A media stream encryption transmission method and a media stream transmission system

By using quantum key encryption and decryption technology, the problem of low data security when streaming media services are uploaded to the cloud is solved, and secure transmission of media stream data is achieved, reducing the risk of leakage.

CN119255018B · Active · Publication Date: 2026-06-19 · E SURFING VISION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: E SURFING VISION TECHNOLOGY CO LTD
Filing Date: 2024-10-18
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, when streaming media services are deployed to the cloud, video stream data is easily stolen in the public network environment, resulting in low data security.

Method used

The encryption identifier information is encrypted using a quantum key to generate a ciphertext token, which is then transmitted through a quantum channel. The streaming media server encrypts the ciphertext token and transmits the encrypted media stream data. The playback device decrypts the data to be transmitted.

Benefits of technology

It reduces the risk of leakage of encrypted identification information and media stream data during IP network transmission, and enhances the data security of media stream transmission.

✦ Generated by Eureka AI based on patent content.


Abstract

This application provides a method and system for encrypted media stream transmission. Quantum key encryption is used to encrypt encryption identification information to obtain a ciphertext token. The playback device sends the ciphertext token to the streaming media server, enabling the server to obtain encryption identification information based on the token. The server then encrypts the media stream data to be transmitted using the encryption identification information, obtaining encrypted media stream data, and transmits the encrypted media stream data to the playback device. The playback device can then obtain the media stream data to be transmitted based on the encrypted media stream data and play the video accordingly. This reduces the risk of leakage of encryption identification information and media stream data during IP network transmission, thereby enhancing the data security of media stream transmission.

Description

Technical Field

[0001] This application relates to the field of streaming media transmission technology, and in particular to a method and system for encrypted transmission of media streams.

Background Technology

[0002] With the development and popularization of video surveillance technology, cloud-based streaming media services have become a trend, storing video stream data on cloud servers. In this scenario, when a user needs to play a video, the video stream data is forwarded by the streaming media service to the client app (application) of the playback device. During this forwarding process, the video stream data is exposed to the public internet, making it vulnerable to theft and potential data leakage. Therefore, it is evident that existing technologies suffer from low data security.

Summary of the Invention

[0003] The purpose of this application is to address at least one of the aforementioned technical deficiencies, particularly the low data security of existing technologies.

[0004] In a first aspect, embodiments of this application provide a media stream encryption transmission method, applied to a media stream transmission system, the media stream transmission system including a playback device and a streaming media server; the method includes:

[0005] The playback device acquires the media stream address information, the quantum key, and the ciphertext token, and generates a media stream acquisition request; wherein the ciphertext token is obtained by encrypting a plaintext token according to the quantum key, and the plaintext token includes encryption identification information; the media stream acquisition request carries the media stream address information and the ciphertext token;

[0006] The playback device sends the media stream acquisition request to the streaming media server;

[0007] The streaming media server extracts the media stream address information and the ciphertext token from the media stream acquisition request, respectively;

[0008] The streaming media server reads the media stream data to be transmitted based on the media stream address information;

[0009] The streaming media server obtains the quantum key and decrypts the ciphertext token using the quantum key to obtain the encryption identification information;

[0010] The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data;

[0011] The streaming media server returns the encrypted media stream data to the playback device;

[0012] The playback device decrypts the encrypted media stream data using the quantum key to obtain the media stream data to be transmitted.

[0013] In one embodiment, the media streaming system further includes a service platform and a quantum security shield server;

[0014] The playback device obtains media stream address information, quantum key, and ciphertext token, including:

[0015] The playback device sends an address acquisition request to the service platform;

[0016] In response to the address acquisition request, the service platform determines the media stream address information and the plaintext token, and generates a request identifier.

[0017] The service platform sends the first key acquisition request to the quantum security shield server through a quantum channel; wherein the first key acquisition request carries the request identifier;

[0018] In response to the first key acquisition request, the quantum security shield server generates the quantum key corresponding to the request identifier;

[0019] The quantum security shield server returns the quantum key to the service platform via a quantum channel;

[0020] The service platform encrypts the plaintext token using the quantum key to obtain the ciphertext token, and then concatenates the ciphertext token, the media stream address information, and the request identifier to obtain the address response information.

[0021] The service platform returns the address response information to the playback device;

[0022] The playback device extracts the ciphertext token, the media stream address information, and the request identifier from the address response information, respectively;

[0023] The playback device sends a first key query request to the quantum security shield server via a quantum channel; wherein the first key query request carries the request identifier;

[0024] In response to the first key query request, the quantum security shield server returns the quantum key to the playback device via a quantum channel;

[0025] The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token.

[0026] In one embodiment, before the playback device sends an address retrieval request to the service platform, the following steps are included:

[0027] The playback device sends a network access authentication request to the quantum security shield server via a quantum channel;

[0028] In response to the network access authentication request, the quantum security shield server performs network access verification on the playback device and generates a verification result.

[0029] The quantum security shield server returns the verification result to the playback device via a quantum channel.

[0030] In one embodiment, the media stream acquisition request also carries the request identifier;

[0031] The streaming media server acquires the quantum key, including:

[0032] The streaming media server extracts the request identifier from the media stream acquisition request;

[0033] The streaming media server sends a second key query request to the quantum security shield server via a quantum channel; wherein the second key query request carries the request identifier;

[0034] In response to the second key query request, the quantum security shield server returns the quantum key to the streaming media server via the quantum channel.

[0035] In one embodiment, the encryption identification information includes an encryption algorithm identifier, a video encryption type identifier, and a video encryption length.

[0036] In one embodiment, the media stream data to be transmitted includes video data to be transmitted, and the encrypted media stream data includes encrypted video data;

[0037] The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data, including:

[0038] The streaming media server determines the media stream encryption algorithm based on the encryption algorithm identifier;

[0039] When the video encryption type identifier is a keyframe encryption identifier, the streaming media server encrypts the first N bytes of each keyframe in the video data to be transmitted according to the media stream encryption algorithm to obtain keyframe encrypted data, and generates the encrypted video data based on the keyframe encrypted data; where N is the video encryption length.

[0040] When the video encryption type identifier is a partial encryption identifier, the streaming media server encrypts the first N bytes of each frame in the video data to be transmitted according to the media stream encryption algorithm to obtain the encrypted video data.

[0041] When the video encryption type identifier is set to full encryption, the streaming media server encrypts all bytes of each frame in the video data to be transmitted according to the media stream encryption algorithm to obtain the encrypted video data.
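
The three video encryption types in [0039] to [0041], sketched as an added example (not code from the patent) that also counts how many bytes each type leaves in the clear. The identifier names, the frame tuples and the SHAKE-256 keystream standing in for the AES or SM4 algorithm are assumptions, as is the rule that non-key frames pass through unchanged in keyframe mode and that a frame shorter than N is encrypted whole.

```python
import hashlib

# Assumed names for the three video encryption type identifiers.
KEYFRAME, PARTIAL, FULL = "keyframe", "partial", "full"


def xor_stream(key, frame_index, data):
    """Constructed stand-in cipher: XOR with a per-frame SHAKE-256 keystream.

    The frame index is mixed in so that no two frames share a keystream.
    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not data:
        return b""
    seed = key + frame_index.to_bytes(8, "big")
    stream = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def protected_span(is_keyframe, frame_len, enc_type, n):
    """Number of leading bytes of one frame that are encrypted."""
    if n < 0:
        raise ValueError("video encryption length must not be negative")
    if enc_type == FULL:
        return frame_len                      # every byte of every frame
    if enc_type == PARTIAL:
        return min(n, frame_len)              # first N bytes of every frame
    if enc_type == KEYFRAME:
        return min(n, frame_len) if is_keyframe else 0   # key frames only
    raise ValueError(f"unknown video encryption type: {enc_type!r}")


def transform_video(frames, key, enc_type, n):
    """Encrypt (or, applied a second time, decrypt) a list of frames."""
    out = []
    for index, (is_keyframe, payload) in enumerate(frames):
        span = protected_span(is_keyframe, len(payload), enc_type, n)
        out.append((is_keyframe,
                    xor_stream(key, index, payload[:span]) + payload[span:]))
    return out


def cleartext_bytes(frames, enc_type, n):
    """Bytes that still cross the network unencrypted under a given type."""
    return sum(len(payload) - protected_span(is_key, len(payload), enc_type, n)
               for is_key, payload in frames)


# Constructed sample input: (is_keyframe, payload) tuples, 340 bytes in total.
SAMPLE_FRAMES = [(True, b"I" * 200), (False, b"P" * 80),
                 (False, b"P" * 40), (True, b"I" * 20)]
SAMPLE_KEY = bytes(range(32))   # constructed key, not a real quantum key

if __name__ == "__main__":
    for mode in (KEYFRAME, PARTIAL, FULL):
        enc = transform_video(SAMPLE_FRAMES, SAMPLE_KEY, mode, 64)
        assert transform_video(enc, SAMPLE_KEY, mode, 64) == SAMPLE_FRAMES
        print(mode, cleartext_bytes(SAMPLE_FRAMES, mode, 64), "bytes left in clear")
```

Only the full encryption type leaves no media bytes readable on the IP path; the other two trade confidentiality of the frame tails (and, in keyframe mode, of whole non-key frames) for lower encryption cost.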

[0042] In one embodiment, the encryption identification information further includes an audio encryption identification.

[0043] In one embodiment, the media stream data to be transmitted includes audio data to be transmitted, and the encrypted media stream data includes encrypted audio data;

[0044] The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data, including:

[0045] The streaming media server determines the media stream encryption algorithm based on the encryption algorithm identifier;

[0046] The streaming media server encrypts all bytes of the audio data to be transmitted according to the media stream encryption algorithm to obtain the encrypted audio data.

[0047] In one embodiment, the playback device decrypts the encrypted media stream data using the quantum key to obtain the media stream data to be transmitted, including:

[0048] The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token;

[0049] The playback device determines the encryption identification information based on the plaintext token and decrypts the encrypted media stream data to obtain the media stream data to be transmitted.

[0050] In a second aspect, embodiments of this application provide a media stream transmission system based on the media stream encryption transmission method described in any of the above embodiments, comprising: a playback device and a streaming media server; wherein:

[0051] The playback device is used to obtain media stream address information, quantum key and ciphertext token respectively, and generate media stream acquisition request; wherein the ciphertext token is obtained by encrypting a plaintext token according to the quantum key, and the plaintext token includes encryption identification information; the media stream acquisition request carries the media stream address information and the ciphertext token;

[0052] The playback device is used to send the media stream acquisition request to the streaming media server;

[0053] The streaming media server is used to extract the media stream address information and the ciphertext token from the media stream acquisition request, respectively.

[0054] The streaming media server is used to read the media stream data to be transmitted according to the media stream address information;

[0055] The streaming media server is used to obtain the quantum key and decrypt the ciphertext token according to the quantum key to obtain the encryption identification information;

[0056] The streaming media server is used to encrypt the media stream data to be transmitted according to the encryption identification information to obtain encrypted media stream data;

[0057] The streaming media server is used to return the encrypted media stream data to the playback device;

[0058] The playback device is used to decrypt the encrypted media stream data according to the quantum key to obtain the media stream data to be transmitted.

[0059] In the media stream encryption transmission method and system provided in some embodiments of this application, quantum key distribution can be used to encrypt encryption identification information to obtain a ciphertext token. The playback device can send the ciphertext token to the streaming media server, enabling the streaming media server to obtain encryption identification information based on the ciphertext token, encrypt the media stream data to be transmitted according to the encryption identification information, obtain encrypted media stream data, and transmit the encrypted media stream data to the playback device. The playback device can obtain the media stream data to be transmitted based on the encrypted media stream data and play the video accordingly. This reduces the risk of leakage of encryption identification information and media stream data during IP (Internet Protocol) network transmission, thereby enhancing the data security of media stream transmission.

Description of the Drawings

[0060] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0061] Figure 1 is the first flowchart of a media stream encryption transmission method in one embodiment;

[0062] Figure 2 is the second flowchart of a media stream encryption transmission method in one embodiment;

[0063] Figure 3 is a schematic diagram of the data structure of keyframe encrypted data in one embodiment;

[0064] Figure 4 is the first schematic diagram of the data structure of encrypted video data in one embodiment;

[0065] Figure 5 is the second schematic diagram of the data structure of encrypted video data in one embodiment;

[0066] Figure 6 is a schematic diagram of the data structure of encrypted audio data in one embodiment.

Detailed Implementation

[0067] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0068] The following is an explanation of the terms used in this application.

[0069] AES (Advanced Encryption Standard) algorithm: A symmetric encryption algorithm that uses the same key for both encryption and decryption.

[0070] SM4 Algorithm: The SM4 block cipher algorithm, which is a national standard, is a symmetric encryption algorithm.

[0071] CBC (Cipher-block chaining): An encryption mode. In CBC mode, each plaintext block is first XORed with the previous ciphertext block before being encrypted, thus ensuring the uniqueness of each message.

[0072] NAL: Video data encoded with H.264.

[0073] In one embodiment, this application provides a method for encrypted transmission of media streams. This method can be applied to a media stream transmission system, which may include a playback device and a streaming media server. The streaming media server refers to a server used to provide streaming media services, and this server can be used to store media stream data. The playback device refers to an electronic device used to play video, and may include, but is not limited to, smartphones, tablets, desktop computers, laptops, wearable devices, IoT devices, home appliances, etc. In one example, the playback device may have a media player installed.

[0074] As shown in Figure 1, the media stream encryption transmission method of this application may include the following steps:

[0075] S102: The playback device obtains the media stream address information, quantum key and ciphertext token respectively, and generates a media stream acquisition request.

[0076] The media stream acquisition request carries media stream address information and a ciphertext token. The media stream address information gives the address from which the media stream to be played is retrieved. The ciphertext token is token data obtained by encrypting a plaintext token using a quantum key, and the plaintext token includes encryption identification information. This encryption identification information reflects the encryption information used to encrypt the media stream data to be transmitted, and may include any one or any combination of information such as encryption method identifier, encryption algorithm identifier, and media stream encryption/decryption key.

[0077] In one example, the plaintext token may also include an expiration timestamp for validating the plaintext token.

[0078] In this step, the playback device can obtain the media stream address information, quantum key and ciphertext token respectively, and generate a media stream acquisition request based on the media stream address information and ciphertext token, so that the media stream acquisition request carries the media stream address information and ciphertext token.

[0079] S104: The playback device sends a media stream retrieval request to the streaming media server.

[0080] In this step, the playback device establishes a communication connection with the streaming media server and can send a media stream retrieval request to the streaming media server to attempt to call the streaming media service provided by the streaming media server and obtain the media stream data to be played.

[0081] S106: The streaming media server extracts the media stream address information and the ciphertext token from the media stream acquisition request.

[0082] In this step, since the media stream acquisition request carries media stream address information and a ciphertext token, the streaming media server can extract the media stream address information and ciphertext token from the request after receiving it from the playback device. For example, the streaming media server can parse the media stream acquisition request according to pre-set parsing rules to obtain the media stream address information and ciphertext token.

[0083] S108: The streaming media server reads the media stream data to be transmitted based on the media stream address information.

[0084] In this step, after obtaining the media stream address information, the streaming media server can read the media stream data to be played by the playback device based on the media stream address information, and obtain the media stream data to be transmitted. It can be understood that the media stream data to be transmitted mentioned in this application refers to the media stream data that needs to be transmitted to the playback device, i.e., the aforementioned media stream data to be played.

[0085] S110: The streaming media server obtains the quantum key and decrypts the ciphertext token based on the quantum key to obtain the encryption identification information.

[0086] In this step, after obtaining the ciphertext token, the streaming media server needs to decrypt it to obtain the encryption identification information. This information is then used to encrypt the media stream data to be transmitted, achieving encrypted transmission of the media stream. Therefore, the streaming media server can obtain a quantum key and decrypt the ciphertext token using the quantum key to obtain a plaintext token, and then use the plaintext token to obtain the encryption identification information.

[0087] S112: The streaming media server encrypts the media stream data to be transmitted based on the encryption identifier information to obtain encrypted media stream data.

[0088] In this step, the streaming media server can encrypt the media stream data to be transmitted based on the encryption identifier information. For example, when the encryption identifier information includes an encryption algorithm identifier and a media stream encryption/decryption key, the streaming media server can use the media stream encryption/decryption key as the encryption key and use the target encryption algorithm corresponding to the encryption algorithm identifier to encrypt the media stream data to be transmitted, thereby generating encrypted media stream data.

[0089] S114: The streaming media server returns encrypted media stream data to the playback device.

[0090] In this step, after obtaining the encrypted media stream data, the streaming media server can return the encrypted media stream data to the playback device to achieve encrypted transmission of the media stream.

[0091] S116: The playback device decrypts the encrypted media stream data using the quantum key to obtain the media stream data to be transmitted.

[0092] In this step, after receiving the encrypted media stream data, the playback device can decrypt the encrypted media stream data according to the quantum key to obtain the media stream data to be transmitted, and play the media based on the media stream data to be transmitted.

[0093] In one example, S116 may include the following steps:

[0094] Step A1: The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token;

[0095] Step A2: The playback device determines the encryption identifier information based on the plaintext token and decrypts the encrypted media stream data to obtain the media stream data to be transmitted.

[0096] Specifically, during the decryption process, the playback device can first use a quantum key to decrypt the ciphertext token to obtain the plaintext token. Since the streaming media server encrypts the media stream data based on the encryption identification information in the plaintext token, the playback device can decrypt the encrypted media stream data based on the encryption identification information in the plaintext token to obtain the plaintext data corresponding to the encrypted media stream data, which is the media stream data to be transmitted.

[0097] In this embodiment, quantum key distribution can be used to encrypt the encryption identification information to obtain a ciphertext token. The playback device can send the ciphertext token to the streaming media server, enabling the streaming media server to obtain the encryption identification information based on the ciphertext token, encrypt the media stream data to be transmitted according to the encryption identification information, obtain encrypted media stream data, and transmit the encrypted media stream data to the playback device. The playback device can obtain the media stream data to be transmitted based on the encrypted media stream data and play the video accordingly. This reduces the risk of leakage of encryption identification information and media stream data during IP network transmission, thereby enhancing the data security of media stream transmission.

[0098] In one embodiment, the media streaming system further includes a service platform and a quantum security shield server. The service platform refers to a platform used to manage the streaming media server (i.e., video source information), and the quantum security shield server refers to a platform used to generate, publish, and manage quantum keys.

[0099] As shown in Figure 2, the playback device obtains the media stream address information, quantum key, and ciphertext token through the following steps:

[0100] S208: The playback device sends an address acquisition request to the service platform;

[0101] S210: In response to the address acquisition request, the service platform determines the media stream address information and the plaintext token, and generates a request identifier;

[0102] S212: The service platform sends a first key acquisition request to the quantum security shield server through the quantum channel; wherein the first key acquisition request carries a request identifier;

[0103] S214: In response to the first key acquisition request, the quantum security shield server generates a quantum key corresponding to the request identifier;

[0104] S216: The quantum security shield server returns the quantum key to the service platform through the quantum channel;

[0105] S218: The service platform encrypts the plaintext token using the quantum key to obtain the ciphertext token, and then concatenates the ciphertext token, media stream address information, and request identifier to obtain the address response information;

[0106] S220: The service platform returns address response information to the playback device;

[0107] S222: The playback device extracts the ciphertext token, media stream address information, and request identifier from the address response information, respectively;

[0108] S224: The playback device sends a first key query request to the quantum security shield server via the quantum channel; wherein, the first key query request carries a request identifier;

[0109] S226: In response to the first key query request, the quantum security shield server returns the quantum key to the playback device via the quantum channel;

[0110] S228: The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token.

[0111] In practical applications, different media streams may correspond to different streaming media servers. When playing audio, video, or other media data, the playback device needs to initiate a media stream retrieval request from a specified streaming media server to obtain the media stream data to be played. Therefore, the playback device can obtain the media stream address information from the service platform.

[0112] Meanwhile, different media stream data can be encrypted using different encryption algorithms, encryption methods, and/or different media stream encryption/decryption keys, and this encryption identification information can be centrally managed by the service platform. In this case, the playback device can interact with the service platform to obtain the encryption identification information from the service platform.

[0113] Specifically, in this embodiment, the playback device can send an address acquisition request to the service platform via an IP channel to attempt to obtain the media stream address information corresponding to the media stream to be played from the service platform. Upon receiving the address acquisition request, the service platform can determine the media stream address information and the plaintext token corresponding to the media stream to be played, and generate a request identifier sid. The plaintext token includes encryption identification information corresponding to the media stream to be played. The request identifier sid can identify the acquisition process of this media stream data and can be used to manage quantum keys.

[0114] The service platform can generate a first key acquisition request based on the request identifier sid, and send the first key acquisition request to the quantum security shield server through a quantum channel. Upon receiving the first key acquisition request, the quantum security shield server can generate a quantum key corresponding to the request identifier sid, and return the quantum key to the service platform through the quantum channel.

[0115] In one example, the service platform can acquire quantum keys using the QMS server-side SDK (Software Development Kit). In this example, the service platform sends a second key acquisition request carrying a request identifier sid to the QMS server-side SDK. In response to the second key acquisition request, the QMS server-side SDK sends the request identifier sid to the quantum security shield server via a quantum channel. The quantum security shield server returns the quantum key to the QMS server-side SDK based on the request identifier sid. The QMS server-side SDK then forwards the quantum key to the service platform, enabling the service platform to obtain the quantum key corresponding to the request identifier sid.

[0116] The service platform can encrypt the plaintext token using a quantum key to obtain a ciphertext token. For example, the AES256 algorithm can be used for encryption. After obtaining the ciphertext token, the service platform can concatenate the ciphertext token, media stream address information, and request identifier sid to obtain address response information, and return this address response information to the playback device. In one example, the address response information could be wss://videoaddress.cn/live.flv?token=aaa&sid=123, where wss://videoaddress.cn/live.flv is the media stream address information based on the WSS (WebSocket Secure) protocol, aaa is the ciphertext token, and 123 is the request identifier.

[0117] After receiving the address response information from the service platform, the playback device can extract the ciphertext token, media stream address information, and request identifier sid from the address response information. For example, the playback device can parse the address response information according to preset parsing rules and obtain the ciphertext token, media stream address information, and request identifier sid respectively.

[0118] The playback device can generate a first key query request based on the request identifier sid, and send the first key query request to the quantum security shield server through a quantum channel. Upon receiving the first key query request, the quantum security shield server can return the quantum key corresponding to the request identifier sid to the playback device through the quantum channel, enabling the playback device to decrypt the ciphertext token and obtain the plaintext token based on the received quantum key.

[0119] In one example, the playback device may have a player and the Quantum Security Shield SDK installed. The player can obtain the quantum key through the Quantum Security Shield SDK. In this example, the playback device can send a third key acquisition request carrying the request identifier sid to the Quantum Security Shield SDK. In response to the third key acquisition request, the Quantum Security Shield SDK sends the request identifier sid to the Quantum Security Shield server via a quantum channel. Based on the request identifier sid, the Quantum Security Shield server returns the quantum key to the Quantum Security Shield SDK. The Quantum Security Shield SDK then forwards the quantum key to the player.

[0120] In this embodiment, the quantum security shield server can interact with other platform devices through a quantum channel and transmit key acquisition requests, key query requests, and quantum keys through the quantum channel to reduce the risk of leakage of request identifiers and quantum keys, thereby further improving data security.
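
The token flow of S210 to S228 and S106 to S110, as an added example that is not code from the patent: the service platform builds the address response, and the receiving side parses it strictly, looks the key up by sid and checks the expiration timestamp from [0077]. The `KeyServer` class, the JSON field names, the hex token encoding and the SHAKE-256 plus HMAC construction standing in for AES256 are assumptions; the integrity tag and the rejection of duplicated parameters are additions the patent text does not specify.

```python
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class KeyServer:
    """Stand-in for the quantum security shield server: one key per sid."""

    def __init__(self):
        self._keys = {}

    def generate(self, sid):          # S214: key created for a request identifier
        self._keys[sid] = os.urandom(32)
        return self._keys[sid]

    def query(self, sid):             # S226 and the server's second key query
        if sid not in self._keys:
            raise ValueError("unknown request identifier")
        return self._keys[sid]


def _subkeys(key):
    # Separate keys for encryption and integrity, both derived from the sid key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal_token(key, plaintext):
    """Constructed stand-in for the AES256 step: SHAKE-256 keystream plus HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    return (body + hmac.new(mac_key, body, hashlib.sha256).digest()).hex()


def open_token(key, token_hex):
    enc_key, mac_key = _subkeys(key)
    raw = bytes.fromhex(token_hex)          # ValueError on non-hex input
    body, tag = raw[:-32], raw[-32:]
    if len(body) <= 16 or not hmac.compare_digest(
            tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("ciphertext token failed integrity check")
    nonce, ct = body[:16], body[16:]
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def build_address_response(key_server, stream_url, enc_info, ttl, now=None):
    """S210-S218: service platform issues a sid, seals the token, concatenates."""
    now = int(time.time()) if now is None else now
    sid = os.urandom(8).hex()
    key = key_server.generate(sid)
    plain = json.dumps({"enc": enc_info, "exp": now + ttl}).encode()
    return stream_url + "?" + urlencode({"token": seal_token(key, plain), "sid": sid})


def parse_address_response(resp):
    """S222 / S106: split into address, ciphertext token and sid, strictly."""
    parts = urlsplit(resp)
    try:
        query = parse_qs(parts.query, strict_parsing=True)
    except ValueError:
        raise ValueError("malformed query string") from None
    if parts.scheme != "wss" or set(query) != {"token", "sid"}:
        raise ValueError("unexpected scheme or parameters")
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("duplicated parameter")
    return f"wss://{parts.netloc}{parts.path}", query["token"][0], query["sid"][0]


def read_encryption_info(key_server, request_url, now=None):
    """S110: the streaming server resolves the key by sid and opens the token."""
    now = int(time.time()) if now is None else now
    address, token, sid = parse_address_response(request_url)
    claims = json.loads(open_token(key_server.query(sid), token))
    if claims["exp"] < now:
        raise ValueError("token expired")
    return address, claims["enc"]


if __name__ == "__main__":
    ks = KeyServer()
    # Constructed sample values; the field names "alg", "type" and "len" are assumptions.
    url = build_address_response(ks, "wss://videoaddress.cn/live.flv",
                                 {"alg": "AES256", "type": "keyframe", "len": 64}, ttl=60)
    print(read_encryption_info(ks, url))
```

The sid travels in the clear next to the token, so the confidentiality of the token rests entirely on the key lookup being restricted to authenticated parties, which is the role [0120] assigns to the quantum channel.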

[0121] In one embodiment, as shown in Figure 2, before the playback device sends an address retrieval request to the service platform, the method includes:

[0122] S202: The playback device sends a network access authentication request to the Quantum Security Shield server via the quantum channel;

[0123] S204: The Quantum Security Shield server responds to the network access authentication request, performs network access verification on the playback device, and generates the verification result;

[0124] S206: The quantum security shield server returns the verification result to the playback device through the quantum channel.

[0125] In this embodiment, the playback device may first perform network access authentication before initiating an address acquisition request, so as to further improve data security.

[0126] In one example, when the playback device has both a player and the Quantum Security Shield SDK installed, the player can first perform local shield settings and monitoring, and then call the Quantum Security Shield SDK to initialize and perform network access verification. The Quantum Security Shield SDK can send a network access authentication request to the Quantum Security Shield server via the quantum channel. The Quantum Security Shield server responds to the network access authentication request, performs network access verification, generates a verification result, and returns the verification result to the Quantum Security Shield SDK. Based on the verification result, the Quantum Security Shield SDK returns the initialization result to the player.

[0127] In one embodiment, the media stream acquisition request also carries a request identifier. A description of the request identifier can be found above, and will not be repeated here.

[0128] The streaming media server obtains the quantum key, including:

[0129] The streaming media server extracts the request identifier from the media stream retrieval request;

[0130] The streaming media server sends a second key query request to the quantum security shield server via a quantum channel; the second key query request carries a request identifier.

[0131] In response to the second key query request, the quantum security shield server returns the quantum key to the streaming media server via the quantum channel.

[0132] In this embodiment, the streaming media server can interact with the quantum security shield server through a quantum channel to obtain quantum keys, thereby reducing the risk of quantum key leakage and further improving data security.

[0133] Specifically, the streaming media server can extract the request identifier sid from the media stream acquisition request, generate a second key query request based on the request identifier sid, and send the second key query request to the quantum security shield server through a quantum channel. In response to the second key query request, the quantum security shield server returns the quantum key to the streaming media server through the quantum channel, enabling the streaming media server to obtain the quantum key corresponding to the request identifier sid.

[0134] In one embodiment, the encryption identification information includes an encryption algorithm identifier, a video encryption type identifier, and a video encryption length. The encryption algorithm identifier reflects the encryption algorithm used in the encryption process of the media stream data. The media stream data may include video data, and the video encryption type identifier reflects the data within the video data that needs to be encrypted. For example, the video data may include keyframes (I-frames), prediction frames (P-frames), and bidirectional prediction frames (B-frames). This application can choose to encrypt keyframes, prediction frames, or bidirectional prediction frames, or it can choose to encrypt keyframes and prediction frames, or it can choose to encrypt all frames, etc. Furthermore, after determining the frame type to be encrypted, for each video frame that needs encryption, this application can choose to encrypt a portion of the bytes of the video frame, or it can choose to encrypt all the bytes of the video frame. If only a portion of the bytes of the video frame needs to be encrypted, the length of bytes to be encrypted can be determined by the video encryption length.

[0135] In one embodiment, the media stream data may include audio data, and the encryption identification information may include an audio encryption identifier. This audio encryption identifier can be used to indicate whether the audio data is encrypted. In one example, the parameters and related descriptions of the encryption identification information are shown in Table 1.

[0136] Table 1

[0137]

[0138] For example, a plaintext token could be:

[0139] ts=1714978040&venc=1&algori=1&vtype=0&vencl=16&aenc=1&atype=1

[0140] The expiration timestamp is 1714978040. When transmitting media stream data, the AES256 encryption algorithm is required to encrypt the key frames of the video data and to fully encrypt the audio data.

[0141] In one embodiment, the media stream data to be transmitted includes video data to be transmitted, and the encrypted media stream data includes encrypted video data. The encrypted video data is obtained by encrypting the video data to be transmitted based on encryption identification information.

[0142] The streaming media server encrypts the media stream data to be transmitted based on the encryption identifier information, resulting in encrypted media stream data, including:

[0143] Step B1: The streaming media server determines the media stream encryption algorithm based on the encryption algorithm identifier;

[0144] Step B2: When the video encryption type identifier is keyframe encryption identifier, the streaming media server encrypts the first N bytes of each keyframe in the video data to be transmitted according to the media stream encryption algorithm to obtain keyframe encrypted data, and generates encrypted video data based on the keyframe encrypted data; where N is the video encryption length.

[0145] Step B3: When the video encryption type identifier is a partial encryption identifier, the streaming media server encrypts the first N bytes of each frame of the video data to be transmitted according to the media stream encryption algorithm to obtain encrypted video data.

[0146] Step B4: When the video encryption type identifier is a full encryption identifier, the streaming media server encrypts all bytes of each frame in the video data to be transmitted according to the media stream encryption algorithm to obtain encrypted video data.

[0147] It is understood that streaming media servers can use any format to encapsulate encrypted media stream data, and the encrypted video length can be determined based on the actual length. For ease of explanation, the following embodiment uses FLV format with a video encryption length of 32 bytes as an example. When encapsulating media stream data in FLV format, the streaming media server can encrypt the video data within the FLV format data. Video data encryption methods can include keyframe encryption, partial encryption, and full encryption.

[0148] If the video encryption type identifier is a keyframe encryption identifier, the streaming media server can use keyframe encryption to encrypt the video data. Keyframe encryption involves encrypting the first 32 bytes of each keyframe (I-frame). This improves encryption efficiency while ensuring data security, thereby enhancing the real-time performance of video playback.

[0149] In one example, as shown in Figure 3, the keyframe encrypted data may include an FLV header, the previous tag length (previous tag len), a video tag header, and a video body. The video body may include the length of the NAL unit (nal_unit_len) and NAL data (nal). The NAL data includes encrypted data obtained by AES256 / SM4 encryption of the first 32 bytes of the keyframe, as well as the remaining unencrypted bytes of the keyframe.

[0150] If the video encryption type identifier is a partial encryption identifier, the streaming media server can use partial encryption to encrypt the video data. Partial encryption means encrypting the first 32 bytes of each video frame (including I-frames, P-frames, and B-frames). This balances real-time playback and data security. In one example, the data structure of the encrypted video data could be as shown in Figure 4.

[0151] If the video encryption type identifier is a full encryption identifier, the streaming media server can use full encryption to encrypt the video data. Full encryption means encrypting all bytes of each video frame (including I-frames, P-frames, and B-frames) to obtain the encrypted video data. This further enhances data security. In one example, the data structure of the encrypted video data could be as shown in Figure 5.

[0152] In one embodiment, the media stream data to be transmitted includes audio data to be transmitted, and the encrypted media stream data includes encrypted audio data. The encrypted audio data refers to data obtained by encrypting the audio data to be transmitted according to encryption identification information.

[0153] The streaming media server encrypts the media stream data to be transmitted based on the encryption identifier information, resulting in encrypted media stream data, including:

[0154] The streaming media server determines the encryption algorithm for the media stream based on the encryption algorithm identifier;

[0155] The streaming media server encrypts all bytes of the audio data to be transmitted according to the media stream encryption algorithm, thus obtaining encrypted audio data.

[0156] In this embodiment, the streaming media server can encrypt the audio data in the media stream data using a fully encrypted method to obtain encrypted audio data. This reduces the risk of audio leakage, thereby further improving data security. For example, the data format of the encrypted audio data can be as shown in Figure 6: the encrypted audio data includes an FLV header, the previous tag length, an audio tag header, and an audio body. The audio body may include the data obtained after AES256 encryption of the audio data to be transmitted.

[0157] In another example, encrypted audio and video data can be padded using the PKCS7 padding algorithm so that the padded data length is a multiple of 16.
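The plaintext token of [0139], steps B1 to B4, the audio rule and the padding rule of [0157], worked through as an added Python example that is not code from the patent. The codes algori=1 (AES256) and vtype=0 (keyframe) are inferred from the example token; the remaining codes, the treatment of frames shorter than N, and the injected `encrypt` callable (this section names no cipher mode or IV) are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs

BLOCK = 16  # block size shared by AES and SM4
# algori=1 -> AES256 and vtype=0 -> keyframe are read off the page's example token.
# The other codes are ASSUMED: Table 1 is not reproduced on the page.
ALGORITHMS = {1: "AES256", 2: "SM4"}
VIDEO_TYPES = {0: "keyframe", 1: "partial", 2: "full"}


@dataclass(frozen=True)
class Policy:
    expires: int
    algorithm: str
    video: bool
    video_type: str
    video_len: int
    audio: bool


def parse_token(token: str, now: Optional[int] = None) -> Policy:
    """Parse a decrypted token; reject malformed, unknown or expired values."""
    fields = parse_qs(token, keep_blank_values=True, strict_parsing=True)
    v = {}
    for name in ("ts", "venc", "algori", "vtype", "vencl", "aenc"):
        raw = fields.get(name, [])
        if len(raw) != 1 or not (raw[0].isascii() and raw[0].isdigit()):
            raise ValueError(f"missing, repeated or non-numeric field: {name}")
        v[name] = int(raw[0])
    if v["ts"] <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    if v["algori"] not in ALGORITHMS or v["vtype"] not in VIDEO_TYPES:
        raise ValueError("unknown algorithm or video encryption type")
    if v["venc"] not in (0, 1) or v["aenc"] not in (0, 1) or v["vencl"] < 1:
        raise ValueError("flag or length out of range")
    return Policy(v["ts"], ALGORITHMS[v["algori"]], bool(v["venc"]),
                  VIDEO_TYPES[v["vtype"]], v["vencl"], bool(v["aenc"]))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # 1..16, so aligned input gains a whole block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("padded data must be a non-empty multiple of 16")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS7 padding")
    return data[:-n]


def encrypted_span(p: Policy, kind: str, frame_type: str, size: int) -> int:
    """Number of leading payload bytes that steps B2-B4 (or the audio rule) encrypt."""
    if kind == "audio":
        return size if p.audio else 0  # audio is encrypted in full or not at all
    if not p.video or (p.video_type == "keyframe" and frame_type != "I"):
        return 0  # keyframe mode leaves P- and B-frames in the clear
    if p.video_type == "full":
        return size
    return min(p.video_len, size)  # ASSUMPTION: a frame shorter than N is encrypted whole


def protect(p: Policy, kind: str, frame_type: str, payload: bytes,
            encrypt: Callable[[bytes], bytes]) -> bytes:
    """Encrypt the selected prefix with the injected cipher; the tail stays clear."""
    n = encrypted_span(p, kind, frame_type, len(payload))
    if n == 0:
        return payload
    ciphertext = encrypt(pkcs7_pad(payload[:n]))  # hypothetical AES-256/SM4 call, quantum key
    if len(ciphertext) != n + BLOCK - n % BLOCK:
        raise ValueError("cipher must preserve the padded length")
    return ciphertext + payload[n:]


if __name__ == "__main__":
    policy = parse_token("ts=1714978040&venc=1&algori=1&vtype=0&vencl=16&aenc=1&atype=1",
                         now=1714970000)  # constructed clock value before expiry
    for kind, ftype, size in [("video", "I", 4096), ("video", "P", 900), ("audio", "", 373)]:
        print(kind, ftype or "-", size, "bytes ->", encrypted_span(policy, kind, ftype, size), "encrypted")
```

With the example token, a 100-byte keyframe leaves the server 116 bytes long: the 16 selected bytes are already block-aligned, so PKCS7 appends a full 16-byte block, and the receiver has to skip 32 ciphertext bytes, not 16, before the clear tail.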

[0158] In one embodiment, this application provides a media stream transmission system based on the media stream encryption transmission method of any of the above embodiments, the system comprising: a playback device and a streaming media server. Wherein:

[0159] The playback device is used to obtain the media stream address information, quantum key, and ciphertext token respectively, and generate a media stream acquisition request; wherein, the ciphertext token is obtained by encrypting the plaintext token according to the quantum key, and the plaintext token includes encryption identification information; the media stream acquisition request carries the media stream address information and the ciphertext token;

[0160] The playback device is used to send a media stream retrieval request to the streaming media server;

[0161] The streaming media server is used to extract the media stream address information and the ciphertext token from the media stream retrieval request, respectively;

[0162] The streaming media server is used to read the media stream data to be transmitted based on the media stream address information;

[0163] The streaming media server is used to obtain the quantum key and decrypt the ciphertext token based on the quantum key to obtain the encryption identification information;

[0164] The streaming media server is used to encrypt the media stream data to be transmitted based on the encryption identifier information, so as to obtain encrypted media stream data;

[0165] The streaming media server is used to return the encrypted media stream data to the playback device;

[0166] The playback device is used to decrypt encrypted media stream data using a quantum key to obtain the media stream data to be transmitted.

[0167] In one embodiment, the media streaming system may further include a service platform and a quantum security shield server. Wherein:

[0168] The playback device is used to send an address retrieval request to the business platform;

[0169] The business platform is used to respond to address acquisition requests by determining the media stream address information and plaintext token, and generating a request identifier.

[0170] The business platform is used to send a first key acquisition request to the quantum security shield server via a quantum channel; wherein the first key acquisition request carries a request identifier;

[0171] The quantum security shield server is used to generate a quantum key corresponding to the request identifier in response to the first key acquisition request;

[0172] The quantum security shield server is used to return quantum keys to the business platform via a quantum channel;

[0173] The business platform is used to encrypt plaintext tokens using quantum keys to obtain ciphertext tokens, and then concatenate the ciphertext tokens, media stream address information, and request identifiers to obtain address response information.

[0174] The business platform is used to return address response information to the playback device;

[0175] The playback device is used to extract the ciphertext token, media stream address information, and request identifier from the address response information, respectively;

[0176] The playback device is used to send a first key query request to the quantum security shield server via a quantum channel; wherein the first key query request carries a request identifier;

[0177] The quantum security shield server is used to respond to the first key query request by returning the quantum key to the playback device through the quantum channel;

[0178] The playback device is used to decrypt the ciphertext token using a quantum key to obtain the plaintext token.

[0179] For details on the interaction process between the playback device, streaming media server, quantum security shield server, and business platform, please refer to the relevant descriptions of the above-mentioned media stream encryption transmission method; these will not be repeated here.

[0180] In one example, the playback device may have a player and the Quantum Security Shield SDK installed, and the business platform can interact with the Quantum Security Shield server through the QMS server-side SDK. For related descriptions, please refer to the relevant notes on the media stream encryption transmission method described above; they will not be repeated here.

[0181] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element. In this document, "a," "an," "the," and "its" may also include plural forms unless the context clearly indicates otherwise. "Multiple" refers to at least two, such as 2, 3, 5, or 8, etc. "And/or" includes any and all combinations of the related listed items.

[0182] The various embodiments in this specification are described in a progressive manner. Each embodiment focuses on the differences from other embodiments. The various embodiments can be combined as needed, and the same or similar parts can be referred to each other.

[0183] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A method for encrypted transmission of media streams, characterized in that, The method is applied to a media streaming system, which includes a playback device and a streaming media server; the method includes: The playback device acquires the media stream address information, the quantum key, and the ciphertext token, and generates a media stream acquisition request. The ciphertext token is obtained by encrypting a plaintext token using the quantum key. The plaintext token includes encrypted identification information, which reflects the encrypted information used to encrypt the media stream data to be transmitted. The media stream acquisition request carries the media stream address information and the ciphertext token. The playback device sends the media stream acquisition request to the streaming media server; The streaming media server extracts the media stream address information and the encrypted token from the media stream acquisition request, respectively; The streaming media server reads the media stream data to be transmitted based on the media stream address information; The streaming media server obtains the quantum key and decrypts the ciphertext token using the quantum key to obtain the encrypted identification information; The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data; The streaming media server returns the encrypted media stream data to the playback device; The playback device decrypts the encrypted media stream data using the quantum key to obtain the media stream data to be transmitted.

2. The method of claim 1, wherein, The media streaming system also includes a service platform and a quantum security shield server; The playback device obtains media stream address information, quantum key, and ciphertext token, including: The playback device sends an address acquisition request to the service platform; In response to the address acquisition request, the business platform determines the media stream address information and the plaintext token, and generates a request identifier. The business platform sends a first key acquisition request to the quantum security shield server through a quantum channel; wherein the first key acquisition request carries the request identifier; In response to the first key acquisition request, the quantum security shield server generates the quantum key corresponding to the request identifier; The quantum security shield server returns the quantum key to the business platform via a quantum channel; The business platform encrypts the plaintext token using the quantum key to obtain the ciphertext token, and then concatenates the ciphertext token, the media stream address information, and the request identifier to obtain the address response information. The service platform returns the address response information to the playback device; The playback device extracts the encrypted token, the media stream address information, and the request identifier from the address response information, respectively; The playback device sends a first key query request to the quantum security shield server via a quantum channel; wherein the first key query request carries the request identifier; In response to the first key query request, the quantum security shield server returns the quantum key to the playback device via a quantum channel; The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token.

3. The method according to claim 2, characterized in that, Before the playback device sends an address retrieval request to the service platform, it includes: The playback device sends a network access authentication request to the quantum security shield server via a quantum channel; In response to the network access authentication request, the quantum security shield server performs network access verification on the playback device and generates a verification result. The quantum security shield server returns the verification result to the playback device via a quantum channel.

4. The method according to claim 2, characterized in that, The media stream acquisition request also carries the request identifier; The streaming media server acquires the quantum key, including: The streaming media server extracts the request identifier from the media stream acquisition request; The streaming media server sends a second key query request to the quantum security shield server via a quantum channel; wherein the second key query request carries the request identifier; In response to the second key query request, the quantum security shield server returns the quantum key to the streaming media server via the quantum channel.

5. The method according to any one of claims 1 to 4, characterized in that, The encryption identification information includes the encryption algorithm identifier, the video encryption type identifier, and the video encryption length.

6. The method according to claim 5, characterized in that, The media stream data to be transmitted includes video data to be transmitted, and the encrypted media stream data includes encrypted video data; The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data, including: The streaming media server determines the media stream encryption algorithm based on the encryption algorithm identifier; When the video encryption type identifier is a keyframe encryption identifier, the streaming media server encrypts the first N bytes of each keyframe in the video data to be transmitted according to the media stream encryption algorithm to obtain keyframe encrypted data, and generates the encrypted video data based on the keyframe encrypted data; where N is the video encryption length. When the video encryption type identifier is a partial encryption identifier, the streaming media server encrypts the first N bytes of each frame in the video data to be transmitted according to the media stream encryption algorithm to obtain the encrypted video data. When the video encryption type identifier is set to full encryption, the streaming media server encrypts all bytes of each frame in the video data to be transmitted according to the media stream encryption algorithm to obtain the encrypted video data.

7. The method according to claim 5, characterized in that, The encryption identifier information also includes an audio encryption identifier.

8. The method according to claim 7, characterized in that, The media stream data to be transmitted includes audio data to be transmitted, and the encrypted media stream data includes encrypted audio data; The streaming media server encrypts the media stream data to be transmitted according to the encryption identifier information to obtain encrypted media stream data, including: The streaming media server determines the media stream encryption algorithm based on the encryption algorithm identifier; The streaming media server encrypts all bytes of the audio data to be transmitted according to the media stream encryption algorithm to obtain the encrypted audio data.

9. The method according to claim 5, characterized in that, The playback device decrypts the encrypted media stream data using the quantum key to obtain the media stream data to be transmitted, including: The playback device decrypts the ciphertext token using the quantum key to obtain the plaintext token; The playback device determines the encrypted identifier information based on the plaintext token and decrypts the encrypted media stream data to obtain the media stream data to be transmitted.

10. A media stream transmission system based on the media stream encryption transmission method according to any one of claims 1 to 9, characterized in that the system includes: a playback device and a streaming media server; wherein: The playback device is used to obtain media stream address information, a quantum key and a ciphertext token respectively, and generate a media stream acquisition request; wherein, the ciphertext token is obtained by encrypting a plaintext token according to the quantum key, and the plaintext token includes encryption identification information, which is used to reflect the encryption information used to encrypt the media stream data to be transmitted; the media stream acquisition request carries the media stream address information and the ciphertext token; The playback device is used to send the media stream acquisition request to the streaming media server; The streaming media server is used to extract the media stream address information and the ciphertext token from the media stream acquisition request, respectively; The streaming media server is used to read the media stream data to be transmitted according to the media stream address information; The streaming media server is used to obtain the quantum key and decrypt the ciphertext token according to the quantum key to obtain the encryption identification information; The streaming media server is used to encrypt the media stream data to be transmitted according to the encryption identification information to obtain encrypted media stream data; The streaming media server is used to return the encrypted media stream data to the playback device; The playback device is used to decrypt the encrypted media stream data according to the quantum key to obtain the media stream data to be transmitted.
