Digital content encryption transmission method and server end
Technical field
The present invention relates to a kind of digital content encryption transmission method and a kind of for the server end of digital content is provided with cipher mode.
Background technology
Along with the develop rapidly of the Internet and universal, users carry out the transmission of several a tree names, the issue of resource and the download of resource etc. by the Internet more and more.Download the various digital resources such as music, download movie and television play or download computer software from the Internet of common occurrence already.The high speed development of the Internet has no doubt facilitated the demand of user to the information quick obtaining, also the copyright protection of various digital resources has been brought challenge but then.In daily life, provide the website of unwarranted music sources, movie and television play resource, software resource varied, the user can obtain free pirate resource easily from these websites.And the extensively universal and application of the P2P softwares such as electric donkey (eMule) software has further facilitated the diffusion of pirate resource, for copyright protection has been brought larger difficulty.Wantonly propagating of interconnected Internet piracy resource is no doubt not high relevant with users' legal consciousness, has some relations but lack corresponding copyright management system with legal digital resource.Although also there is the copy-right protection method to digital resource in prior art; as digital resource being done encryption, being done authentication etc. for the taker that obtains of digital content; but these methods do not realize in a complete copyright management system; although make existing method realize digital protection of resources, also be not easy to validated user obtaining digital resource through a legal device simultaneously.In addition, if the owner of digital resource will issue digital resource on the net safely, to enlarge its business impact, equally also need to have a safe and reliable copyright management system.Digital copyright management (Digital Right Management, be called for short DRM) is the wide-scale distribution in the environment such as the Internet and the relevant new technology of a kind of and application demand that grows up along with digital media programs such as digital audio/video programs.DRM can adopt encryption technology usually: for the digitized program through encoding compression processing, set up digital program authorization center (License Issuer), utilize key that the content that needs protection in program is encrypted.During the above-mentioned program of user's playback, the association key that provides that need to obtain the digital program authorization center is decrypted program, can play.Because program is encrypted, preserve and disseminate to other people even downloaded by the user, if the checking mandate that does not obtain the digital program authorization center also can't playback, thereby protected the copyright of program.Under the DRM condition, the media processor that only has decoding function is no longer applicable, and need to add decipher function on the basis of decoding.In prior art, a kind of Media Processor with decipher function is arranged, the deciphering module of this processor and decoder module are on two devices independently, for example, deciphering module and decoder module adhere to independently two chip blocks or software separately, and the media data flow after deciphering still may illegally be intercepted before decoding.In prior art; also has a kind of Media Processor; the deciphering of this processor and decoding function module concentrate in a device; like this; media data flow after deciphering can be protected effectively; but the key of in this kind device, come from the outside (normally digital program authorization center) still might be stolen, and needs special solution.
On the other hand, in the carrying out of the various related services of Streaming Media, streaming medium content is easy to copy and distribute, and when lacking safety measure and protect streaming medium content, problem of piracy just inevitably occurs.Introduced thus the media stream encryption resist technology, by the encipherment protection to streaming medium content, content supplier can protect the content of oneself and the distribution of Control the content.CA system (Conditional Access System, condition receiving system) is one of existing media stream encryption protection system, and it is by realizing the protection to streaming medium content to the encryption of streaming medium content and access control.The CA system mainly produces two class messages, first ECM (Entitlement Control Message, Entitlement Control Message) message, claim again Entitlement Control Message, it is a kind of electronic key signal of special shape, it is sent to receiving terminal together with streaming medium content after transmitting terminal is encrypted, at receiving terminal, ECM is used to control descrambler.Another kind is EMM (Entitlement Management Message, Entitlement Management Message) message, claims again Entitlement Management Message, and it is a kind ofly to authorize certain or certain user certain or some business to be carried out the information of descrambling.It is the same with Entitlement Control Message, is sent to receiving terminal after transmitting terminal is encrypted together with streaming medium content.
Owing to the encipherment protection of streaming medium content having been improved greatly the fail safe of streaming medium content, contained to a certain extent piracy, protected the interests of content supplier and operator, so this technology is used widely.The encipherment protection scheme of the streaming medium content that provides in prior art is provided.Disclose in the prior art a kind of like this technical scheme, wherein, the real time flow medium business arrives subscriber terminal equipment by transmission network immediately after encrypting through encryption device.The media content that sends from the streaming medium content source generates the streaming medium content ciphertext through the processing of CA system, encryption device and other relevant device, and the streaming medium content ciphertext is through transmission network incoming terminal equipment.Wherein media stream encryption equipment can be the part of CA system, specifically depending on the realization of each business men.
According to prior art known such a solution also; wherein; in non real-time streaming media service, media content can be stored on the network storage equipment through after encipherment protection; when the user need to watch this media content; terminal equipment applies for and obtains related media content ciphertext from the network storage equipment, and this network storage equipment is commonly referred to as the streaming server end.Non real-time streaming medium content encryption afterwards not directly by Internet Transmission to terminal equipment, but store on the streaming server end with the form of file, ECM and media content store on the streaming server end simultaneously, and are stored in same file by certain sequential and media content.
Due to existing digital copyright protection technology usually only considered digital content on server safe storage and key in the fail safe of transmitting procedure; protection to copyright has just stopped along with decruption key sends to authorized user safely, the fail safe after not guaranteeing media data in reading process and reading end.This general framework is static, disposable to the encryption of digital content, and digital content exposes fully through once cracking, and coefficient of safety is lower.
Summary of the invention
For above-mentioned problems of the prior art, the present invention proposes a kind of digital content encryption transmission method and a kind of for the server end of digital content is provided with cipher mode, can send digital content by utilizing the method and this server end saferly.
In order to reach this purpose of the present invention, a kind of digital content encryption transmission method is disclosed according to a preferred embodiment of the present invention, wherein, provide digital content by server end to client, described server end comes encrypted digital content in the mode relevant with the hardware ID of described client.In this preferred implementation, digital content can be called and be processed from other servers by server end pre-save or this server end." mode relevant with the hardware ID of client " means in this article: the hardware ID information of client directly or indirectly is used for encrypting, wherein, can be with hardware ID information all directly as encryption key, also can with wherein part as encryption key, perhaps also hardware ID information can be processed (logical operation or arithmetical operation).Client's hardware ID information includes but not limited to: the combination of CPU id information, hard disk reel number information, BIOS information, MAC Address of Network Card, IP address, other collectable hardware encodings or above information.
according to a preferred embodiment of the present invention, described digital content encryption transmission method comprises successively: digital content partiting step, initial encryption step, follow-up encrypting step, escape controller generate step and decryption step, in described digital content partiting step, according to a predefined procedure or a scheduled timing, digital content is divided into a plurality of content blocks, in described initial encryption step, utilize the information relevant with the hardware ID of client as the initial encryption key, the first content piece of encrypted digital content is to obtain the first ciphertext content blocks, in described follow-up encrypting step, come the second content piece of encrypted digital content to obtain the second ciphertext content blocks take the first ciphertext content blocks as the second encryption key, come subsequently the 3rd content blocks of encrypted digital content to obtain the 3rd ciphertext content blocks take the second ciphertext content blocks as the 3rd encryption key, by that analogy until all digital content all encrypted till, generate in step at described escape controller, read through the value of described the first ciphertext content blocks assigned address of encrypting and generate identification code by described server end, and described server end record corresponding to the order of described the first ciphertext content blocks or sequential as timestamp, and described server end is recorded in described identification code and described timestamp in the escape controller, by that analogy, until described server end will all be recorded in described escape controller for all described identification codes and the described timestamp of each ciphertext content blocks, described server end sends to described client with described escape controller subsequently, in described decryption step, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, position and described order or sequential that described identification code and described timestamp by described escape controller finds each ciphertext content blocks, utilize subsequently described initial solution decryption key to be decrypted to obtain described first content piece to described the first ciphertext content blocks, described identification code and described timestamp by described the second ciphertext content blocks position and described order or the sequential that find described the second ciphertext content blocks and utilize described first content piece to be decrypted to obtain described second content piece to described the second ciphertext content blocks subsequently, then described first content piece and second content piece are made up by described order or sequential, recycle described second content piece described the 3rd ciphertext content blocks is decrypted to obtain described the 3rd content blocks, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, until all ciphertext contents are all decrypted and by the combination of described order or sequential, final described client obtains the plaintext of described digital content.
In this preferred implementation, digital content partiting step, initial encryption step, follow-up encrypting step, escape controller generate step and decryption step is carried out successively, but can also increase extra method step between each step He before first step.In the digital content partiting step, if the digital content of asking is the static digital content as text message, PDF file, JPG picture, can divide this digital content according to predefined procedure so; If the digital content of asking is the streaming digital content as online Streaming Media, can divide this digital content according to scheduled timing so.Certainly the invention is not restricted to this dual mode, but can adopt various modes common to those skilled in the art to divide these digital contents.For example can adopt the deblocking method of mentioning in Chinese patent application 200510021479, and at the quick original place conflation algorithm of " computer science " 08 interim disclosed a kind of based on data piecemeal in 2004.Ciphertext content blocks after the client block encryption is also arranged it, belongs to technology well known by persons skilled in the art.For example can adopt the mode that increases index to realize herein; Also can pass through treaty rule, the feature of each ciphertext content blocks is provided to client by server end; Accordingly, client can after receiving corresponding each ciphertext content blocks, be arranged each ciphertext content blocks according to described treaty rule.And according to " opposite sequence " of encrypting, each ciphertext content blocks is decrypted.
According to a preferred embodiment of the present invention, also comprised registration step before described digital content partiting step, wherein, described client sends to described service end with its hardware ID information, described service end records described hardware ID information, and described server end generates private cipher key and public keys, and described server end sends to described client with described private cipher key, and described private cipher key and described public keys are stored in described server end.In this preferred implementation, adopted extra registration step, registered in advance is conducive to the authentication in later stage, has guaranteed specific aim and the validity of request.Adopt private cipher key and this asymmetric encryption mode of public keys, further promoted fail safe.Certainly herein, the present invention also can adopt symmetric key.
According to a preferred embodiment of the present invention, after described registration step, before described digital content partiting step, described digital content encryption transmission method also comprises service request steps, wherein, described client utilizes described private cipher key to come cryptographic service request message, described service request information comprises the hardware ID information of described client and described client to the request message of digital content, and the described service request information after described client will be encrypted subsequently is sent to described server end; Described server end utilizes the described service request information after described public keys comes enabling decryption of encrypted, with the hardware ID information that obtains described client and the described client request message to digital content.In this preferred implementation, utilized hardware ID information in service request steps, this mode is reliable and quick in authentication process.
According to a preferred embodiment of the present invention, after described service request steps, described digital content encryption transmission method also comprises hardware ID coupling step, wherein, after described server end obtains the hardware ID information and the request message of described client to digital content of described client by deciphering described service request information, described server end to hardware ID information with compared by the described hardware ID information of its storage.In this preferred implementation, utilize hardware ID information to carry out authentication, and hardware ID information send to server end through encryption.How server end judges this service request information belongs to prior art from which client when receiving service request information, no longer repeat for simplicity.Server end can obtain hardware ID information after utilizing the Public Key deciphering, whether can clearly judge in this course this client is " personation " client.
According to a preferred embodiment of the present invention, after described hardware ID coupling step, described digital content encryption transmission method comprises that also the initial encryption key generates step, wherein, if the pre-stored hardware ID information of the hardware ID information that is received by described server end and described server end matches each other, described server end generates authorization key, described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain described initial encryption key.Herein concrete regulation a kind of preferred initial encryption key generating mode, but the invention is not restricted to this mode, as long as but hardware ID information indirect ground can be used for generating the initial encryption key, just fall into protection scope of the present invention.
Providing the digital content encryption transmission method of digital content by server end to client according to of the present invention, wherein, described client is deciphered the digital content that is sent by described server end in the mode relevant with its hardware ID.This manner of decryption is cipher mode " inverse operation " according to the present invention.Here, client is also carried out decryption oprerations according to " mode relevant with its hardware ID ".Herein, how server end processes the hardware ID information of client to be used for encryption, and client is also correspondingly processed the hardware ID information of client to be used for deciphering.
According to a preferred embodiment of the present invention, described method comprises that also licence generates step, and wherein, thereby described service end utilizes described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client; The described licence through encrypting that described client is utilized described private cipher key to decipher and received obtains described initial encryption key, as the initial solution decryption key of described client.Adopt licence can further strengthen fail safe.Also can not adopt licence, but directly send the initial encryption key to client by server end.
According to a preferred embodiment of the present invention, after described licence generates step, described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtain hardware ID information, the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually; If the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out described decryption step.According to this preferred implementation, client can before carrying out deciphering, judge in advance whether the digital content that receives is the wrong content that sends to mistakenly it.Thereby avoided deciphering with taking time and effort, and the situation of the digital content that can't use of getting back.
according to another aspect of the present invention, the invention also discloses a kind of for the server end of digital content is provided with cipher mode, it comprises: user management module, authorization module content module and escape controller, wherein, described user management module is responsible for client at the registered task of described server end, and be responsible for the hardware ID information of the described client of storage, after client succeeds in registration, described user management module generates private cipher key and public keys, and described user management module sends to described client with described private cipher key, and described private cipher key and described public keys are stored in described user management module, described user management module also is responsible for utilizing hardware ID information to come Authentication Client simultaneously, only after authentication is passed through, described user management module is just provided described public keys to described authorization module, described authorization module is responsible for the request in response to client, utilize described public keys to decipher received service request information, in order to obtain described hardware ID information and the digital content request of described client institute, and described authorization module is submitted described hardware ID information to described user management module, only when consistent with the hardware ID information matches of described user management module storage, described authorization module just generates authorization key and described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain the initial encryption key, and thereby described authorization module can utilize described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client, and described authorization module also is transmitted to described content module with described client to the request of digital content, described content module is responsible for carrying out piecemeal in response to the digital content that the described request of described client is asked the described client of being come by described authorization module forwarding, and utilize described initial encryption key to encrypt successively to obtain a plurality of ciphertext content blocks to a plurality of content blocks according to predefined procedure or sequential, and be responsible for these ciphertext content blocks are sent to described client, described content module of while also reads through the value of described the first ciphertext content blocks assigned address of encrypting and generates identification code, and record corresponding to the order of described the first ciphertext content blocks or sequential as timestamp, the like, until described server end is recorded in all described identification codes and described timestamp in the escape controller, described server end sends to described client with described escape controller subsequently.
The method disclosed in the present and equipment utilization Data Segmentation technology are divided into a plurality of with digital content, utilize " information relevant with the hardware ID of client " to each content blocks encryption and decryption successively.Final encrypted digital content piecemeal transmission also must first be analyzed after encryption principle again to digital content blocks rearrangement even if stolen by the hacker, cracks one by one, breaks through difficulty and significantly improves with the content blocks number.This method has also been included the checking procedure of user's hardware ID in addition, has further prevented from illegally copying and illegal the propagation.This method utilize the hardware information binding technology solved conventional art only to the protection of copyright along with decruption key sends to the drawback that authorized user namely stops safely; utilizing piecemeal escape multiplexing technique to solve conventional art is static, disposable to the encryption of digital content; the drawback that exposes fully through once cracking digital content; realized the high security of digital content in propagating overall process, prevented from illegally copying and illegally propagating, distort.
Although this paper has only described the one or more combination mode in the above-mentioned execution mode of the present invention, and do not mean that the present invention only limits to these compound modes, but can be made up these preferred implementations in any significant mode.
Description of drawings
Fig. 1 illustrates the inventive method according to the first preferred implementation;
Fig. 2 illustrates the inventive method according to the second preferred implementation;
Fig. 3 illustrates the encryption method according to the inventive method;
Fig. 4 illustrates the decryption method according to the inventive method;
Fig. 5 illustrates the schematic diagram of escape controller model;
Fig. 6 illustrates the data packet format schematic diagram of record in the escape controller.
Embodiment
Below in conjunction with accompanying drawing, describe in detail according to the embodiment of the present invention.It is pointed out that these accompanying drawings are only schematically, do not consist of the restriction to protection scope of the present invention.
Fig. 1 illustrates the flow chart of first preferred implementation of the inventive method.As shown in Figure 1, carrying out digital content by server end to client and transmit, is wherein to utilize the mode relevant with the hardware ID of described client to be encrypted and to decipher.The method comprises successively: digital content partiting step S104, initial encryption step S105, follow-up encrypting step S106, escape controller generate step S110 and decryption step S109.Described digital content transmits can utilize wireless transmission method such as bluetooth, GPRS, GSM, WCDMA, WiFi, ZigBee, microwave communication and/or TD-SCDMA to realize, also can realize according to wire transmission mode, such as by modes such as packet switching and optical fiber communications.Utilize the mode relevant with the hardware ID of described client to be encrypted and deciphering means: " directly described code being encrypted and deciphering as key after hardware ID information is converted to binary code; perhaps its part is used as key, can be also that this code is carried out after the computing of certain rule, operation result being encrypted and deciphering as key ".
In digital content partiting step S104, according to a predefined procedure or a scheduled timing, digital content is divided into a plurality of content blocks, the division of digital content can utilize the Data Segmentation technology, for example according to one section of every 128bit, initial data is divided into multistage.because the division methods of digital content is known technology, therefore omitted the specific implementation of the method, see the patent No. for details and be the introduction in 200380106529.1 " data dividing method and use the device of XOR ", described predefined procedure or scheduled timing refer to due to sound, the media datas such as video or stream medium data and text data are to carry out with the form of divided data bag in transmitting procedure, the route that each packet is selected in transmitting procedure may be not quite similar, arrive the required time of client also just different, the situation that the packet that might occur first sending out but arrives afterwards, cause obtaining incorrect result after transmission, therefore can be first before data packet transmission with the order of fixing or gomma in corresponding packet, client is when receiving packet, according to order or the sequential of institute's mark, thereby the packet arranged in sequence is obtained correct result.
In described initial encryption step S105, utilize the information relevant with the hardware ID of client as the initial encryption key, the first content piece of encrypted digital content to be obtaining the first ciphertext content blocks, and described the first ciphertext content blocks is sent to described client.Client's hardware ID information includes but not limited to: the combination of CPU id information, hard disk reel number information, BIOS information, MAC Address of Network Card, IP address, other collectable hardware encodings or above information.
In described follow-up encrypting step S106, come subsequently the second content piece of encrypted digital content to obtain the second ciphertext content blocks take the first ciphertext content blocks as the second encryption key, and described the second ciphertext content blocks is sent to described client, come subsequently the 3rd content blocks of encrypted digital content to obtain the 3rd ciphertext content blocks take the second ciphertext content blocks as the 3rd encryption key, and described the 3rd ciphertext content blocks is sent to described client, by that analogy until all digital content all encrypted and be sent to described client till.
Generate in step S110 at described escape controller, read through the value of described the first ciphertext content blocks assigned address of encrypting and generate identification code by described server end, and as timestamp, and described server end is recorded in described identification code and described timestamp in the escape controller described server end record corresponding to the order of described the first ciphertext content blocks or sequential; By that analogy, until described server end will all be recorded in described escape controller for all described identification codes and the described timestamp of each ciphertext content blocks, described server end sends to described client with described escape controller subsequently.Wherein, described server end can read the combination of the first place value of described each ciphertext blocks, last place value or any one or more value or these modes as identification code, also the value that reads can be carried out result after computing as identification code according to pre-defined rule such as functional transformation rule.
in described decryption step S109, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, described identification code by described escape controller, described timestamp finds position and described order or the sequential of each ciphertext content blocks, utilize subsequently described initial solution decryption key to be decrypted to obtain described first content piece to described the first ciphertext content blocks, described identification code by described the second ciphertext content blocks subsequently, described timestamp finds position and described order or the sequential of described the second ciphertext content blocks and utilizes described first content piece to be decrypted to obtain described second content piece to described the second ciphertext content blocks, then described first content piece and second content piece are made up by described order or sequential, recycle described second content piece described the 3rd ciphertext content blocks is decrypted to obtain described the 3rd content blocks, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, until all ciphertext contents are all decrypted and by the combination of described order or sequential, final described client obtains the plaintext of described digital content.Fig. 2 shows the flow chart of second preferred implementation of the inventive method.
As shown in Figure 2, the method according to this invention comprises successively: registration step S200, service request steps S201, hardware ID coupling step S202, initial encryption key generate step S203, digital content partiting step S104, initial encryption step S105, follow-up encrypting step S106, escape controller generation step S110, licence generation step S207, client hardware ID coupling step S208 and decryption step S109.
in described registration step S200, the user management module of user end to server end is applied for the registration of, client sends to described user management module with its hardware ID information, described hardware ID information can comprise as hardware sequence number, the ID of CPU, all have one or more combination in the hardware fingerprint information of uniqueness the addresses of MAC etc., described user management module records hardware ID information, after succeeding in registration, user management module generates private cipher key and the public keys as a pair of unsymmetrical key, and user management module sends to client with private cipher key, and private cipher key and public keys are stored in user management module.
in service request steps S201, described client generates service request information, described service request information comprises that the hardware ID information of described client and described client are to the request message of digital content, and client utilizes private cipher key to come cryptographic service request message, and the service request information after encrypting is sent to the authorization module of server end, subsequently, described user management module is provided described public keys to authorization module, described authorization module utilizes the service request information after public keys comes enabling decryption of encrypted, with the hardware ID information that obtains client and the client request message to digital content.
In hardware ID coupling step S202, described authorization module sends to described user management module to hardware ID information, and described user management module compares the hardware ID information that receives and hardware ID information by its storage.
Generate in step S203 at the initial encryption key, if the received described hardware ID information hardware ID information pre-stored with it of user management module matches each other, described authorization module generates authorization key, authorization key is sent to client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain described initial encryption key, and described authorization module is transmitted to the digital content of asking the content module of described server end.
In digital content partiting step S104, described content module is divided into a plurality of content blocks according to a predefined procedure or a scheduled timing with described digital content.
In initial encryption step S105, described content module is utilized described initial encryption key, and the first content piece of encrypted digital content is to obtain the first ciphertext content blocks.
In follow-up encrypting step in S106, described content module comes the second content piece of encrypted digital content to obtain the second ciphertext content blocks take the first ciphertext content blocks as the second encryption key, come subsequently the 3rd content blocks of encrypted digital content to obtain the 3rd ciphertext content blocks take the second ciphertext content blocks as the 3rd encryption key, by that analogy until all digital content all encrypted till.
Generate in step S110 at described escape controller, read through the value of described the first ciphertext content blocks assigned address of encrypting and generate identification code by described server end, and as timestamp, and described server end is recorded in described identification code and described timestamp in the escape controller described server end record corresponding to the order of described the first ciphertext content blocks or sequential; By that analogy, until described server end will all be recorded in described escape controller for all described identification codes and the described timestamp of each ciphertext content blocks, described server end sends to described client with described escape controller subsequently.
Generate in step S207 at described licence, generate licence thereby described authorization module utilizes described public keys to encrypt described initial encryption key, and described authorization module sends to described client with described licence; The described licence through encrypting that described client is utilized described private cipher key to decipher and received obtains described initial encryption key, as the initial solution decryption key of described client.
In client hardware ID coupling step S208, described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtain hardware ID information, the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually.
If the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out decryption step S109.
in decryption step S109, described client utilizes the described information relevant with the hardware ID of client as the initial solution decryption key, described identification code by described escape controller, described timestamp finds position and described order or the sequential of each ciphertext content blocks, utilize subsequently described initial solution decryption key to be decrypted to obtain described first content piece to described the first ciphertext content blocks, the described identification code of described the second ciphertext content blocks that provides by described escape controller subsequently, described timestamp finds position and described order or the sequential of described the second ciphertext content blocks and utilizes described first content piece to be decrypted to obtain described second content piece to described the second ciphertext content blocks, then described first content piece and second content piece are made up by described order or sequential, recycle described second content piece described the 3rd ciphertext content blocks is decrypted to obtain described the 3rd content blocks, and by described order or sequential and described first content piece and the combination of described second content piece, by that analogy, until all ciphertext contents are all decrypted and by the combination of described order or sequential, final described client obtains the plaintext of described digital content.
Although not shown, above-mentioned these steps are not must be according to according to flow performing shown in Figure 2.Wherein some step also can be omitted in order to consist of other preferred implementations, and some step can make up mutually in order to form other preferred implementation.
Fig. 3 shows a kind of for the server end of digital content is provided with cipher mode, it comprises: user management module, authorization module content module and escape controller, wherein, described user management module is responsible for client at the registered task of described server end, and be responsible for the hardware ID information of the described client of storage, after client succeeds in registration, described user management module generates private cipher key and public keys, and described user management module sends to described client with described private cipher key, and described private cipher key and described public keys are stored in described user management module, described user management module also is responsible for utilizing hardware ID information to come Authentication Client simultaneously, only after authentication is passed through, described user management module is just provided described public keys to described authorization module, described authorization module is responsible for the request in response to client, utilize described public keys to decipher received service request information, in order to obtain described hardware ID information and the digital content request of described client institute, and described authorization module is submitted described hardware ID information to described user management module, only when consistent with the hardware ID information matches of described user management module storage, described authorization module just generates authorization key and described authorization key is sent to described client, and described authorization module utilizes described authorization key to encrypt described hardware ID information to obtain the initial encryption key, and thereby described authorization module can utilize described public keys to encrypt described initial encryption key generation licence, and described licence is sent to described client, and described authorization module also is transmitted to described content module with described client to the request of digital content, described content module is responsible for carrying out piecemeal in response to the digital content that the described request of described client is asked the described client of being come by described authorization module forwarding, and utilize described initial encryption key to encrypt successively to obtain a plurality of ciphertext content blocks to a plurality of content blocks according to predefined procedure or sequential, and be responsible for these ciphertext content blocks are sent to described client, described content module of while also reads through the value of described the first ciphertext content blocks assigned address of encrypting and generates identification code, and record corresponding to the order of described the first ciphertext content blocks or sequential as timestamp, the like, until described server end is recorded in all described identification codes and described timestamp in the escape controller, described server end sends to described client with described escape controller subsequently.
Fig. 4 shows the decryption method of client.this decryption method comprises the following steps: that the described licence through encrypting that client is utilized described private cipher key to decipher to receive obtains described initial encryption key, as the initial solution decryption key of described client, described client utilizes received authorization key that described initial solution decryption key is decrypted, thereby obtains hardware ID information, and the hardware ID information of the hardware ID information that described client will obtain by deciphering and its oneself compares mutually, if the hardware ID information of described client with match each other by deciphering the hardware ID information that described initial solution decryption key obtains, so described client utilizes described initial solution decryption key to carry out described decryption step S109, namely, described escape controller provides the described identification code of described the first ciphertext content blocks, thereby the described client that makes described timestamp finds position and described order or the sequential of described the first ciphertext content blocks, described client utilizes described initial solution decryption key to be decrypted to obtain described first content piece to described the first ciphertext content blocks subsequently, then described escape controller provides the described identification code of described the second ciphertext content blocks, thereby the described client that makes described timestamp finds position and described order or the sequential of described the second ciphertext content blocks, recycle described first content piece described the second ciphertext content blocks is decrypted to obtain described second content piece, described first content piece and second content piece are made up by described order or sequential, by that analogy, recycle described second content piece described the 3rd ciphertext content blocks is decrypted to obtain described the 3rd content blocks, and by described order or sequential and described first content piece and the combination of described second content piece, until all ciphertext contents are all decrypted and by the combination of described order or sequential, final described client obtains the plaintext of described digital content.
Fig. 5 is escape controller model schematic diagram, wherein to read the last place value of described each ciphertext content blocks with described escape controller, and the situation that directly generates identification code without computing is the example explanation, wherein A, B ..., N represents the last place value of described each ciphertext content blocks, with sequence number 1,2 ..., n directly constitutes the identification code of described each ciphertext content blocks as position mark.Other execution modes be can expect herein, the first place value of each ciphertext content blocks, value or a plurality of values of diverse location or the combination of these modes of ad-hoc location for example gathered.
Fig. 6 is the data packet format schematic diagram after record identification code in the escape controller, timestamp, ciphertext content blocks.Wherein, timestamp be take described digital content by described sequential piecemeal as the illustrating of prerequisite, Data Field represents to deposit the part of ciphertext content blocks, and the storage order of identification code, timestamp and ciphertext content blocks can be exchanged arbitrarily.Record the position mark of each encrypted content piece in the escape controller, make described client each the received ciphertext content blocks of " amalgamation " that can conveniently find the sequential of each ciphertext blocks to be convenient to, simultaneously, the combination of " identification code+timestamp " has also ensured the uniqueness of each ciphertext content blocks identification.
Server end according to the present invention is suitable for carrying out method of the present invention.
The method disclosed in the present and equipment utilization Data Segmentation technology are divided into a plurality of with digital content, utilize " information relevant with the hardware ID of client " to each content blocks encryption and decryption successively.Final encrypted digital content piecemeal transmission also must first be analyzed after encryption principle again to digital content blocks rearrangement even if stolen by the hacker, cracks one by one, breaks through difficulty and significantly improves with the content blocks number.This method has also been included the checking procedure of user's hardware ID in addition, has further prevented from illegally copying and illegal the propagation.This method utilize the hardware information binding technology solved conventional art only to the protection of copyright along with decruption key sends to the drawback that authorized user namely stops safely; utilizing piecemeal escape multiplexing technique to solve conventional art is static, disposable to the encryption of digital content; the drawback that exposes fully through once cracking digital content; realized the high security of digital content in propagating overall process, prevented from illegally copying and illegally propagating, distort.
Specific embodiment described herein is only to illustrating that the present invention's spirit is done.Those skilled in the art can make various modifications or replenish or adopt similar mode to be substituted described specific embodiment, but can not depart from spirit of the present invention or surmount the defined scope of appended claims.