Encrypt digital content transfer approach and server end
Technical field
The present invention relates to a kind of encrypt digital content transfer approach and a kind of server end that is used for providing digital content with cipher mode.
Background technology
Along with rapid development of Internet and universal, users count the transmission of a tree name, the issue of resource and the download of resource etc. by the Internet more and more.It is of common occurrence already to download various digital resources such as music, download movie and television play or download computer software from the Internet.The demand that the high speed development of the Internet has no doubt made things convenient for the user that information is obtained has fast also been brought challenge to the copyright protection of various digital resources but then.In daily life, provide the website of unwarranted music sources, movie and television play resource, software resource varied, the user can obtain free pirate resource easily from these websites.And extensively popularizing and using of P2P softwares such as electric donkey (eMule) software further facilitated the diffusion of pirate resource, for copyright protection has been brought bigger difficulty.Propagating wantonly of interconnected Internet piracy resource is no doubt not high relevant with users' legal consciousness, has some relations but lack corresponding copyright management system with legal digital resource.Though also there is copy-right protection method in the prior art to digital resource; as digital resource being done encryption, being done authentication etc. for the taker that obtains of digital content; but these methods do not realize in a complete copyright management system; though make existing method realize protection, also be not easy to validated user obtaining digital resource through a legal device simultaneously to digital resource.In addition, the owner of digital resource to enlarge its business impact, equally also needs a safe and reliable copyright management system if will issue digital resource on the net safely.Digital copyright management (Digital Right Management, be called for short DRM) be along with digital media programs such as digital audio/video program in environment such as the Internet wide-scale distribution and the relevant new technology of a kind of and application demand that grows up.DRM can adopt encryption technology usually: for the digitized program through encoding compression processing, set up digital program authorization center (License Issuer), utilize key that the content that needs protection in the program is encrypted.During the above-mentioned program of user's playback, the association key that provides that need obtain the digital program authorization center is decrypted program, can play.Because program is encrypted,,, thereby protected the copyright of program if the checking mandate that does not obtain the digital program authorization center also can't playback even preserved and disseminate to other people by user's download.Under the DRM condition, the media processor that only has decoding function is no longer suitable, and need add decipher function on the basis of decoding.In the prior art, a kind of Media Processor with decipher function is arranged, the deciphering module of this processor and decoder module are on two devices independently, for example, deciphering module and decoder module adhere to independently two chip blocks or software separately, and the media data flow after the deciphering still may illegally be intercepted before decoding.In the prior art; also has a kind of Media Processor; the deciphering of this processor and decoding function module concentrate in the device; like this; media data flow after the deciphering can be protected effectively; but the key of in this kind device, come from the outside (normally digital program authorization center) still might be stolen, and needs special solution.
On the other hand, in the carrying out of the various related services of Streaming Media, streaming medium content is easy to duplicate and distribute, and when lacking safety measure and protect streaming medium content, problem of piracy just inevitably occurs.Introduced the media stream encryption resist technology thus, by the encipherment protection to streaming medium content, content supplier can protect the distribution of oneself content and control content.CA system (Conditional Access System, condition receiving system) is one of existing media stream encryption protection system, and it is by realizing the protection to streaming medium content to the encryption of streaming medium content and access control.The CA system mainly produces two class messages, first ECM (Entitlement Control Message, Entitlement Control Message) message, claim Entitlement Control Message again, it is a kind of electronic key signal of special shape, it is sent to receiving terminal in the encrypted back of transmitting terminal with streaming medium content, and at receiving terminal, ECM is used to control descrambler.Another kind is EMM (Entitlement Management Message, an Entitlement Management Message) message, claims Entitlement Management Message again, and it is a kind of information of authorizing certain or certain user certain or some business to be carried out descrambling.It is the same with Entitlement Control Message, is sent to receiving terminal in the encrypted back of transmitting terminal with streaming medium content.
Owing to the fail safe that the encipherment protection of streaming medium content has improved streaming medium content greatly, contained piracy to a certain extent, protected content supplier and benefits of operators, so this technology is used widely.The encipherment protection scheme of the streaming medium content that provides in the prior art is provided.Disclose a kind of like this technical scheme in the prior art, wherein, the real time flow medium business arrives subscriber terminal equipment by transmission network immediately after encrypting through encryption device.The media content that sends from the streaming medium content source generates the streaming medium content ciphertext through the processing of CA system, encryption device and other relevant device, and the streaming medium content ciphertext is through transmission network incoming terminal equipment.Wherein media stream encryption equipment can be the part of CA system, specifically decides on the realization of each business men.
According to the also known such a solution of prior art; wherein; media content can be stored on the network storage equipment through behind the encipherment protection in the non real-time streaming media service; when treating that the user need watch this media content; terminal equipment is from network storage equipment application and obtain related media content ciphertext, and this network storage equipment is commonly referred to as the streaming server end.The non real-time streaming medium content is not directly given terminal equipment by Network Transmission after encryption, but store on the streaming server end with the form of file, ECM and media content store on the streaming server end simultaneously, and are stored in the same file by certain time sequence and media content.
Since existing digital copyright protection technology only considered usually digital content on server safe storage and key in the fail safe of transmission course; protection to copyright has just stopped along with decruption key sends to authorized user safely, does not guarantee that media data is in reading process and read fail safe after the end.This general framework is static, disposable to the encryption of digital content, and digital content exposes fully through once cracking then, and coefficient of safety is lower.
Summary of the invention
At above-mentioned problems of the prior art, the present invention proposes a kind of encrypt digital content transfer approach and a kind of server end that is used for providing with cipher mode digital content, can send digital content by utilizing this method and this server end saferly.
In order to reach this purpose of the present invention, a kind of encrypt digital content transfer approach is disclosed according to a preferred embodiment of the present invention, wherein, provide digital content by server end to client, described server end comes encrypted digital content in the mode relevant with the hardware ID of described client.In this preferred implementation, digital content is preserved in advance by server end or this server end can call and be handled from other servers." mode relevant with the hardware ID of client " means in this article: the hardware ID information of client directly or indirectly is used for encrypting, wherein, can be with hardware ID information all directly as encryption key, also can perhaps also hardware ID information can be handled (logical operation or arithmetical operation) with wherein part as encryption key.Client's hardware ID information includes but not limited to: the combination of CPU id information, hard disk reel number information, BIOS information, MAC Address of Network Card, IP address, other collectable hardware encodings or above information.
According to a preferred embodiment of the present invention, described encrypt digital content transfer approach comprises successively: digital content partiting step, initial encryption step, follow-up encrypting step, escape controller generate step and decryption step; In described digital content partiting step, digital content is divided into a plurality of content pieces according to a predefined procedure or a scheduled timing; In described initial encryption step, utilize the information relevant as the initial encryption key with the hardware ID of client, the first content piece of encrypted digital content is to obtain the first ciphertext content piece; In described follow-up encrypting step, with the first ciphertext content piece is that second encryption key comes the second content piece of encrypted digital content to obtain the second ciphertext content piece, be that the 3rd encryption key comes the 3rd content piece of encrypted digital content to obtain the 3rd ciphertext content piece, by that analogy till whole digital contents are all encrypted with the second ciphertext content piece subsequently; Generate in the step at described escape controller, read the value of passing through the described first ciphertext content piece assigned address of encrypting and generate identification code by described server end, and described server end record corresponding to the order of the described first ciphertext content piece or sequential as timestamp, and described server end writes down described identification code and described timestamp in the escape controller, by that analogy, till described server end will all be recorded in the described escape controller at all described identification codes of each ciphertext content piece and described timestamp, described subsequently server end sent to described client with described escape controller; In described decryption step, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, position and described order or sequential that described identification code and described timestamp by described escape controller finds each ciphertext content piece, utilize described initial solution decryption key that the described first ciphertext content piece is decrypted to obtain described first content piece subsequently, described identification code and described timestamp by the described second ciphertext content piece position and described order or the sequential that find the described second ciphertext content piece and utilize described first content piece that the described second ciphertext content piece is decrypted to obtain described second content piece subsequently, then described first content piece and second content piece are made up by described order or sequential, utilize described second content piece that described the 3rd ciphertext content piece is decrypted to obtain described the 3rd content piece again, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, all decrypted and by the combination of described order or sequential up to all ciphertext contents, final described client obtains the plaintext of described digital content.
In this preferred implementation, digital content partiting step, initial encryption step, follow-up encrypting step, escape controller generate step and decryption step is carried out successively, but can also increase extra method step between each step He before the first step.In the digital content partiting step,, can divide this digital content according to predefined procedure so if the digital content of being asked is the static digital content as text message, PDF file, JPG picture; If the digital content of being asked is the streaming digital content as online Streaming Media, can divide this digital content according to scheduled timing so.Certainly the invention is not restricted to this dual mode, but can adopt the common mode of various those skilled in the art to divide these digital contents.For example can adopt the deblocking method of being mentioned in the Chinese patent application 200510021479, and at " computer science " 2004 08 interim disclosed a kind of quick original place conflation algorithms based on deblocking.Client receives the ciphertext content piece behind the block encryption and it is arranged, and belongs to technology well known by persons skilled in the art.For example can adopt the mode that increases index to realize herein; Also can pass through treaty rule, the feature of each ciphertext content piece is provided to client by server end; In view of the above, client can be arranged each ciphertext content piece according to described treaty rule after receiving corresponding each ciphertext content piece.And each ciphertext content piece is decrypted according to " opposite sequence " of encrypting.
According to a preferred embodiment of the present invention, before described digital content partiting step, also comprise registration step, wherein, described client sends to described service end with its hardware ID information, described service end writes down described hardware ID information, and described server end generates private cipher key and public keys, and described server end sends to described client with described private cipher key, and described private cipher key and described public keys are stored in described server end.In this preferred implementation, adopted extra registration step, registered in advance helps the authentication in later stage, has guaranteed the specific aim and the validity of request.Adopt private cipher key and this asymmetric encryption mode of public keys, further promoted fail safe.Certainly herein, the present invention also can adopt symmetric key.
According to a preferred embodiment of the present invention, after described registration step, before the described digital content partiting step, described encrypt digital content transfer approach also comprises service request steps, wherein, described client utilizes described private cipher key to come cryptographic service request message, described service request information comprises the hardware ID information of described client and described client to digital requests for content message, and the described service request information after described subsequently client will be encrypted is sent to described server end; Described server end utilizes the described service request information after described public keys comes enabling decryption of encrypted, with the hardware ID information that obtains described client and described client to digital requests for content message.In this preferred implementation, in service request steps, utilized hardware ID information, this mode is reliable and quick in authentication process.
According to a preferred embodiment of the present invention, after described service request steps, described encrypt digital content transfer approach also comprises hardware ID coupling step, wherein, described server end by decipher described service request information obtain the hardware ID information of described client and described client to digital requests for content message after, described server end compares hardware ID information and described hardware ID information by its storage.In this preferred implementation, utilize hardware ID information to carry out authentication, and hardware ID information send to server end through encryption.How server end judges this service request information belongs to prior art from which client when receiving service request information, no longer repeat for simplicity.Server end can obtain hardware ID information after utilizing publicly-owned secret key decryption, whether can clearly judge this client in this course is " personation " client.
According to a preferred embodiment of the present invention, after described hardware ID coupling step, described encrypt digital content transfer approach comprises that also the initial encryption key generates step, wherein, if the hardware ID information that hardware ID information that is received by described server end and described server end are stored in advance matches each other, then described server end generates authorization key, described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain described initial encryption key.Herein concrete regulation a kind of preferred initial encryption key generating mode, but the invention is not restricted to this mode, as long as but hardware ID information indirect ground can be used to generate the initial encryption key, just fall into protection scope of the present invention.
Provided in the encrypt digital content transfer approach of digital content to client by server end according to of the present invention, wherein, described client is deciphered the digital content that is sent by described server end in the mode relevant with its hardware ID.This manner of decryption is cipher mode " inverse operation " according to the present invention.Here, client is also carried out decryption oprerations according to " mode relevant with its hardware ID ".Herein, how server end handles the hardware ID information of client to be used for encryption, and then client is also correspondingly handled the hardware ID information of client to be used for deciphering.
According to a preferred embodiment of the present invention, described method comprises that also licence generates step, and wherein, thereby described service end utilizes described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client; The described licence through encrypting that described client is utilized described private cipher key to decipher and received obtains described initial encryption key, as the initial solution decryption key of described client.Adopt licence can further strengthen fail safe.Also can not adopt licence, but directly send the initial encryption key to client by server end.
According to a preferred embodiment of the present invention, after described licence generates step, described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtain hardware ID information, the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually; If the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out described decryption step.According to this preferred implementation, client can judge in advance whether the digital content that is received is the wrong content that sends to it mistakenly before carrying out deciphering.Thereby avoided deciphering with taking time and effort, and the situation of the digital content that can't use of getting back.
According to another aspect of the present invention, the invention also discloses a kind of server end that is used for providing digital content with cipher mode, it comprises: user management module, authorization module content module and escape controller, wherein, described user management module is responsible for the registered task of client at described server end, and be responsible for the hardware ID information of the described client of storage, after client succeeds in registration, described user management module generates private cipher key and public keys, and described user management module sends to described client with described private cipher key, and described private cipher key and described public keys are stored in the described user management module, described user management module also is responsible for utilizing hardware ID information to come Authentication Client simultaneously, only after authentication was passed through, described user management module was just provided described public keys to described authorization module; Described authorization module is responsible for the request in response to client, utilize described public keys to decipher received service request information, so that obtain described hardware ID information and the digital content request of described client institute, and described authorization module is submitted described hardware ID information to described user management module, only when consistent with the hardware ID information matches of described user management module storage, described authorization module just generates authorization key and described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain the initial encryption key; And thereby described authorization module can utilize described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client, and described authorization module also is transmitted to described content module with described client to digital requests for content; Described content module is responsible for carrying out piecemeal in response to the digital content that the described request of described client is asked the described client of being come by described authorization module forwarding, and utilize described initial encryption key that a plurality of content pieces are encrypted to obtain a plurality of ciphertext content pieces successively according to predefined procedure or sequential, and be responsible for these ciphertext content pieces are sent to described client, described content module of while also reads through the value of the described first ciphertext content piece assigned address of encrypting and generates identification code, and record corresponding to the order of the described first ciphertext content piece or sequential as timestamp, and the like, up to described server end with all described identification code and described timestamp record in the escape controller till, described subsequently server end sends to described client with described escape controller.
The method disclosed in the present and equipment utilization data cutting techniques are divided into a plurality of with digital content, utilize " information relevant with the hardware ID of client " to each content piece encryption and decryption successively.Finally encrypted digital content piecemeal transmission even if stolen also and must resequence to the digital content piece behind elder generation's analysis encryption principle again by the hacker, cracks one by one, breaks through difficulty and significantly improves with content piece number.This method has also been included the checking procedure of user's hardware ID in addition, has further prevented to illegally copy and illegal the propagation.This method utilize the hardware information binding technology solved conventional art only to the protection of copyright along with decruption key sends to the drawback that authorized user promptly stops safely; utilizing piecemeal escape multiplexing technique to solve conventional art is static, disposable to the encryption of digital content; through once cracking the drawback that digital content then exposes fully; realized the high security of digital content in propagating overall process, prevented to illegally copy and illegally propagate, distort.
Although this paper has only described the one or more combination mode in the above-mentioned execution mode of the present invention, and do not mean that the present invention only limits to these compound modes, but can be made up these preferred implementations with any meaningful ways.
Description of drawings
Fig. 1 illustrates the inventive method according to first preferred implementation;
Fig. 2 illustrates the inventive method according to second preferred implementation;
Fig. 3 illustrates the encryption method according to the inventive method;
Fig. 4 illustrates the decryption method according to the inventive method;
Fig. 5 illustrates the schematic diagram of escape controller model;
Fig. 6 illustrates the data packet format schematic diagram of record in the escape controller.
Embodiment
Below in conjunction with accompanying drawing, describe in detail according to the embodiment of the present invention.It is pointed out that these accompanying drawings only are schematically, do not constitute the qualification to protection scope of the present invention.
Fig. 1 illustrates the flow chart of first preferred implementation of the inventive method.As shown in Figure 1, carrying out digital content by server end to client and transmit, wherein is to utilize the mode relevant with the hardware ID of described client to carry out encryption and decryption.This method comprises successively: digital content partiting step S104, initial encryption step S105, follow-up encrypting step S106, escape controller generate step S110 and decryption step S109.Described digital content transmits can utilize wireless transmission method such as bluetooth, GPRS, GSM, WCDMA, WiFi, ZigBee, microwave communication and/or TD-SCDMA to realize, also can realize, for example by modes such as packet switching and optical fiber communications according to wire transmission mode.Utilizing the mode relevant with the hardware ID of described client to carry out encryption and decryption means: " with the hardware ID information translation is directly described code to be carried out encryption and decryption as key behind the binary code; perhaps its part is used as key, also can be this code is carried out after the computing of certain rule operation result being carried out encryption and decryption as key ".
In digital content partiting step S104, according to a predefined procedure or a scheduled timing digital content is divided into a plurality of content pieces, the division of digital content can utilize the data cutting techniques, for example according to one section of every 128bit, initial data is divided into multistage.Because the division methods of digital content is a known technology, therefore omitted the specific implementation of this method, see the patent No. for details and be the introduction in 200380106529.1 " data dividing method and use the device of XOR "; Described predefined procedure or scheduled timing are meant because sound, media datas such as video or stream medium data and text data are to carry out with the form of divided data bag in transmission course, the route that each packet is selected in transmission course may be not quite similar, it is also just different to arrive the required time of client, the situation that the packet sent out earlier arrives after but might appear, cause obtaining incorrect result after the transmission, therefore can be earlier before the data packet transmission with the order of fixing or gomma in corresponding packet, client obtains correct result thereby according to the order of institute's mark or sequential packet is arranged according to the order of sequence when receiving packet.
In described initial encryption step S105, utilize the information relevant as the initial encryption key with the hardware ID of client, the first content piece of encrypted digital content to be obtaining the first ciphertext content piece, and the described first ciphertext content piece is sent to described client.Client's hardware ID information includes but not limited to: the combination of CPU id information, hard disk reel number information, BIOS information, MAC Address of Network Card, IP address, other collectable hardware encodings or above information.
In described follow-up encrypting step S106, be that second encryption key comes the second content piece of encrypted digital content to obtain the second ciphertext content piece with the first ciphertext content piece subsequently, and the described second ciphertext content piece is sent to described client, be that the 3rd encryption key comes the 3rd content piece of encrypted digital content to obtain the 3rd ciphertext content piece with the second ciphertext content piece subsequently, and described the 3rd ciphertext content piece is sent to described client, by that analogy until whole digital contents all encrypted and be sent to described client till.
Generate among the step S110 at described escape controller, read the value of passing through the described first ciphertext content piece assigned address of encrypting and generate identification code by described server end, and described server end record corresponding to the order of the described first ciphertext content piece or sequential as timestamp, and described server end with described identification code and described timestamp record in the escape controller; By that analogy, till described server end will all be recorded in the described escape controller at all described identification codes of each ciphertext content piece and described timestamp, described subsequently server end sent to described client with described escape controller.Wherein, described server end can read the combination of the first place value of described each ciphertext blocks, last place value or any one or more value or these modes as identification code, also the value that is read can be carried out calculated result as identification code according to pre-defined rule such as functional transformation rule.
In described decryption step S109, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, described identification code by described escape controller, described timestamp finds position and the described order or the sequential of each ciphertext content piece, utilize described initial solution decryption key that the described first ciphertext content piece is decrypted to obtain described first content piece subsequently, described identification code by the described second ciphertext content piece subsequently, described timestamp finds position and the described order or the sequential of the described second ciphertext content piece and utilizes described first content piece that the described second ciphertext content piece is decrypted to obtain described second content piece, then described first content piece and second content piece are made up by described order or sequential, utilize described second content piece that described the 3rd ciphertext content piece is decrypted to obtain described the 3rd content piece again, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, all decrypted and by the combination of described order or sequential up to all ciphertext contents, final described client obtains the plaintext of described digital content.Fig. 2 shows the flow chart of second preferred implementation of the inventive method.
As shown in Figure 2, the method according to this invention comprises successively: registration step S200, service request steps S201, hardware ID coupling step S202, initial encryption key generate step S203, digital content partiting step S104, initial encryption step S105, follow-up encrypting step S106, escape controller generation step S110, licence generation step S207, client hardware ID coupling step S208 and decryption step S109.
In described registration step S200, the user management module of user end to server end is applied for the registration of, client sends to described user management module with its hardware ID information, described hardware ID information can comprise as hardware sequence number, the ID of CPU, all have one or more combination in the hardware fingerprint information of uniqueness the addresses of MAC etc., described user management module record hardware ID information, after succeeding in registration, user management module generates private cipher key and the public keys as a pair of unsymmetrical key, and user management module sends to client with private cipher key, and private cipher key and public keys are stored in the user management module.
In service request steps S201, described client generates service request information, described service request information comprises that the hardware ID information of described client and described client are to digital requests for content message, and client utilizes private cipher key to come cryptographic service request message, and the service request information after will encrypting is sent to the authorization module of server end, subsequently, described user management module is provided described public keys to authorization module, described authorization module utilizes the service request information after public keys comes enabling decryption of encrypted, with the hardware ID information that obtains client and client to digital requests for content message.
Among the hardware ID coupling step S202, described authorization module sends to described user management module to hardware ID information, and described user management module compares the hardware ID information that receives and hardware ID information by its storage.
Generate among the step S203 at the initial encryption key, if the described hardware ID information that user management module is received and its hardware ID information of storing in advance match each other, then described authorization module generates authorization key, authorization key is sent to client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain described initial encryption key, and described authorization module is transmitted to the digital content of being asked the content module of described server end.
In digital content partiting step S104, described content module is divided into a plurality of content pieces according to a predefined procedure or a scheduled timing with described digital content.
In initial encryption step S105, described content module is utilized described initial encryption key, and the first content piece of encrypted digital content is to obtain the first ciphertext content piece.
In follow-up encrypting step among the S106, described content module is that second encryption key comes the second content piece of encrypted digital content to obtain the second ciphertext content piece with the first ciphertext content piece, be that the 3rd encryption key comes the 3rd content piece of encrypted digital content to obtain the 3rd ciphertext content piece, by that analogy till whole digital contents are all encrypted with the second ciphertext content piece subsequently.
Generate among the step S110 at described escape controller, read the value of passing through the described first ciphertext content piece assigned address of encrypting and generate identification code by described server end, and described server end record corresponding to the order of the described first ciphertext content piece or sequential as timestamp, and described server end with described identification code and described timestamp record in the escape controller; By that analogy, till described server end will all be recorded in the described escape controller at all described identification codes of each ciphertext content piece and described timestamp, described subsequently server end sent to described client with described escape controller.
Generate among the step S207 at described licence, generate licence thereby described authorization module utilizes described public keys to encrypt described initial encryption key, and described authorization module sends to described client with described licence; The described licence through encrypting that described client is utilized described private cipher key to decipher and received obtains described initial encryption key, as the initial solution decryption key of described client.
In client hardware ID coupling step S208, described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtain hardware ID information, the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually.
If the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out decryption step S109.
In decryption step S109, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, described identification code by described escape controller, described timestamp finds position and the described order or the sequential of each ciphertext content piece, utilize described initial solution decryption key that the described first ciphertext content piece is decrypted to obtain described first content piece subsequently, the described identification code of the described second ciphertext content piece that provides by described escape controller subsequently, described timestamp finds position and the described order or the sequential of the described second ciphertext content piece and utilizes described first content piece that the described second ciphertext content piece is decrypted to obtain described second content piece, then described first content piece and second content piece are made up by described order or sequential, utilize described second content piece that described the 3rd ciphertext content piece is decrypted to obtain described the 3rd content piece again, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, all decrypted and by the combination of described order or sequential up to all ciphertext contents, final described client obtains the plaintext of described digital content.
Though not shown, above-mentioned these steps are not must be according to according to flow performing shown in Figure 2.Wherein some step also can be omitted so that constitute other preferred implementations, and some step can make up mutually so that form other preferred implementation.
Fig. 3 shows a kind of server end that is used for providing with cipher mode digital content, it comprises: user management module, authorization module content module and escape controller, wherein, described user management module is responsible for the registered task of client at described server end, and be responsible for the hardware ID information of the described client of storage, after client succeeds in registration, described user management module generates private cipher key and public keys, and described user management module sends to described client with described private cipher key, and described private cipher key and described public keys are stored in the described user management module, described user management module also is responsible for utilizing hardware ID information to come Authentication Client simultaneously, only after authentication was passed through, described user management module was just provided described public keys to described authorization module; Described authorization module is responsible for the request in response to client, utilize described public keys to decipher received service request information, so that obtain described hardware ID information and the digital content request of described client institute, and described authorization module is submitted described hardware ID information to described user management module, only when consistent with the hardware ID information matches of described user management module storage, described authorization module just generates authorization key and described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain the initial encryption key; And thereby described authorization module can utilize described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client, and described authorization module also is transmitted to described content module with described client to digital requests for content; Described content module is responsible for carrying out piecemeal in response to the digital content that the described request of described client is asked the described client of being come by described authorization module forwarding, and utilize described initial encryption key that a plurality of content pieces are encrypted obtaining a plurality of ciphertext content pieces successively according to predefined procedure or sequential, and be responsible for these ciphertext content pieces are sent to described client; Described content module of while also reads through the value of the described first ciphertext content piece assigned address of encrypting and generates identification code, and record corresponding to the order of the described first ciphertext content piece or sequential as timestamp, and the like, up to described server end with all described identification code and described timestamp record in the escape controller till, described subsequently server end sends to described client with described escape controller.
Fig. 4 shows the decryption method of client.This decryption method comprises the following steps: that the described licence through encrypting that client is utilized described private cipher key to decipher to receive obtains described initial encryption key, as the initial solution decryption key of described client; Described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtains hardware ID information, and the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually; If the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out described decryption step S109, promptly, described escape controller provides the described identification code of the described first ciphertext content piece, thereby the described client that makes described timestamp finds position and the described order or the sequential of the described first ciphertext content piece, described subsequently client utilizes described initial solution decryption key that the described first ciphertext content piece is decrypted to obtain described first content piece, described then escape controller provides the described identification code of the described second ciphertext content piece, thereby the described client that makes described timestamp finds position and the described order or the sequential of the described second ciphertext content piece, utilize described first content piece that the described second ciphertext content piece is decrypted to obtain described second content piece again, described first content piece and second content piece are made up by described order or sequential, by that analogy, utilize described second content piece that described the 3rd ciphertext content piece is decrypted to obtain described the 3rd content piece again, and by described order or sequential and described first content piece and the combination of described second content piece, all decrypted and by the combination of described order or sequential up to all ciphertext contents, final described client obtains the plaintext of described digital content.
Fig. 5 is an escape controller model schematic diagram, it wherein is the last place value that reads described each ciphertext content piece with described escape controller, and the situation that directly generates identification code without computing is the example explanation, wherein A, B ..., described each ciphertext content piece of N representative last place value, with sequence number 1,2 ..., n directly constitutes the identification code of described each ciphertext content piece as position mark.Other execution modes be can expect herein, the first place value of each ciphertext content piece, value or a plurality of values of diverse location or the combination of these modes of ad-hoc location for example gathered.
Fig. 6 is the data packet format schematic diagram behind record identification code, timestamp, the ciphertext content piece in the escape controller.Wherein, timestamp is to be illustrating of prerequisite with described digital content by described sequential piecemeal, and Data Field represents to deposit the part of ciphertext content piece, and the storage order of identification code, timestamp and ciphertext content piece can be exchanged arbitrarily.The position mark of each encrypted content piece of record in the escape controller, make described client each the received ciphertext content piece of " amalgamation " that can conveniently find the sequential of each ciphertext blocks to be convenient to, simultaneously, the combination of " identification code+timestamp " has also ensured the uniqueness of each ciphertext content piece identification.
Server end according to the present invention is suitable for carrying out method of the present invention.
The method disclosed in the present and equipment utilization data cutting techniques are divided into a plurality of with digital content, utilize " information relevant with the hardware ID of client " to each content piece encryption and decryption successively.Finally encrypted digital content piecemeal transmission even if stolen also and must resequence to the digital content piece behind elder generation's analysis encryption principle again by the hacker, cracks one by one, breaks through difficulty and significantly improves with content piece number.This method has also been included the checking procedure of user's hardware ID in addition, has further prevented to illegally copy and illegal the propagation.This method utilize the hardware information binding technology solved conventional art only to the protection of copyright along with decruption key sends to the drawback that authorized user promptly stops safely; utilizing piecemeal escape multiplexing technique to solve conventional art is static, disposable to the encryption of digital content; through once cracking the drawback that digital content then exposes fully; realized the high security of digital content in propagating overall process, prevented to illegally copy and illegally propagate, distort.
Specific embodiment described herein only is to illustrating that the present invention's spirit is done.The technical staff of the technical field of the invention can make various modifications or replenishes or adopt similar mode to be substituted described specific embodiment, but can not depart from spirit of the present invention or surmount the defined scope of appended claims.