the correct processing configuration, e.g. the correct playback configuration, so that the media signal is rendered properly. This configuration may concern, for example, the sampling rate used for playback, the channel configuration to be used (2-channel stereo, a surround-sound configuration, etc.), or the frame length used by the particular coding scheme, for example 1024 samples or, in the case of AAC, 960 samples per frame.

Besides encoder identification and authentication, the identifier can be used to verify the authenticity of the payload of the data stream. For this the identifier must not be easy to forge, and manipulation of the protected segment must be detectable. It is further desirable that the decoder can establish the authenticity of the bitstream within a relatively short time; preferably the maximum time the decoder or decoding device needs to identify a genuine bitstream does not exceed 1 second. In addition, the complexity that verifying the identifier adds to the decoder must remain low, i.e. the increase in decoder complexity should be negligible. Finally, the transmission overhead introduced by the identifier should be kept low.

According to one embodiment of the invention the above advantages are achieved by using a cryptographic value, or identifier, obtained as follows. The identifier may be determined in the encoder by applying a one-way function to a group of one or more data frames. A frame typically contains the data associated with a particular segment of the audio and/or video signal, for example a segment comprising a given number of samples of the media stream. For example, a frame of an audio stream may comprise 1024 samples of audio data together with the associated metadata.

As mentioned above, a certain number of frames are grouped to determine the identifier. The number of frames in each group may be chosen by the encoder and is, as a rule, not known to the decoder in advance. The one-way function is preferably the keyed-hash message authentication code HMAC-MD5, although other hash functions such as SHA-1 may be used instead of MD5. One criterion for selecting a suitable cryptographic hash function is its output size, which should be kept small in order to reduce the transmission overhead; the output size of a cryptographic hash function is normally given in bits.

Once the identifier for a group of frames has been computed, for example using HMAC-MD5, it may be associated with a subsequent frame, e.g. inserted into a frame of the following group of frames. As an example, the identifier may be written into the data field of a syntactic element of the frame. Preferably the identifier is inserted into the first frame of the following group. This allows the identifier to be computed in a single pass without introducing additional latency in the encoder/decoder, which is particularly useful for real-time media transmission. The data stream, including the identifier, can then be sent to the respective receivers/decoders.

At the receiver the inserted identifier can be used for encoder identification, authentication, verification and/or configuration. The receiver typically comprises a decoder that can synchronise to the groups of frames, i.e. it can determine which frames carry the identifier. From the distance between two successive frames carrying an identifier the decoder can derive the number of frames per group that was used to compute the identifier. In other words, the decoder can determine the group length without being told by the encoder.

In the next step the decoder extracts the identifier transmitted by the encoder from the corresponding frame of the following group. Again, if the encoder inserts identifiers into the first frame of the following group, the receiver also extracts the identifier from that first frame. The identifier extracted from the data stream can then be compared with a verification identifier, i.e. an identifier computed by the decoder from the received data stream. If both identifiers match, the decoder can generally assume that no transmission errors occurred, that the group of frames was received intact, that it was not modified in transit and that it originates from a trusted and/or legitimate encoder. Furthermore, if both identifiers match, the decoder may unlock one or more codec-specific features or enhancements that would not be permitted when decoding an arbitrary bitstream. For example, additional functions may be enabled if the decoder identifies a Dolby Pulse bitstream, while these additional features remain unavailable for a standard HE-AAC version 2 bitstream. The decoder may nevertheless be able to decode a standard HE-AAC version 2 bitstream, only without the additional functions.

It should be noted that the identifier may also allow the decoder to establish the configuration needed for correct decoding and/or playback of the media stream. In these cases a match between the verification identifier and the transmitted identifier indicates that the decoder is using the correct configuration settings.

If, on the other hand, the identifiers, i.e. the verification identifier and the transmitted identifier, do not match, the decoder knows that a transmission error occurred, that the group of frames was not received intact, that it was modified in transit, or that it was not transmitted by a trusted encoder. In these cases the decoder may be disabled entirely or, alternatively, may disable specific features or enhancements.

It should also be noted that the identifier can inform the decoder that incorrect configuration settings are in use. In these cases a mismatch between the verification identifier and the transmitted identifier may be due to the decoder using incorrect configuration settings even though the group of frames was received unchanged from a trusted encoder. It may be provided that in such cases the decoder modifies its configuration settings and recomputes the verification identifier until the verification identifier matches the transmitted identifier. This gives the decoder an important capability: setting its configuration to match the requirements of the received bitstream.
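The following is an added example, written for this page and not code from the patent or from Dolby: it models the encoder and decoder sides described above in Python. The encoder groups N frames with the out-of-band configuration, computes a truncated HMAC-MD5 identifier and carries it in the first frame of the next group; the decoder locates the tagged frames, infers N from their spacing, verifies each group, and runs the configuration search by trying candidate configurations until the identifiers match. The 2-byte synchronisation marker, the 32-bit truncation, the `Config` field layout, the key and the frame payloads are all assumptions or constructed data, not values fixed by the text.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Assumed details the text leaves open: a 2-byte synchronisation indicator placed
# in front of the tag, and truncation of HMAC-MD5 to 32 bits (one of the lengths listed).
SYNC_MARKER = b"\xa5\x5a"
TAG_BYTES = 4


@dataclass(frozen=True)
class Config:
    """Out-of-band configuration: never transmitted in the stream, but authenticated."""
    sample_rate: int   # Hz, e.g. 44100 or 48000
    channels: int      # 1 = mono, 2 = stereo, 6 = 5.1
    frame_length: int  # samples per frame, e.g. 960 or 1024

    def to_bytes(self) -> bytes:
        # Fixed-width big-endian fields so encoder and decoder hash identical bytes.
        return (self.sample_rate.to_bytes(4, "big") + self.channels.to_bytes(1, "big")
                + self.frame_length.to_bytes(2, "big"))


@dataclass
class Frame:
    payload: bytes               # encoded audio plus in-band metadata
    dse: Optional[bytes] = None  # data stream element: SYNC_MARKER + tag, when present


def compute_tag(key: bytes, config: Config, group: List[Frame]) -> bytes:
    """Second message = config || frame_1 || ... || frame_N; identifier = truncated HMAC-MD5."""
    message = config.to_bytes() + b"".join(f.payload for f in group)
    return hmac.new(key, message, hashlib.md5).digest()[:TAG_BYTES]


def encode_stream(key: bytes, config: Config, payloads: List[bytes], n: int) -> List[Frame]:
    """Tag each complete group of n frames; the tag rides in the first frame of the next group."""
    frames = [Frame(p) for p in payloads]
    for start in range(0, len(frames) - n, n):
        frames[start + n].dse = SYNC_MARKER + compute_tag(key, config, frames[start:start + n])
    return frames


def tagged_positions(frames: List[Frame]) -> List[int]:
    """Decoder synchronisation: indices of frames whose DSE begins with the sync marker."""
    return [i for i, f in enumerate(frames) if f.dse and f.dse.startswith(SYNC_MARKER)]


def infer_group_size(frames: List[Frame]) -> Optional[int]:
    """N is the distance between two successive tagged frames; None if fewer than two tags."""
    pos = tagged_positions(frames)
    return pos[1] - pos[0] if len(pos) >= 2 else None


def verify_stream(key: bytes, config: Config, frames: List[Frame]) -> List[bool]:
    """One verdict per tagged group: True iff the carried tag equals the recomputed one."""
    n = infer_group_size(frames)
    verdicts: List[bool] = []
    for tag_at in (tagged_positions(frames) if n else []):
        start = tag_at - n
        if start < 0:
            continue  # the group began before the part of the stream we received
        carried = frames[tag_at].dse[len(SYNC_MARKER):]
        expected = compute_tag(key, config, frames[start:tag_at])
        verdicts.append(hmac.compare_digest(carried, expected))
    return verdicts


def recover_config(key: bytes, frames: List[Frame], candidates: List[Config]) -> Optional[Config]:
    """The configuration search from the text: try candidates until every group verifies."""
    for cfg in candidates:
        verdicts = verify_stream(key, cfg, frames)
        if verdicts and all(verdicts):
            return cfg
    return None  # unknown configuration, or the stream is simply not genuine


def tampered_copy(frames: List[Frame], index: int) -> List[Frame]:
    """Flip one payload bit in one frame, as an in-transit modification would."""
    copy = [Frame(f.payload, f.dse) for f in frames]
    payload = bytearray(copy[index].payload)
    payload[0] ^= 0x01
    copy[index].payload = bytes(payload)
    return copy


# Constructed demo data: a shared key, 60 synthetic frame payloads (not real AAC), N = 20.
KEY = b"shared secret between encoder and decoder"
ENCODER_CONFIG = Config(48000, 2, 1024)
PAYLOADS = [hashlib.md5(b"frame-%d" % i).digest() * 4 for i in range(60)]
STREAM = encode_stream(KEY, ENCODER_CONFIG, PAYLOADS, 20)
CANDIDATE_CONFIGS = [Config(44100, 2, 1024), Config(48000, 6, 1024),
                     Config(48000, 2, 960), Config(48000, 2, 1024)]

if __name__ == "__main__":
    print("inferred N:", infer_group_size(STREAM))
    print("genuine stream:", verify_stream(KEY, ENCODER_CONFIG, STREAM))
    print("frame 5 tampered:", verify_stream(KEY, ENCODER_CONFIG, tampered_copy(STREAM, 5)))
    print("recovered config:", recover_config(KEY, STREAM, CANDIDATE_CONFIGS))
```

Two caveats a practitioner should keep in mind with this construction. First, HMAC is symmetric: every decoder that can verify the identifier holds the same key and can therefore produce a stream that passes as genuine, so the scheme identifies an encoder class and detects accidental or casual modification, but it does not provide non-repudiation. Second, a tag truncated to 32 bits gives an attacker a 2^-32 chance per group of guessing a valid value, and `recover_config` cannot distinguish "wrong configuration" from "tampered stream"; both end in `None`, which is exactly the ambiguity the text describes.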

The various aspects of the proposed method are described below. According to a first aspect, a method of encoding a data stream comprising a plurality of data frames is described. The data stream may be an audio, video and/or other media or multimedia stream; in particular it may be a Dolby Pulse, AAC or HE-AAC data stream. Data streams are typically organised into data frames that comprise a certain number of samples and cover a certain segment of the data stream. For example, a frame may comprise 1024 samples of an audio signal sampled at 44.1 kHz, i.e. it covers a segment of approximately 23 ms. It should be noted that the samples may be encoded at a constant or a variable bit rate, so the actual number of bits in a frame may vary.

The method may comprise the step of grouping N consecutive data frames to form a first message. The number N of consecutive data frames is typically chosen with regard to the transmission overhead: as a rule, the overhead decreases as N increases. N is preferably greater than one; typical values of N are around 20. In a preferred embodiment N may be chosen such that the N consecutive frames cover 0.5 seconds of signal when played back by a corresponding decoder with the appropriate decoder configuration. It should be noted that the grouping step may consist in concatenating the N consecutive frames in their natural, i.e. stream, order.

In a further step the first message may be combined with configuration information to form a second message. The configuration information comprises information about the data stream that is not contained in the data stream itself, in particular information for rendering the data stream on the receiver side. It may comprise information about the settings of the corresponding receiver and/or decoder that are to be applied to the data stream. Because the configuration information is generally not transmitted in, or included in, the data stream, it may also be called out-of-band data, in contrast to the data stream itself, which may be called in-band data.

The configuration information can be combined with the first message in many ways. It may be concatenated with the first message, i.e. placed at the beginning and/or end of the first message, or it may be inserted at certain positions within the first message, for example between some or all of the consecutive frames.

Typical examples of configuration information include an indication of the sampling rate used to sample the underlying analogue media stream, an indication of the channel configuration used to encode the audio signal (such as mono, 2-channel stereo or 5.1 surround sound), and an indication of the number of samples per data frame, for example 960, 1024 or 2048 samples per frame.

The method includes the step of generating cryptographic values for the first and/or second message. Cryptographic value may also be called ID. Specified cryptographic value can be generated using key values and cryptographic hash functions. In particular, cryptographic value can be generated by calculating the value of the HMAC-MD5 for the first and/or second message. In addition, generating cryptographic values may include the truncated value HMAC-MD5, for example truncated to 16, 24, 32, 48, or 64 bits. This can be useful because of the decrease overhead required for cryptographic values in the data stream.

Furthermore, the method enables implementation of cryptographic values in the data stream after N serial data frames. Preferably, cryptographic value is inserted into the first frame of the next N successive frames of data to allow its fast decoding and authentication and verification of the encoder in the appropriate decoder. May also be useful to insert a pointer synchronization after N serial data frames where the pointer synchronization indicates the insertion of a cryptographic values. The specified index synchronization can be placed next to a cryptographic value, allowing convenient to derive cryptographic value in the corresponding decoder.

Illustrative embodiment of the invention, the flow of data is a stream MPEG4-AAC or MPEG2-AAC, and cryptographic value is inserted as element<DSE>data flow. The specified element<DSE>data flow can be inserted at the end of the block before<TERM>. Additionally, the contents of the specified element<DSE>data flow, preferably, can be aligned at the border of bytes of data flow in order to simplify extraction<DSE>data flow, in particular cryptographic value and/or a pointer synchronization in the appropriate decoder.

It should be noted that the step of generating cryptographic values, preferably, can be run iteratively on separate frames groups of N consecutive frames. With this purpose for each of N consecutive shots with the original state can be generated intermediate cryptographic value. The baseline could be an intermediate cryptographic the value of the previous iteration. For example, intermediate cryptographic value can be generated for the first frame. This intermediate cryptographic amount can then be used as the source state to generate intermediate cryptographic values of the second frame. This process repeats until then, until it is generated intermediate cryptographic N-th frame. This latest interim cryptographic value, as a rule, represents a cryptographic value for a group of N consecutive frames. In order to take into account the information about the configuration of the initial state of the first iteration may represent an intermediate cryptographic value for configuration information.

According to other features may include the stage of interaction with the video and/or data flow. This step can be implemented through the execution of encoding video and/or audio, as well as generating cryptographic values in an integrated way. In particular, the interaction between the video and/or data flow and generating cryptographic values can be aimed at installing a maximum bit rate of data transmission for video and/or so that the bit transfer rate of data flow that includes cryptographic the value that does not exceed a predetermined value. This can be particularly useful if the underlying codec data flow set a higher limit of bit rate of data transfer for the full flow of the data.

The following describes a method of verifying a data stream in a decoder and/or receiver. It should be noted that the described methods and systems apply both to transmitted data streams and to data streams stored on a data carrier. As described above, the data stream generally includes a number of data frames and a cryptographic value associated with the N preceding consecutive data frames. Reference is made to the discussion above, in particular regarding the possible values of N and the structure of the data stream and its frames.

The method includes the step of extracting N consecutive data frames to form a first message. The method may also include the step of identifying the value of N. This step can be performed on a data stream that includes a number of N consecutive data frames and an associated cryptographic value. If N consecutive data frames are called a group of frames, the data stream as a rule includes a number of groups of frames and a cryptographic value associated with each group. In this case the number N can be determined as the number of frames between two consecutive cryptographic values.

It should be noted that the current group of frames used to compute the second cryptographic value may include the cryptographic value of the previous group of frames. Alternatively, the cryptographic value of the previous group and any associated synchronisation indicator and/or syntax element may be removed from the current group before the second cryptographic value is computed. The latter option may be preferable when modifications should not propagate from one group of frames to the next.

The method may also include the step of grouping the first message with configuration information to form a second message, where the configuration information typically includes out-of-band information about the data stream, such as information for rendering it. The grouping step and the various features related to configuration information have been described above and apply equally to the decoder.

The method continues by generating a second cryptographic value for the first and/or second message, extracting the cryptographic value from the data stream and comparing the extracted cryptographic value with the second cryptographic value. The second cryptographic value may also be called the verification cryptographic value or verification identifier.

It should be noted that the second cryptographic value can be generated iteratively, as described above in the context of generating the cryptographic value.

In a preferred embodiment the cryptographic value is generated in the corresponding encoder and/or transmitter from the N consecutive data frames and the configuration information in a manner that matches the method used to generate the second cryptographic value. In other words, the generation of the cryptographic value in the encoder conforms to the generation of the second cryptographic value in the decoder. In particular, the cryptographic value and the second cryptographic value are generated using the same key and/or the same cryptographic hash function.

Moreover, the set of N consecutive frames used to generate the cryptographic value in the encoder is the same set of N consecutive frames used to generate the second cryptographic value in the decoder. As mentioned above, both values may be defined over a set of N consecutive frames that either includes or excludes the cryptographic value of the previous set of N consecutive frames; the same rule must apply in the encoder and in the decoder.

According to a further feature, the method may include setting a flag when the cryptographic value matches the second cryptographic value and/or providing a visual indication on the receiver and/or decoder when the flag is set. Similarly, the flag and/or visual indication may be cleared when the cryptographic value does not match the second cryptographic value, or when no cryptographic value can be extracted from the data stream. This informs the user of the decoder, i.e. the viewer or listener of the data stream, about the authenticity of the data stream.

According to a further feature, a data stream is described that includes a cryptographic value generated and inserted according to the methods described in this document.

According to a further feature, an encoder is described that is operable to encode a data stream comprising a number of data frames. The encoder performs the steps of the method described in this document. In particular, the encoder may include a processor operable to group N consecutive data frames to form a first message, where N is greater than one; to group the first message with configuration information to form a second message, where the configuration information includes out-of-band information about the data stream, such as information for rendering it; to generate a cryptographic value for the second message; and to insert the cryptographic value into the data stream after the N consecutive data frames.

According to a further feature, a decoder is described that is operable to verify a data stream comprising a number of data frames and a cryptographic value associated with the N preceding consecutive data frames, where N is greater than one. The decoder performs the steps of the method described in this document. In particular, the decoder may include a processor operable to extract N consecutive data frames to form a first message; to group the first message with configuration information to form a second message, where the configuration information includes information for rendering the data stream; to generate a second cryptographic value for the second message; to extract the cryptographic value from the data stream; and to compare the cryptographic value with the second cryptographic value.

According to a further feature, a software program is described that is adapted for execution on a processor and for performing the steps of the method described in this document when executed on a computing device.

According to a further feature, a storage medium is described that contains a software program adapted for execution on a processor and for performing the steps of the method described in this document when executed on a computing device.

According to a further feature, a computer program product is described that includes executable instructions for performing the steps of the method described in this document when executed on a computer.

According to a further feature, a set-top box, a portable electronic device (e.g. a mobile phone, PDA or smartphone) or a computer (e.g. a desktop or laptop computer) is described that is designed to decode a data stream. The data stream may be an audio signal. The device preferably includes a decoder having the features described in this document.

According to a further feature, a broadcasting system for a data stream is described. The data stream may be an audio signal. The broadcasting system preferably includes an encoder having the features described in this document.

According to a further feature, a method of concatenating a first and a second bit stream at a concatenation point is described. Each of the two bit streams may include a number of data frames and cryptographic values associated with a given number of data frames. The first bit stream may include a cryptographic value for every N1 consecutive frames and the second bit stream a cryptographic value for every N2 consecutive frames. N1 and N2 may be identical, i.e. both bit streams have the same repetition period of cryptographic values, or they may differ, i.e. the bit streams include a cryptographic value after different numbers of frames.

The concatenated bit stream includes cryptographic values generated and inserted according to the methods described in this document. Preferably the cryptographic values in the concatenated bit stream cover the concatenation point seamlessly, so that the receiver/decoder does not observe an interruption in the authenticity of the bit stream. This can be achieved by explicitly generating new cryptographic values for the concatenated bit stream from the concatenation point onward.

New cryptographic values may be generated at least for a certain number of consecutive frames of the concatenated bit stream starting at the concatenation point. In some cases the cryptographic values of the second bit stream can be reused, i.e. copied into the concatenated bit stream after the section that carries the new cryptographic values. This reuse applies in particular when the cryptographic value of the previous group of frames, carried in the first frame of the next group, is not taken into account when computing the cryptographic value of the next group, i.e. when groups are treated independently and changes in cryptographic values do not propagate from one group to the next.

Explicitly generating cryptographic values according to the methods described in this document may be useful at the boundary between the first and second bit streams, i.e. for the final frames of the first bit stream and the first frames of the second bit stream included in the concatenated bit stream. In general, when two bit streams are concatenated, the number of final frames of the first bit stream after its last cryptographic value is usually less than or equal to N1, and/or the number of frames taken from the second bit stream before the first included cryptographic value is usually less than or equal to N2. In other words, the concatenation point is, as a rule, not located on group boundaries of the first and second bit streams.

According to one feature of the concatenation, or splicing, method, a new cryptographic value is generated for the final frames of the first bit stream and inserted into the next frame of the concatenated bit stream, which is the first frame taken from the second bit stream. This new cryptographic value "closes" the first bit stream. New cryptographic values can then be generated for the second bit stream and included at the corresponding positions of the concatenated bit stream. This is especially suitable when, without an additional cryptographic value inserted into the first frame taken from the second bit stream, the number of frames between the last cryptographic value generated for frames of the first bit stream and the first cryptographic value generated for frames of the second bit stream would exceed the maximum allowed by the system.

If the concatenation point is not aligned with the groups of frames of the first and second bit streams, the concatenation method may generate a cryptographic value for a mixed group that includes frames taken from both the first and the second bit stream. As already mentioned, a cryptographic value is, as a rule, carried in the frame that follows the group of frames used to compute it.
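The following Python is an added worked example, not code from the patent or from its applicant, covering the encoder-side steps described above (grouping N frames with the configuration word, computing HMAC-MD5 incrementally, truncating it and carrying the result in the first frame of the next group), the decoder-side verification with its authenticity flag, the choice between chained and independent identifiers, and the concatenation method just described. It abstracts the AAC bit stream: a frame is a payload plus an optional identifier slot standing in for the <DSE>, the packing of configuration_word is invented for the example, and the decoder treats every run of frames between two identifiers as one group, which is how it accepts the shorter group at a concatenation point. The splice_group attack shows why the chained mode is preferred: with independent groups, a group copied from another stream authenticated under the same key, together with its identifier, verifies.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Frame:
    payload: bytes                      # stand-in for an AAC raw data block
    identifier: Optional[bytes] = None  # identifier carried in this frame's <DSE>, if any


def config_word(sampling_frequency_index: int, channel_configuration: int,
                frame_length_flag: int) -> bytes:
    # Packing of the three configuration fields is an assumption of this example;
    # the page names the fields but fixes no bit layout for configuration_word.
    return bytes([sampling_frequency_index, channel_configuration, frame_length_flag])


def choose_group_size(sample_rate: int, frame_length: int, max_seconds: float = 0.5) -> int:
    """Largest N (at least 2) whose N frames play back within max_seconds."""
    return max(2, int(max_seconds * sample_rate // frame_length))


def frame_bytes(frame: Frame, chain: bool) -> bytes:
    # chain=True keeps a carried identifier in the message (the page's preferred mode);
    # chain=False strips it before hashing (the page's alternative, independent groups).
    carried = frame.identifier if (chain and frame.identifier) else b""
    return carried + frame.payload


def group_identifier(key: bytes, cfg: bytes, group: List[Frame], chain: bool,
                     trunc_bits: int = 32) -> bytes:
    """HMAC-MD5 over configuration_word || frame_1 || ... || frame_N, fed frame by
    frame so only the running state and one frame are in memory, then truncated by
    keeping the leading trunc_bits bits (9e107d9d372b... -> 9e107d9d for 32 bits)."""
    mac = hmac.new(key, cfg, hashlib.md5)
    for frame in group:
        mac.update(frame_bytes(frame, chain))
    return mac.digest()[: trunc_bits // 8]


def insert_identifiers(key, cfg, frames, start, n, chain=True, trunc_bits=32):
    """Encoder side: from index start on, the identifier of each complete group of n
    frames is written into the first frame of the following group."""
    for s in range(start, len(frames) - n, n):
        ident = group_identifier(key, cfg, frames[s:s + n], chain, trunc_bits)
        frames[s + n].identifier = ident
    return frames


def authenticate(key, cfg, payloads, n, chain=True, trunc_bits=32):
    return insert_identifiers(key, cfg, [Frame(p) for p in payloads], 0, n, chain, trunc_bits)


def verify(key, cfg, frames, chain=True, trunc_bits=32):
    """Decoder side: each carried identifier is checked against the frames since the
    previous identifier (N is read off the spacing; a shorter group at a concatenation
    point is accepted). Returns one boolean per identifier found."""
    results, prev = [], 0
    for pos, frame in enumerate(frames):
        if frame.identifier is None:
            continue
        expected = group_identifier(key, cfg, frames[prev:pos], chain, trunc_bits)
        results.append(hmac.compare_digest(expected, frame.identifier))
        prev = pos
    return results


def authentic(results) -> bool:
    """Flag shown to the listener: set only if identifiers were found and all matched."""
    return bool(results) and all(results)


def splice_group(victim, donor, g, n):
    """Cut-and-paste attack: group g's payloads are replaced by the donor's, and the
    donor's identifier for that group is copied into the next group's first frame."""
    out = [Frame(f.payload, f.identifier) for f in victim]
    for i in range(g * n, (g + 1) * n):
        out[i].payload = donor[i].payload
    out[(g + 1) * n].identifier = donor[(g + 1) * n].identifier
    return out


def concatenate(key, cfg, first, second, cut_first, cut_second, n, chain=True, trunc_bits=32):
    """Splice first[:cut_first] onto second[cut_second:] at a point that need not be a
    group boundary: the final (possibly partial) group of the first stream gets a fresh
    identifier in the first frame taken from the second stream, and the remainder is
    re-authenticated from there, so the chain runs through the splice."""
    out = [Frame(f.payload, f.identifier) for f in first[:cut_first]]
    out += [Frame(f.payload) for f in second[cut_second:]]  # donor identifiers dropped
    carried = [i for i, f in enumerate(out[:cut_first]) if f.identifier is not None]
    prev = carried[-1] if carried else 0
    out[cut_first].identifier = group_identifier(key, cfg, out[prev:cut_first], chain, trunc_bits)
    return insert_identifiers(key, cfg, out, cut_first, n, chain, trunc_bits)
```

Run against two constructed 16-frame streams with N=4: a tampered payload fails its own group; with chain=True the cut-and-paste of a whole group from the other stream is detected at the spliced group and at the one after it, while with chain=False it passes unnoticed; concatenate() with cut_first=6 and cut_second=10 yields identifiers at frames 4, 6 and 10 that all verify. A receiver tuning in mid-group sees its first check fail once before the identifiers line up, which is the resynchronisation the page mentions. hmac.compare_digest is used so that comparing the truncated tags does not leak timing, and the truncation keeps the leading bytes, matching the page's 9e107d9d example.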

According to a further feature, a concatenation device and/or head-end node of a broadcast network is described. It operates to concatenate a first and a second bit stream, each of which includes a number of data frames and cryptographic values associated with a given number of data frames. The device may include a decoder with any combination of the features described in this document, which can be used to decode the final frames of the first bit stream, the first frames of the second bit stream and the associated cryptographic values. The device may also include an encoder with any combination of the features described in this document, which can be used to encode the final frames of the first bit stream and the first frames of the second bit stream. In addition, the device may include a forwarding unit designed to forward those frames and associated cryptographic values of the first and second bit streams that are neither decoded nor re-encoded. In other words, the forwarding unit can simply copy, or pass through, frames and their associated cryptographic values into the concatenated bit stream.

It should be noted that the concatenation device may also decode and encode the complete data streams, i.e. decode the cryptographic values of the incoming data streams and generate cryptographic values for the outgoing data stream. This is useful for producing a bit stream whose cryptographic values are continuously chained. In effect, a number of bit streams can be decoded and a concatenated bit stream comprising parts of those bit streams can be encoded with continuously chained cryptographic values. A receiver of the concatenated bit stream will then perceive it as a trustworthy bit stream originating from a single encoder.

It should also be noted that, for the purpose of decoding and/or encoding bit streams including cryptographic values, the concatenation device need not be aware of the underlying codec of the data stream. For example, the concatenation device need not perform HE-AAC decoding/encoding in order to extract and/or generate cryptographic values for the data streams. In some situations, such as when a new cryptographic value is inserted into a frame that previously carried none, decoding and re-encoding the data stream may be necessary to create free space in the bit stream for the new cryptographic value, in particular in order to meet the bit-rate requirements of the bit stream.

It should be noted that the methods and systems, including the preferred embodiments, described in this document may be used alone or in combination with other methods and systems described herein. Furthermore, all features of the methods and systems described in this application may be combined; in particular, the features of the claims may be combined with each other arbitrarily. The order of the method steps may also be changed.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is explained below by way of examples with reference to the accompanying drawings, in which

Fig. 1 illustrates an exemplary method of determining an identifier according to the invention;

Figs. 2a and 2b are flow charts of an exemplary method of generating an identifier and inserting it in an encoder;

Fig. 3 is a flow chart of exemplary authentication and verification steps performed by a decoder;

Fig. 4 illustrates an exemplary embodiment of an encoder and a decoder;

Fig. 5 shows an example of using the identifier in a broadcasting system; and

Figs. 6 and 7 show examples of concatenating bit streams to form a concatenated bit stream.

The embodiments described below are examples and do not limit the scope of the claims of this document. The invention is described in the context of AAC (Advanced Audio Coding), in particular MPEG-2 AAC and MPEG-4 AAC. It should be noted, however, that the invention is also applicable to other coding schemes, in particular audio, video and/or other multimedia coding schemes. In addition, the invention is applicable to a concatenation device that creates a combined bit stream from a number of encoders.

Fig. 1 illustrates a bit stream 100 and a method of determining an identifier for this bit stream 100. Examples of such bit streams are encoded video and/or audio bit streams based on the codecs AAC, HE-AAC (High Efficiency Advanced Audio Coding), Dolby Pulse, MPEG-4 AVC/H.264, MPEG-2 Video and MPEG-4 Video. These codecs and their formats are defined, for example, in ISO/IEC 14496-3 for MPEG-4 AAC, ISO/IEC 13818-7 for MPEG-2 AAC, ISO/IEC 14496-10 for MPEG-4 AVC/H.264, ISO/IEC 13818-2 for MPEG-2 Video and ISO/IEC 14496-2 for MPEG-4 Video, which are incorporated herein by reference. In these codecs the data streams are organised in so-called frames, each containing a certain number of samples. Different codecs may use different numbers of samples per frame; typical examples are 960, 1024 or 2048 samples per frame.

In addition to the actual media data, frames may also include so-called metadata, which carry additional control information, for example related to the loudness or the dynamic range of the programme.

In AAC, a frame, or raw data block, is built from syntactic elements, including the following.

The element single_channel_element(), abbreviated SCE, is a syntactic element of the bit stream containing the coded data of a single channel.

The element channel_pair_element(), abbreviated CPE, is a syntactic element of the bit stream payload containing the coded data of a pair of channels.

The element coupling_channel_element(), abbreviated CCE, is a syntactic element containing the coded audio data of a coupling channel.

The element lfe_channel_element(), abbreviated LFE, is a syntactic element containing a low-frequency enhancement channel.

The element program_config_element(), abbreviated PCE, is a syntactic element containing configuration information about the programme.

The element fill_element(), abbreviated FIL, is a syntactic element containing fill data.

The element data_stream_element(), abbreviated DSE, is a syntactic element containing ancillary data.

The syntactic element TERM marks the end of a raw data block, or frame.

These syntactic elements are used within a frame, or raw data block, to identify the media data and the associated control data. For example, two frames of a mono audio signal can be represented by the syntactic elements <SCE><TERM><SCE><TERM>, two frames of stereo audio by <CPE><TERM><CPE><TERM>, and two frames of a 5.1 audio signal by <SCE><CPE><CPE><LFE><TERM><SCE><CPE><CPE><LFE><TERM>.

The proposed method groups a certain number N of such frames, thus forming groups of frames 111, 112 and 113. Fig. 1 shows the complete group of frames 112, comprising N=5 frames 103 to 105. The five frames of group 112 are concatenated to form the first message.

The hash-based message authentication code (HMAC) of the first message can be determined using a cryptographic hash function H(.) and a secret key K, which is usually padded with zeros on the right up to the block size of H(.). Let || denote concatenation and ⊕ exclusive OR, and let opad and ipad be the outer and inner padding constants, each one block of H(.) long; then the HMAC value of the first message can be written as

$\mathrm{HMAC}(K, m) = H\big((K \oplus \mathrm{opad}) \,\|\, H((K \oplus \mathrm{ipad}) \,\|\, m)\big),$

where m is the message, also referred to here as the first message. The block size of the hash functions MD5 and SHA-1 is 512 bits. The output size of the HMAC operation equals that of the underlying hash function, i.e. 128 bits for MD5 and 160 bits for SHA-1.

The HMAC value of the first message, i.e. of the concatenated frames 103-105 of group 112, can be used as the identifier of group of frames 112. To reduce the length of the identifier, the HMAC value may be truncated, for example to 16, 24, 32, 48 or 64 bits. It should be noted, however, that truncation affects the security of the message authentication code: an attacker who guesses a t-bit identifier succeeds with probability 2^-t per attempt, so the shortest lengths trade real forgery resistance for bit rate. Because the identifier is inserted into the data stream and therefore costs bit rate, the proposed method preferably uses a truncated version of the HMAC value as the identifier.

As shown in Fig. 1, the identifier 122 of group 112 is inserted into a frame of the next group 113, preferably into the first frame 106 of the following group 113. Similarly, identifier 121 was determined for the previous group 111 and inserted into the first frame 103 of group 112.

It should be noted that identifier 122 of group 112 can be computed either from a first message m that includes identifier 121 of the previous group 111, or from a first message m that does not include identifier 121. In the latter case the information relating to identifier 121 must be removed from the first message m before identifier 122 is determined. In either case it must be ensured that the encoder and the decoder use the same method for determining the first message m. In a preferred embodiment identifier 122 is based on a first message m that includes identifier 121 of the previous group 111. The identifiers are thereby continuously chained, which yields a chained bit stream that cannot be modified, for example by altering or replacing individual groups of frames, without detection. As a result the authenticity of the complete data stream or bit stream can be ensured. At the same time the receiver retains the ability to resynchronise on a partially damaged bit stream even though the identifiers are chained.

In a preferred embodiment the identifier is placed in the data_stream_element(), abbreviated <DSE>, defined in ISO/IEC 14496-3, Table 4.10, for MPEG-4 AAC and in ISO/IEC 13818-7, Table 24, for MPEG-2 AAC, both incorporated herein by reference. To facilitate decoder synchronisation, an AAC frame should include only one data_stream_element() <DSE> carrying an identifier, so that the decoder can determine the group length as the distance between two received identifiers. In other words, an AAC frame may include several data_stream_element() <DSE> elements, but only one of them should carry the identifier. In a preferred embodiment the <DSE> is positioned at the end of the AAC frame, immediately before <TERM>.

To allow rapid retrieval of the identifier, the DSE may be aligned on a byte boundary. For this purpose the DSE includes a field, or bit, indicating that the data contained in the DSE are byte-aligned; this tells the decoder that the actual DSE data begin at a bit position that is the start of a byte.

A bit stream, or data stream, may include multiple <DSE> elements. To distinguish one <DSE> from another, each <DSE> carries an element_instance_tag, defined for MPEG-4 AAC in ISO/IEC 14496-3, section 4.5.2.1.1, and for MPEG-2 AAC in ISO/IEC 13818-7, section 8.2.2, both incorporated herein by reference. The value of the element_instance_tag of the data_stream_element() carrying the identifier is not limited to any particular value; the general rules of the ISO/IEC standards apply. In other words, preferably no special rules apply to the element_instance_tag of the <DSE> containing the identifier beyond those established for MPEG-4 AAC in ISO/IEC 14496-3 and for MPEG-2 AAC in ISO/IEC 13818-7.

By analogy with the data stream examples above, a data stream for a two-channel audio programme may include the syntactic elements <CPE><FIL><DSE><TERM><CPE><FIL><DSE><TERM>.... Two-channel audio with SBR (spectral band replication) may include <CPE><SBR(CPE)><FIL><DSE><TERM><CPE><SBR(CPE)><FIL><DSE><TERM>..., where <SBR(CPE)> is the SBR-specific syntactic element. 5.1-channel audio can be constructed as <SCE><CPE><CPE><LFE><FIL><DSE><TERM><SCE><CPE><CPE><LFE><FIL><DSE><TERM>....

In a preferred embodiment the identifier field placed in the <DSE> comprises an identifier_sync field and an identifier_value field. The identifier_sync field allows quick recognition that this particular <DSE> carries the identifier: the encoder sets this field to a predefined value, for example a fixed bit pattern, to indicate that the <DSE> includes the identifier field, and the decoder uses it to test for the presence of an identifier value. The decoder is thereby informed that the received data stream includes an identifier that can be used for the authentication, verification and possibly configuration purposes described above.

In a preferred embodiment the identifier_value field holds the identifier value determined as described in this document. The field has as many bits as are used for the identifier, i.e. for the truncated HMAC value. As described above, the identifier generally covers N AAC frames, where N > 1, and every N-th AAC frame carries an identifier, i.e. includes the <DSE> containing the identifier element described above. As a rule, the encoder decides the number N of frames covered; the decoder can determine this value from the distance, expressed in frames, between two AAC frames that include identifiers.
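An added example, not the patent's or any AAC implementation's code, of the bit-level layout just described: a data_stream_element() writer and reader following the ISO/IEC 14496-3 syntax (3-bit id_syn_ele, 4-bit element_instance_tag, 1-bit data_byte_align_flag, 8-bit count with an 8-bit esc_count when count is 255, byte alignment, then the data bytes), with the identifier carried as identifier_sync followed by identifier_value, and a decoder that derives N from the spacing of frames whose DSE starts with the sync marker. The one-byte identifier_sync value 0xA5, and the modelling of the frame's channel elements as an opaque run of bits whose length the caller already knows from decoding them, are assumptions of the example; after that run only DSE and TERM elements are expected.

```python
ID_DSE, ID_END = 4, 7     # id_syn_ele codes for data_stream_element() and TERM/END
IDENTIFIER_SYNC = 0xA5    # constructed identifier_sync marker; the page fixes no value


class BitWriter:
    def __init__(self):
        self.bits = []

    def write(self, value, nbits):
        self.bits.extend((value >> (nbits - 1 - i)) & 1 for i in range(nbits))

    def byte_align(self):
        while len(self.bits) % 8:
            self.bits.append(0)

    def tobytes(self):
        self.byte_align()
        return bytes(int("".join(map(str, self.bits[i:i + 8])), 2)
                     for i in range(0, len(self.bits), 8))


class BitReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def read(self, nbits):
        value = 0
        for _ in range(nbits):
            value = (value << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value

    def byte_align(self):
        self.pos = (self.pos + 7) & ~7


def write_dse(w, instance_tag, payload, byte_align=True):
    """data_stream_element(): id_syn_ele, element_instance_tag, data_byte_align_flag,
    count (+ esc_count when count == 255), optional byte alignment, data bytes."""
    w.write(ID_DSE, 3)
    w.write(instance_tag, 4)
    w.write(1 if byte_align else 0, 1)
    if len(payload) >= 255:
        w.write(255, 8)
        w.write(len(payload) - 255, 8)
    else:
        w.write(len(payload), 8)
    if byte_align:
        w.byte_align()
    for b in payload:
        w.write(b, 8)


def read_dse(r):
    """Reader positioned just after the 3-bit id_syn_ele; returns (tag, data)."""
    instance_tag = r.read(4)
    align = r.read(1)
    count = r.read(8)
    if count == 255:
        count += r.read(8)
    if align:
        r.byte_align()
    return instance_tag, bytes(r.read(8) for _ in range(count))


def build_frame(audio_bits, identifier=None, extra_dse=None):
    """Constructed frame: an opaque channel-element payload of audio_bits bits, an
    optional non-identifier DSE, and the identifier DSE last, directly before TERM."""
    w = BitWriter()
    for i in range(audio_bits):          # stand-in for <SCE>/<CPE> content
        w.write(i & 1, 1)
    if extra_dse is not None:
        write_dse(w, 0, extra_dse)
    if identifier is not None:
        write_dse(w, 1, bytes([IDENTIFIER_SYNC]) + identifier)
    w.write(ID_END, 3)
    return w.tobytes()


def extract_identifier(frame, audio_bits):
    """Skip the audio payload, then walk the trailing elements until TERM, returning
    identifier_value from the DSE whose first data byte is identifier_sync."""
    r = BitReader(frame)
    r.pos = audio_bits
    while True:
        elem = r.read(3)
        if elem == ID_END:
            return None
        if elem != ID_DSE:
            raise ValueError("unexpected element id %d" % elem)
        _tag, data = read_dse(r)
        if data[:1] == bytes([IDENTIFIER_SYNC]):
            return data[1:]


def group_size_from_stream(frames_with_lengths):
    """N inferred as the distance between two consecutive identifier-carrying frames."""
    positions = [i for i, (frame, bits) in enumerate(frames_with_lengths)
                 if extract_identifier(frame, bits) is not None]
    return positions[1] - positions[0] if len(positions) >= 2 else None
```

Because the DSE header is 16 bits long and the audio payload can end at any bit, the byte_alignment() step pads 0 to 7 bits before the data; the reader must round up its position in the same way or it will read identifier_sync off by a few bits and miss the identifier. A concatenation device that only needs the identifier (see the head-end discussion above) still has to know where the channel elements end, which is why the example takes that bit length as an input rather than pretending to parse <CPE>.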

As described above, the ID can also be used to ensure that the decoder used the correct configuration settings. To this end, the ID can be generated on the basis of an extended message, which includes not only a concatenation of N consecutive shots, but it also includes configuration data. In other words, the first message that includes the N consecutive frames, as described above, may also include configuration information. These configuration data can include index samplingFrequencyIndex, i.e. a pointer of the base of the sampling frequency of the audio signal, index channelConfiguration, i.e. a cursor used for the configuration of channels, and the flag frameLengthFIag, i.e. the index used is the length of the frame. Also, there are other possible configuration options.

In a preferred embodiment of the invention settings "samplingFrequencyIndex" and "channelConfiguration" have the same meaning and value as the corresponding items in the "AudioSpecificConfig", described in the attached description of the ISO/IEC (for example, in the section 1.6.2.1 ISO/IEC 14496-3). Option "frameLengthFIag" has the same meaning and significance of that same element in "GASpecificConfig", described in the attached description of the ISO/IEC (for example, in section 4.4.1 and table 4.1 of ISO/IEC 14496-3).

The word configuration_word and N frames AAS , giving the message, m, which may also be called the second message, and which includes the word configuration_word in addition to the first message that includes a concatenation of N blocks AAS:

;

where |a| denotes concatenation. In the above example, the word configuration_word is placed before the first message. It should be noted that the word configuration_word also can be placed in other positions, such as at the end of the first message.

Similar to the above is NMAS, for example an HMAC-MD5, HMAC(m) message m is calculated using some «secret key, because the Key To can, for example, represent a specified ASCII code or any other secret value, and the value for HMAC message m is calculated using the above formula for NMAS.

It should be noted that the HMAC value for a message m can be defined consistently. This means that at the first stage can be defined value NMAS for words configuration_word. This leads to the first value NMAS as the initial condition for the definition of the NMAS to frame 1 of the AAS. The output of this operation is the second value NMAS for frame 2 AAC, etc. ultimately, using as an initial condition of values NMAS for frame N-1 AAS is NMAS for frame N AAS. Using such a consistent definition of the meaning of NMAS throughout the message, m, i.e. over the entire sequence of frames and/or the word configuration_word, you can generate the ID without increasing latency introduced in the bit stream. In addition, the memory requirements for generating values NMAS and/or identifier is maintained at a low level as to be stored in memory only the current frame bit stream and the source state, i.e. 128-bit values. The generation and storage of full message, m, is not required.

In order to reduce the overhead added to the bit stream by the identifier, the HMAC value is truncated from 128 bits to a smaller number of bits by discarding the least significant bits. For example, the HMAC value "9e107d9d372bb6826bd81d3542a419d6" may be truncated to "9e107d9d". The degree of truncation is preferably chosen as a compromise between the security of the identifier and the bit rate overhead it requires. Possible identifier lengths are 16, 24, 32, 48, 64, 80 or 96 bits. The truncated HMAC value is the identifier that is inserted into the identifier_value field of the DSE element.

Below are additional details relating to the encoding process. As already mentioned, it is the encoder that, as a rule, decides the number N of AAC frames covered by one identifier. For example, it may be desirable to ensure that the decoder can synchronize to the group length within no more than 1 second. Since the decoder needs two identifiers in order to synchronize to the group length, i.e. to the number of frames between two frames carrying an identifier, it must be ensured that the decoder receives at least two identifiers within the required time interval. Therefore, the encoder must choose N such that the duration of N AAC frames does not exceed 0.5 seconds. Because the duration of N AAC frames depends on the selected AAC sampling rate, the value of N selected by the encoder may vary with the selected AAC sampling rate.

To minimize the bit rate overhead introduced by the identifier, the encoder can choose the largest value of N satisfying the constraint that the duration of N AAC frames does not exceed 0.5 seconds. In some applications a slight excess over 0.5 seconds in the duration of N AAC frames is acceptable. In these applications the encoder can choose N so that the duration of N AAC frames is as close as possible to 0.5 seconds, even if in some cases this leads to a duration of N AAC frames slightly greater than 0.5 seconds. The overhead introduced by transmitting the identifier can be determined by evaluating the ratio between the length of the DSE element including the identifier and the total length of the frame (in bits).

It should be noted that the first generated AAC frame may contain a dummy identifier. The purpose of this first identifier may be to signal to the decoder the beginning of a sequence of AAC frames carrying identifiers. However, the decoder may not be in a position to perform authentication and verification on it, since this identifier may not be based on actual media data.

As discussed in relation to Fig. 1, the first computed identifier covers AAC frames 1 to N and is stored in AAC frame N+1. The next identifier covers AAC frames N+1 to 2N and is stored in AAC frame 2N+1, and so on.

Fig. 2A illustrates the sequence of operations of the encoding process. At stage 201 the encoder is initialized by providing the number N of frames in a group of frames. In addition, the key K is provided. At the next stage 202 the N frames of the group are concatenated to form the first message. Then, at stage 203, the first message is concatenated with the configuration word, giving the second message. At stage 204 the identifier is determined as a truncated version of the HMAC value calculated over the second message. This identifier is placed in the first frame of the next group of frames (stage 205). Finally, at stage 206 the group of frames is sent. It should be noted that a transmitted group of frames carries the identifier of the group of frames transmitted before it. Stages 202-206 are repeated until the complete data stream has been processed.

As already mentioned, the process described above can be performed in a sequential, iterative manner. This means in particular that the identifier may be determined frame by frame, without first concatenating the N frames and the configuration_word and computing the HMAC over this fully concatenated message. This process is illustrated in Fig. 2b. The iterative procedure is initialized at stage 207 by setting the initial state. The initial state may be the HMAC value of the configuration_word, which is stored in a 128-bit memory. Then the HMAC value can be determined for the first of the N frames (stage 208). The resulting HMAC value is stored in the 128-bit memory (stage 209) and used as the initial state for calculating the HMAC value of the second frame (stage 208). This process repeats until the HMAC value for the N-th frame has been determined, where the HMAC value for frame N-1 is taken from the 128-bit memory and used as the initial state (stage 208). The identifier is defined as a truncated version of the HMAC value for the N-th frame (stage 210). As an alternative to stage 206, each frame can be sent directly after it has been processed for the purpose of computing the HMAC value, without buffering the entire group of frames. The identifier is then added to the (N+1)-th frame and sent with that frame. This frame is thus the first frame used in the iterative calculation of the HMAC values for the following N frames. With this process, encoding can run frame by frame with low latency, low computational complexity and low memory requirements.

Below are additional details relating to the decoding process. As a rule, the decoder starts from the assumption that the stream to be decoded does not include a valid identifier, i.e. a flag indicating the presence of a valid identifier in the media stream is initially set to «false» and, as a rule, is set to «true» only upon the first successful reception of a valid identifier. This may be shown at the receiver, for example on an external device, by a visual indicator such as an LED, which indicates to the user that the received bit stream is authenticated and valid. As a result, the identifier may be used to indicate the quality of the received data stream to the user.

On the other hand, if the flag in the decoder is set to «true» but no identifier update has been received in the bit stream for more than Nmax frames, the flag can be set to «false». In other words, the decoder may know a maximum value of N, Nmax, that must not be exceeded. If the decoder does not detect a valid identifier for more than Nmax frames, this tells the decoder that the received bit stream no longer comes from a legitimate encoder or that the received bit stream may have been modified. As a consequence, the decoder sets the corresponding flag to «false». This can cause the visual indication, such as the LED, to return to its original state.

The identifier decoding procedure is illustrated in Fig. 3 and can be described as follows:

• At stage 300 the decoder starts and resets the flag "ID Verified".

• Then at stage 301 the (128-bit) internal memory is initialized.

• At stage 303 the decoder, having waited for and received a frame (stage 302), checks the received frame for an identifier in the bit stream. An identifier in the frame can be detected by means of the identifier_sync field described above. If an identifier was detected at stage 304, the decoder extracts identifier_value from the corresponding field of the <DSE> at stage 307.

• Then at stage 308 the verification identifier is generated by truncating the HMAC value held in the 128-bit state.

• The decoder continues at stage 309 by comparing the bit stream identifier with the verification identifier. If the two identifiers are found not to be equal (stage 310), the flag "ID Verified" is reset at stage 311, indicating that the bit stream does not come from a trusted encoder. If the identifiers are equal, the flag "ID Verified" is set at stage 312, indicating that the identifier has been verified and that the bit stream is valid, i.e. comes from a trusted encoder. In this case additional decoder features can be unlocked and/or the user can be informed of the verification status of the bit stream. Alternatively, some functions may be blocked if it is determined that the bit stream does not come from a trusted encoder, and/or the user can be informed accordingly.

• The decoding process continues at stage 313 by initializing the 128-bit internal memory.

• Then at stage 314 the 128-bit HMAC value for the current frame is calculated, and at stage 315 the 128-bit internal memory is updated with the calculated HMAC value. The decoder then returns to stage 302 to wait for the next frame.

• If the identifier is absent from the given frame (as determined at stage 304), the decoder enters stage 305, where it determines whether an identifier was present in one of the last Nmax frames.

• If the identifier was absent from the last Nmax frames, the decoder resets the flag "ID Verified" at stage 306, since the accepted maximum number of frames Nmax has elapsed without an identifier. The decoder then returns to stage 302 to wait for the next frame.

• If an identifier is present in one of the last Nmax frames, as determined at stage 305, the decoder can proceed to stage 314 to calculate the 128-bit HMAC value for the current frame.

As described above, the decoder can determine the verification identifier in a sequential, iterative process. This means that only the current frame is processed and there is no need to first concatenate multiple frames to determine the verification identifier. Accordingly, decoding of the identifier can be performed with low latency, low computational complexity and low memory requirements.

Fig. 4 shows an illustrative implementation of a data stream encoder 400 and decoder 410. An analog data stream 405, for example an audio stream, is converted into a digital data stream 406 by an analog-to-digital converter 402. The digital data stream 406 is encoded by an audio encoder 403, such as Dolby E, Dolby Digital, AAC, HE-AAC, DTS or Dolby Pulse. The audio encoder 403, as a rule, segments the digital data stream 406 into frames of the audio signal and performs data compression. In addition, the audio encoder 403 can add metadata. The output of the audio encoder 403 is a data stream 407 comprising a number of audio signal frames. The data stream 407 is then passed to a frame encoder 404, which adds identifiers, or cryptographic values, to the data stream 407. The frame encoder 404 operates in accordance with the features described in this patent document. It should be noted that the identifiers are typically determined and added sequentially, so that each frame coming from the audio encoder 403 is processed directly by the frame encoder 404. Preferably, the audio encoder 403 and the frame encoder 404 form a combined encoder 401, which can be implemented on a digital signal processor. Thus, the audio signal encoding features and the identifier generation features can influence each other. In particular, the encoding of the audio stream may need to take into account the additional overhead caused by the identifier. This means that the bit rate available for the bit stream may be reduced. This interaction between audio encoding and identifier generation can be used to meet total bandwidth and/or bit rate constraints in some encoding schemes, such as HE-AAC.

The combined encoder 401 outputs a data stream 408 comprising a number of groups of frames and the associated identifiers. The data stream 408 is usually delivered to a connected decoder and/or receiver 410 via various transmission means and/or data carriers. It reaches the decoder 410 as a data stream 418, which may differ from the data stream 408. The data stream 418 enters the frame decoder 414, which performs verification and authentication of the data stream 418 in accordance with the methods and systems described in this patent document. The frame decoder 414 outputs a data stream 417, which generally corresponds to the data stream 418 without the identifiers and the corresponding data fields or syntax elements. The data stream 417 is decoded in the audio decoder 413, where it is decompressed and the added metadata is removed. As described above, frame decoding is, as a rule, performed in a sequential, iterative manner, and thus the processing is done frame by frame.

It should also be noted that the various decoding/receiving components can be grouped to form a combined decoder. For example, the frame decoder 414 and the audio decoder 413 can form a combined decoder/receiver 411, which can be implemented on a digital signal processor. As described above, it may be useful to allow interaction between audio decoding and identifier verification. Finally, the combined decoder/receiver 411 outputs a data stream 416, which is converted to an analog audio signal 415 by a digital-to-analog converter 412.

It should be noted that in this document the term «encoder» can refer to the complete encoder 400, the combined encoder 401 or the frame encoder 404. The term «decoder» can refer to the complete decoder 410, the combined decoder 411 or the frame decoder 414. On the other hand, so-called «untrusted encoders» are encoders that generally do not generate an identifier, or do not generate the identifier in accordance with the methods described in this document.

Fig. 5 illustrates an exemplary broadcasting system 500, which includes a broadcast head node 504. The head node 504 also comprises a concatenation device, or concatenation means, capable of combining bit streams 501, 502, 503 originating from different encoders. In the broadcasting system the different bit streams 501, 502, 503 may be bit streams that are typically encoded by different encoders. The bit streams 501, 502, 503 consist of a series of frames, represented as differently shaded blocks. In the illustrated example, bit stream 501 comprises five frames, bit stream 502 four frames and bit stream 503 six frames. The concatenation device and/or the head node 504 is adapted to combine the bit streams in order to create a combined bit stream 505. As shown in the example, this combination can be done by appending bit stream 501 to bit stream 503 and appending bit stream 502 to bit stream 501. However, as also shown in Fig. 5, it may be necessary to select only parts of the original bit streams 501, 502 and 503. Thus the combined bit stream 505 includes only two frames of bit stream 503, followed by three frames of bit stream 501 and then two frames of bit stream 502.

The original bit streams 501, 502, 503 may include identifiers, i.e. bit streams 501, 502, 503 may originate from trusted encoders. Each identifier can be based on a different number N of frames. Without loss of generality it may be assumed that the identifiers of bit streams 501 and 503 are determined for groups of frames comprising two frames. On the other hand, bit stream 502 does not come from a trusted encoder and therefore does not include identifiers.

It is desirable that the concatenation device and/or the head node 504 broadcast a bit stream 505 that also includes identifiers when the incoming bit streams 501 and 503 come from trusted encoders. Such identifiers should be transmitted in the bit stream 505 for all parts of the bit stream 505 that come from a trusted encoder. On the other hand, the parts of the bit stream 505 that do not originate from a trusted encoder, i.e. the parts taken from bit stream 502, should not include identifiers.

To achieve this, the concatenation device can be adapted to perform identifier decoding and/or encoding. As shown in Fig. 5, the first two frames of the outgoing bit stream 505 come from bit stream 503. If these two frames correspond to a group of frames, then the identifier of this group of frames can be placed in the third frame of bit stream 505. This placement is described in relation to Fig. 1. If, on the other hand, the two frames belong to different groups of frames, the head node 504 can be adapted to

• check whether bit stream 503 comes from a trusted encoder; and

The number N used to generate the identifiers of the outgoing bit stream 505 is not necessarily equal to the number N used to generate the identifiers of the incoming bit streams 501 and 503. This can be seen in the case of bit stream 501, of which only three frames are included in the outgoing bit stream 505. A first identifier could be generated for the first two frames, while a second identifier could be generated for the third frame. In other words, N may be two for the first two frames and one for the third frame. Therefore, in general, N can change within the bit stream 505. This is possible because N can be determined in the decoder independently. Preferably, the number N used for the outgoing bit stream 505 is less than or equal to the N used for the incoming bit streams 501 and 503.

In addition, it should be noted that the incoming bit stream 502 does not include identifiers, i.e. bit stream 502 does not come from a trusted encoder. Accordingly, the concatenation device and/or the head node does not insert identifiers into bit stream 505 for the frames originating from bit stream 502. As described above, the decoder is generally adapted to detect the absence of identifiers in bit stream 505. If the number of frames without an identifier exceeds the predetermined maximum number Nmax, the decoder would, as a rule, determine that bit stream 505 no longer comes from a trusted encoder.

As shown in the example of Fig. 5, bit stream 505 is made up of parts that come from a trusted encoder and other parts that do not. Accordingly, bit stream 505 may include parts containing a valid identifier and other parts that do not. The concatenation device and/or the head node 504 can be adapted for

• reception of incoming bit streams that include identifiers;

• forwarding of a bit stream that includes identifiers as the outgoing bit stream;

• authentication of an incoming bit stream on the basis of its identifiers; and

• encoding of the bit stream with new identifiers.

In other words, the concatenation device and/or the head node 504 may include the encoder and/or decoder features described in the present patent document, i.e. the concatenation device and/or the head node 504 can function as a decoder when receiving an incoming bit stream, and as an encoder when generating the outgoing bit stream. In addition, it can be adapted to forward a bit stream including identifiers without performing authentication and re-encoding. Forwarding can be used for continuous transmission of the same bit stream, while decoding and re-encoding are preferably used at the boundaries between bit streams from different encoders. By using forwarding, the computational load on the concatenation device and/or the head node 504 can be reduced.

It should be noted that forwarding can be used in cases where the identifier of the previous frame does not affect the value of the identifier of the current frame. In these cases a group of frames and the associated identifier can be regarded as an independent entity that can be forwarded directly to the output bit stream. On the other hand, if continuously chained identifiers are used, where the identifier of the current frame depends on the identifier of the previous frame, the concatenation device preferably re-encodes the entire bit stream in order to generate an outgoing bit stream with continuously chained identifiers. This can guarantee that an unauthorized party has no opportunity to substitute segments of the outgoing bit stream.

It should be noted that in most cases re-encoding by the concatenation device is limited to generating new identifiers. The bit stream itself, i.e. in particular the encoded audio signal, is as a rule not affected. Accordingly, re-encoding of the bit stream can be performed with low computational complexity. However, if a cryptographic value is inserted into a frame that previously carried no cryptographic value, the audio signal may need to be re-encoded.

Vertical lines in the figure indicate the concatenation points. As can be seen from the figure, the outgoing bit stream contains a first section I corresponding to incoming bit stream 1, a second section II corresponding to incoming bit stream 2, a third section III corresponding to incoming bit stream 3 and a fourth section IV corresponding to incoming bit stream 4, where the sections are joined at the concatenation points. Before the first concatenation point, incoming bit stream 1, including its cryptographic values, can be copied into the concatenated bit stream. However, the first cryptographic value in section II requires recalculation, because after concatenation it relates to different frame data than the corresponding cryptographic value of bit stream 2. More precisely, this cryptographic value is based on five frames: one belonging to incoming bit stream 1 (before the concatenation point) and four belonging to incoming bit stream 2 (after the concatenation point). Recalculated cryptographic values are indicated by arrows above the bit stream and by a change of hatching. Because the first recalculated cryptographic value in the concatenated bit stream changes, the subsequent cryptographic values of bit stream 2 must also be recalculated.

At the second concatenation point the selected bit stream changes from 2 to 3. The cryptographic value of the first frame of section III is recalculated on the basis of the preceding six frames of bit stream 2. At the next concatenation point the untrusted bit stream 4 is selected, and in section IV of the concatenated stream no cryptographic values can be inserted. Alternatively, a cryptographic value can be generated for the final frames of bit stream 3 copied into the concatenated bit stream, in order to indicate the end of the trusted section of the concatenated bit stream. This additional cryptographic value is preferably inserted into the first frame of section IV, which is shown in the figure as a dotted circle. Depending on the bit rate requirements, that frame may need to be re-encoded in order to create space for inserting the additional cryptographic value.

Fig. 7 illustrates another example of concatenating incoming bit streams 1 and 2 into an outgoing bit stream. Here the concatenation point in the first bit stream lies directly before a frame carrying a cryptographic value, and in the second bit stream directly after a frame carrying a cryptographic value. If the positions of the cryptographic values from the first and second bit streams are kept, a large gap between cryptographic values may occur in the concatenated bit stream. The distance between cryptographic values in this section of the concatenated bit stream may exceed the maximum value Nmax that the decoder accepts without signaling a loss of trust in the bit stream. Therefore, it is preferable to insert an additional cryptographic value at the concatenation point, for example in the first frame of the second bit stream, so that the number of frames in a group does not exceed Nmax. Again, depending on the bit rate requirements, this frame may need to be re-encoded to create space for inserting the additional cryptographic value into the bit stream. It should be noted that in this case the cryptographic value can be copied from the first frame of bit stream 1 after the concatenation point, since the additional cryptographic value in the concatenated bit stream belongs to the same six frames of bit stream 1. The content of the data frame that carries the additional cryptographic value, however, belongs to bit stream 2 (more precisely, it corresponds to the first frame of bit stream 2 after the concatenation point).

This document describes a method and system that make it possible to insert an identifier, or cryptographic value, into a data stream. The identifier can be used for authentication and verification of the data stream. The identifier can also be used to ensure correct configuration of the decoder for the data stream being produced or processed. In particular, the method and system add to an HE-AAC bit stream additional data, i.e. an identifier that authenticates the bit stream as originating from a legitimate encoder or transmitter. This authentication can tell the receiver that the HE-AAC bit stream conforms to certain specifications and/or to a quality standard. Preferably, the identifier is obtained by computing HMAC-MD5.

The method and system can be used for authentication of multimedia files and multimedia streams, and they also allow concatenation of several protected streams without breaking the authentication as a whole. This means that conformance is checked not only for the full stream but for any set of consecutive frames. This check supports typical broadcast scenarios, i.e. so-called «concatenation», in which the actual output bit stream is often created by switching between different encoders. Furthermore, the method and system can also be used to secure in-band and out-of-band information, where in-band information typically comprises media data and associated metadata, and out-of-band information typically comprises configuration data. Thus, the method and system make it possible to manage and/or detect correct reproduction and/or decoding of a multimedia stream.

The method and system described in this document can be implemented as software, firmware and/or hardware. Some components can be implemented, for example, as software running on a digital signal processor or a microprocessor. Other components can be implemented, for example, as hardware or as application-specific integrated circuits. The signals encountered in the described methods and systems can be stored on storage media such as memory and optical data storage media. They can be transmitted over networks such as radio networks, satellite networks, wireless networks or wired networks such as the Internet. Typical devices using the method and system described in this document are external devices or other customer-premises equipment that decodes audio signals. On the encoding side the method and system can be used in broadcast stations, for example in the head nodes of audio and video broadcasting systems.

1. A method of encoding a data stream comprising a number of data frames, the method including the steps of: - generating a cryptographic value for a block of N consecutive data frames from the number of data frames and from configuration information using a cryptographic hash function, where the configuration information includes information for rendering the data stream; - inserting the cryptographic value into the data frame of the data stream that follows the N consecutive data frames; and - generating intermediate cryptographic values for each of the N consecutive frames of the block using an initial state, where the initial state is the intermediate cryptographic value of the preceding frame of the block, where the initial state for the first frame of the block is the intermediate cryptographic value for the configuration information, and where the cryptographic value is the intermediate cryptographic value of the N-th frame of the block.

2. The method according to claim 1, characterized in that the cryptographic value is inserted into the <DSE> of the data stream, where the <DSE> of the data stream is a syntax element of a data frame of the data stream, and where the data stream is an MPEG4-AAC or MPEG2-AAC stream.

3. The method according to claim 1, characterized in that the number of frames N is greater than one.

4. The method according to claim 1, characterized in that the data frames represent video or audio data.

5. The method according to claim 1, characterized in that the data frames represent AAC or HE-AAC frames.

6. The method according to claim 1, characterized in that the configuration information includes at least one of the following: - a sampling frequency index; - a channel configuration indicator of the audio coding system; - an indicator of the number of samples in a data frame.

7. The method according to claim 1, characterized in that the cryptographic value is generated using a key value.

8. The method according to claim 7, wherein the step of generating the cryptographic value includes calculating the HMAC-MD5 value for the block of N consecutive data frames and the configuration information.

9. The method according to claim 8, wherein said step of generating the cryptographic value includes truncating the HMAC-MD5 value to obtain the cryptographic value.

10. The method according to claim 9, wherein the HMAC-MD5 value is truncated to 16, 24, 32, 48, 64, 80, 96 or 112 bits.

11. The method according to claim 1, characterized in that the cryptographic value for the block of N consecutive data frames is inserted into the data frame of the data stream that follows the block of N consecutive frames.

12. The method according to claim 1, characterized in that it further includes a step of: - inserting a synchronization indicator after the block of N consecutive frames, where the synchronization indicator signals that a cryptographic value has been inserted.

13. The method according to claim 1, characterized in that the <DSE> of the data stream is inserted at the end of the block before <TERM>.

14. The method according to claim 1, characterized in that the content of the <DSE> of the data stream is aligned to a byte boundary of the data stream.

19. The method according to claim 4, further including a step of: - interacting with the video and/or data stream.

20. The method according to claim 19, wherein the step of interacting with the video and/or data stream sets the maximum bit rate for the video and/or data stream such that the specified bit rate of the data stream including the cryptographic value does not exceed a predetermined value.

21. A decoding method for verifying a data stream in a decoder, where the data stream includes a number of data frames and a cryptographic value associated with a block of N consecutive data frames, the method including the steps of: - generating a second cryptographic value for the block of N consecutive data frames and configuration information using a cryptographic hash function, where the configuration information includes information for rendering the data; where generating the second cryptographic value includes generating second intermediate cryptographic values for each of the N consecutive frames using an initial state; where the initial state is the second intermediate cryptographic value of the preceding frame of the block; where the initial state for the first frame of the block is the second intermediate cryptographic value for the configuration information; where the second cryptographic value is the second intermediate cryptographic value of the N-th frame of the block; - extracting the cryptographic value from the data stream; and - comparing the cryptographic value with the second cryptographic value in order to verify the data stream.

22. The method according to claim 21, wherein the data stream is an MPEG4-AAC or MPEG2-AAC stream; where the cryptographic value is extracted from the <DSE> of the data stream; and where the <DSE> of the data stream is a syntax element of a data frame of the data stream.

23. The method according to claim 21, wherein the data stream includes a number of blocks of N consecutive data frames and associated cryptographic values, and where the method further includes a step of determining the number N as the number of frames between two consecutive cryptographic values.

24. The method according to claim 21, wherein the cryptographic value is generated in a corresponding encoder from the N consecutive data frames and the configuration information in a manner that matches the method used to generate the second cryptographic value.

25. The method according to claim 24, wherein the cryptographic value and the second cryptographic value are generated using the same key value and the same cryptographic hash function.

26. The method according to any one of claims 21-25, characterized in that it further includes the steps of: - setting a flag when the cryptographic value matches the second cryptographic value; and - providing a visual indication when the flag is set.

27. The method according to claim 21, characterized in that it further includes a step of resetting the flag if the cryptographic value does not match the second cryptographic value, or if a cryptographic value cannot be extracted from the data stream.

28. An encoder for encoding a data stream comprising a number of data frames, where the encoder contains a processor adapted to: - generate a cryptographic value for a block of N consecutive data frames from the number of data frames and from configuration information using a cryptographic hash function, where the configuration information includes information for rendering the data stream; - insert the cryptographic value into the data frame of the data stream that follows the N consecutive data frames; and - generate intermediate cryptographic values for each of the N consecutive frames of the block using an initial state, where the initial state is the intermediate cryptographic value of the preceding frame of the block, where the initial state for the first frame of the block is the intermediate cryptographic value for the configuration information, and where the cryptographic value is the intermediate cryptographic value of the N-th frame of the block.

29. A decoder for verifying a data stream that includes a number of data frames and a cryptographic value associated with a block of N consecutive data frames, wherein the decoder contains a processor operable to: generate a second cryptographic value for the block of N consecutive data frames and configuration information using a cryptographic hash function, wherein the configuration information includes information for rendering the data; wherein generating the second cryptographic value includes generating a second intermediate cryptographic value for each of the N consecutive frames using an initial state, wherein the initial state is the second intermediate cryptographic value of the previous frame of the block, wherein the initial state of the first frame of the block is the second intermediate cryptographic value for the configuration information, and wherein the second cryptographic value is the second intermediate cryptographic value of the N-th frame of the block; extract the cryptographic value from a frame of the data stream; and compare the cryptographic value with the second cryptographic value in order to verify the data stream.
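The chained construction of claims 28 and 29 (initial state derived from the configuration information, each frame's state chained from the previous frame, the N-th intermediate value carried in the following frame) and the flag behaviour of claims 26 and 27, as an added example that is not the patent's own code. The hash function, the HMAC-SHA256 keyed construction over state||frame, and the frame/value record layout are assumptions; the key, configuration bytes and frames are constructed sample values.

```python
import hashlib
import hmac

N = 4  # frames per block; value chosen for this example


def intermediate(key: bytes, state: bytes, data: bytes) -> bytes:
    # One chaining step. The page does not fix the hash or how the state and
    # frame are combined, so keyed HMAC-SHA256 over state||data is an assumption.
    return hmac.new(key, state + data, hashlib.sha256).digest()


def block_value(key: bytes, config: bytes, frames: list[bytes]) -> bytes:
    # Initial state for the first frame is the intermediate value over the
    # configuration information; each later frame starts from the previous
    # frame's result; the block's value is the N-th frame's intermediate value.
    state = intermediate(key, b"", config)
    for frame in frames:
        state = intermediate(key, state, frame)
    return state


def encode(key: bytes, config: bytes, frames: list[bytes], n: int = N) -> list[dict]:
    # Stream element = frame data plus an optional cryptographic value ("cv").
    # The value for frames k..k+n-1 is carried in the frame that follows them.
    stream = [{"data": f, "cv": None} for f in frames]
    for start in range(0, len(frames) - n, n):
        stream[start + n]["cv"] = block_value(key, config, frames[start:start + n])
    return stream


def verify(key: bytes, config: bytes, stream: list[dict], n: int = N) -> list[bool]:
    # Returns the authentication flag after each block boundary: set when the
    # extracted value matches the recomputed second value, reset when it does
    # not match or when no value can be extracted from the carrying frame.
    flags = []
    for start in range(0, len(stream) - n, n):
        carried = stream[start + n]["cv"]
        frames = [e["data"] for e in stream[start:start + n]]
        expected = block_value(key, config, frames)
        flags.append(carried is not None and hmac.compare_digest(carried, expected))
    return flags


if __name__ == "__main__":
    key, config = b"sample-key", b"rate=48000;channels=2"  # constructed
    frames = [b"frame-%d" % i for i in range(9)]           # constructed
    stream = encode(key, config, frames)
    print(verify(key, config, stream))                     # both blocks verify
    stream[2]["data"] = b"tampered"
    print(verify(key, config, stream))                     # first block flag reset
```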

30. A data carrier comprising a program, implemented in software, adapted for execution on a processor and for carrying out the steps of the method according to any one of claims 1-20 when executed on a computing device.

31. A data carrier comprising a program, implemented in software, adapted for execution on a processor and for carrying out the steps of the method according to any one of claims 21-27 when executed on a computing device.

32. An external device designed to decode a data stream including an audio signal, wherein the external device includes a decoder according to claim 29 for verifying the received data stream.

33. A portable electronic device designed to decode a data stream including an audio signal, wherein the portable electronic device includes a decoder according to claim 29 for verifying the received data stream.

34. A computer designed to decode a data stream including an audio signal, wherein the computer includes a decoder according to claim 29 for verifying the received data stream.

35. A broadcasting system intended for a data stream including an audio signal, wherein the broadcasting system includes an encoder according to claim 28.

36. A method of concatenating a first and a second bit stream, each of which includes a number of data frames and a cryptographic value associated with the specified number of data frames, wherein the method includes the step of generating a concatenated bit stream from the first and second bit streams, wherein the concatenated bit stream includes at least part of the number of data frames from the first and second bit streams and includes a cryptographic value generated and inserted in accordance with the method of any one of claims 1-20.

37. A concatenation device operable to concatenate a first and a second bit stream, each of which includes a number of data frames and cryptographic values associated with the specified number of data frames, wherein the concatenation device contains an encoder according to claim 28 designed to encode the last frame of the first bit stream and the first frame of the second bit stream.

38. The concatenation device according to claim 37, characterized in that it further contains: a decoder according to claim 29 for verifying the last frame of the first bit stream, the first frame of the second bit stream and the associated cryptographic values; and a control unit that enables the encoder to insert cryptographic values into the concatenated bit stream only if the corresponding first and second bit streams have been authenticated.

 
