CN100401285C - Method of managing metadata - Google Patents

Publication number: CN100401285C
Authority: CN (China)
Prior art keywords: metadata, information, authentication, fragment, container
Legal status: Expired - Fee Related
Application number: CNB038243091A
Other languages: Chinese (zh)
Other versions: CN1688992A (en)
Inventor: 崔良林
Current Assignee: Samsung Electronics Co Ltd
Original Assignee: Samsung Electronics Co Ltd
Abstract

A method for managing metadata in a metadata transmission server is provided. The method involves generating a plurality of fragment data by partitioning metadata to be transmitted on the basis of a predetermined segment unit, selecting predetermined fragment data among the plurality of fragment data, generating metadata-related information using the selected fragment data, and transmitting the selected fragment data and the metadata-related information with data format information indicating the type of the selected fragment data.

Description

Method for managing metadata
Technical field
The present invention relates to a method of managing metadata in a transmission server and in a client that receives the metadata, and more particularly to a method of managing metadata that includes authentication of message source, message integrity and confidentiality, up to the point at which the client receives the metadata.
Background technology
In a multimedia system, such as a broadcast system in which data is sent from a server to a client, or a video-on-demand service system in which data is exchanged interactively between a server and a client, a service provider provides multimedia content and its associated metadata to the client.
The metadata sent to the client can be used for various purposes. For example, the client can use metadata to select multimedia content to be reproduced, recorded or transmitted.
In recent years, the amount and complexity of the data that can be included in the metadata used by the clients of a broadcast system have increased. Accordingly, there is a growing demand for the security of this metadata. In particular, when metadata is generated and sent from a transmission server to a client, it is very important to authenticate the source of the metadata and to verify whether its integrity and confidentiality have been affected during transmission. However, a metadata management method that achieves effective metadata authentication has not yet been proposed.
Summary of the invention
The present invention provides a method of managing, in a metadata transmission server, the metadata to be transmitted, so that authentication of the transmitted metadata can be performed effectively.
The present invention also provides a method of managing, in a client, the metadata received from a transmission server, so that authentication of the received metadata can be performed effectively.
According to one aspect of the present invention, a method of managing metadata in a metadata transmission server is provided. The method comprises: (a) generating a plurality of fragment data by partitioning the metadata to be transmitted on the basis of a predetermined segment unit; (b) selecting predetermined fragment data from among the plurality of fragment data; (c) generating metadata-related information using the selected fragment data; and (d) transmitting the selected fragment data and the metadata-related information together with data format information indicating the type of the selected fragment data.
According to another aspect of the present invention, a method of managing metadata in a client that receives metadata is provided. The method comprises: (a) reading, from the received metadata, predetermined fragment data, its corresponding metadata-related information, and data format information indicating the type of the predetermined fragment data; (b) generating metadata-related information using the predetermined fragment data and its corresponding data format information; and (c) determining whether the received metadata is authenticated by comparing the metadata-related information generated in step (b) with the metadata-related information read in step (a).
According to another aspect of the present invention, a method of managing metadata in a client that receives metadata is provided. The method comprises: (a) receiving fragment data of the metadata, metadata-related information, data format information indicating the type of the fragment data, metadata authentication information, and an encrypted first encryption key; (b) generating metadata-related information using the received fragment data and its corresponding data format information; (c) decrypting the encrypted first encryption key using a second encryption key stored in the client; (d) generating metadata authentication signature information using the generated metadata-related information and the decrypted first encryption key; and (e) determining whether the received metadata is authenticated by comparing the generated metadata authentication signature information with the received metadata authentication signature information.
The present invention relates to a method of managing metadata in a transmission server and a client device that can identify whether metadata was damaged during transmission from the transmission server to the client device, and can effectively verify which service provider or metadata content provider sent the metadata to the client device.
Description of drawings
Fig. 1 is a block diagram showing metadata authentication levels;
Fig. 2 is a diagram showing methods of transmitting data in different transmission units;
Fig. 3 is a diagram showing the format of a metadata container used for metadata container-level authentication in a one-way channel;
Fig. 4 is a diagram showing a SOAP message used for metadata container-level authentication in a two-way channel;
Fig. 5 is a block diagram showing a metadata classification method that uses index information of the metadata;
Fig. 6 is a block diagram of a method of managing metadata in a metadata transmission server according to a preferred embodiment of the present invention;
Fig. 7 is a flowchart of a method of managing metadata in a metadata client according to a preferred embodiment of the present invention;
Fig. 8 is a flowchart of a method of managing metadata in a metadata transmission server according to another preferred embodiment of the present invention;
Fig. 9 is a flowchart of a method of managing metadata in a metadata client according to another preferred embodiment of the present invention;
Fig. 10 is a diagram showing the format of a data container in a one-way channel; and
Fig. 11 is a diagram showing a SOAP message in a two-way channel.
Embodiment
When metadata is received, the received metadata needs to be authenticated. Metadata authentication can be performed at the transmission level or at the source level.
Specifically, transmission-level metadata authentication includes authentication of message source, message integrity and message confidentiality. Here, the message source is not the source that generated the message, i.e. the source of the metadata content, but the source from which the message was sent.
For example, as shown in Fig. 1, where a metadata content provider 120 and a service provider 140 such as SK Telecom are provided separately, transmission-level authentication of the message source can verify whether metadata A received by the client was sent from the service provider 140.
In addition, transmission-level authentication of message integrity verifies whether metadata A was changed while being transmitted from the service provider 140 to the client 160.
Transmission-level authentication of message confidentiality verifies whether metadata A was disclosed to a third party during transmission. These three transmission-level authentication processes are carried out using the SSL/TLS algorithm in the TCP/IP protocol, the DTCP algorithm in the IEEE 1394 protocol and the HDCP algorithm in the DVI protocol.
Like transmission-level authentication, source-level metadata authentication also includes authentication of message source, message integrity and message confidentiality.
Specifically, source-level authentication of the message source verifies the source that generated the message, i.e. the source of the metadata content. For example, as shown in Fig. 1, source-level authentication of the message source of metadata A shows that metadata A received by the client 160 was sent from the metadata content provider 120.
Source-level authentication of message integrity verifies whether metadata A was changed while being transmitted from the metadata content provider 120 to the client 160.
Source-level authentication of message confidentiality verifies whether metadata A was disclosed to a third party during transmission between the metadata content provider 120 and the client 160.
When this source-level metadata authentication is performed, transmission-level metadata authentication need not be performed.
(a) to (c) in Fig. 2 show methods of transmitting data in different transmission units at the physical layer.
More specifically, (a) in Fig. 2 shows transport packets that are subject to transmission-level metadata authentication. Transmission-level metadata authentication is performed on each transport packet shown in (a) in Fig. 2. Each transport packet is in binary XML format.
(c) in Fig. 2 shows metadata that is subject to source-level metadata authentication. The metadata shown in (c) in Fig. 2 is in text XML format.
(b) in Fig. 2 shows metadata containers that are subject to metadata container-level authentication. Each predetermined semantic unit of the metadata is held in a metadata container. Examples of such a metadata container are shown in Fig. 3 and Fig. 4.
Fig. 3 is a diagram showing the format of a metadata container that is subject to metadata container-level authentication in a one-way channel. As shown in Fig. 3, the metadata container includes a header, fragment data and metadata authentication information, and the header includes control information used for metadata container-level authentication.
This control information comprises first control information F_1, second control information F_2, third control information F_3, fourth control information F_4 and fifth control information F_5. Each item of control information from F_1 to F_5 consists of a signal or a flag.
The first control information F_1 is an authentication flag indicating whether metadata container-level authentication has been performed on the fragment data. Here, metadata container-level authentication can be performed using a medium authentication code (MAC) or a digital signature algorithm (DSA).
The second control information F_2 is information about the specific algorithm used to generate the metadata container-level authentication information. F_2 can be represented by a set of binary codes. The relation between specific algorithms and binary codes is defined in advance and made known to the server that provides the service and to the client that receives the metadata container.
The third control information F_3 is data format information that specifies how the specific algorithm is applied to the fragment data. A fragment can be in binary XML format or text XML format, so the way the algorithm is applied to the fragment data changes according to the format of the fragment data.
Metadata authentication information in the present invention is formed of a value, such as a hash value, obtained by substituting metadata into a hash function. The authentication information of fragment data in text XML format is therefore unrelated to the authentication information of fragment data in binary XML format, which is why the third control information F_3 is needed. In other words, to determine whether the authentication signature is valid on the basis of the metadata and the hash value included in the metadata container received by the client, the format of the metadata that was used to obtain the hash value must be identified.
The fourth control information F_4 is encryption key information for metadata authentication. The encryption key information is inserted into the metadata container together with the metadata and is then transmitted directly from the server to the client. Alternatively, the encryption key information can be transmitted from the server to the client over a separate secure channel.
The fifth control information F_5 is an authentication level flag indicating the level of the metadata authentication that has been performed. For example, when F_5 is set to "0", it indicates that transmission-level metadata authentication has been performed. When F_5 is set to "1", it indicates that source-level metadata authentication has been performed. With the help of this flag indicating whether transmission-level or source-level metadata authentication has been performed, an application of the client can determine how reliable the metadata transmitted from the server is. Based on the reliability of the received metadata, it can also determine whether to use the received metadata.
The metadata container includes a fragment data storage area that holds at least one piece of fragment data. In the present embodiment, a predetermined semantic unit of the metadata, i.e. fragment data such as information about a program, is inserted into the metadata container. However, the metadata container of the present invention can also be used to selectively carry any unit of metadata. In addition, when a set of associated metadata is carried by a series of metadata containers, this set of metadata is transmitted from the service provider to the client. Furthermore, one metadata container includes one or more metadata fragments. For example, metadata fragment data represents a subtree of the XML tree structure of the whole metadata.
The metadata container-level authentication information includes metadata digest information and metadata authentication signature information.
The metadata digest information is the value obtained by substituting the fragment data stored in the fragment data storage area into a one-way function, such as the hash function specified in the second control information F_2. Each piece of metadata digest information is associated with its corresponding fragment data by a predetermined pointer. For example, the first metadata digest information is associated with the first fragment data by a predetermined pointer. In the present embodiment, a hash function is used to generate the metadata digest information. However, any other function having the same characteristics as a one-way function such as a hash function can also be used to obtain it.
The metadata authentication signature information is the value obtained by substituting the metadata digest information and an encryption key K into a one-way function, such as the hash function specified in the second control information F_2. Like the metadata digest information, each piece of metadata authentication signature information is associated with its corresponding fragment data by a predetermined pointer. For example, the first metadata authentication signature information is associated with the first fragment data by a predetermined pointer. In the present embodiment, a hash function is used to generate the metadata authentication signature information. However, any other function having the same characteristics as a one-way function such as a hash function can also be used to obtain it.
Fig. 4 is a diagram showing the format of a SOAP envelope used for metadata container-level authentication in a two-way channel. As shown in Fig. 4, the authentication-related information is included in the SOAP header, and the metadata fragment data is included in the body of the SOAP envelope.
Among the authentication-related information included in the SOAP header, the "Algorithm ID" information, the "SignatureValueBaseType" information and the "KeyInfo" information correspond to the second control information F_2, the third control information F_3 and the fourth control information F_4 in Fig. 3, respectively. The "Digest" information and the "SignatureValue" information correspond to the metadata digest information and the metadata authentication signature information described above with reference to Fig. 3, respectively. The "AuthenticationLevel" information specifies the level of metadata authentication and corresponds to the authentication level flag, i.e. the fifth control information F_5 in Fig. 3.
As described with reference to Fig. 3 and Fig. 4, encryption management and metadata management can be carried out effectively by inserting into a metadata container the fragment data obtained by partitioning the metadata on the basis of predetermined semantic units.
For example, by assigning index information to each piece of fragment data and using the index stored in an index storage unit, only predetermined metadata selected from all the metadata input to the cache 520 in Fig. 5 can be stored in the data store 540. In addition, because the metadata is partitioned into predetermined semantic units, such as program information or segment information, the metadata fragment data can be selectively encrypted on a per-semantic-unit basis, as shown in Fig. 4.
Fig. 6 is a flowchart of a metadata container-level authentication method that uses the metadata container shown in Fig. 3 and Fig. 4. More specifically, Fig. 6 is a flowchart of the operation of the metadata content provider 120 or the service provider 140 in Fig. 1.
Referring to Fig. 6, in step 610 a plurality of fragment data are generated by partitioning the metadata on the basis of a predetermined semantic unit. Each piece of fragment data generated in the present embodiment is a predetermined semantic unit of the metadata with a predetermined meaning, such as program information.
In step 620, predetermined fragment data is selected from the plurality of fragment data generated in step 610.
In step 630, metadata digest information is generated by substituting the selected fragment data into a hash function, for example a secure hash algorithm such as SHA-1. In the present embodiment, a hash function is used to generate the message digest information. However, any other function having the same characteristics as a one-way function such as a hash function can also be used.
In step 640, a metadata container is generated that includes the selected fragment data, the generated metadata digest information, and data format information indicating whether the format of the selected fragment data is binary XML or text XML, and the container is then transmitted to the client.
Here, data format information is needed to specify the format of the fragment data selected in step 620 because, even if two pieces of fragment data are substantially the same, two different types of fragment data can carry two different types of metadata digest information.
Fig. 3 and Fig. 4 show examples of the metadata container generated in step 640. In step 640, a predetermined authentication flag is set to indicate that metadata container-level authentication has been performed on the fragment data of the metadata carried by the metadata container.
Information on the algorithm used to generate the metadata digest information can be inserted into the metadata container. For example, when a hash function is used to generate the metadata digest information in step 630, algorithm information indicating that a hash function was used as the authentication information generation algorithm is inserted into the metadata container. However, when the algorithm information is known to both the server and the client, it does not need to be inserted into the metadata container.
In addition, a flag specifying the metadata authentication level can be inserted into the metadata container together with the data format information of the selected fragment data. The flag specifies whether the metadata authentication using the metadata container was performed at the transmission level or at the source level.
When a plurality of fragment data are inserted into the metadata container, metadata digest information corresponding to each of the fragment data is included in the metadata container, and pointer information indicating the association between each of the fragment data and its corresponding metadata digest information is also included in the metadata container.
In addition, when a plurality of fragment data are inserted into the metadata container, index information for each of the fragment data is also included in the metadata container.
Fig. 7 is a flowchart of a metadata container-level authentication method that uses the metadata container shown in Fig. 3 and Fig. 4. More specifically, Fig. 7 is a flowchart of the operation of the client 160 in Fig. 1. Referring to Fig. 7, in step 710 a metadata container is received from the metadata content provider 120 or the service provider 140.
In step 720, the first control information F_1 in the header of the received metadata container, i.e. the authentication flag, is read.
In step 730, if the authentication flag that was read shows that metadata container-level authentication has been performed on the fragment data included in the metadata container, the method moves to step 740. Otherwise, the method moves to step 742.
In step 740, the algorithm used to generate the metadata digest information included in the metadata container, i.e. the algorithm used to generate the authentication information, is read by identifying the second control information F_2. In the present embodiment, the algorithm used to generate the authentication information is a hash function. When the algorithm used to generate the authentication information has been determined in advance and is known to both the metadata content provider 120 (or the service provider 140) and the client 160, reading the algorithm can be omitted.
In step 740, the format of the fragment data used in calculating the metadata digest information included in the metadata container is identified by reading the third control information F_3, i.e. the metadata format information.
In step 742, the metadata container-level authentication is ended.
In step 750, predetermined fragment data of the metadata and its corresponding metadata digest information are read.
In step 760, metadata digest information is generated from the fragment data and the data format information read in step 740, using the algorithm for generating metadata digest information, such as a hash function.
In step 770, whether the metadata sent from the metadata content provider 120 or the service provider 140 passes metadata container-level authentication is determined by comparing the metadata digest information generated in step 760 with the metadata digest information of the predetermined fragment data read in step 750.
A metadata authentication level flag can also be included in the metadata container sent from the metadata content provider 120 or the service provider 140. In this case, an application of the client 160 can read the metadata authentication level flag to conclude whether the metadata container-level authentication is transmission-level or source-level metadata authentication. It can also determine, based on the reliability of the metadata, whether to use the metadata sent from the metadata content provider 120 or the service provider 140.
Fig. 8 is a flowchart of a metadata container-level authentication method that uses the metadata container shown in Fig. 3 and Fig. 4. More specifically, Fig. 8 is a flowchart of the operation of the metadata content provider 120 or the service provider 140 shown in Fig. 1.
Referring to Fig. 8, in step 810 a plurality of fragment data are generated by partitioning the metadata on the basis of a predetermined semantic unit. Each piece of fragment data generated in the present embodiment is a predetermined semantic unit, such as program information.
In step 820, predetermined fragment data is selected from the plurality of fragment data.
In step 830, metadata digest information is generated by substituting the selected fragment data into a hash function. In the present embodiment, a hash function is used to generate the metadata digest information. However, any other function having the same characteristics as a one-way function such as a hash function can also be used.
In step 840, a metadata authentication signature is generated by substituting the metadata digest information generated in step 830 and an encryption key K into a hash function. The encryption key K is specific to the service provider 140. A hash function is used in the present embodiment. However, any other function having the same characteristics as a one-way function such as a hash function can also be used. The encryption key K used to generate the metadata authentication signature is encrypted with another encryption key L. Below, the encrypted value of the encryption key obtained using the encryption key L is denoted E(K). The encrypted key value E(K) is carried by the metadata container and transmitted to the client 160. Alternatively, E(K) is transmitted to the client 160 over a secure channel. The encryption key L is transmitted to the client 160 over another secure channel.
In step 850, a metadata container that includes the metadata digest information, the metadata authentication signature and the data format information of the selected fragment data is generated and then transmitted to the client 160.
Fig. 3 and Fig. 4 show examples of the metadata container generated in step 850. In step 850, a metadata container-level authentication flag is assigned to the generated metadata container to indicate that metadata container-level authentication has been performed on the fragment data of the metadata carried by the container.
Information about the algorithm used to generate the metadata digest information can be inserted into the metadata container.
In addition, the data format information of the selected fragment data indicates whether the format of the selected fragment data used to generate the metadata digest information and the authentication information is binary XML or text XML.
When a plurality of fragment data are inserted into the metadata container, the metadata digest information and the metadata authentication signature information for each of the fragment data are also included in the metadata container. In addition, pointer information indicating the relation between each of the fragment data and its corresponding metadata digest information and metadata authentication signature information is also included in the metadata container.
Fig. 9 is to use the process flow diagram of the metadata container-level authentication method of metadata container as shown in Figure 3 and Figure 4.More particularly, Fig. 9 is the process flow diagram of the operation of client computer 160 among Fig. 1.
With reference to Fig. 9,, provide device 120 or service provider 140 to receive metadata container from content metadata in step 910.
In step 920, read first control information in the header that is included in metadata container, the authentication authorization and accounting mark.
In step 930, the fragment data that is included in the metadata container is carried out metadata container-level authentication if read result's demonstration of certification mark, then this method moves to step 940.Otherwise this method moves to step 942.
In step 940, read the algorithm that is used for producing the metadata that is included in metadata container by distinguishing the second control information F_2, promptly be used to produce the algorithm of authentication information.In the present embodiment, the algorithm that is used to produce authentication information is a hash function.The algorithm that is used to produce authentication information determined in advance and content metadata provided device 120 (or service provider 140) and client computer 160 the two be under the known situation, the processing of reading the algorithm that is used to produce authentication information can be omitted.
In step 940, by discerning the 3rd control information F_3, promptly metadata format information is identified in the form that calculates the fragment data that uses in the metadata that is included in the metadata container.
In step 942, metadata container-level authentication is finished.
In step 950, read predetermined fragment data and corresponding metadata summary info, metadata authentication signature information and the data format information of the metadata that is included in the metadata container.
In step 960,, produce metadata by using the algorithm such as the hash function that read in step 940 based on predetermined fragment data that reads in step 950 and corresponding data format information thereof.
In step 970, use another encryption key L that is stored in the client computer 160 to encrypted encryption key K deciphering.Encryption key L is provided device 120 or service provider 140 to be transferred to client computer 160 from content metadata.
In step 980, use the metadata of generation in step 960 and the key K of deciphering to produce metadata authentication signature S.
In step 990,, determine whether be verified by the metadata authentication signature that client computer 160 receives by metadata authentication signature S that relatively in step 980, produces and the metadata authentication signature information that reads in step 950.
The metadata container may also include an authentication level flag indicating the level of metadata authentication performed on the metadata container. In that case, an application using the client 160 reads the metadata authentication level and determines, according to that level, whether to use the metadata included in the metadata container.
In addition, various methods for checking message integrity are available. One of them uses a public-key cryptosystem. In this method, the service provider holds a key pair (K_s, K_p) and signs messages using the key K_s. Here, K_s denotes the private key and K_p the public key. The client can obtain the public key K_p from a reliable source. Therefore, when the client receives a metadata container bearing the service provider's signature, the client determines which service provider sent the metadata container and obtains the public key K_p corresponding to the identified service provider. The client then uses the public key K_p to verify whether the received signature is valid.
The elements used for metadata authentication and the metadata authentication method used to maintain the security of metadata are described in more detail below.
To maintain the security of metadata, access to and use of the metadata must be authorized, the integrity and confidentiality of the metadata must be maintained, and subsets of the metadata in binary or text format must be effectively protected.
Access to all or part of the metadata must be authenticated according to predetermined authentication rules. This metadata access authentication is performed for each application or for each piece of metadata.
Various operations, including "view", "modify" and "copy", are performed on the basis of access to all or part of the metadata. "View" is one of the simplest examples of metadata use and is performed simply by accessing the metadata. Modifying or copying all or part of the metadata, on the other hand, requires a metadata file management system. In addition, when metadata is copied using a remote application, for example when metadata is transmitted from a client to a service provider, a request for the metadata, transmission of the requested metadata, and source authentication information are required.
In addition, to maintain the reliability of metadata, its confidentiality must be maintained. In some cases, metadata may include highly confidential or private data. For this or other reasons, metadata needs to be encrypted before it is transmitted or stored, so that it is not undesirably exposed to the public. In other words, the confidentiality of metadata can be maintained even during transmission by applying transmission-level encryption to the metadata, that is, by encrypting the transmission unit or the metadata container. In addition to transmission-level encryption, source-level encryption of the metadata can resolve all possible problems concerning the confidentiality of metadata at the transmission level or the storage level.
The reliability of metadata in a unidirectional channel environment with a conditional access system and in a bidirectional channel (TLS) environment is described in more detail below.
Here, the unidirectional channel environment with a conditional access system includes terrestrial broadcasting such as ATSC or DVB, satellite broadcasting such as Direct TV, cable TV, and IP multicast. In this environment, a unidirectional channel is used except where data exchange is carried out as a transaction over a return channel. The functions provided in the unidirectional channel environment with a conditional access system are as follows.
The receiver and the transmitter automatically authenticate each other by means of hardware devices. In addition, the receiver and the transmitter can share a common secret over a predetermined channel. Here, the common secret denotes a code shared by the receiver and the transmitter. The packet payload is encrypted and transmitted. The encrypted packet payload is then decrypted using the common secret or using a key decrypted with the common secret.
In the bidirectional channel environment, the server and the client authenticate each other using a handshake protocol, by exchanging and authenticating certificates issued by a third-party certificate authority. A common secret is shared by the client and the server, and a secret key (session key) is then generated. The packet payload is encrypted using the secret key and then transmitted. The encrypted packet payload is decrypted using the secret key. Source authentication can be performed using an algorithm such as DSA or MAC.
In addition, in the bidirectional channel environment, the client and the server are authenticated through the exchange and authentication of certificates issued by a third-party certificate authority. The data transmitted between the client and the server is kept confidential from other parties through encryption of the packet payload and message authentication.
To maintain the reliability of metadata during its transmission, a common secret needs to be shared securely between the receiver and the transmitter, so that they can authenticate each other and the data transmitted between them can be encrypted and then sent.
Methods for protecting metadata at the transmission level or the source level are described in further detail below.
As for protecting metadata during transmission, authentication of the receiver and the transmitter is performed at the transmission level, while authentication of the metadata and maintenance of its confidentiality are performed at the broadcast system level.
For example, in a unidirectional channel, each SOAP message, consisting of a header and a body, can be used as a protected unit, as shown in Figure 10. In a bidirectional channel, on the other hand, when data information is included in the body of a SOAP message, the data signature information is sent using the SOAP message, as shown in Figure 11. The data included in the body of the SOAP message can be encrypted.
A method of maintaining the integrity and confidentiality of metadata and of controlling access to and use of metadata in the broadcast system, which is classified as source-level metadata protection, is described below.
Metadata integrity and confidentiality are maintained in the broadcast system by assigning an authentication signature to the metadata and encrypting the metadata. Because the integrity of the whole metadata does not necessarily have to be maintained, and assuming the whole metadata is not always encrypted, the specific part of the metadata that is encrypted and authenticated needs to be indicated by a predetermined pointer, and this can be done by maintaining the predetermined pointer at the source level using a rights management and protection (RMP) system. By using a source-level signature, the metadata source can actually be authenticated. Of course, the metadata must include information serving as the source authentication signature.
To control access to and use of metadata, a standard description of metadata access and usage rights and an implementation thereof are needed. The standard description may take the form of an XML schema or of a set of elements with predetermined meanings. It can be produced using a conventional markup language such as XrML, XACML or SAML. License descriptions and usage rules can be separated from the metadata. When there are many metadata fragments whose usage information is to be described, access/usage control can be performed in the following simple manner: once an application's access has been authenticated, the application is assumed to operate according to predetermined usage rules set as defaults.
In this case, the user accesses or uses the metadata through the application programming interface (API) of the RMP system. An API is needed when access/usage control information is managed by the TVA RMP system. For example, the API issues and authenticates requests to access metadata. The API also modifies, copies and exports metadata.
As described above, several types of authentication can be performed at predetermined structural levels: transmission-level authentication, metadata container-level authentication or SOAP message-level authentication, and source-level authentication.
In source-level authentication, a pointer is used to provide the authentication message for the specific part of the metadata being authenticated. In SOAP message-level authentication, the authentication message, together with a pointer to the part of the metadata or to the whole metadata included in the body of the SOAP message, is included in the header of the SOAP message.
When only metadata integrity needs to be maintained during metadata transmission, transmission-level authentication alone is sufficient. When transmission independence must be guaranteed, on the other hand, metadata container-level authentication or SOAP message-level authentication can meet that need. The size of the metadata included in a metadata container or in the body of a SOAP message is much larger than the size of a transport packet. Therefore, transmission-level authentication helps to reduce the load on the system, and a secure channel is not necessarily required in this case.
Authentication of the metadata source requires metadata container-level authentication and SOAP message-level authentication. Figure 11 shows the syntax of a metadata container that enables source-level authentication.
To perform source authentication of the metadata at each node between the source and the destination, source authentication information needs to be provided to each node between the source and the destination.
More specifically, the metadata is authenticated at a given node between the source and the destination using the authentication information sent by the previous node, new authentication information is generated, and the metadata and the new authentication information are passed to the next node. Alternatively, the metadata is authenticated at the given node using the authentication information sent by the previous node, and the metadata and that authentication information are passed directly to the next node, so that the metadata can be authenticated again at the next node using the same authentication information.
Therefore, when source-level authentication is performed on the metadata at each node between the source and the destination while the metadata is transmitted from the source to the destination, a flag or signal indicating whether new authentication information was generated after the metadata was authenticated at a given node using the authentication information sent by the previous node can be inserted into the authentication information. A flag or signal indicating the presence of source authentication information helps the receiver decide whether to accept the corresponding metadata.
Although the present invention has been particularly shown and described with reference to exemplary embodiments thereof, those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the claims.
The above embodiments of the present invention can be implemented as computer-readable code written on a computer-readable recording medium. The computer-readable recording medium includes all types of storage on which computer-readable data can be stored, such as ROM, RAM, CD-ROM, magnetic tape, hard disk, floppy disk, flash memory, optical data storage, and carrier waves such as data transmission over the Internet. The computer-readable recording medium can be distributed over computer systems connected by a network, so that the computer-readable code written on it is executed in a distributed manner.
Industrial Applicability
As described above, the method for managing metadata according to the present invention makes it possible to authenticate metadata at the metadata container level. Therefore, transmission-level authentication can be carried out in any channel environment. In addition, by inserting data format information indicating the format of the metadata into the metadata container, the present invention can selectively perform transmission-level authentication, source-level authentication, or both. Considering that a metadata container-level packet is larger than a transmission-level packet, the present invention reduces the number of packets to be transmitted and thus simplifies the system.

Claims (12)

1. A method of managing metadata in a metadata transmission server, comprising:
(a) generating a plurality of fragment data by partitioning metadata to be transmitted on the basis of a predetermined segment unit;
(b) selecting predetermined fragment data from among the plurality of fragment data;
(c) generating metadata-related information using the selected fragment data; and
(d) transmitting the selected fragment data and the metadata-related information together with data format information indicating the type of the selected fragment data.
2. The method according to claim 1, wherein the selected fragment data, the metadata-related information, and the data format information of the selected fragment data are transmitted in a metadata container.
3. The method according to claim 1, wherein the data format information indicates whether the selected fragment data has a binary XML format or a text XML format.
4. The method according to claim 1, wherein the plurality of fragment data are predetermined semantic units of the metadata.
5. The method according to claim 2, wherein an authentication level flag specifying the metadata authentication level is also included in the metadata container.
6. The method according to claim 1, wherein the metadata-related information is metadata digest information obtained by substituting the selected fragment data into a one-way function.
7. The method according to claim 6, wherein the one-way function is a hash function.
8. The method according to claim 1, further comprising generating metadata authentication signature information using the metadata-related information and a first encryption key, and inserting the metadata authentication signature information into the metadata container that includes the selected fragment data.
9. The method according to claim 8, wherein the metadata authentication signature information is obtained by substituting the metadata-related information and the first encryption key into a one-way function.
10. The method according to claim 9, further comprising encrypting the first encryption key using a second encryption key, and inserting the encrypted first encryption key into the metadata container that includes the selected fragment data.
11. The method according to claim 2, wherein the plurality of fragment data and the metadata-related information are each inserted into the metadata container, and each of the plurality of fragment data and its corresponding metadata-related information are linked to each other by pointer information.
12. The method according to claim 8, wherein the plurality of fragment data, the metadata-related information, and the metadata authentication signature information are each inserted into the metadata container, and each of the plurality of fragment data and its corresponding metadata-related information and metadata authentication signature information are linked to one another by pointer information.
CNB038243091A 2002-10-15 2003-04-09 Method of managing metadata Expired - Fee Related CN100401285C (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US41816002P 2002-10-15 2002-10-15
US60/418,160 2002-10-15
US60/425,259 2002-11-12
KR1020030013002 2003-03-03

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN2007103004235A Division CN101216869B (en) 2002-10-15 2003-04-09 Method of managing metadata

Publications (2)

Publication Number Publication Date
CN1688992A CN1688992A (en) 2005-10-26
CN100401285C true CN100401285C (en) 2008-07-09

Family

ID=35306376

Family Applications (2)

Application Number Title Priority Date Filing Date
CNB038243091A Expired - Fee Related CN100401285C (en) 2002-10-15 2003-04-09 Method of managing metadata
CN2007103004235A Expired - Fee Related CN101216869B (en) 2002-10-15 2003-04-09 Method of managing metadata

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN2007103004235A Expired - Fee Related CN101216869B (en) 2002-10-15 2003-04-09 Method of managing metadata

Country Status (1)

Country Link
CN (2) CN100401285C (en)


Also Published As

Publication number Publication date
CN101216869B (en) 2011-08-24
CN1688992A (en) 2005-10-26
CN101216869A (en) 2008-07-09


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080709

Termination date: 20170409
