JP2001136507A - Device and method for data processing, and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily limit users which are able to acquire data normally. SOLUTION: In entries #1 of a key table, MAC addresses MACaddress#i of terminals, and deciphering keys KEven#i and KOdd#i assigned to the MAC addresses are registered, while being made to correspond to each other. To a MAC address MACaddress#i of each entry #i, a 'Valid bit' is added, which represents whether the entry #i is valid. In this case, the same MAC address as that arranged in the section header of a received section is retrieved from the key table and according to the Valid bit, it is decided whether the entry of the MAC address is Valid. Only when the entry is effective, are the data arranged in the payload of the section decoded and outputted.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data processing apparatus, a data processing method, and a recording medium.
A terminal (user) that can acquire the data
The present invention relates to a data processing device, a data processing method, and a recording medium that can be easily restricted.

[0002]

2. Description of the Related Art For example, in the case of transmitting images and voices as digital data, a plurality of channels are secured in the same transmission band as in the case of transmitting analog signals,
It is possible to provide higher quality images and audio,
2. Description of the Related Art In the field of satellite broadcasting, satellite communication, and the like, systems for providing images and sounds as digital data have been widely used. For example, digital satellite broadcasting services such as SkyPerfecTV! And DirecTV in Japan, DirecTV in North America, and Canal Plus in Europe have been launched. Digitization of broadcasting enables reduction of transmission cost per channel, provision of programs and data handled by a computer, and the like. Services are also spreading.

[0003] In digital satellite broadcasting services, digital data of images and sounds is stored in a moving picture (MPEG).
Experts Group) 2 and DV derived from this MPEG2
It is converted into a format conforming to the B (Digital Video Broadcasting) standard, further multiplexed, and transmitted as radio waves. The radio wave is received by a satellite transponder, subjected to amplification and other necessary processing, and transmitted to the ground.

The transmission band of the transponder is, for example, 3
0 Mbps (Mega bit per second), which is large (however, a transponder generally has an error correction code, so even if it has a transmission bandwidth of 30 Mbps, a substantial transmission bandwidth is about 27 Mbps at the maximum), By utilizing all of such a large transmission band, digital data can be distributed with high quality and at high speed.

However, in general, the transmission band of the transponder is often used by being divided into multiple channels mainly for cost reasons. In this case, even if the contents of the digital data transmitted in each channel are different, the mechanism of the receiving side that receives the digital data of each channel is common, so that only a specific user is provided with certain digital data. A conditional access (CA) mechanism is required.

That is, in particular, for example, when performing so-called data broadcasting, the amount of data per program is small compared to the case of distributing images and sounds, and the billing unit or billing form becomes complicated. To cope with this, a conditional access mechanism capable of performing more detailed reception control is required. Also, a conditional access mechanism is required to prevent leakage of confidential information even when it is distributed.

Generally, the conditional access mechanism is realized by encrypting a data stream to be distributed. As encryption methods, there are broadly known a common key encryption method (secret key encryption method) and a public key encryption method. In digital satellite broadcasting, since the load of encryption / decryption processing is lighter than that of a public key encryption method, a common key encryption method is often used.

In the common key encryption method, a code string that is the same as the encryption key and is used as a decryption key is passed to a certain contractor A by some method, and data is encrypted with the encryption key and distributed. It is difficult for the encrypted data to be inferred from the encryption key (decryption key) or the original data by inverse calculation or the like.
Cannot receive the encrypted data and correctly restore it to the original data. Also, the user A, who is a contractor, can restore the original data by decrypting the encrypted data with the decryption key passed by contracting. Therefore, a receiving contract is equivalent to delivering a decryption key.

[0009]

By the way, for example, when the users A and C are contractors and the contract with the user A alone is terminated or the user A performs an improper act, If the encryption key used so far is changed and the same decryption key as the changed encryption key is provided only to the user C, then the user who is no longer a contractor or has performed an improper act A cannot recover the data encrypted with the new encryption key, and the user C, who is a valid contractor,
The data encrypted with the new encryption key can be normally restored by decrypting the data with the new decryption key.

[0010] However, every time a user's contract is terminated or an illegal act is discovered, the encryption key is changed.
Further, it is troublesome to provide the same decryption key as the changed encryption key to a valid contractor.

The present invention has been made in view of such a situation, and is intended to easily limit users who can normally acquire (receive) data.

[0012]

A data processing apparatus according to the present invention includes a table having an entry in which a destination and entry validity information indicating whether the entry in which the destination is registered is valid are registered. A search unit that refers to, and searches, from the table, an entry having a destination that matches the destination of the data block as a target entry, and based on entry valid information registered in the target entry,
It is characterized by comprising a determining means for determining whether the entry of interest is valid, and an output control means for controlling the output of data arranged in the data block based on the determination result by the determining means.

The output control means can output the data to the destination arranged in the data block when the entry of interest is valid, and can discard the data when the entry of interest is not valid.

When the data is encrypted, the data processing device may further include a decryption means for decrypting the encrypted data.

The data is encrypted using a key assigned to the destination of the data, and each entry in the table contains:
When the key assigned to the destination is registered in addition to the destination and the entry validity information, the decryption unit can decrypt the data using the key registered in the table.

[0016] The decrypting means can decrypt the data arranged in the data block by using the key assigned to the destination of the data block in the table.

If each table entry also registers destination, entry validity information, and key, as well as key validity information indicating whether the key is valid, the decryption means:
Based on the key validity information of the key assigned to the destination of the data block, whether or not the key is valid is determined, and when the key is valid, the data can be decrypted using the key.

In each entry of the table, two or more keys assigned to the destination can be registered in addition to the destination and entry validity information.

In each entry of the table, for two or more keys, key validity information indicating whether or not the key is valid can also be registered.

The data processing device of the present invention may further include a table storage unit for storing a table.

The destination is the M of the communication terminal to receive data.
It may be an AC (Media Access Control) address.

Data blocks are DVB (Digital Video).
Broadcasting).

The data processing apparatus of the present invention has a
It can be composed of C (Integrated Circuit).

The data processing method of the present invention refers to a table having an entry in which a destination and entry validity information indicating whether the entry in which the destination is registered is valid are referred to. A search step of searching for an entry having a destination that matches the destination of the data block as a target entry, and a determining step of determining whether the target entry is valid based on entry validity information registered in the target entry. An output control step of controlling the output of the data arranged in the data block based on the determination result of the step.

The recording medium according to the present invention refers to a table having an entry in which a destination and entry validity information indicating whether the entry in which the destination is registered is valid, and from the table, A search step of searching for an entry having a destination that matches the destination of the data block as a target entry; a determining step of determining whether the target entry is valid based on entry validity information registered in the target entry; And an output control step of controlling the output of the data arranged in the data block based on the result of the determination.

In the data processing apparatus, the data processing method, and the recording medium according to the present invention, an entry in which a destination and entry validity information indicating whether the entry in which the destination is registered is valid is registered. The entry having the destination matching the destination of the data block is searched from the table as an entry of interest by referring to the table having the destination. Then, based on the entry validity information registered in the entry of interest, it is determined whether or not the entry of interest is valid, and based on the determination result, the output of the data arranged in the data block is controlled.

[0027]

DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 shows a broadcasting system to which the present invention is applied (a system refers to a system in which a plurality of devices are logically assembled, and whether or not the devices of each configuration are in the same housing. The configuration example of one embodiment is shown.

In the embodiment shown in FIG. 1, the broadcasting system includes a transmitting system 1, a satellite 2, a receiving system 3, and a network 4. Although FIG. 1 shows only one receiving system (receiving system 3) to avoid complicating the drawing, two or more receiving systems can be provided.

The transmission system 1 includes a control device 11, a data server 12, a transmission processing device 13, an antenna 14, a line connection device 15, and a cable 16, and the control device 11, the data server 12, the transmission processing device 13, The line connection devices 15 are connected to each other via a cable 16 to form a LAN (Local Area Network).

The control device 11 controls the data server 12 to supply the transmission processing device 13 with data to be distributed by satellite broadcasting. The control device 11
Controls the line connection device 15 to acquire data to be distributed by satellite broadcasting from the external network 4 such as the Internet, and supply the data to the transmission processing device 13. Further, the control device 11 includes a transmission processing device 13
Controls various kinds of processing.

The data server 12 stores data to be distributed by satellite broadcasting, and supplies necessary data to the transmission processing device 13 under the control of the control device 11.

Under the control of the control device 11, the transmission processing device 13 converts the data supplied from the data server 12 or the line connection device 15 into, for example, an IP (Internet Protocol).
l) Packetize the packet and further convert the IP packet into a section conforming to the DVB data broadcasting specification, for example, EN 301 192 V1.1.1 (1997-12), DVB specif
ication for data broadcasting ETSI (European Teleco
mmunications Standards Institute).
It is divided into data blocks called sections described by descriptors based on Encapsulation). Then, the transmission processing device 13 divides the section into payloads of a predetermined length, and assigns MPEG2 to each payload.
A packet similar to a TS packet is formed by adding a header of a packet constituting a transport stream (hereinafter, referred to as a TS (Transport Stream) packet as appropriate), and necessary processing such as modulation and amplification is performed. From the antenna 14 as satellite broadcast waves.

Further, the transmission processing device 13 includes the MAC addresses of the terminals 24 ₁ , 24 ₂ ,... Constituting the receiving system 3 (the same applies to the terminals constituting the receiving system not shown in FIG. 1). , Each MAC (Media A
ccess Control), and has an encryption key table storage unit 13A that stores an encryption key table in a table format in which encryption keys assigned to addresses are stored. The encryption keys assigned to each MAC address are basically different from each other. However, the same encryption key may be assigned to some MAC addresses.

Here, the MAC address is defined as IEEE (I
nstitute of Electrical Electronics Engineers) 80
This is an address system applied to 2.3 and the like, and is a unique 48-bit value for each communication port, and is guaranteed not to overlap. For the 48-bit MAC address, the upper 24 bits are the manufacturer (vendor) identification number registered / managed by IEEE, and the lower 24 bits are the device identification number managed by each vendor. It has become. According to the MAC address, each terminal 24 _i (i = 1, 2,...) Of the receiving system 3 can be specified.

According to the above-described multi-protocol encapsulation, the header of a section (section header) is set as the destination of the terminal 24 _i that distributes the data arranged in the payload of the section, and the M of the terminal is used as the destination.
An AC address is arranged. The data placed in the section payload, ie, here,
When the IP packet needs to be encrypted, the transmission processing device 13 stores the encryption key assigned to the MAC address of the terminal 24 _i as the destination arranged in the header of the section in the encryption key table storage unit 13A. Is read from the encryption key table stored in the section, and the encryption key is used to encrypt the IP packet arranged in the payload of the section.

The encryption key table is stored in the receiving system 3
The key table may be of the same type as a key table of the receiving device 22 described later, or may be of a different type. Also, here, the encryption key table is
Although the encryption key table is stored in the transmission system 1, the encryption key table is stored in, for example, a server (not shown) on the network 4.
It is also possible to read out and use via.

The line connection device 15 includes, for example, a modem,
TA (Terminal Adapter) and DSU (Digital Service
Unit) for controlling communication via the network 4.

The receiving system 3 includes an antenna 21, a receiving device 22, a line connecting device 23, terminals 24 ₁ , 24 ₂ ,.
, And the cable 25, and the receiving device 2
2, the line connection device 23, the terminals 24 ₁ , 24 ₂ ,.
They are connected to each other via a cable 25, thereby forming a LAN such as Ethernet (trademark).

The receiving device 22 and the terminals 24 ₁ , 2
4 _2, ... it is, for example, may be constituted by a computer.

Here, the receiving device 22 and the terminal 2
4 _1, 24 _2, and is ..., by connecting to each other by a cable 25, but so as to constitute a LAN, the receiving apparatus 22, the terminal 24 _1, 24 _2, and ..., directly It is also possible to connect.

Further, the receiving device 22 has one terminal 24
_It can be configured as a board that can be installed in a slot of a computer as _i .

The receiving device 22 and the line connection device 23 can be constituted by one computer.

The satellite broadcast wave transmitted from the transmission system 1 via the satellite 2 is received by the antenna 21, and the received signal is supplied to the receiving device 22. Receiver 2
2 performs a process described below on the signal received from the antenna 21 and supplies the resulting data to a predetermined terminal 24 _i .

The line connection device 23 is configured similarly to the line connection device 15 and controls communication via the network 4.

Each of the terminals 24 ₁ , 24 ₂ ,... Is composed of, for example, a computer and receives necessary data from the receiving device 22 and displays, outputs, or stores the data.

Next, referring to the flowchart of FIG.
The data transmission process performed by the transmission system 1 will be described.

[0047] First, in step S1, the control unit 11 determines whether there is data to be transmitted to the terminal 24 _i.

Here, the control device 11 has a schedule table in which a schedule for transmitting data is described. Based on the schedule table, the control device 11 determines whether there is data to be transmitted to the terminal _24i . judge. Also,
The terminal 24 _i can request data from the transmission system 1 via the network 4 by controlling the line connection device 23.
Controller 11 determines that such a request is by whether they have been received by the line connecting device 15 via the network 4, whether there is data to be transmitted to the terminal 24 _i.

[0049] In step S1, a determination is made as to whether or when it is determined that there is no data to be transmitted to the terminal 24 _1, the process proceeds to step S2, the control unit 11 changes the duration.

Here, in the transmission system 1, the encryption key described in the encryption key table in the encryption key table storage unit 13 is updated regularly or irregularly. The period in which encryption is performed using the encryption key obtained by the update is called an Even period, and the period in which encryption is performed using the encryptor obtained by the odd-numbered update is called the Odd period . Therefore, although the Even period and the Odd period appear alternately, in step S2, the period from the Even period to the Odd period, or the period from the Odd period.
It is determined whether it is time to change to the Even period.

In step S2, when it is determined that the period is not changed, that is, when data encryption is continued using the encryption key currently used for encryption as it is,
Returning to step S1, the same processing as in the above case is repeated.

In step S2, when it is determined that the period is to be changed, that is, when the period is changed to the Odd period when the period is the Even period, the period is changed to the Even period when the period is the Odd period, the process proceeds to step S3. Then, the control device 11 updates the encryption key stored in the encryption key table to the encryption key generated last time in step S4, which will be described later, so that the transmission processing device 13 thereafter updates the updated encryption key. Encryption is performed using the key.

Then, the process proceeds to a step S4, wherein the control device 1
1 generates (or obtains) an encryption key to be used in the next period, supplies the encryption key to the transmission processing device 13 and transmits it as a decryption key, and returns to step S1. It is. The transmission of the decryption key can be performed via the network 2 in addition to the transmission via the satellite 2.

That is, a new decryption key to be used in the next period is
If the data is transmitted to the receiving system 3 immediately before the start of the next period, the setting of a new decryption key in the receiving system 3 may not be completed by the start of the next period.
Therefore, in the present embodiment, a new encryption key used in the next period is delivered to the receiving system 3 in the period immediately before that.

On the other hand, in step S1, the terminal 24 _i
If it is determined that there is data to be transmitted to the data server 12, the control device 11
5, the data to be transmitted is supplied to the transmission processing device 13. The transmission processing device 13 receives the data supplied from the data server 12 or the line connection device 15, packetizes the data into an IP packet, and proceeds to step S5.

In step S5, the transmission processing device 13 determines whether or not the IP packet requires encryption. If it determines that the IP packet does not require encryption, it skips steps S6 and S7. To step S8.

If it is determined in step S5 that the IP packet needs to be encrypted, the process proceeds to step S6, where the transmission processing device 13 determines whether the IP packet of the terminal 24 _i is the destination of the IP packet. The encryption key assigned to the address is read from the encryption key table, and the process proceeds to step S7. In step S7, the transmission processing device 13
Encrypts the IP packet with the encryption key read in step S6, and proceeds to step S8.

In step S8, the transmission processing device sets the IP
CRC (Cyclic Redundancy Checkin)
g) Calculate the code (or checksum) and calculate its I
A section as shown in FIG. 3A is configured by arranging a CRC code at the end of the P packet as a payload and arranging a section header at the beginning. Note that a stuffing byte is inserted between the payload and the CRC code as needed.

The section header is composed of 3 bytes (96 bits) as shown in FIG. here,
For more information on section headers see EN 301 192 above
Since it is described in V1.1.1 (1997-12), its description is omitted, but MAC addresses 1 to 6 in FIG.
A destination 48-bit MAC address is arranged.
Here, 8 bits from the most significant bit of the MAC address are arranged in MAC address 1, and MAC address 2 is
The next upper 8 bits are arranged. And MAC addr
For each of ess 3 to 5, the MAC address is 8
The least significant 8 bits of the MAC address are arranged in MAC address 6.

After constructing the section, the transmission processing device 13 divides the section into payloads of a predetermined length, and adds a TS packet header constituting an MPEG2 transport stream to each payload, thereby forming a TS. Performs encapsulation to configure a packet similar to a packet. Then, the transmission processing device 13 performs step S9.
To the resulting packet (this packet is
Basically, it can be processed in the same manner as a TS packet.
After performing necessary processing such as modulation and amplification, the signal is transmitted from the antenna 14 as a satellite broadcast wave, and the process returns to step S1.

In the section header shown in FIG. 3B, a 2-bit PSC (payload_scr) arranged at the 43rd bit and the 44th bit from the top is used.
ambling_control) is, for example, an encryption determination flag indicating whether or not the data arranged in the section payload is encrypted, and a period indicating whether the data belongs to the Even period or the Odd period It is used as a judgment flag.

Specifically, for example, the lower bit of the PSC is used as an encryption determination flag, and is set to 1 when data is encrypted, and is set to 0 when data is not encrypted. The upper bit of the PSC is used as a period determination flag, and is set to 0 in the Even period and to 1 in the Odd period. However, it is also possible to use the upper bits of the PSC as an encryption determination flag and to use the lower bits as a period determination flag. Further, the assignment of the encryption determination flag 0 and 1 and the assignment of the period determination flag 0 and 1 can be reversed from the above-described case.

Here, EN 301 192 V, which is a DVB standard, is used.
In 1.1.1 (1997-12), when the PSC is 00B (B indicates that the value placed before it is a binary number),
This means that the data is not encrypted. Therefore, it is better to set the encryption determination flag to 1 when the data is encrypted and to 0 when the data is not encrypted, according to the DVB standard. It is desirable because it does not violate.

As described above, in the broadcasting system of FIG.
The encryption key assigned to a unique MAC address to each terminal 24 _i, since the data is encrypted, that reception control of each terminal 24 _i, so to speak can be the ultimate limitation receiving mechanism.

A method of realizing a conditional access mechanism for performing fine-grained reception control by assigning an encryption key to a value unique to a receiving side such as a MAC address or an IP address has been proposed by the applicant of the present invention. For example, JP
No. 0-215244 discloses the details. However, communication satellite broadcasting in Japan is DVB-S
I (Digtal Video Broadcasting-Service Information
/ EN300 468), in the current situation where the specification is derived, the use of the MAC address conforms to the specification as described above.

FIG. 4 shows an example of the configuration of the receiving device 22 shown in FIG.

The antenna 21 receives the satellite broadcast wave transmitted from the transmission system 1 via the satellite 2 and outputs the received signal to the front end unit 31. The front end unit 31 selects a signal of a predetermined channel from a signal received from the antenna 21 under the control of the CPU 34, further demodulates the signal into a digital stream (IP_datagram_data_byte) of a TS packet, and demultiplexes the signal. 32. Demultiplexer 32
Corresponds to the front end unit 3 according to the control of the CPU 34.
A predetermined TS packet is extracted from the digital stream from No. 1 and decoded LSI (Large Scale Integrated Circuit)
uit) 33. That is, the demultiplexer 32
Is the PI arranged in the header of the TS packet constituting the digital stream from the front end unit 31.
Based on D (Packet Identification), selection of TS packets is performed, and only the selected TS packets are output to the decoding LSI 33.

The decoding LSI 33 is a one-chip LSI.
It comprises a filter 41, a decoder 42, a key table storage unit 43, a checker 44, and a FIFO (First In First Out) buffer 45.

According to the control of the CPU 34, the filter 41 converts the data arranged in the payload of the section composed of the TS packets from the demultiplexer 32 into
Inspect if necessary, discard unnecessary TS packets,
Only necessary TS packets are output to the decoder 42.

The decoder 42 decodes the data (here, the IP packet) arranged in the payload of the section constituted by the TS packet from the filter 41 with the decoding key stored in the key table storage unit 43. Output to the checker 44. As described with reference to FIG. 2, when the encryption key is updated in the transmission system 1 and the updated encryption key is transmitted, the decryptor 42 decrypts the encryption key in accordance with the control of the CPU 34, as described with reference to FIG. The storage content of the key table storage unit 43 is updated as a key. Therefore, here, the common key encryption method is used as the encryption method. However, a public key encryption method can be used as the encryption method.

The key table storage 43 stores the terminals 24 ₁ , 24 ₂ ,... Connected to the receiver 22 via the cable 25.
··· Stores a key table in which each MAC address is associated with a decryption key assigned to each MAC address.

Under the control of the CPU 34, the checker 44 performs error detection on the IP packet output from the decoder 42 by using the CRC code of the section in which the IP packet is located.
Then, it is determined whether or not the decryption has been performed normally.
The IP packet processed by the checker 44 is supplied to a FIFO buffer 45. The FIFO buffer 45 temporarily stores the IP packet from the checker 44, and transfers the stored IP packet according to the control of the CPU 34. , I / F (Interface) 35. Thereby, the data rate of the IP packet is adjusted.

The CPU 34 includes a front end unit 31, a demultiplexer 32, a decoding LSI 33, and an I / F 3
5 is controlled. The I / F 35 functions as an interface for supplying an IP packet from the FIFO buffer 45 to the terminal 24 _i via the cable 25 under the control of the CPU 34.

FIG. 5 shows the key table storage unit 4 shown in FIG.
3 shows a configuration example of a key table stored in the key table 3.

The key table is composed of the same number of entries as the number of terminals 24 ₁ , 24 ₂ ,... Connected to the cable 25, for example. In Figure 5, the key table has N entries # 1 to #N, therefore, in this embodiment, the cable 25 is the N terminal 24 ₁ through 24 _N are connected . Note that the maximum number of entries in the key table is limited by the storage capacity of the key table storage unit 43 and the like.

Each entry #i (I = 1, 2,...,
N) includes the 48-bit MAC address MAC of the terminal 24 _i
address # i and m assigned to the MAC address
A bit decryption key (m is in accordance with an encryption format to be used) is registered in association with the decryption key. Note that, in the present embodiment, as described above, the Even period and the Odd period exist,
Since encryption is performed with different encryption keys in each period, each entry #i has a decryption key for decrypting data encrypted in the Even period (hereinafter, appropriately referred to as an Even decryption key) K _Even. Two decryption keys, _#i and a decryption key K _{Odd #i} for decrypting data encrypted during the Odd period (hereinafter, appropriately referred to as an Odd decryption key), are registered.

Further, the MAC address of each entry #i
At the beginning of the MAC address #i, a Valid bit indicating whether the entry #i is valid (hereinafter referred to as an entry V as appropriate)
alid bit). Also, the Even decryption key K _{Even # i} and Odd decryption key K _{Odd # i} of each entry #i are
Valid bits indicating whether each is valid (hereinafter, appropriately referred to as a decryption key Valid bit) are added.

Here, the entry Valid bit, the decryption key Val
The id bit indicates, for example, that it is valid when it is 1 and that it is not valid when it is 0. However, the assignment of the entry Valid bit and the decryption key Valid bit of 0 and 1 can be reversed from the case described above.

As described above, in the transmission system 1, the same decryption key as the new encryption key used in the next period is
The data is distributed to the receiving system 3 in a period immediately before that. Accordingly, in the Even period, the same decryption key (Odd decryption key) as the encryption key used in the next Odd period is delivered, and in the Odd period, the next Even key is delivered.
The same decryption key as the encryption key used during the period (Even decryption key)
Is delivered. Then, under the control of the CPU 34, the decryption key thus distributed is set (for example, overwritten) in the key table in the decryptor 42. Therefore, in this case, the decryption key used in the next period is set in the key table until the end of the current period, and further, the decryption key is changed with the change of the period without the intervention of the CPU 34. Since it is only necessary to switch the position (address) of the key table from which the decryptor 42 reads out, it can be performed instantaneously.

Next, referring to the flowchart of FIG.
The operation of the receiving device 22 in FIG. 4 will be described.

The antenna 21 receives a satellite broadcast wave transmitted from the transmission system 1 via the satellite 2,
The received signal obtained as a result is converted into a digital stream of a TS packet through the front end unit 31 and the demultiplexer 32,
Supplied to

In the decoding LSI 33, the demultiplexer 3
2 is composed of TS packets output by
The signal is supplied to a decoder 42 via a filter 41. The decoder 42 receives the section, and in step S11, sets the MAC address arranged in the section header to a variable MA as a built-in register.

The decoder 42 searches for an entry of the MAC address that matches the variable MA by referring to the key table, that is, in order from the entry # 1 of the key table.
The MAC address registered in each entry #i is read, and the MAC address is compared (matched) with the variable MA. In step S12, it is determined whether there is an entry of the MAC address that matches the variable MA. I do. In step S12, MA matching variable MA
When it is determined that the entry of the C address does not exist,
That is, when the terminal having the MAC address arranged in the section header is not connected on the cable 25, the process proceeds to step S13, where the decoder 42 discards the section supplied thereto and ends the processing.

In step S12, the variable MA
If it is determined that there is an entry having a MAC address that matches with, the entry is set as a target entry, and the process proceeds to step S14.

In step S14, the decoder 42 determines whether or not the entry of interest is valid based on the entry Valid bit of the entry of interest. Step S
In 14, when it is determined that the target entry is not valid, that is, when the entry Valid bit of the target entry is 0
If so, the process proceeds to step S13, where the decoder 42 discards the section supplied thereto and ends the processing.

Therefore, even if the terminal having the MAC address arranged in the section header of the section supplied to the decoder 42 is connected on the cable 25, if the entry of the MAC address is not valid, , The section is not provided to the terminal on cable 25.

If it is determined in step S 14 that the entry of interest is valid, that is, if the entry Valid bit of the entry of interest is 1,
Proceeding to 15, the decoder 42 determines the PSC of the section header.
Referring to the lower bits of FIG. 3B, that is, the encryption determination flag, it is determined whether the data (IP packet) of the payload of the section is encrypted. If it is determined in step S15 that the encryption determination flag is 0, that is, if the IP packet placed in the payload of the section is not encrypted, the process proceeds to step S15.
Skipping steps 17 and S18, proceeding to step S19, the decryptor 42 outputs the unencrypted IP packet to the FIFO buffer 45 via the checker 44, and ends the processing.

Then, the IP packet stored in the FIFO buffer 45 is transmitted via the I / F 35 to the cable 25 specified by the MAC address in the section header of the section where the IP packet is located.
It is supplied to the terminal 24 _i above.

On the other hand, if it is determined in step S15 that the encryption determination flag is 1, that is, if the IP packet arranged in the payload of the section has been encrypted, the process proceeds to step S16, where the decoder 42 Is the PSC of the section header of that section (Fig. 3
The upper bit of (B)), that is, the period determination flag is set in a variable EO as a built-in register, and the process proceeds to step S17.

In step S17, the decoder 42
The decryption key Valid bit # (() of the decryption key of the period corresponding to the variable EO in the entry of interest whose C address matches the variable MA, that is, the Even period when the variable EO is 0 and the Odd period when the variable EO is 1 MA, EO) is valid. In step S17, the decryption key Vali
If it is determined that the d bit # (MA, EO) is not valid, that is, if the decryption key Valid bit # (MA, EO) is 0, the process proceeds to step S13, and the decoder 42 is supplied there. Discard the section and end the process.

Therefore, the terminal having the MAC address arranged in the section header of the section supplied to the decoder 42 is connected on the cable 25 and its M
Even if the AC address entry is valid,
When the decryption key in the period indicated by the period determination flag is not valid, the section is not supplied to the terminal on the cable 25.

On the other hand, in step S17, the decryption key Va
When it is determined that the ild flag # (MA, EO) is valid, that is, when the decryption key Valid bit # (MA, EO) is 1
In step S18, the decoder 42 determines that M
The decryption key Key (MA, E, E) for the period corresponding to the variable EO in the entry of interest whose AC address matches the variable MA.
O) is read from the key table and its decryption key Key is read out.
At (MA, EO), the IP packet arranged in the payload of the section is decoded, and the process proceeds to step S19.

In step S19, the decoder 42 sends the decoded IP packet to the
The data is output to the O buffer 45, and the process ends.

Then, the IP packet stored in the FIFO buffer 45 is transmitted via the I / F 35 to the cable 25 specified by the MAC address in the section header of the section where the IP packet is located.
It is supplied to the terminal 24 _i above.

The processing according to the flowchart of FIG. 6 is performed every time a section is supplied to the decoder 42.

As described above, whether the entry is valid is determined based on the entry Valid bit registered in the entry of the key table, and the output of data to the terminal is controlled. It is possible to easily limit the users (terminals) that can acquire (receive).

Further, since the output of data is controlled based on the decryption key Valid bit of the key table, for example, for a certain terminal, the data for only one of the Even period and the Odd period , And prohibiting the reception of data in the other period can be easily performed.

Note that the entry Valid bit and the decryption key V
The setting of the alid bit can be performed voluntarily in the receiving device 22, so to speak.
It is also possible to carry out based on information transmitted from.

In the present embodiment, the decryption key (and the encryption key) is assigned to the MAC address unique to the terminal. However, the decryption key may be, for example, a terminal ID (Identification) unique to the terminal. May be set and assigned to the terminal ID. Furthermore, it is also possible to set a unique group ID for each of a plurality of terminals and assign a decryption key to each of the group IDs. However, when a decryption key is assigned to a MAC address, the fine-grained conditional access mechanism described above is used in accordance with the DVB standard EN 301 192 V1.1.1 (1997-12).
It can be easily incorporated into the framework of digital satellite broadcasting conforming to.

In this embodiment, the filter 41,
The decryptor 42, the key table storage unit 43, the checker 44, and the FIFO buffer 45
3, the filter 41 and the decoder 4
2. Key table storage unit 43, checker 44, and FI
The FO buffer 45 can be configured as separate chips. However, the filter 41 and the decoder 4
2. Key table storage unit 43, checker 44, and FI
If the FO buffer 45 is configured by the one-chip decoding LSI 33, the data can be decoded in a form completely hidden from the outside of the decoding LSI 33, so that the security can be improved. Further, from the viewpoint of reducing the mounting area of the circuit and increasing the processing speed, the filter 41, the decoder 42, the key table storage unit 43, the checker 44, and the FIFO buffer 45 are constituted by a one-chip decoding LSI 33. It is desirable.

Although the present embodiment has been described with reference to the case where data is distributed by digital satellite broadcasting, the present invention is also applicable to, for example, a case where data is distributed by multicast.

Further, in this embodiment, even period and Od
Although two periods of the period d are provided, such a period may not be provided, or three or more periods may be provided. Similarly,
The number of decryption keys registered in each entry of the key table can be one or three or more.

In the present embodiment, the data is
Although the distribution is performed in conformity with the B standard, the data can be distributed in a form that does not conform to the DVB standard.

Next, the above-described series of processing can be performed by hardware or software. When a series of processing is performed by software, a program constituting the software is
It is installed in a general-purpose computer or a one-chip microcomputer.

FIG. 7 shows a configuration example of an embodiment of a computer in which a program for executing the above-described series of processing is installed.

The program is stored in a hard disk 105 or a ROM 1 as a recording medium built in the computer.
03 can be recorded in advance.

Alternatively, the program may be a floppy (registered trademark) disk, a CD-ROM (Compact Disc Read Onl
y Memory), MO (Magneto optical) disc, DVD (Digita
l Versatile Disc), a magnetic disk, a semiconductor memory, etc., can be temporarily or permanently stored (recorded) in a removable recording medium 111. Such a removable recording medium 111 can be provided as so-called package software.

The program may be installed in the computer from the removable recording medium 111 as described above, or may be wirelessly transferred from a download site to the computer via a digital satellite broadcasting artificial satellite, or transmitted to a LAN (Local Area). Network), the Internet, and the like, and can be transferred to a computer by wire. In the computer, the transferred program can be received by the communication unit 108 and installed on the built-in hard disk 105.

The computer has a CPU (Central Processing)
Unit) 102. The CPU 102 has a bus 1
01, an input / output interface 110 is connected. The CPU 102 receives a command via the input / output interface 110 by operating the input unit 107 including a keyboard, a mouse, and the like. Then, according to it, ROM (Read Only Memory)
The program stored in 103 is executed. Alternatively, the CPU 102 transmits the program stored in the hard disk 105, a satellite, or a network, receives the program by the communication unit 108, and
The program installed in the hard disk 105 is read from the removable recording medium 111 installed in the drive 109 and loaded into the RAM (Random Access Memory) 104 and executed. Accordingly, the CPU 102 performs the processing according to the above-described flowchart or the processing performed by the configuration of the above-described block diagram. And
The CPU 102 transmits the processing result to an LCD (Liquid
Output unit 1 consisting of CryStal Display) and speakers
06, or transmitted from the communication unit 108, and further recorded on the hard disk 105.

Here, in this specification, processing steps for writing a program for causing a computer to perform various types of processing do not necessarily have to be processed in chronological order in the order described in the flowchart, and may be performed in parallel. Alternatively, it also includes processing executed individually (for example, parallel processing or processing by an object).

The program may be processed by one computer, or may be processed in a distributed manner by a plurality of computers. Further, the program may be transferred to a remote computer and executed.

[0112]

According to the data processing apparatus, the data processing method, and the recording medium of the present invention, a destination and entry validity information indicating whether an entry in which the destination is registered is valid are registered. By referring to the table having the entry, the entry having the destination matching the destination of the data block is searched as the entry of interest. Then, based on the entry validity information registered in the entry of interest, it is determined whether or not the entry of interest is valid, and based on the determination result, the output of the data arranged in the data block is controlled.
Therefore, it is possible to easily limit users who can normally acquire data.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration example of a broadcast system according to an embodiment of the present invention;

FIG. 2 is a flowchart for explaining processing of a transmission system 1 of FIG. 1;

FIG. 3 is a diagram showing a format of a section and a section header.

FIG. 4 is a block diagram illustrating a configuration example of a receiving device 22 in FIG. 1;

FIG. 5 is a diagram showing a key table.

FIG. 6 is a flowchart for explaining processing of the receiving device 22 of FIG. 4;

FIG. 7 is a block diagram illustrating a configuration example of a computer according to an embodiment of the present invention.

[Explanation of symbols]

 1 transmitting system, 2 satellites, 3 receiving system,
 4 networks, 11 controllers, 12 data
Server, 13 transmission processing unit, 13A encryption key table
Storage unit, 14 antennas, 15 line connection device,
 16 cables, 21 antennas, 22 receivers
23, Line connection device, 24 ₁, 24_Two Terminal,
31 front end part, 32 demultiplexer,
 33 decoding LSI, 34 CPU, 35 I /
F, 41 filter, 42 decoder, 43 key
Bull storage unit, 44 checkers, 45 FIFO
, 101 bus, 102 CPU, 103 RO
M, 104 RAM, 105 hard disk, 106
 Output unit, 107 input unit, 108 communication unit, 1
09 drive, 110 input / output interface,
111 Removable Recording Medium

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 9/00 601E 11/26 F-term (Reference) 5B085 AE29 5C064 CA14 CB01 CB05 CC04 5J104 AA01 AA16 AA34 BA03 EA01 EA06 EA17 EA26 JA03 NA02 NA03 NA05 NA20 NA27 NA31 PA04 PA05 5K030 GA15 HB02 HD09 JL02 KA04 LD06 LD07 LD19 LD20

Claims (14)

[Claims] 1. A data processing apparatus for processing a data block in which a destination of the data is arranged together with the data, the destination and entry validity information indicating whether an entry in which the destination is registered is valid A search unit that refers to a table having entries in which the destinations of the data blocks are registered, and searches the table for an entry having a destination that matches the destination of the data block, as an entry of interest; and the entry registered in the entry of interest. Determining means for determining whether the entry of interest is valid based on validity information; and output control means for controlling output of data arranged in the data block based on a result of the determination by the determining means. A data processing device characterized by the above-mentioned. 2. The output control means, when the entry of interest is valid, outputs the data,
The data processing apparatus according to claim 1, wherein the data is output to a destination arranged in the data block, and the data is discarded when the target entry is not valid. 3. The data processing apparatus according to claim 1, wherein the data is encrypted, and further comprising a decryption unit for decrypting the encrypted data. 4. The data is encrypted using a key assigned to a destination of the data, and each entry of the table is assigned to the destination in addition to the destination and entry validity information. 4. The data processing apparatus according to claim 3, wherein a key is also registered, and wherein the decryption unit decrypts the data using the key registered in the table. 5. The apparatus according to claim 4, wherein the decryption unit decrypts the data arranged in the data block by using the key assigned to the destination of the data block in the table. Data processing equipment. 6. In each entry of the table, in addition to the destination, the entry validity information, and the key, key validity information indicating whether the key is valid is also registered. Determining whether or not the key is valid based on key validity information of the key assigned to the destination, and decrypting the data using the key when the key is valid. A data processing device according to claim 1. 7. The data processing according to claim 4, wherein in each entry of the table, in addition to the destination and the entry validity information, two or more keys assigned to the destination are registered. apparatus. 8. Each of the entries of the table has the 2
The key validity information indicating whether or not the key is valid is registered for each of the keys.
A data processing device according to claim 1. 9. The data processing apparatus according to claim 1, further comprising table storage means for storing the table. 10. The data processing apparatus according to claim 1, wherein the destination is a MAC (Media Access Control) address of a communication terminal to receive the data. 11. The data block may be a DVB (Digit).
2. The data processing apparatus according to claim 1, wherein the data processing apparatus conforms to the standard of Video Broadcasting. 12. A one-chip IC (Integrated Circuit)
The data processing device according to claim 1, wherein the data processing device is configured by: 13. A data processing method for processing, together with data, a data block in which a destination of the data is arranged, the destination and entry validity information indicating whether an entry in which the destination is registered is valid or not. A search step of referring to a table having an entry in which the entry is registered, and searching the table for an entry having a destination that matches the destination of the data block as an entry of interest; and the entry registered in the entry of interest. A determination step of determining whether the entry of interest is valid based on validity information; and an output control step of controlling output of data arranged in the data block based on a determination result of the determination step. A data processing method characterized by the following. 14. A recording medium in which a program for causing a computer to process a data block in which a destination of the data is arranged together with the data is recorded, wherein the destination and an entry in which the destination is registered are valid. A search step of referring to a table having an entry in which entry validity information indicating whether there is an entry is registered, and searching an entry having a destination matching the destination of the data block from the table as an entry of interest; A judging step of judging whether or not the noted entry is valid based on the entry validity information registered in the noted entry; and controlling output of data arranged in the data block based on a judgment result of the judging step. That a program having an output control step of Characteristic recording medium.