JP2006254234A - Meta data utilization control system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a meta data utilization control system capable of protecting the right of a broadcasting station by utilizing contents while using only meta data signed by a meta data provider permitted by the broadcasting station. <P>SOLUTION: A server device comprises: a signature imparting means for imparting a digital signature to meta data; a signer identification information imparting means for imparting signer identification information with which a signer of the meta data can be identified; and a permitted signer identification information imparting means for imparting permitted signer identification information indicating the range of meta data signers permitted in utilization in a license. A terminal device comprises: a signature verifying means for verifying a signature of meta data; signer identification information of meta data; and a meta data availability determining means for permitting the utilization of contents using meta data if the signature verification in the signature verifying means is made successful and signer identification information is included within the permission range indicated by the permitted signer identification information. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a system for managing the right to use digital content such as video and music distributed over digital broadcasting, the Internet, and the like, and more particularly to a terminal device in which a user uses digital content based on the right to use. The present invention relates to a system, a server device, and a terminal device capable of reliably controlling whether or not digital content using the distributed digital content metadata can be used according to the intention of the operator.

  In recent years, digital content such as music and video (hereinafter referred to as content) is distributed from a broadcasting station to a terminal device through digital broadcasting, digital CATV (Cable Television), the Internet, etc., and the content can be used in the terminal device. Possible content distribution services are entering the stage of practical application. In this content distribution service, copyright protection technology is generally used to protect the copyright of the content and prevent unauthorized use of the content by a malicious user or the like. Specifically, copyright protection technology is a technology that securely controls the use of content such as the user playing back content or copying it to a recording medium using encryption technology or authentication technology. is there. By using the copyright protection technology, a content provider such as a broadcasting station and a service provider can securely control the user's content usage in the terminal device.

  By the way, in recent years, in a terminal device having a large capacity storage means such as an HDD (Hard Disk Drive), the distributed content (program) is temporarily stored in the terminal device, and the stored content is viewed when the user likes it. The usage form with high user convenience is being studied. In ARIB (Association of Radio Industries and Businesses), a standardization organization for digital broadcasting in Japan, a server-type broadcasting system is standardized as a digital broadcasting system that utilizes a large-capacity storage function. As a method for limiting the reproduction in, a limited reproduction method has been formulated. As for the limited playback system in the server type broadcasting system, ARIB STD-B25 4.1 version is detailed.

  One of the features of server-type broadcasting is that content information called metadata is sent together with the content, and the content information included in the metadata is used in the terminal device to meet the needs of individual users. Has been proposed. The content of the metadata includes the content identifier (content ID), content genre, information on performers and directors, information on content scenes and chapters, segmentation information such as content location information and temporal information, etc. It is possible to improve user convenience in various scenes such as content search, special selection such as scene navigation and digest viewing.

  However, in particular, when the metadata of segmentation information is generated by a third party who is not involved in the broadcasting station and distributed over the Internet, the usage mode differs from the usage mode of the content originally intended by the broadcasting station. As a result, there is a risk that the rights of the broadcasting station will be significantly impaired.

  In Patent Document 1, as a metadata use control system that solves such a problem, when a digital signature is given to metadata and verification using the digital signature is performed, an illegal metadata is used using a CRL (Certificate Revocation List). By revoking (invalidating) the data signer's public key certificate, the use of metadata signed by an unauthorized metadata signer is eliminated.

Note that Non-Patent Document 1 provides details on digital signatures, public key certificates, and CRLs.
JP 2003-51816 A Warwick Ford and Michael Baum, “Digital Signatures and Cryptography”, Pearson Education, 1997

  However, the broadcasting station intends to use only metadata signed only by a signer authorized by the broadcaster even if it is a valid metadata signer who has not been revoked. However, in the conventional metadata usage control system, it is impossible to identify whether or not the signer is authorized by the broadcasting station. There is a possibility that the content is used by using the metadata that has been set.

  In addition, since the CRL is not information issued for each content, it cannot cope with a case where the broadcasting station wants to designate a signer permitted for each content. Furthermore, CRL is a means to use as a post-measure to prevent further fraud after the fraud is detected, and can fully cope with the broadcasting station's intention to use only the metadata signed by the signer who has been granted in advance. Absent.

  As described above, the metadata use control system proposed in Patent Document 1 has a problem that the rights of the broadcasting station cannot be sufficiently protected.

  The present invention solves such a conventional problem, and a metadata usage control system, a server device, and the like that can use content only using metadata signed by a signer licensed by a broadcasting station, And it aims at providing a terminal device.

In order to achieve the above object, a metadata use control system according to the present invention includes a server device that distributes a license for granting a content use license and content metadata to a user, the license, and the license A terminal device that acquires metadata and uses the content securely using the metadata based on the license; and
A metadata usage control system comprising: a license generation unit that generates the license; a metadata generation unit that generates the metadata; and a signature that adds a digital signature to the metadata. Granting means, signer identification information adding means for adding signer identification information capable of identifying a signer of a digital signature to the metadata, and permission to use the content using the metadata for the license A license signer identification information adding unit for granting license signer identification information indicating a range of a signer to the metadata, and a sending unit for sending the license and the metadata to the terminal device, The terminal device includes a receiving unit that receives the license and the metadata, and a license that processes the license. Based on the signature processing means, the signature verification means for verifying the digital signature of the metadata, the content use means for using the content using the metadata, the signer identification information and the license signer identification information Metadata availability determination means for determining availability of the metadata in the content use means, the metadata availability determination means, when the signature verification in the signature verification means is successful, and The use of the metadata is permitted only when the signer identification information is included in the permitted range indicated by the permitted signer identification information.

  With this configuration, it is possible to identify legitimate metadata, and therefore it is possible to use content using only metadata signed by a signer licensed by a broadcasting station. Further, since the range of metadata signers permitted by the broadcasting station is specified by the license, the range of metadata signers permitted for each content or license can be flexibly changed. Also, by including the license signer identification information in the license, it is possible to make the terminal device reliably determine whether the metadata is valid. Furthermore, since it is configured to identify whether or not the metadata is valid before using the metadata, there is no possibility of using unauthorized metadata.

  Further, in the metadata use control system according to the present invention, the license signer identification information and the signer identification information are IDs, and the license signer identification information adding means further includes the license signer identification information. It is specified whether the range to be performed is only a signer specified by the ID of the licensed signer identification information or a subordinate signer including the signer specified by the ID of the licensed signer identification information License range designation information is added, and the metadata availability determination unit determines whether the license range designation information is only a signer specified by an ID of the license signer identification information. When the signature verification is successful and the signer identification information matches the licensed signer identification information, the use of the metadata is licensed, and the license range designation information is the license signer identification information. If it is a lower-order signer including the signer specified by D, at least one or more public key certificates that have been successfully verified by the signature verification unit and referred to in the signature verification of the metadata The use of the metadata is licensed when any one of the signer IDs of the document matches the licensed signer identification information.

  With this configuration, the broadcast station can specify the signers to be licensed in addition to individually specifying the signers to be licensed, so that the size of the license signer identification information included in the license can be reduced. In addition, even when the number of metadata providers licensed by the broadcasting station increases after the license is issued, it is not necessary to renew the license signer identification information of the license. Efficient operation is possible.

  According to the present invention, since the license for granting the use of content includes the information specifying the metadata signer licensed by the broadcast station, only the metadata signed by the signer licensed by the broadcast station is used. Thus, the content can be used reliably. In addition, since it is determined whether or not the metadata is valid before using the metadata, there is no possibility of using unauthorized metadata.

  Furthermore, since the license includes information for collectively specifying the signers to be permitted, the size of the signer identification information included in the license can be reduced, and the metadata provider licensed by the broadcasting station after the license is issued Even when the number of licenses increases, it is not necessary to update the issued license, so that it is possible to flexibly deal with actual operation.

Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 is a diagram showing an overall schematic configuration of a metadata usage control system according to an embodiment of the present invention.

  The metadata usage control system 1 allows a user to use a terminal device while securely controlling the usage of encrypted content and metadata transmitted through a digital broadcast from a content distribution server installed in a broadcasting station using a license. A license server 101 that generates and distributes a license for encrypted content, a encrypted content (hereinafter referred to as encrypted content), a license, A content distribution server 102 that multiplexes and transmits metadata and the like and a metadata distribution server 103a to 103c that generates and distributes signed metadata (hereinafter simply referred to as metadata) as a user-side system , Terminal device 110 using content and metadata It includes, and is further composed of a network 120 which connects them to each other.

  Although there may be a plurality of broadcasters on the business side, in FIG. 1, only one broadcast station is shown as a representative for simplicity. Similarly, there may be a plurality of terminal devices 110 on the user side, but only one terminal device 110 is shown as a representative.

  First, a broadcaster station on the business side is a content provider that generates content, has the copyright, and is a service provider that provides a broadcast service.

  The broadcasting station system includes a license server 101, a content distribution server 102, and a metadata distribution server 103a.

  The license server 101 is a server device that generates a license including an encryption key (content key) for decrypting encrypted content and distributes the license to the terminal device 110 via the network 120. The license includes at least a content key for decrypting the encrypted content and a usage condition for the encrypted content.

  The content distribution server 102 generates encrypted content, multiplexes the license generated by the license server 101 and the metadata generated by the metadata distribution server 103, and distributes it to the terminal device 110 via the network 120 It is.

  The metadata distribution server 103a is a server device that generates metadata corresponding to content, adds a digital signature (hereinafter referred to as a signature), and distributes it to the terminal device 110 through the network 120.

  Next, the provider-side metadata provider α and metadata provider β are businesses that are permitted to generate metadata corresponding to the content broadcast by the broadcast station, and give a signature to the metadata. After that, it is distributed to the user through the network 120 or the like.

  The system of the metadata provider α and the metadata provider β includes a metadata distribution server 103b and a metadata distribution server 103c having the same functions as the metadata distribution server 103a of the broadcasting station. Therefore, in the following, the metadata distribution servers 103a to 103c will be described as the metadata distribution server 103 when the metadata distribution server 103a is a representative example and it is not necessary to distinguish between them. Similarly, the metadata provider α and the metadata provider β will be described as metadata providers when there is no need to distinguish between them.

  On the other hand, the terminal device 110 on the user side receives content from the network 120 such as digital broadcasting or a communication network, receives a license and metadata for decrypting the encrypted content, decrypts the encrypted content, It is a device for using content using metadata.

  The terminal device 110 includes a high security card such as a B-CAS card in which a domestic digital broadcasting standard CAS is mounted, and a tamper-resistant hardware module (such as a smartSD card (TM)). Security module), and processing that requires high security, such as processing of licenses and encryption keys, may be executed by cooperation between the terminal device 110 and the security module.

  The network 120 is a wireless digital broadcast such as BS (Broadcasting Satellite) digital broadcast, CS (Communication Satellite) digital broadcast, or terrestrial digital broadcast, or a wired digital broadcast such as digital CATV. Alternatively, it is a network that connects a broadcaster, a provider such as a metadata provider, and the terminal device 110 to each other, for example, ADSL (Asymmetric Digital Subscriber Line), FTTH (Fiber To The Home), and bidirectional digital CATV. Such as high-speed Internet network and mobile network.

  This is the end of the description of the overall schematic configuration of the metadata usage control system 1 of FIG.

  Next, the configuration of the server device on the provider side and the data generated by the server device such as licenses and metadata will be described with reference to FIGS.

FIG. 2 is a functional block diagram showing the configuration of the license server 101 shown in FIG.
The license server 101 includes a use condition database 201, a license generation unit 211, a license encryption unit 212, and a communication unit 213.

The use condition database 201 is a database that manages information related to licenses of contents transmitted from broadcasting stations.

  Information managed by the use condition database 201 will be described later with reference to the drawings.

  The license generation unit 211 is a unit that generates a license including a content key and usage conditions. Specifically, the license generation unit 211 uses the information in the usage condition database 201 to generate a content license. The generated license is included in a digital broadcast ECM (Entitlement Control Message), an ECM for Kc transmission, and the like, and is transmitted to the license encryption unit 212.

  As for ECM and ECM for Kc transmission, ARIB STD-B25 4.1 version is detailed.

  The license generated by the license generation unit 211 will be described later with reference to the drawings.

  The license encryption unit 212 is a unit that encrypts the license generated by the license generation unit 211. Specifically, the license encryption unit 212 uses AES (Advanced Encryption Standard) or the like to encrypt the license with an encryption key held only by the terminal device 110 that has made a viewing contract with the broadcasting station. For example, the license server 101 includes a license encryption key holding unit (not shown in FIG. 2), and the license encryption key holding unit holds a work key described in ARIB STD-B25 4.1 version or the like. It is conceivable to encrypt using the work key.

  The communication unit 213 is a unit that transmits the license encrypted by the license encryption unit 212 to the content distribution server 102. Specifically, the communication unit 213 transmits the encrypted license to the content distribution server 102 as necessary in order to distribute the generated license to the terminal device 110 through the content distribution server 102.

  Here, information managed by the use condition database 201 will be described with reference to FIG.

  FIG. 3 is a diagram illustrating an example of the use condition table 300 of the use condition database 201.

  The use condition table 300 includes a content ID 301, a license ID 302, a content key 303, a use condition 304, a signer ID 305, and a permission range 306.

  In FIG. 3, the content ID 301 is an ID for uniquely specifying the content within the metadata usage control system 1. The license ID 302 is an ID for uniquely identifying a license in the metadata usage control system 1. The content key 303 is a decryption key for decrypting the encrypted content specified by the content ID 301. The usage condition 304 is information indicating the usage condition of the encrypted content in the terminal device 110. The signer ID 305 specifies the signer of the signed metadata corresponding to the encrypted content specified by the content ID 301 (hereinafter sometimes referred to as a metadata signer), and uses the metadata to identify the encrypted content. This ID is used to identify the signer of the metadata licensed by the broadcast station when used. The permission range 306 is information for designating a permission range related to the signer ID permitted by the signer ID 305.

  Here, the range of permission specified by the permission range 306 will be described with reference to FIG.

  FIG. 4 is a diagram showing a hierarchical structure of authentication based on a chain of public key certificates used in the metadata usage control system 1 (hereinafter also referred to as a hierarchical structure of public key certificates).

  In a system using PKI (Public Key Infrastructure), that is, a public key cryptosystem, CA (Certification Authority), that is, a certification authority is used. This guarantees the validity of the public key certificate by using a certificate (public key certificate) for the public key that is authenticated by the CA, that is, the digital signature is given by the CA.

For public key certificates, see ITU X. 509 can be used.
As shown in FIG. 4, a root CA 401 exists as the highest CA, and the broadcast station A 411 and the broadcast station B 412 are further subordinate metadata as lower CAs (referred to as intermediate CAs) authenticated by the root CA 401. A public key certificate authenticated by itself can be issued to the provider α421 to the metadata provider γ423. Thus, in an actual system, the CA is generally configured in a hierarchical manner. This is called a public key certificate chain.

  That is, in the CA hierarchical structure as shown in FIG. 4, the broadcasting station A411 and the broadcasting station B412 are authenticated from the root CA401, and the metadata provider α421 and the metadata provider β422 are authenticated from the broadcasting station A411. As a result, the validity of the public key certificates of the metadata provider α 421 and the metadata provider β 422 is guaranteed. Further, since the metadata provider γ 423 is authenticated by the broadcasting station B 412, the validity of the public key certificate of the metadata provider γ 423 is similarly guaranteed.

Regarding the chain of CA and public key certificate, Non-Patent Document 1 is detailed.
In such a case, in the metadata usage control system 1, there are the following two permission ranges specified by the permission range 306.

(1) Only the signer identified by the signer ID 305 is the signer of the metadata (2) The signer identified by the signer ID 305 is the signer identified by the signer ID 305 and the signer authenticated by the signer ID 305

  That is, the case where the signer ID 305 is “SID-C001” (broadcasting station A411) in FIG. 4 will be described as an example. If the permission range 306 is “signer only”, the ID of the metadata signer Is the metadata whose ID is “SID-C001”, that is, the metadata to which the broadcasting station A 411 has added a signature. On the other hand, when the permitted range is “signer and lower-order signer”, metadata whose metadata signer ID is any one of “SID-C001”, “SID-M001”, and “SID-M002”. That is, the metadata to which the signature is given by any of the broadcasting station A411, the metadata provider α421, and the metadata provider β422 is within the scope of permission.

  When there is a metadata provider (hereinafter referred to as a child metadata provider) authenticated by the metadata provider α or the metadata provider β, that is, in the hierarchical structure of FIG. A signer can exist, and when “signer and lower-order signer” is specified in the permission range 306, the metadata to which the child metadata provider has given a signature is also within the permission range. .

Note that the permission range 306 may use a format such as an ID, a flag, or a bitmap.
This is the end of the description of the permission range specified by the signer ID 305 and the permission range 306 in FIGS. 3 and 4.

Returning to FIG. 3, the usage condition table 300 will be described.
For example, the license ID 302 corresponding to the content whose content ID 301 is “CID-001” is “LID-001”, the content key 303 is “123456”, and “2005/3/9” ”Indicates that the content can be used. Further, since the signer ID 305 is “SID-C001” and the permission range 306 is “signer only”, the signer ID of the metadata is “SID-C001” when using the content using the metadata. Only the metadata with “” can be used. Therefore, if the broadcasting station here is broadcasting station A411 in FIG. 4 (ID is SID-C001), the broadcasting station gives only the metadata signed by the signer SID-C001 to the user, that is, It becomes possible to use the content using only the metadata signed by itself.

  Also, for the content whose content ID 301 is “CID-002”, since the signer ID 305 is “SID-C001” and the permission range 306 is “signer and lower-order signer”, the broadcasting station here is also broadcast. Assuming that the station is A411, in addition to the metadata that the broadcasting station has signed to the user, the broadcasting station has the metadata signed by the metadata provider within the range permitted by the broadcasting station by the chain of public key certificates. It is possible to use the content using only the content.

  Further, for the content whose content ID 301 is “CID-003”, since the signer ID 305 is “SID-M002” and the permission range 306 is “signer only”, the metadata provider β 422 (ID is SID in FIG. 4). The content can be used using only the metadata signed by -M002).

This is the end of the description of the use condition table 300 of FIG.
Next, the configuration of the license generated by the license generation unit 211 will be described with reference to FIG.

FIG. 5 is a diagram illustrating a configuration of a license generated by the license generation unit 211.
The license 500 includes a license ID 302, a content ID 301, a content key 303, a use condition 304, a signer ID 305, and a permission range 306. The license 500 is a license specified by the license ID 302 and corresponding to the content specified by the content ID 301. In addition, the metadata signer is limited to the range specified by the signer ID 305 and the permission range 306, and it is permitted to use the content using only the metadata signed by the metadata signer in this range. is doing.

FIG. 9 is a functional block diagram showing the configuration of the content distribution server 102 shown in FIG.
The content distribution server 102 includes a content database 901, a communication unit 911, a content management unit 912, a multiplexing unit 913, and a transmission unit 914.

  The content database 901 is a database that stores content broadcast by a broadcasting station. Specifically, the content database 901 stores the encrypted content 1000 shown in FIG. The content 1000 includes a content ID 301 and a content main body 1001. The content main body 1001 is encrypted with a content key using a common key encryption such as AES or Multi-2.

  Here, an example in which the content stored in the content database 901 is an encrypted content has been shown, but there may be a case where the content is encrypted and transmitted each time.

  The communication unit 911 is a unit that receives the license 500 and metadata generated by each raw server device from the license server 101 and the metadata distribution server 103.

  The content management unit 912 is a unit that manages the content 1000 stored in the content database 901. Specifically, the content management unit 912 reads and multiplexes the content 1000 from the content database 901 based on a transmission request from a scheduler that manages transmission of the content 1000 from the content distribution server 102 (not shown in FIG. 9). To the unit 913.

  The multiplexing unit 913 is a unit that multiplexes the content 1000 received from the content management unit 912 and the license 500 and metadata received from the communication unit 911. Specifically, the multiplexing unit 913 multiplexes the content 1000, the license 500 (ECM), metadata, and the like as MPEG-2 TS (Transport Stream) based on MPEG (Moving Picture Expert Group) -2 Systems or the like. To do. The content 1000 is PES (Packetized Elementary Stream) such as video, audio, and data. The metadata is multiplexed by being included in a private section of MPEG-2 Systems or the like.

  For PES, MPEG-2 Systems, and MPEG-2 TS, ISO / IEC 13818-1 is detailed.

  The sending unit 914 is a unit that sends the stream multiplexed by the multiplexing unit 913 to the terminal device 110 through the network 120.

This is the end of the description of the configuration of the content distribution server 102 in FIG.
Next, the configuration of the metadata distribution server 103 shown in FIG. 1 will be described with reference to FIG.

FIG. 11 is a functional block diagram showing the configuration of the metadata distribution server 103.
The metadata distribution server 103 includes a metadata database 1101, a key management database 1102, a metadata storage unit 1103, a metadata generation unit 1111, a metadata signature unit 1112, a metadata management unit 1113, and a communication unit 1114. With.

  The metadata database 1101 is a database that manages information related to metadata of content transmitted by a broadcasting station.

  Information managed by the metadata database 1101 will be described later with reference to the drawings.

  The key management database 1102 is a database for managing a public key encryption private key used for a signature to be added to metadata.

  Information managed by the key management database 1102 will be described later with reference to the drawings.

  The metadata storage unit 1103 is a database that stores the signed metadata generated and signed by the metadata generation unit 1111 and the metadata signature unit 1112.

  The metadata generation unit 1111 is a unit that generates metadata including segmentation information and the like. Specifically, the metadata generation unit 1111 generates metadata using information in the metadata database 1101.

  The metadata signature unit 1112 is a unit that gives a digital signature to the metadata generated by the metadata generation unit 1111. Specifically, the metadata signature unit 1112 digitally signs metadata using a public key encryption private key managed by the key management database 1102. Note that the digital signature may use public key cryptography such as EC-DSA (Elliptic Curve Digital Signature Algorithm). The digital signature calculates a hash value of a necessary part of the metadata and signs the hash value. As a hash algorithm, SHA-1 (Secure Hash Algorithm 1) or SHA-256 is used. And good.

  Note that metadata generated by the metadata generation unit 1111 and the metadata signature unit 1112 and given a signature will be described later with reference to the drawings.

  The metadata management unit 1113 is a unit that manages the signed metadata stored in the metadata storage unit 1103. Specifically, the metadata management unit 1113 receives metadata that the metadata generation unit 1111 and the metadata signature unit 1112 generate and give a signature, writes the metadata to the metadata storage unit 1103, and if necessary, The signed metadata stored in the data storage unit 1103 is read out.

  The communication unit 1114 is a unit that transmits the metadata generated by the metadata distribution server 103 to the outside. Specifically, when the communication unit 1114 transmits metadata to the content distribution server 102 or receives a request for metadata from the terminal device 110 through the network 120 as necessary, the communication unit 1114 receives a request from the metadata management unit 1113. Send received metadata to the outside.

  Here, information managed by the metadata database 1101 will be described with reference to FIG.

  FIG. 12 is a diagram illustrating an example of the metadata table 1200 of the metadata database 1101.

  The metadata table 1200 includes a metadata ID 1201, a content ID 301, and a metadata main body 1202.

  The metadata ID 1201 is an ID for uniquely identifying metadata within the metadata usage control system 1. Since the content ID 301 has already been described with reference to FIG. 3, the description thereof is omitted here. The metadata main body 1202 is information indicating the content of the content ID 301, segmentation information, and the like.

  In FIG. 12, for example, the metadata with the metadata ID 1201 “MID-001” corresponds to the content with the content ID 301 “CID-001”, and the content of the metadata main body 1202 is “Aiueo ...”. It is shown that.

This is the end of the description of the configuration of the metadata table 1200 of FIG.
Next, information managed by the key management database 1102 will be described with reference to FIG.

  FIG. 13 is a diagram illustrating an example of the key management table 1300 of the key management database 1102.

  The key management table 1300 includes an operator ID 1301, a private key 1302, and a public key certificate 1303.

  The provider ID 1301 is an ID for uniquely identifying a provider such as a broadcasting station or a metadata provider in the metadata usage control system 1. Note that the operator ID 1301 is used as the signer ID 305 described in FIG. The secret key 1302 is a secret key for public key encryption corresponding to the provider ID 1301, and is securely managed by the metadata distribution server 103.

  The public key certificate 1303 includes a public key of public key encryption corresponding to the private key 1302, and indicates the validity of the public key. This is a public key certificate based on the 509 base.

FIG. 14 is a diagram illustrating an example of the configuration of the public key certificate 1303.
The public key certificate 1303 includes a provider ID 1301, a public key 1401, an extension area 1402, a signer ID 305, and a signature 1403.

  The public key 1401 is a public key encryption public key corresponding to the private key 1302 of the business operator ID 1301. The extension area 1402 is a field that can store arbitrary information. The signer ID 305 is an ID for identifying the signer of the signature 1403. A signature 1403 is a digital signature assigned by the metadata signature unit 1112.

  Note that the provider ID 1301 has already been described with reference to FIG.

  For example, in the case of the public key certificate 1303 of the broadcasting station A 411 in FIG. 4, the provider ID 1301 is “SID-C001”, the signer ID 305 is “SID-R001”, and the metadata provider α 421 in FIG. In the case of the key certificate 1303, the provider ID 1301 is “SID-M001” and the signer ID 305 is “SID-C001”.

  FIG. 13 shows that the private key 1302 of the carrier whose carrier ID 1301 is “SID-C001” is “111111” and the public key certificate 1303 is a public key certificate of “CERT-C001”. Yes.

This is the end of the description of the configuration of the key management table 1300 in FIG.
FIG. 15 is a diagram illustrating a configuration of the signed metadata 1500 generated by the metadata signature unit 1112.

  The metadata 1500 includes a metadata ID 1201, a content ID 301, a metadata body 1202, a signer ID 305, and a signature 1403. Here, the signer ID 305 is set to the provider ID 1301 that gives a signature to the metadata 1500.

  Normally, the creator of the metadata 1500 and the metadata signer are the same business operator, but different business operators may be metadata signers.

  This is the end of the description of the configuration of the server device on the provider side and the data generated by the server device such as licenses and metadata.

Next, the configuration of the terminal device 110 on the user side will be described using FIG.
FIG. 20 is a functional block diagram showing the configuration of the terminal device 110 shown in FIG.

  The terminal device 110 includes a storage unit 2001, a public key certificate storage unit 2002, a reception unit 2011, a separation unit 2012, a communication unit 2013, a license processing unit 2014, a content use unit 2015, and metadata availability. A determination unit 2016 and a metadata signature verification unit 2017 are provided.

  The accumulation unit 2001 is a unit that accumulates content 1000, a license 500, metadata 1500, and the like received from a broadcast station or a metadata provider, and is realized by an HDD, a BD (Blu-ray Disc), or the like.

  The public key certificate accumulation unit 2002 is a unit that accumulates the public key certificate 1303 of a provider such as a root CA 401, a broadcasting station, or a metadata provider, and is realized by an HDD, a flash memory, or the like.

  Note that the public key certificate 1303 of the root CA 401 is already stored in the public key certificate storage unit 2022 at the time of shipment of the terminal device 110, and the public key certificate 1303 of the broadcasting station or metadata provider is stored as necessary. , Acquired through the network 120 or the like, and stored in the public key certificate storage unit 2022. Of course, the public key certificate 1303 of the root CA 401 may be acquired from a portable medium such as the network 120 or an SD (Secure Digital) card as necessary, or a public key certificate of a broadcasting station or a metadata provider. It is also possible to acquire 1303 together with any of the content 1000, the license 500, and the metadata 1500.

  The receiving unit 2011 is a unit that receives content from the network 120 such as digital broadcasting or the Internet.

  The separation unit 2012 is a unit that separates the MPEG-2 TS multiplexed with the content 1000, the license 500, and the metadata 1500 received by the reception unit 2011, and extracts the content 1000, the license 500, and the metadata 1500.

  The communication unit 2013 is a unit that acquires the metadata 1500 from the metadata distribution server 103 of the metadata provider via the network 120. Specifically, the communication unit 2013 acquires the corresponding metadata 1500 by transmitting the metadata ID 1201 or the like to the metadata distribution server 103 based on a user request or the like.

  When the license processing unit 2014 acquires the license 500 stored in the storage unit 2001 or the like, refers to the use condition 304 included in the license 500, determines whether or not the license can be used, and is usable The content key 303, the signer ID 305, and the permission range 306 are transmitted to the content use unit 2015. The license processing unit 2014 also performs processing for reflecting the usage status of the content 1000 in the license 500 after the usage of the content 1000 is completed.

  Since the terminal device 110 needs to securely manage the license 500 acquired by the user, when the license 500 is stored in the storage unit 2001, the content key 303 of the license 500 is used as a unique key of the terminal device 110, etc. And the hash value of the license 500 is managed by a secure memory (not shown in FIG. 20). Alternatively, the license 500 itself may be stored in a secure memory not shown in FIG.

  The content use unit 2015 reads the encrypted content 1000 and metadata 1500 from the storage unit 2001, decrypts the encrypted content 1000 using the content key 303 received from the license processing unit 2014, and decrypts the content This is a unit that decodes 1000 to perform reproduction, recording, and the like. At this time, the content 1000 is reproduced using the metadata 1500. The reproduced content 1000 is output as video, audio, or the like on a display, a recording medium or the like not shown in FIG.

  The metadata availability determination unit 2016 is a unit that determines whether the content 1000 can be used using the metadata 1500 based on the license 500. Specifically, the metadata availability determination unit 2016 broadcasts based on the signer ID 305 and permission range 306 set in the license 500 and the signer ID 305 of the metadata 1500 received from the license processing unit 2014. It is determined whether the station permits the use of the metadata.

  The metadata signature verification unit 2017 is a unit that verifies the digital signature attached to the metadata 1500. Specifically, the metadata signature verification unit 2017 reads the public key certificate 1303 corresponding to the signer ID 305 of the metadata 1500 from the public key certificate storage unit 2002 and verifies the signature 1403 of the public key certificate 1303. After that, the signature 1403 of the metadata 1500 is verified using the public key 1401 included in the public key certificate 1303, and whether or not the signature verification is successful is transmitted to the metadata availability determination unit 2016.

  The details of the digital signature verification process are described in Non-Reference Document 1, and thus the description thereof is omitted here.

  In addition, in order to securely perform license processing and content usage processing using metadata in the terminal device 110, the license processing unit 2014, content usage unit 2015, metadata availability determination unit 2016, and metadata signature verification unit 2017 include hardware Tamper resistant by hardware or software.

Above, description about the structure of the terminal device 110 of FIG. 20 is completed.
In such a metadata usage control system 1, content (program), license, metadata, and the like are distributed from the content distribution server 102 via the network 120, and the content, license, and metadata are stored in the HDD or the like in the terminal device 110. FIG. 21 shows a process of controlling the use of content based on the license and using the content using only the metadata provided by the metadata signer (ie, metadata provider) licensed by the broadcasting station. Description will be made with reference to FIG.

<License generation processing flow>
First, a process for transmitting the generated license 500 to the content distribution server 102 so that the license server 101 generates the license 500 and sends the license 500 together with the content 1000 from the content distribution server 102 will be described with reference to the flowchart of FIG. To do.

  The license generation unit 211 reads the information of the corresponding content ID 301 from the use condition table 300 of the use condition database 201 based on a request from an upper system such as a program operation management system of the broadcasting station (step S2101).

  The license generation unit 211 generates a license 500 based on the information read in step S2101 and sets the license 500 in the ECM (step S2102).

  The license encryption unit 212 receives the license 500 (ECM) generated by the license generation unit 211, and encrypts the license 500 by AES or the like using the latest work key of the broadcasting station (step S2103).

  The transmission unit 213 transmits the license 500 encrypted by the license encryption unit 212 to the content distribution server 102 (step 2104).

  This is the end of the description of the license generation process flow of FIG.

<Metadata generation process flow>
Next, using FIG. 22, the metadata distribution server 103 generates the metadata 1500 and transmits the generated metadata 1500 to the content distribution server 102 in order to send the metadata 1500 together with the content 1000 from the content distribution server 102. Processing to be performed will be described.

  The metadata generation unit 1111 reads the information of the corresponding metadata ID 1201 or content ID 301 from the metadata table 1200 of the metadata database 1101 based on a request from an upper system such as a program operation management system of a broadcasting station ( Step S2201).

  The metadata generation unit 1111 generates metadata 1500 based on the information read in step S2201 (step S2202).

  The metadata signature unit 1112 receives the metadata 1500 generated by the metadata generation unit 1111 and gives a digital signature by EC-DSA or the like using the secret key 1302 of the key management table 130 of the key management database 1102. (Step S2203). At the same time, the operator ID 1301 of the key management table 1300 is set to the signer ID 305 of the metadata 1500.

  The metadata management unit 1113 stores the metadata 1500 received from the metadata signature unit 1112 in the metadata storage unit 1103 and transmits it to the transmission unit 1114 (step S2204).

  The transmission unit 1114 transmits the metadata 1500 received from the metadata management unit 1113 to the content distribution server 102 (step 2205).

  This is the end of the description of the metadata generation processing flow in FIG.

<Content transmission processing flow and content reception processing flow>
Next, a process in which the content distribution server 102 transmits the content 1000, the license 500, and the metadata 1500 and the terminal device 110 receives the content 1000, the license 500, and the metadata 1500 via the network 120 will be described with reference to FIG. To do.

  The content management unit 912 of the content distribution server 102 reads the designated content 1000 from the content database 901 based on a request from an upper system such as a program operation management system of the broadcast station (step S2301).

  The multiplexing unit 913 multiplexes the content 1000 received from the content management unit 912, the license 500 and the metadata 1500 received from the communication unit 911 as MPEG-2 TS, and generates multiplexed data (step S2302). . At this time, it is assumed that the communication unit 911 has received the license 500 and the metadata 1500 corresponding to the content 1000 from the license server 101 and the metadata distribution server 103, respectively.

  The sending unit 914 sends the multiplexed data received from the multiplexing unit 913 to the network 120 (step S2303).

  The receiving unit 2011 of the terminal device 110 receives the multiplexed data transmitted from the content distribution server 102 via the network 120 (step S2304).

  The separation unit 2012 separates the multiplexed data received from the reception unit 2011, and extracts the content 1000, the license 500, and the metadata 1500 (step S2305).

  The separation unit 2012 stores the separated content 1000, license 500, and metadata 1500 in the storage unit 2001 after associating them with each other (step S2306).

  Here, it is not always necessary to separate the content 1000, the license 500, and the metadata 1500. For example, the content 1000 and the license 500 (ie, ECM) are left multiplexed, and only the metadata 1500 is stored. It may be separated and stored in the storage unit 2001. Alternatively, in some cases, the content 1000, the license 500, and the metadata 1500 may be stored in the storage unit 2001 while being multiplexed.

  Prior to the content transmission processing flow and the content reception processing flow, it is necessary to register the user and the terminal device 110 using a contract management server provided by the business operator and to make a contract with the service that the user wants to view. However, since these processes are not the main point of the present invention, the description is omitted here, and it is assumed that the processes such as user registration, registration of the terminal device 110, and service subscription are completed.

  This is the end of the description of the content transmission processing flow and the content reception processing flow of FIG.

<Metadata acquisition process flow>
Next, with reference to FIG. 24, when the terminal device 110 requests metadata 1500 having higher convenience, for example, the metadata 1500 generated by the metadata provider licensed from the broadcasting station via the network 120 is used. The process of acquiring the will be described.

  The communication unit 2013 of the terminal device 110 receives a request from a user application (not shown in FIG. 20) and transmits a request for metadata 1500 to the metadata distribution server 103 (step S2401). Specifically, the communication unit 2013 generates a request message including the metadata ID 1201 requested by the metadata distribution server 103 based on a request from the user or a request from another application of the terminal device 110, and Transmit to the data distribution server 103.

  The communication unit 1114 of the metadata distribution server 103 receives the request message from the terminal device 110 (step S2402).

  The metadata management unit 1113 receives the metadata ID 1201 from the communication unit 1114, and searches for the metadata 1500 that matches the metadata ID 1201 (step S2403). Specifically, the metadata management unit 1113 determines whether or not the metadata 1500 having the metadata ID 1201 received from the communication unit 1114 exists in the metadata 1500 stored in the metadata storage unit 1103. The metadata storage unit 1103 is searched using the metadata ID 1201 as a key.

  The metadata management unit 1113 confirms the search result in step S2403 (step S2404).

  If YES in step S2404, that is, if the metadata 1500 requested by the terminal device 110 exists in the metadata storage unit 1103, step S2405 is executed. If NO in step S2404, that is, if the metadata 1500 requested by the terminal device 110 does not exist in the metadata storage unit 1103, step S2406 is executed.

  The metadata management unit 1113 reads the retrieved metadata 1500 from the metadata storage unit 1103 (step S2405).

  The communication unit 1114 generates a response message for the request to the terminal device 110 and transmits the response message to the terminal device 110 (step S2406). Specifically, if YES in step S2404, the communication unit 1114 generates a response message including the read metadata 1500 and transmits it to the terminal device 110. If NO in step S2404, A response message indicating that the requested metadata 1500 does not exist is generated and transmitted to the terminal device 110.

  The communication unit 2013 of the terminal device 110 receives the response message from the metadata distribution server 103 (step S2407).

  The communication unit 2013 confirms whether or not the requested metadata 1500 has been acquired (step S2408).

  If YES in step S2408, that is, if the requested metadata 1500 can be acquired, step S2409 is executed. If NO in step S2408, that is, if the requested metadata 1500 could not be acquired, an error message indicating that fact is presented to the user, and the metadata acquisition processing flow ends.

  The communication unit 2013 accumulates the acquired metadata 1500 in the accumulation unit 2001 (step S2409). Specifically, the communication unit 2013 stores the metadata 1500 and the corresponding content 1000 in association with each other in the storage unit 2001.

  This is the end of the description of the metadata acquisition process flow of FIG.

<Content and metadata usage processing flow>
Next, a process of using (reproducing) the content 1000 using the metadata 1500 acquired from the content distribution server 102 or the metadata distribution server 103 in the terminal device 110 will be described with reference to FIG.

  The content use unit 2015 and the license processing unit 2014 read the content 1000, the metadata 1500, and the license 500 in the storage unit 2001 based on a request from the user (step S2501). Specifically, when the content utilization unit 2015 receives a content and metadata utilization request from a user, the content utilization unit 2015 reads the content 1000 stored in the storage unit 2001 and the metadata 1500 corresponding to the content 1000. At the same time, the license processing unit 2014 reads the license 500 corresponding to the content 1000 from the storage unit 2001.

  The license processing unit 2014 verifies the validity of the read license 500 (step S2502). Specifically, the license processing unit 2014 refers to the use condition 305 of the license 500 and verifies whether or not the use condition 305 is satisfied. For example, in the case of the license 500 shown in FIG. 6, the use condition 305 (604 in FIG. 6) is “until 2005/3/9”, so the clock managed by the terminal device 110 (see FIG. 20). It is determined whether or not the current time has passed "2005/3/9". Further, in the case of the license 500 shown in FIG. 7, the use condition 305 (704 in FIG. 7) is “indefinite period, 10 times of reproduction”, so whether or not the number of reproducible times remains 1 or more remains. judge.

  The license processing unit 2015 confirms the verification result in step S2502 (step S2503).

  If YES in step S2503, that is, if the usage condition 305 of the license 500 is satisfied, step S2504 is executed. For example, in the case of the license 500 shown in FIG. 6, the current time has not passed “2005/3/9”, and in the case of the license 500 shown in FIG. This is the case when one or more remain.

  If NO in step S2503, that is, if the usage condition 305 of the license 500 is not satisfied, a message notifying the user is displayed, and the content and metadata usage processing flow is terminated.

  The license processing unit 2015 extracts the content key 303, the signer ID 305, and the permission range 306 from the license 500, and transmits them to the content use unit 2015 (step S2504).

  The metadata availability determination unit 2016 determines whether the metadata 1500 read from the storage unit 2001 is available (step S2505). Specifically, the metadata availability determination unit 2016 receives the metadata 1500, the signer ID 305 set in the license 500, and the permission range 306 from the content usage unit 2015, and based on these, the metadata is used. Judge whether or not to use. Note that the metadata availability determination process in step S2505 will be described later with reference to FIG.

  The content use unit 2015 confirms the determination result in the metadata availability determination process in step S2505 (step S2506). Specifically, the content use unit 2015 executes step S2507 if YES in step S2506, that is, if the metadata 1500 is “usable”.

  If NO in step S2506, that is, if the metadata 1500 is “unusable”, a message or the like for notifying the user is displayed, and the content and metadata utilization processing flow is displayed. finish.

  The content use unit 2015 decrypts the encrypted content 1000 using the content key 303 acquired from the license processing unit 2015 (step S2507).

  The content use unit 2015 uses the metadata 1500 to reproduce the decrypted content 1000 (step S2508). Specifically, the content use unit 2015 performs special playback such as digest viewing and scene search by using segmentation information described in the metadata 1500.

  In the content and metadata usage processing flow, the reproduction of the content 1000 is terminated when it is determined that the metadata is not available in the metadata availability determination process in step S2505. The normal reproduction may be performed without using the metadata 1500.

  Further, the content decoding process in step S2507 and the content reproduction process in step S2508 may be performed in parallel.

  In the content and metadata usage processing flow, the availability of the metadata 1500 is determined when the usage of the content 1000 is started. However, it may be performed while the content 1000 is being used as necessary. good. Alternatively, whether or not the metadata 1500 can be used may be determined at a timing when it becomes necessary to use the metadata 1500 during the reproduction of the content 1000.

  This is the end of the description of the content and metadata use processing flow of FIG.

<Metadata availability decision processing flow>
Next, the metadata availability determination process in step S2505 in FIG. 25 will be described with reference to the flowchart in FIG.

  The metadata availability determination unit 2016 reads the signer ID 305 of the metadata 1500 (step S2601). Specifically, the metadata availability determination unit 2016 reads the signer ID 305 that can identify the signer of the metadata 1500 with reference to the metadata 1500 received from the content usage unit 2015, and is currently paying attention. The signer ID 305 is stored in the memory.

  The metadata availability determination unit 2016 refers to the permission range 306 of the license 500 and checks whether or not the permission range 306 is “signer only” (step S2602).

  If YES in step S2602, that is, if the permitted range 306 is "signer only", step S2607 is executed. This is the case, for example, when processing the permission range 306 (606 in FIG. 6) of the license 500 in FIG.

  Here, the reason for executing step S2607 is that, when the permission range 306 is “signer only”, only the metadata 1500 signed by the signer that matches the signer ID 305 described in the license 500 is used. This is because it is not permitted to follow the chain of the public key certificate 1303. Incidentally, the verification of the validity of the chain of the public key certificate 1303 in the signature verification is performed in step S2609 described later.

  If NO in step S2602, that is, if the permitted range 306 is "signer and lower-order signer", step S2603 is executed in order to trace the chain of public key certificates 1303 to the root CA 401. This is the case, for example, when the permission range 306 (706 in FIG. 7) of the license 500 in FIG. 7 is processed.

  The metadata availability determination unit 2016 compares the signer ID 305 stored in the memory with the provider ID 1301 of the root CA 401 read from the public key certificate storage unit 2002 (that is, an ID that can identify the root CA 401) ( Step S2603). Specifically, the metadata availability determination unit 2016 reads the public key certificate 1303 of the root CA 401 from the public key certificate storage unit 2002 and stores the business operator ID 1301 (ID of the root CA 401) in the internal memory. Next, by comparing the ID of the root CA 401 with the signer ID 305 currently focused on, it is confirmed whether or not the signer ID 305 currently focused on matches the ID of the root CA 401.

  Here, an example in which only one root CA 401 exists is shown, but when there are a plurality of root CAs 401 and there are a plurality of public key certificates 1303 of the root CA 401 in the public key certificate storage unit 2002. In advance of the processing in step S2603, the root CA 401 public key certificate 1303 to be used is specified in advance by tracing the chain of the public key certificate 1303 of the signer ID 305 of the metadata 1500. And good.

  The metadata availability determination unit 2016 confirms the comparison result in step S2603 (step S2604).

  If YES in step S2604, that is, if the signer ID 305 currently focused on matches the ID of the root CA 401, the chain of the public key certificate 1303 has been traced to the root CA 401, and step S2607 is executed. To do.

  If NO in step S2604, that is, if the signer ID 305 currently focused on does not match the ID of the root CA 401, the process continues to follow the chain of public key certificates 1303 to the root CA 401. S2605 is executed.

  However, if the signer ID 305 currently focused on does not match the ID of the root CA 401, but the signer ID 305 currently focused on is the root CA 401 (for example, the public key certificate storage unit 2002 has a different root CA 401). In the case where only the public key certificate 1303 is held), the validity of the public key certificate 1303 cannot be confirmed, so the metadata availability determination process is immediately terminated.

  The metadata availability determination unit 2016 stores the signer ID 305 currently focused on in the internal memory as a signer ID list (step S2605). Specifically, since the metadata availability determination unit 2016 leaves the history of the signer ID of interest in the process of following the chain of the public key certificate 1303 from the signer ID 305 of the metadata 1500 to the root CA 401, The signer ID 305 sequentially read is added to the celebrity ID list created in the internal memory of the terminal device 110.

  The metadata availability determination unit 2016 reads the signer ID 305 which is higher than the signer ID 305 currently focused on, and updates the signer ID 305 currently focused on the memory (step S2606). Specifically, the metadata availability determination unit 2016 creates a public key certificate storage unit 2002 by using a public key certificate 1303 in which the signer ID 305 currently focused on matches the operator ID 1301 of the public key certificate 1303. The signer ID 305 of the public key certificate 1303 is extracted. Next, “signer ID 305 currently focused” on the memory is replaced with the extracted signer ID 305 as a new “signer ID 305 currently focused”.

  After executing step S2606, step S2603 is subsequently executed. That is, by repeating the processing of steps S2603 to S2606, the public key certificate chain shown in FIG. 4 is traced from the lower hierarchy to the root CA 401, which is the upper hierarchy.

  The metadata availability determination unit 2016 adds the signer ID 305 currently focused on to the signer ID list (step S2607). This process is the same as the process in step S2605.

  The metadata availability determination unit 2016 confirms whether or not the signer ID 305 of the license 500 is included in the signer ID list (step S2608). Specifically, the metadata availability determination unit 2016 uses the signer ID list created in steps S2603 to S2607 to change the chain of public key certificates shown in FIG. 4 from the lower hierarchy to the upper hierarchy. As it is traced toward the root CA 401, it is confirmed whether or not the signer ID 305 permitted by the license 500 is included.

  If YES in step S2608, that is, if signer ID 305 of license 500 is included in the signer ID list, step S2609 is executed.

  If NO in step S2608, that is, if the signer ID 305 of the license 500 is not included in the signer ID list, it is determined that the metadata 1500 cannot be used (step S2612), and the metadata can be used. The determination process ends.

  The metadata signature verification unit 2017 verifies the signature of the metadata 1500 (step S2609). Specifically, the metadata signature verification unit 2017 confirms the validity of the metadata 1500 received from the metadata availability determination unit 2016 and the public key 1401 of the public key certificate 1303 read from the public key certificate storage unit 2002. Confirm by. In this process, when the public key certificate 1303 of the metadata signer is chained, the necessary public key certificate 1303 is sequentially obtained until the validity can be verified by the public key certificate 1303 of the root CA 401. Read from the public key certificate storage unit 2002 and verify the signature.

  Note that this process is a general digital signature verification process and is described in detail in Non-Reference Document 1, and thus the description thereof is omitted here.

  The metadata availability determination unit 2016 receives the signature verification result of step S2609 in the metadata signature verification unit 2017, and confirms the verification result (step S2610).

  If YES in step S2610, that is, if the signature verification of the metadata 1500 is successful, it is determined that the metadata 1500 is usable (step S2611), and the metadata availability determination process is terminated. .

  If NO in step S2610, that is, if the signature verification of the metadata 1500 has failed, it is determined that the metadata 1500 cannot be used (step S2612), and the metadata availability determination process ends. .

This is the end of the description of the metadata availability determination processing flow in FIG.
Here, in the flowcharts described with reference to FIGS. 25 and 26, specific examples of cases where the metadata 1500 can be used and cannot be used are shown in FIGS. 6 to 8, FIGS. 16 to 19 and FIG. I will explain. Here, the three licenses 500 shown in FIGS. 6 to 8 are used as the license 500, and the four metadata 1500 shown in FIGS. 16 to 19 are used as the metadata 1500. FIG. 27 is a diagram showing a range of metadata signers permitted by each of the licenses 500 in FIGS.

  The license 500 in FIG. 6 has the signer ID 305 “SID-C001” (605 in FIG. 6) and the permission range 306 is “signer only” (606 in FIG. 6), so the broadcasting station A411 in FIG. Only the metadata 1500 to which the signature is attached can be used.

  In the license 500 of FIG. 7, the signer ID 305 is “SID-C001” (705 in FIG. 7) and the permission range 306 is “signer and lower-order signer” (706 in FIG. 7). Only the broadcast station A411 and the metadata 1500 signed by the metadata provider α421 and the metadata provider β422, which are signers lower than the broadcast station A411, can be used.

  The license 500 in FIG. 8 provides the metadata in FIG. 27 because the signer ID 305 is “SID-M002” (805 in FIG. 8) and the permission range 306 is “signer only” (806 in FIG. 8). Only the metadata 1500 that is signed by the person β 422 can be used.

  Therefore, when considering the metadata 1500 in FIG. 16 to FIG. 19, the metadata 1500 in FIG. 16 includes the signer ID 305 “SID-C001” (1604 in FIG. 16), that is, metadata signed by the broadcasting station A 411. Accordingly, the metadata 1500 is granted by the license 500 illustrated in FIG. 6, and the content 1000 can be used using the metadata 1500. On the other hand, since the metadata 1500 in FIG. 17 is the signer ID 305 “SID-M001” (1704 in FIG. 17), that is, the metadata 1500 signed by the metadata provider α 421, the license 500 shown in FIG. The metadata 1500 is not given permission, and the content 1000 using the metadata 1500 cannot be used.

  Since the metadata 1500 in FIG. 18 is the signer ID 305 “SID-M001” (1804 in FIG. 18), that is, the metadata 1500 signed by the metadata provider α 421, the license 500 shown in FIG. The given metadata 1500 is used, and the content 1000 can be used using the metadata 1500. Similarly, the metadata 1500 signed by the broadcasting station A411 and the metadata provider β422 can be used, and the metadata signed by a metadata signer other than the broadcasting station A411, the metadata provider α421, and the metadata provider β422. Data 1500 is not available.

  Since the metadata 1500 in FIG. 19 is the signer ID 305 “SID-M002” (1904 in FIG. 19), that is, the metadata 1500 signed by the metadata provider β 422, the license 500 shown in FIG. The given metadata 1500 is used, and the content 1000 can be used using the metadata 1500. The metadata 1500 signed by a metadata signer other than the metadata provider β422 cannot be used.

  This is the end of the description of the specific examples when the metadata 1500 is available and unavailable.

  As described above, since the metadata usage control system 1 includes the information for designating the metadata signer licensed by the broadcast station in the license for granting the content usage, the signer signed by the broadcast station is signed. It is possible to use the content reliably using only the metadata that has been set. In addition, since it is determined whether or not the metadata is valid before using the metadata, there is no possibility of using unauthorized metadata.

  Furthermore, since the license includes information for collectively specifying the signers to be permitted, the size of the signer identification information included in the license can be reduced, and the metadata provider licensed by the broadcasting station after the license is issued Even when the number of licenses increases, it is not necessary to update the issued license, so that it is possible to flexibly deal with actual operation.

  Note that the signer ID 305 described in the license 500 and the metadata 1500 described in the embodiment of the present invention needs to be assigned so as to be uniquely identifiable in the metadata usage control system 1. In particular, care should be taken when using a chain of public key certificates 1303. Therefore, for example, as the signer ID 305 described in the license 500 and the metadata 1500, the business ID 1301 of the public key certificate 1303 (subject of the public key certificate 1303) and the signer ID 305 (issue of the public key certificate 1303) To be used in pairs.

  Further, regarding the signer ID 305 and the business operator ID 1301 shown in the embodiment of the present invention, X. 509 or the like of a public key certificate such as serial number, issuer, subject (subject), issuer UniqueID (issuer unique identifier), subjectUniqueID (subject unique ID), etc. The signer ID assigned by the metadata usage control system 1 may be described.

  In the embodiment of the present invention, an example in which the permission range 306 of the license 500 has two types of “signer only” and “signer and lower-order signer” has been described. It may be specified by the number of layers in the chain of the public key certificate 1303 from the signer ID 305. For example, as shown in FIG. 28, in addition to the chain of public key certificates 1303 shown in FIG. 4, in the case where “metadata provider X2801” exists further below the metadata provider β 422, the license 500 When the signer ID 305 is “SID-C001” (broadcasting station A411 in FIG. 28) and the permission range 306 is designated as “1”, the permission range of the metadata signer is 1 when viewed from the broadcasting station A411. The range up to the lower level, that is, the broadcasting station A411, the metadata provider α421, and the metadata provider β422 are the permitted range, and the metadata provider X2801 is not the permitted range. When the permitted range 306 is designated as “2”, the range up to one level lower than the broadcasting station A 411 is the permitted range, and the metadata provider X 2801 is also included in the permitted range. In this way, by designating the permission range 306 by the number of layers of the public key certificate 1303 chain, the broadcast station indirectly limits the metadata signers to which permission is granted through the public key certificate chain. It becomes possible.

  The signer ID 305 may issue a public key certificate 1303 to a group of a plurality of signers, or a group identifier for identifying a group in both the public key certificate 1303 and the license 500. The metadata availability determination unit 2016 may determine that the metadata 1500 is available only when these group identifiers match. In this case, since the metadata providers to which the broadcasting station grants permission can be grouped into a plurality of groups, it is possible to control the availability of various metadata. In addition, by including information used for determining whether or not metadata can be used in both the public key certificate 1303 and the license 500, it is possible to control the availability of various metadata. The group identifier and other information to be added are preferably set in the extension area 1402 of the public key certificate 1303.

  In the embodiment of the present invention, the root CA 401 and the broadcasting station (intermediate CA) are not shown in the metadata use control system 1 of FIG. And the terminal device 110 may be connected to each other online.

  Further, when the signer ID 305 is not designated in the license 500, the terminal device 110 may determine that all metadata can be used. If the permission range 306 is not designated, it may be determined that only metadata signed by only the signer individually designated by the signer ID 305 can be used, or the signer ID 305 can use the metadata. It may be determined that only metadata signed only by a signer designated in a batch can be used.

  In the embodiment of the present invention, the case where the validity verification of the public key certificate 1303 is performed only by the verification of the digital signature is shown. The public key certificate 1303 of a simple business operator may be revoked.

  In the embodiment of the present invention, the example in which the license 500 generated by the license server 101 is distributed together with the content 1000 and the metadata 1500 from the content distribution server 102 has been described. However, the present invention is not limited to this. The license 500 may be distributed through the network 120 separately from the content 1000 or the like in response to a request from the user (terminal device 110). In this case, the license server 101 may manage usage rights for each user. Also, in this case, the license 500 may be encrypted using an individual encryption key for each terminal device 110, or the terminal device 110 and the license server 101 establish a SAC (Secure Authenticated Channel), and the terminal device Encryption may be performed using an encryption key shared by the license server 110 and the license server 101.

  Further, the license 500 and the metadata 1500 may further include a signer type indicating the type of the metadata signer. Examples of the signer type include a content provider, a service provider, a metadata provider, and a user. By including the signer type in the license 500 and the metadata 1500, the content 1000 using the metadata 1500 is used only when the signer type of the license 500 matches the signer type of the metadata 1500. It is possible to control so as to be possible.

  Furthermore, in order to control the usable range of metadata created by the user (hereinafter referred to as user metadata), the usable range of user metadata may be described in the license 500. The usable range is, for example, a range within the user's domain (a group of a plurality of terminal devices 110 owned by the user) or only the terminal device 110 that has created user metadata. In this case, identification information indicating user metadata is described in the user metadata, and alteration detection information generated using domain-specific information or information specific to the terminal device 110 is added. When using content using user metadata, if the usable range is “inside the domain”, falsification detection of user metadata is executed using domain-specific information, and the usable range is “terminal In the case of “only device”, it is determined whether or not the user metadata is created by another terminal device 110 using information unique to the terminal device 110. Further, when alteration of user metadata is detected, the use of content may be stopped.

(Other variations)
Although the present invention has been described based on the above embodiment, it is needless to say that the present invention is not limited to the above embodiment. The following cases are also included in the present invention.

  (1) Each of the above devices is specifically a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or hard disk unit. Each device achieves its functions by the microprocessor operating according to the computer program. Here, the computer program is configured by combining a plurality of instruction codes indicating instructions for the computer in order to achieve a predetermined function.

  (2) A part or all of the constituent elements constituting each of the above-described devices may be configured by one system LSI (Large Scale Integration). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip, and specifically, a computer system including a microprocessor, ROM, RAM, and the like. . A computer program is stored in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program.

  (3) Part or all of the constituent elements constituting each of the above devices may be configured from an IC card that can be attached to and detached from each device or a single module. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

  (4) The present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal composed of the computer program.

  The present invention also provides a computer-readable recording medium such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc). ), Recorded in a semiconductor memory or the like. The digital signal may be recorded on these recording media.

  In the present invention, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like.

  The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.

  In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, and executed by another independent computer system. It is good.

  (5) The above embodiment and the above modifications may be combined.

  The metadata usage control system according to the present invention has an effect that the content can be used with certainty using only the metadata signed by the metadata signer licensed by the broadcasting station. This is useful as a metadata usage control system in content distribution services such as CATV and the Internet. It can also be applied to a metadata usage control system in a content distribution service using portable media such as package media.

The figure which shows schematic structure of the whole metadata utilization control system 1 which concerns on embodiment of this invention. The figure which shows the structure of the license server 101 which concerns on embodiment of this invention. The figure which shows an example of the use condition table of the use condition database 201 in the license server 101 which concerns on embodiment of this invention. The figure which shows an example of the chain | strand of the public key certificate used with the metadata utilization control system 1 which concerns on embodiment of this invention The figure which shows the structure of the license 500 which concerns on embodiment of this invention. The figure which shows an example of the license 500 which concerns on embodiment of this invention. The figure which shows an example of the license 500 which concerns on embodiment of this invention. The figure which shows an example of the license 500 which concerns on embodiment of this invention. The figure which shows the structure of the content delivery server 102 which concerns on embodiment of this invention. The figure which shows the structure of the encrypted content 1000 which concerns on embodiment of this invention. The figure which shows the structure of the metadata delivery server 103 which concerns on embodiment of this invention. The figure which shows an example of the metadata table 1200 of the metadata database 1101 in the metadata delivery server 103 concerning embodiment of this invention. The figure which shows an example of the key management table 1300 of the key management database 1102 in the metadata delivery server 103 concerning embodiment of this invention. The figure which shows the structure of the public key certificate 1303 which concerns on embodiment of this invention. The figure which shows the structure of the metadata 1500 with a signature which concerns on embodiment of this invention. The figure which shows an example of the metadata 1500 with a signature which concerns on embodiment of this invention The figure which shows an example of the metadata 1500 with a signature which concerns on embodiment of this invention The figure which shows an example of the metadata 1500 with a signature which concerns on embodiment of this invention The figure which shows an example of the metadata 1500 with a signature which concerns on embodiment of this invention The figure which shows the structure of the terminal device 110 which concerns on embodiment of this invention. Flowchart of license generation processing in license server 101 according to the embodiment of the present invention Flowchart of metadata generation processing in the metadata distribution server 103 according to the embodiment of the present invention Flowchart of content transmission processing in content distribution server 102 and content reception processing in terminal device 110 according to the embodiment of the present invention. Flowchart of metadata acquisition processing according to the embodiment of the present invention Flowchart of content and metadata use processing in terminal device 110 according to the embodiment of the present invention Flowchart of metadata availability determination process in terminal device 110 according to the embodiment of the present invention. The figure which shows an example of the range of the signer of the available metadata 1500 which concerns on embodiment of this invention The figure which shows an example of the range of the signer of the available metadata 1500 which concerns on embodiment of this invention

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Metadata usage control system 101 License server 102 Content delivery server 103, 103a-103c Metadata delivery server 110 Terminal device 120 Network 201 Usage condition database 211 License generation part 212 License encryption part 213, 911, 1114, 2013 Communication part 300 Usage condition table 301 Content ID
302 License ID
303 Content key 304 Terms of use 305 Signer ID
306 Permission range 401 Root CA
411, 412 Broadcasting station 421, 422, 423, 2801 Metadata provider 500 License 901 Content database 912 Content management unit 913 Multiplexing unit 914 Sending unit 1000 Content 1001 Content body 1101 Metadata database 1102 Key management database 1103 Metadata storage unit 1111 Metadata generation unit 1112 Metadata signature unit 1113 Metadata management unit 1200 Metadata table 1201 Metadata ID
1202 Metadata body 1300 Key management table 1301 Provider ID
1302 Private Key 1303 Public Key Certificate 1401 Public Key 1402 Extended Area 1500 Metadata 2001 Storage Unit 2002 Public Key Certificate Storage Unit 2011 Receiving Unit 2012 Separation Unit 2014 License Processing Unit 2015 Content Usage Unit 2016 Metadata Usage Availability Determination Unit 2017 Meta Data signature verification unit

Claims (4)

A server device that distributes a license for granting use permission of content to the user and metadata of the content;
A metadata usage control system configured to acquire the license and the metadata, and based on the license, the terminal device securely uses the content using the metadata,
The server device includes license generation means for generating the license;
Metadata generating means for generating the metadata;
A signature providing means for providing a digital signature to the metadata;
Signer identification information giving means for giving signer identification information capable of identifying a signer of a digital signature to the metadata;
Licensed signer identification information giving means for granting licensed licenser identification information indicating a range of a signer to the metadata, which grants the license to use the content using the metadata;
Sending means for sending the license and the metadata to the terminal device;
The terminal device
Receiving means for receiving the license and the metadata;
License processing means for processing the license;
Signature verification means for verifying a digital signature of the metadata;
Content using means for using the content using the metadata;
Based on the signer identification information and the licensed signer identification information, metadata availability determination means for determining the availability of the metadata in the content use means,
The metadata availability determination unit is only when the signature verification by the signature verification unit is successful and when the signer identification information is included in the permitted range indicated by the license signer identification information. A metadata usage control system characterized by permitting the use of metadata. The licensed signer identification information and the signer identification information are IDs,
The metadata availability determination unit permits the use of the metadata when the signature verification by the signature verification unit is successful and the signer identification information matches the license signer identification information. The metadata use control system according to claim 1, wherein: The licensed signer identification information and the signer identification information are IDs,
The metadata availability determination unit is any one of IDs of signers of at least one or more public key certificates that have been successfully verified by the signature verification unit and referred to in the signature verification of the metadata. 2. The metadata use control system according to claim 1, wherein use of the metadata is permitted when the license signer identification information matches the license signer identification information. The licensed signer identification information and the signer identification information are IDs,
The license signer identification information adding unit further determines whether a range permitted by the license signer identification information is only a signer specified by an ID of the license signer identification information, Grant scope specification information that specifies whether the signer is a lower-order signer including the signer identified by the ID,
The metadata availability determination unit, when the license range designation information is only a signer specified by the ID of the license signer identification information, the signature verification by the signature verification unit is successful, and When the signer identification information matches the licensed signer identification information, the use of the metadata is permitted,
When the license range designation information is a lower-order signer including a signer specified by the ID of the license signer identification information, signature verification by the signature verification unit is successful, and the metadata The use of the metadata is permitted when any one of the signer IDs of at least one public key certificate referenced in the signature verification matches the license signer identification information. The metadata use control system according to claim 1.

Images