JP5941356B2 - Broadcast communication cooperative receiver, application authentication program, and broadcast communication cooperative system - Google Patents

Description

  The present invention relates to a technique for managing the execution of an A application in a broadcasting / communication cooperation system using broadcasting and a network such as the Internet or a dedicated IP (Internet Protocol) line.

  In recent years, various services that link broadcasting and communication (hereinafter referred to as “broadcast communication cooperation service”) have been studied along with digitization of broadcasting and high-speed / broadband communication (for example, see Non-Patent Documents 1 and 2). ). In this broadcasting / communication cooperation service, it is assumed that various information related to broadcasting programs are acquired via a network and presented in combination with broadcasting.

  In addition, in order to enjoy the broadcasting / communication cooperation service, the receiver is assumed to use an application adapted to the broadcasting / communication cooperation service. Therefore, in order to realize a more attractive service for viewers in this broadcasting / communication cooperation service, viewers can create applications (A applications) created based on certain rules by broadcasting stations, various service providers, and individuals. The environment that can be provided to is being prepared.

“Summary of Broadcast and Communication Collaboration Technology Research at STRL”, NHK STRL R & D, No. 124, 2011.11, P4-P9 “Overview and Technology of Hybridcast ™”, NHK STRL R & D, No. 124, 2011.11, P10-P17

  The application A described above may include an application that causes a disadvantage to the viewer, such as an application in which a serious defect (bug) has occurred or an application that operates like a computer virus. For this reason, in the conventional broadcasting / communication cooperation service, it is necessary to prevent a situation in which the A application that causes a disadvantage to the viewer is executed by the receiver. However, when an A application that is detrimental to the viewer is being activated (running) in the receiver, there is a problem in that the A application cannot be forcibly terminated and execution of the A application cannot be appropriately managed.

  Here, in the conventional broadcasting / communication cooperation service, it is also conceivable to distribute the revocation list including the identification information of the A application to the receiver via the network and manage the execution of the A application. However, with this execution management technique, the revocation list distribution source server is accessed, and the load on the network increases. For this reason, there is a strong demand for the implementation of an execution management method that efficiently uses broadcasting and communication.

  Accordingly, the present invention provides a broadcasting / communication cooperative reception that can effectively manage the execution of an A application that is disadvantageous to viewers by efficiently using broadcasting and communications in a broadcasting / communication cooperation service that links broadcasting and communications. It is an object to provide an apparatus, an application authentication program, and a broadcasting / communication cooperation system.

  In view of the above-described problems, a broadcast communication cooperative receiving apparatus according to the first invention of the present application includes a broadcast transmitting apparatus that transmits a broadcast program, a signature key that is secret information, and a verification key that is public information corresponding to the signature key. A signature key issuing device to be issued, an application signature generated by a signature key, and an application registration device for adding identification information generated by a predetermined naming convention to the application, and an application to which the application signature and the identification information are added A repository that stores a certain A application, an emergency revocation list that includes identification information of the A application to be forcibly terminated, and a revocation list management device that stores a normal revocation list that includes identification information of the A application that is to be stopped. It is placed in a broadcasting / communication cooperation system that includes broadcasting programs. Broadcast communication cooperation receiving apparatus, verification key storage means for storing a verification key in advance, application acquisition means, emergency revocation list acquisition means, normal revocation list acquisition means, application authentication means, activation control means, And an end control means.

According to such a configuration, the broadcasting / communication cooperation receiving apparatus acquires the A application from the repository via the network by the application acquiring unit.
Here, the “A (Authorized) application” is an application approved by the system administrator. For example, the system administrator manually or automatically verifies whether a certain application performs an operation expected in the broadcasting / communication cooperation system, and approves an application having no problem as a result of the verification.

  Also, the broadcasting / communication cooperation receiving device acquires the emergency revocation list from the revocation list management device via the broadcast wave by the emergency revocation list acquisition means, and outputs an application revocation information notification indicating that the emergency revocation list has been acquired. To do. This emergency revocation list is a revocation list including identification information of the A application that is forcibly terminated even during activation, and can be said to be highly urgent.

The broadcast communication cooperative receiving apparatus acquires the normal revocation list from the revocation list management apparatus via the network by the normal revocation list acquisition means. This normal revocation list is a revocation list that includes identification information of the A application whose activation is to be stopped, and can be said to be less urgent than the emergency revocation list.
That is, the broadcasting / communication cooperation receiving apparatus acquires an emergency revocation list with high urgency in real time via a broadcast wave, and acquires a normal revocation list with low urgency via a network.

  In addition, the broadcast communication cooperative receiving apparatus performs at least an application authentication process by the application authentication unit to determine whether or not the authentication target application is revoked by using the verification key, the emergency revocation list, and the normal revocation list. Do. When the activation control unit activates the A application, the broadcasting / communication cooperation receiving apparatus instructs the application authentication unit to perform an application authentication process using the activated A application as the authentication target application, and the activated A application expires. If it is determined that the application A is present, the activation of the A application is stopped.

In addition, when the application revocation information notification is input from the emergency revocation list acquisition unit by the termination control unit, the broadcasting / communication cooperation receiving apparatus instructs the application authentication unit to perform application authentication processing with the active A application as an authentication target application. If it is determined that the active A application has expired, the A application is forcibly terminated.
That is, the broadcasting / communication cooperation receiving apparatus can forcibly terminate the A application immediately even if the A application that causes a disadvantage to the viewer is being activated.

  In the broadcast communication cooperative receiving device according to the second invention of the present application, the verification key storage means for storing the verification key in advance and the normal revocation list acquisition means are used for the hash value, MAC value or revocation list as the revocation list verification information. The normal revocation list to which the signature is further added is acquired, and the application authentication means determines whether or not the application signature of the authentication target application is valid by using the verification key as the application authentication processing, and the application signature If it is not valid, it is determined that the application to be authenticated is revoked, the revocation list verification information is used to determine whether the normal revocation list is valid, and if the normal revocation list is not valid, the authentication target It is determined that the application has expired, and the identification information of the application to be authenticated is displayed in the emergency revocation list or It is determined whether or not it is included in the normal revocation list, and if the identification information is not included in the emergency revocation list and the normal revocation list, the authentication target application is authenticated (determined) as the A application, and the identification information is the emergency revocation list or normal If it is included in the revocation list, it is determined that the authentication target application has expired.

  According to such a configuration, the broadcasting / communication cooperation receiving apparatus can further determine the validity of the application signature and the validity of the normal revocation list in the application authentication process.

The broadcast communication cooperative receiving apparatus according to the third invention of the present application further includes a revocation list storage means for storing a normal revocation list, wherein the normal revocation list acquisition means requests the revocation list management apparatus for a normal revocation list, Accordingly, the difference between the latest normal revocation list, which is the normal revocation list acquired from the revocation list management device, and the stored normal revocation list, which is the normal revocation list stored in the storage means, is stored in the normal revocation list of the revocation list storage means. It is characterized by reflecting.
According to such a configuration, the broadcasting / communication cooperation receiving apparatus can differentially update the normal revocation list.

Also, the broadcasting / communication cooperation receiving device according to the fourth invention of the present application is any one or more of the timing determined by the grouping of device codes when the application is started, the launcher is started, or the waiting time of the broadcasting / communication cooperation receiving device. The normal revocation list is requested from the revocation list management device.
According to such a configuration, the broadcasting / communication cooperation receiving apparatus requests the normal revocation list at different timings.

  In view of the above-described problems, a broadcast communication cooperative system according to the fifth invention of the present application includes a broadcast communication cooperative receiver according to the first invention of the present application, a broadcast transmitter that transmits a broadcast program, a signature key, and the verification key. A signing key issuing device for issuing the application, an application registration device for adding the application signature and identification information to the application, a repository for storing the A application to which the application signature and identification information are added, an emergency revocation list, and a normal revocation list And a revocation list management device for storing.

  According to such a configuration, the broadcasting / communication cooperation system distributes an emergency revocation list with high urgency in real time via a broadcast wave, and distributes a normal revocation list with low urgency via a network. Furthermore, the broadcasting / communication cooperation system can immediately forcibly terminate the A application by the distributed emergency revocation list even when the A application that causes a disadvantage to the viewer is being activated.

  The broadcasting / communication cooperation receiving apparatus according to the first invention of the present application is a computer including hardware resources such as a CPU, a memory, and a hard disk (including a verification key storage unit), the above-described application acquisition unit, emergency revocation list acquisition unit, It can also be realized by an application authentication program for cooperative operation as normal revocation list acquisition means, application authentication means, activation control means, and termination control means. This application authentication program may be distributed via a network, or may be distributed by writing in a recording medium such as a CD-ROM or a flash memory.

According to the present invention, the following excellent effects can be obtained.
According to the first and fifth inventions of the present application, an emergency revocation list with high urgency is distributed in real time via a broadcast wave, and a normal revocation list with low urgency is distributed via a network. Further, according to the first and fifth inventions of the present application, even if the A application that causes a disadvantage to the viewer is being activated, the A application is immediately forcibly terminated by the emergency revocation list. As described above, according to the first and fifth aspects of the present invention, it is possible to appropriately manage the execution of the A application that causes a disadvantage to the viewer by efficiently using broadcasting and communication.

  According to the second aspect of the present invention, it is possible to determine the validity of the application signature and the validity of the normal revocation list, and perform more appropriate application authentication processing.

According to the third invention of the present application, the normal revocation list can be differentially updated, and the update process can be speeded up.
According to the fourth aspect of the present invention, since the timing for requesting the normal revocation list is distributed among the broadcasting / communication cooperation receiving devices, it is possible to prevent a situation where requests are concentrated on the revocation list management device and to suppress the load on the network. .

It is the schematic which shows the whole structure of the broadcast communication cooperation system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the application server of FIG. It is a block diagram which shows the structure of the application ID production | generation apparatus of FIG. It is a block diagram which shows the structure of the signature key issuing apparatus of FIG. It is a block diagram which shows the structure of the application registration apparatus of FIG. It is a block diagram which shows the structure of the repository of FIG. It is a block diagram which shows the structure of the revocation list management apparatus of FIG. (A) is a figure which shows the data structure of the emergency revocation list which the revocation list management apparatus of FIG. 7 produces | generates, (b) is a figure which shows the data structure of a normal revocation list. It is a block diagram which shows the structure of the receiver of FIG. It is a figure which shows the data structure of the resource access control table preset in the receiver of FIG. It is a sequence diagram which shows the operation | movement which starts A application in the broadcast communication cooperation system of FIG. It is a sequence diagram which shows the operation | movement which starts a general application in the broadcast communication cooperation system of FIG. It is a flowchart which shows the application authentication process of FIG. 11, FIG. It is the schematic which shows the whole structure of the broadcast communication cooperation system which concerns on the modification of this invention.

[Outline of broadcasting / communication cooperation system]
With reference to FIG. 1, the structure of the broadcast communication cooperation system 1 which concerns on embodiment of this invention is demonstrated.
The broadcasting / communication cooperation system 1 links broadcasting and communication, and provides various services to users (viewers) together with broadcasting programs. Specifically, the broadcasting / communication cooperation system 1 transmits a broadcast program to a broadcasting / communication cooperation receiving apparatus (hereinafter, “receiver”) 100 via a broadcast wave W, and various services via the network N. To the receiver 100. Then, the broadcasting / communication cooperation system 1 provides various services related to the broadcast program to the user by the application in the receiver 100. At this time, the broadcasting / communication cooperation system 1 manages the execution of the A application that causes a disadvantage to the viewer in the receiver 100.

The “application” is software that can be used by the receiver 100, including software that operates on a browser of HTML (HyperText Markup Language) 5.
This application can be classified into an A application and a general application depending on the presence or absence of an application signature.
The application may be abbreviated as “application” (the same applies to the drawings).
In each drawing, the application signature is illustrated as “signature”.

  An application approved by the system administrator is called an “A application”. In this embodiment, it is assumed that the application created by the service provider B is “A application”. The application A is guaranteed for the operation expected in the broadcasting / communication cooperation system 1, and is stored in the repository 80, which will be described later, after the application signature and application ID are added by the application registration device 70 which will be described later. .

  An application that is not approved by the system administrator is called a “general application”. In the present embodiment, it is assumed that the application created by the service provider A is a “general application”. The general application is not guaranteed for the operation expected in the broadcasting / communication cooperation system 1, and is stored in the application server 30 described later in a state where an application signature and an application ID are not added.

The “broadcast station” is a program that sends a program with composition, and distributes the broadcast program to the user (viewer) through the broadcast wave W or the network N.
A “service provider” provides a service, and creates and distributes content and an application for providing the service.

  The “system administrator” is an organization that approves the A application. For example, when a system administrator approves an application created by a certain service provider as an A application, it verifies manually or automatically whether or not this application performs an operation expected in the broadcasting / communication cooperation system 1.

As shown in FIG. 1, the broadcast communication cooperative system 1 includes a broadcast transmission device 10, content distribution servers 20A and 20B, an application server 30, an application management device 40, an application ID generation device 50, and a signature key issuing device. 60, an application registration device 70, a repository 80, a revocation list management device (revocation list management device) 90, and a receiver 100.
In the broadcasting / communication cooperation system 1, the content distribution servers 20A and 20B, the application server 30, the repository 80, the revocation list management device 90, and the receiver 100 are connected via a network N.
In the following drawings, the alternate long and short dash line indicates offline or online transmission.

The broadcast transmission apparatus 10 transmits a broadcast program (broadcast signal) to the receiver 100 via the broadcast wave W, the network N, or a cable (not shown). The broadcast transmitting apparatus 10 transmits an emergency revocation list input from a revocation list management apparatus 90 to be described later via a broadcast wave W (carousel). For example, the broadcast transmission apparatus 10 is a broadcasting facility for digital broadcasting that is installed in a broadcasting station and includes a program organization facility, a program transmission facility, a transmission facility, etc. (not shown).
Since the broadcast transmitting apparatus 10 has a general configuration, detailed description thereof is omitted.

  The content distribution server 20 provides content to the receiver 100 via the network N in response to a request from an application of the receiver 100. Examples of the content distribution server 20 include a VOD (video on demand) distribution server, a caption distribution server, and a multi-view distribution server.

In the present embodiment, the content distribution server 20A is managed by the service provider A, and the content distribution server 20B is managed by the service provider B.
Since the content distribution server 20 has a general configuration, detailed description thereof is omitted.

  The application server 30 is a server that is managed by the service provider A and stores and manages general applications. For example, the application server 30 transmits a general application to the receiver 100 via the network N in response to a request from the receiver 100.

The application management apparatus 40 is managed by the service provider B, and stores and manages applications created by the service provider B. Here, the application stored in the application management apparatus 40 is transmitted to the application registration apparatus 70 via the network N, for example. Further, the recording medium storing this application may be transmitted to the system administrator by offline such as mailing, and the system administrator may manually input this application to the application registration apparatus 70.
Since the application management apparatus 40 has a general configuration, detailed description thereof is omitted.

  The application ID generation device 50 generates an application ID as identification information for uniquely identifying the A application. Then, the application ID generation device 50 outputs the generated application ID to the application registration device 70.

  The signature key issuing device 60 has a signature key (secret key) for generating an application signature indicating that it is an A application, and a verification key (public key) necessary for determining the validity of the application signature. Is issued. The signature key generated by the signature key issuing device 60 is output to the application registration device 70. Further, the verification key generated by the signature key issuing device 60 is distributed to the receiver 100 by an arbitrary method. For example, the verification key is transmitted to the manufacturer that manufactures the receiver 100 and is recorded (preinstalled) in the receiver 100 in advance. In addition, the IC card in which the verification key is recorded may be transmitted to the user offline, and each user may cause the receiver 100 to read the verification key stored in the IC card.

  The application registration apparatus 70 adds an application signature and an application ID to the application from the application management apparatus 40 and registers the application as an A application. Here, for example, the system administrator verifies manually or automatically whether or not the application of the service provider B performs the operation expected in the broadcasting / communication cooperation system 1. Thereafter, the system administrator approves an application having no problem in the verification result as the A application, and inputs it to the application registration apparatus 70. Then, the application registration device 70 generates an application signature with the signature key from the signature key issuing device 60, and adds the generated application signature and the application ID from the application ID generation device 50 to this application. Thereafter, the application registration apparatus 70 outputs the A application to which the application signature and the application ID are added to the repository 80.

The repository 80 stores and manages the A application. The repository 80 transmits the stored A application to the receiver 100 via the network N in response to a request from the receiver 100, for example.
In the present embodiment, the application ID generating device 50, the signature key issuing device 60, the application registration device 70, and the repository 80 are managed by a system administrator.

The revocation list management device 90 stores and manages the emergency revocation list and the normal revocation list.
In this embodiment, the revocation list management device 90 is managed by a broadcasting station.

  The receiver (broadcast communication cooperative receiving device) 100 is a receiving device that is installed in each user's home or the like and can view broadcast programs such as terrestrial digital broadcasting, BS digital broadcasting, and data broadcasting. Further, the receiver 100 receives and executes the A application and the general application via the network N.

Note that the receiver 100 may perform control such as acquisition, activation, and termination of the application based on the application activation information.
The “application activation information” refers to application identification information (ID), information for specifying an application such as an application location, and additional information for controlling acquisition, activation, termination, and the like of the application. Information (information corresponding to an application information table (AIT)).

<Management method using normal revocation list>
Here, a technique will be described in which the broadcasting station manages execution of the A application that causes a disadvantage to the viewer using two types of revocation lists.
The broadcast station inputs the application ID of the A application that the receiver 100 does not want to activate to the revocation list management device 90. Then, the revocation list management apparatus 90 generates a normal revocation list including the input application ID.

  The receiver 100 requests the normal revocation list from the revocation list management apparatus 90 via the network N. In response to this request, the receiver 100 acquires a normal revocation list (in this embodiment, difference information of the normal revocation list) from the revocation list management device 90, and reflects the difference. In addition, each time the application A is activated, the receiver 100 performs application authentication processing using the normal revocation list. Here, when the application ID of the A application to be activated is included in the normal revocation list, the receiver 100 suspends the activation of the A application because the A application has expired.

<Management method using emergency revocation list>
In the first example described above, since the network N is used, the normal revocation list is not distributed to the receiver 100 in real time, and the active A application cannot be terminated.

  Therefore, the broadcasting station inputs the application ID of the A application to be forcibly terminated immediately to the revocation list management device 90 even during execution by the receiver 100. Then, the revocation list management device 90 generates an emergency revocation list including the input application ID and outputs the emergency revocation list to the broadcast transmission device 10. Then, the broadcast transmitting apparatus 10 transmits this emergency revocation list to the receiver 100 via the broadcast wave W in real time.

  Further, when the receiver 100 receives the emergency revocation list, the receiver 100 performs application authentication on the active A application using the emergency revocation list. Here, when the application ID of the active A application is included in the emergency revocation list, the receiver 100 forcibly terminates the A application because the A application has expired.

Application server configuration
The configuration of the application server 30 will be described with reference to FIG. 2 (see FIG. 1 as appropriate).
As shown in FIG. 2, the application server 30 includes an application input unit 300, an application storage unit 301, and an application transmission unit 302.

  The application input means 300 is used for inputting a general application (application of the service provider A). Then, the application input unit 300 writes the input general application in the application storage unit 301.

  The application storage unit 301 is a storage device such as a memory or a hard disk that stores general applications. Here, the location of the general application in the application storage unit 301 is described in the application activation information.

  The application transmission unit 302 transmits a general application to the receiver 100 in response to a request from the receiver 100. Specifically, when the application transmission unit 302 receives a request from the receiver 100 via the network N, the application transmission unit 302 reads a general application corresponding to the request from the application storage unit 301. Then, the application transmission unit 302 transmits the read general application to the receiver 100 via the network N.

[Configuration of Application ID Generating Device]
The configuration of the application ID generation device 50 will be described with reference to FIG. 3 (see FIG. 1 as appropriate).
As shown in FIG. 3, the application ID generation device 50 includes an application ID generation unit 500 and an application ID output unit 501.

  The application ID generation unit 500 generates an application ID. For example, the application ID generation unit 500 generates an application ID according to a preset naming convention. This naming convention includes, for example, an application ID that is the number of an organization that created an application and a number that uniquely identifies the application within the organization. Then, the application ID generation unit 500 outputs the generated application ID to the application ID output unit 501.

  The application ID output unit 501 receives the application ID from the application ID generation unit 500 and outputs the application ID to the application registration apparatus 70.

  In the application ID generation device 50, the timing for generating the application ID is arbitrary. For example, when the system administrator approves the application of the service provider B as the A application, the system administrator manually inputs an application ID generation command to the application ID generation device 50. Then, the application ID generation device 50 generates an application ID according to the input application ID generation command.

[Configuration of signing key issuing device]
The configuration of the signature key issuing device 60 will be described with reference to FIG. 4 (see FIG. 1 as appropriate).
As shown in FIG. 4, the signature key issuing device 60 includes a signature key / verification key generation unit 600, a verification key management unit 601, and a signature key management unit 602.

The signature key / verification key generation unit 600 generates a signature key and a verification key. Here, the signature key / verification key generation unit 600 generates a signature key and a verification key that are common to the broadcasting / communication cooperation system 1 by using a general public key cryptosystem such as RSA, ElGamal, Rabin, elliptic curve cryptography, for example. To do. Also, the signature key / verification key generation means 600 may use a key-insulated signature method in addition to the public key encryption method described above. The signature key / verification key generation unit 600 outputs the generated verification key to the verification key management unit 601 and outputs the generated signature key to the signature key management unit 602.
Details of the key-insulated signature scheme can be found in, for example, the reference document “Efficient provider authentication for interactive services”, Otake et al., NHK Giken R & D / No. 124 / 2010.11 ”.

The verification key management unit 601 stores and manages the verification key generated by the signature key / verification key generation unit 600. For example, the verification key management unit 601 receives the verification key from the signature key / verification key generation unit 600 and stores the verification key in a storage device (not shown) such as a memory or a hard disk. Then, the verification key management unit 601 outputs the stored verification key. The verification key output from the verification key management unit 601 is distributed to the receiver 100 by a method such as preinstalled in the receiver 100 or stored in an IC card and transmitted offline.
Note that after the verification key is distributed to the receiver 100, it is not necessary to continue to store and manage the verification key, so the verification key may be deleted from the verification key management unit 601.

  The signature key management unit 602 stores and manages the signature key generated by the signature key / verification key generation unit 600. For example, the signature key management unit 602 receives the signature key from the signature key / verification key generation unit 600 and stores the signature key in a storage device (not shown) such as a memory or a hard disk. Then, the signature key management unit 602 outputs the stored signature key to the application registration apparatus 70.

  The signing key issuing device 60 may generate the signing key and the verification key before starting the registration of the A application. For example, the system administrator manually inputs a key generation command to the signature key issuing device 60 when introducing or initializing the broadcasting / communication cooperation system 1. Then, the signature key issuing device 60 generates and outputs a signature key and a verification key according to the input key generation command.

[Configuration of application registration device]
The configuration of the application registration device 70 will be described with reference to FIG. 5 (see FIG. 1 as appropriate).
As shown in FIG. 5, the application registration device 70 includes an application input unit 700, an application ID input unit 701, an application ID addition unit 702, a signature key input unit 703, a signature generation unit 704, and a signature addition unit 705. And application output means 706.

  The application input unit 700 is used to input an application approved by the system administrator. Then, the application input unit 700 outputs the input application to the application ID adding unit 702.

  The application ID input unit 701 receives an application ID from the application ID generation device 50. Then, the application ID input unit 701 outputs the input application ID to the application ID adding unit 702.

  The application ID adding unit 702 adds the application ID input from the application ID input unit 701 to the application input from the application input unit 700. Then, the application ID adding unit 702 outputs the application with the application ID added to the signature adding unit 705.

  The signature key input unit 703 receives a signature key (secret key) from the signature key issuing device 60. Then, the signature key input unit 703 outputs the input signature key to the signature generation unit 704.

  The signature generation means 704 receives the signature key from the signature key input means 703 and generates an application signature using this signature key. For example, any one or a combination of two or more of an operator ID, an application ID, a random number, and a binary code value of an application main body that uniquely identifies a service operator is used as a signature source message that is a source of an application signature. . Then, the signature generation unit 704 generates an application signature from the signature source message using the signature key, and outputs the generated application signature to the signature addition unit 705.

Note that the above-described signature source message needs to be distributed to the receiver 100 by some method. For example, the signature source message is added to the application, and the signature source message is distributed to the receiver 100 together with the application. Further, the signature source message may be distributed by the same method as the verification key.
Hereinafter, description will be made assuming that this signature source message is added to the application.

  The signature adding unit 705 adds the application signature input from the signature generating unit 704 to the application input from the application ID adding unit 702. Then, the signature adding unit 705 outputs the application with the application ID and the application signature added to the application output unit 706.

  The application output unit 706 receives an application from the signature adding unit 705 and outputs the application to the repository 80. That is, the application output unit 706 outputs the application with the application ID and the application signature added to the repository 80 as an A application.

Repository configuration
The configuration of the repository 80 will be described with reference to FIG. 6 (see FIG. 1 as appropriate).
As shown in FIG. 6, the repository 80 includes an application input unit 800, an application storage unit 801, and an application transmission unit 802.

  The application input means 800 is for inputting the A application from the application registration device 70. Then, the application input unit 800 writes the input A application in the application storage unit 801.

  The application storage unit 801 is a storage device such as a memory or a hard disk that stores the A application. For example, the storage location of the A application in the application storage unit 801 is described in the application activation information.

  The application transmission unit 802 transmits the A application to the receiver 100 in response to a request from the receiver 100. Specifically, when the application transmission unit 802 receives a request from the receiver 100 via the network N, the application transmission unit 802 reads the A application corresponding to the request from the application storage unit 801. Then, the application transmission unit 802 transmits the read A application to the receiver 100 via the network N.

[Configuration of revocation list management device]
The configuration of the revocation list management device 90 will be described with reference to FIG. 7 (see FIG. 1 as appropriate).
As shown in FIG. 7, the revocation list management apparatus 90 includes an emergency revocation list application ID input unit 900, an emergency revocation list generation unit 901, an emergency revocation list output unit 902, and a normal revocation list application ID input unit 903. A normal revocation list generation unit 904, a normal revocation list storage unit 905, a normal revocation list request reception unit 906, and a normal revocation list transmission unit 907.

  The emergency revocation list application ID input unit 900 receives an application ID of an application that is to be forcibly terminated immediately from the outside (for example, a broadcasting station). Then, the emergency revocation list application ID input unit 900 outputs the input application ID to the emergency revocation list generation unit 901.

  The emergency revocation list generation unit 901 generates an emergency revocation list including the application ID input from the emergency revocation list application ID input unit 900. Then, the emergency revocation list generation unit 901 outputs the generated emergency revocation list to the emergency revocation list output unit 902.

<Emergency revocation list>
The emergency revocation list will be described with reference to FIG. 8 (see FIG. 7 as appropriate).
Here, the emergency revocation list generating unit 901 generates an emergency revocation list 91 including an ID list 91a as shown in FIG.
The ID list 91a is a list of all application IDs input to the emergency revocation list application ID input unit 900.

Returning to FIG. 7, the description of the configuration of the revocation list management apparatus 90 will be continued.
The emergency revocation list output unit 902 outputs the emergency revocation list input from the emergency revocation list generation unit 901 to the broadcast transmitting apparatus 10.
The normal revocation list application ID input unit 903 receives an application ID of an application whose activation is desired to be stopped from the outside (for example, a broadcasting station). Then, the normal revocation list application ID input unit 903 outputs the input application ID to the normal revocation list generation unit 904.

  The normal revocation list generation unit 904 generates a normal revocation list including the application ID input from the normal revocation list application ID input unit 903. Then, the normal revocation list generation unit 904 writes the generated normal revocation list in the normal revocation list storage unit 905 as the latest version of the normal revocation list.

<Normal revocation list>
The normal revocation list will be described with reference to FIG. 8 (see FIG. 7 as appropriate).
Here, the normal revocation list generating unit 904 generates a normal revocation list 93 including version information 93a, revocation list verification information 93b, and an ID list 93c, as shown in FIG. 8B.

  The version information 93a is information indicating the version (version number) of the normal revocation list 93, and is information necessary for updating the difference of the normal revocation list. For example, the version information 93a can be expressed in a numerical format or a time stamp format.

  The revocation list verification information 93b is information necessary for verification of the normal revocation list 93 by the receiver 100, and is either a hash value, a MAC (Message Authentication Code) value, or a revocation list signature. It is.

First, the case where the revocation list verification information 93b is a hash value will be described.
In this case, any one of a random number, a binary code value of the normal revocation list body, or a combination of two or more thereof is used as a verification source message. Then, the normal revocation list generation unit 904 applies a hash function to the verification source message to calculate a hash value of the verification source message. Further, the signature generation unit 704 adds the calculated hash value to the normal revocation list 93 as revocation list verification information 93b.

Next, the case where the revocation list verification information 93b is a MAC value will be described.
In this case, the normal revocation list generation unit 904 generates the verification source message described above. The normal revocation list generation unit 904 generates a shared key shared by the revocation list management device 90 and the receiver 100. Then, the normal revocation list generating unit 904 calculates the MAC value of the verification source message using the generated shared key. Further, the signature generation unit 704 adds the calculated MAC value to the normal revocation list 93 as revocation list verification information 93b.

Next, the case where the revocation list verification information 93b is a revocation list signature will be described.
In this case, the normal revocation list generation unit 904 generates the verification source message described above. Further, the normal revocation list generation unit 904 generates a signature key and a verification key in the same manner as the signature key issuing device 60. The normal revocation list generation unit 904 generates a revocation list signature from the verification source message using the generated verification key, as in the application registration apparatus 70. Further, the signature generation unit 704 adds the calculated revocation list signature to the normal revocation list 93 as revocation list verification information 93b.

  The ID list 93c is a list of all application IDs input to the normal revocation list application ID input means 903.

The verification source message described above needs to be distributed to the receiver 100 by some method. For example, the verification source message is added to the normal revocation list, and the verification source message is distributed to the receiver 100 together with the normal revocation list. Hereinafter, the verification source message will be described as being added to the application.
In addition, a common key or verification key for verifying the validity of the normal revocation list is distributed in advance to the receiver 100 by a method such as preinstalled in the receiver 100 or stored in an IC card and transmitted offline. May be.

Returning to FIG. 7, the description of the configuration of the revocation list management apparatus 90 will be continued.
The normal revocation list storage unit 905 is a storage device such as a memory or a hard disk that stores the normal revocation list generated by the normal revocation list generation unit 904. In the present embodiment, the normal revocation list storage unit 905 stores the normal revocation lists of all versions because there is a possibility that the versions of the normal revocation lists stored in the respective receivers 100 may not be unified. .

The normal revocation list request receiving unit 906 receives a normal revocation list request from the receiver 100. This normal revocation list request indicates a request for the latest normal revocation list stored in the revocation list management device 90. For example, the normal revocation list request includes location information (for example, IP address) of the receiver 100 and version information of the normal revocation list stored in the receiver 100. Then, the normal revocation list request reception unit 906 outputs the received normal revocation list request to the normal revocation list transmission unit 907.
The latest normal revocation list is the latest version of the normal revocation list among all normal revocation lists stored in the normal revocation list storage unit 905.

The normal revocation list transmission unit 907 receives the latest revocation list of the revocation list management device 90 and the stored normal revocation list of the receiver 100 in response to the normal revocation list request input from the normal revocation list request reception unit 906. Difference information is transmitted to the receiver 100.
The stored normal revocation list is a normal revocation list stored in the revocation list storage means 116 in FIG.

  Specifically, the normal revocation list transmission unit 907 reads the latest normal revocation list from the normal revocation list storage unit 905 when a normal revocation list request is input. The normal revocation list transmission unit 907 reads a normal revocation list corresponding to the version information of the normal revocation list request (that is, a normal revocation list that is the same as the stored normal revocation list). Then, the normal revocation list transmission unit 907 compares the application IDs of the latest normal revocation list and the read normal revocation list, and generates difference information of the normal revocation list.

Here, consider a case where an application ID that is not included in the stored normal revocation list is included in the latest normal revocation list. In this case, the normal revocation list transmission unit 907 adds this application ID to the difference information.
Also, consider a case where the application ID included in the stored normal revocation list is not included in the latest normal revocation list. In this case, the normal revocation list transmission unit 907 adds ID deletion information indicating deletion of the application ID to the difference information.
Thereafter, the normal revocation list transmission unit 907 transmits the generated normal revocation list difference information to the receiver 100.

[Configuration of receiver]
The configuration of the receiver 100 will be described with reference to FIG. 9 (see FIG. 1 as appropriate).
As shown in FIG. 9, the receiver 100 includes a broadcast receiving means 101, a broadcast signal analyzing means 102, a video / audio decoding means 103, a data broadcast decoding means 104, a communication transmitting / receiving means 105, and an application activation information acquisition. Means 106, application start information storage means 107, list control means 108, application management / execution control means 109, start application identification information storage means 110, application acquisition means 111, application storage means 112, and application execution Means 113, operation control means 114, composite display means 115, revocation list storage means 116, normal revocation list request / acquisition means (normal revocation list acquisition means) 117, security management means 118, and resource management means 121 With.

  The broadcast receiving means 101 receives a broadcast program (broadcast signal) via an antenna A, a network N or a cable (not shown), demodulates, performs error correction and decoding, and forms an MPEG2 transport stream (TS). Is output to the broadcast signal analyzing means 102.

  The broadcast signal analyzing means 102 analyzes PSI / SI (Program Specific Information / Service Information [program arrangement information]) in the stream data (TS) demodulated by the broadcast receiving means 101, and selects the current channel. Data such as video, audio, data broadcast, etc. corresponding to the organized channel is extracted. The channel selection is performed based on a channel switching instruction notified from the operation control unit 114 described later.

  The broadcast signal analyzing means 102 outputs the extracted data such as video and audio in the PES (Packetized Elementary Stream) format to the video / audio decoding means 103 and extracts the section format data such as the extracted data broadcast. Is output to the data broadcast decoding means 104.

  At this time, the broadcast signal analyzing unit 102 uses the application included in the AIT descriptor (application activation information descriptor), which is one of SI (program sequence information), from the stream data demodulated by the broadcast receiving unit 101. Activation information may be extracted. Then, the broadcast signal analysis unit 102 writes the extracted application activation information in the application activation information storage unit 107. Furthermore, when the application activation information is extracted, the broadcast signal analysis unit 102 indicates that the application activation information has been notified (activation information notification), together with information for identifying the application (application ID), and the application management / execution control unit 109. Notify

  The video / audio decoding unit 103 decodes the video / audio (MPEG2 video stream and audio stream) extracted by the broadcast signal analysis unit 102 and outputs the decoded video / audio data to the composite display unit 115. .

The data broadcast decoding unit 104 decodes the data broadcast data extracted by the broadcast signal analysis unit 102, analyzes the BML, converts the BML into display data, and outputs the display data to the composite display unit 115.
Further, the data broadcast decoding unit 104 extracts the application activation information transmitted by the carousel, and writes the extracted application activation information in the application activation information storage unit 107.

Further, the data broadcast decoding unit 104 includes an emergency revocation list acquisition unit 104a.
The emergency revocation list acquisition unit 104a acquires the emergency revocation list transmitted by the carousel, and writes the acquired emergency revocation list in the revocation list storage unit 116. At this time, the emergency revocation list acquisition unit 104a adds a value (for example, “0”) indicating that it is an emergency revocation list to the emergency revocation list as a revocation list category. Further, the emergency revocation list acquisition unit 104 a outputs an application revocation information notification indicating that the emergency revocation list has been acquired to the application management / execution control unit 109.

  The communication transmitter / receiver 105 receives data such as application, application activation information, and difference information of the normal revocation list via the network N. Further, the communication transmitting / receiving unit 105 transmits data such as a normal revocation list request via the network N.

  The application activation information acquisition unit 106 acquires activation information corresponding to the A application and the general application via the communication transmission / reception unit 105. Then, the application activation information acquisition unit 106 writes the acquired application activation information in the application activation information storage unit 107.

  The application activation information storage unit 107 is a storage device such as a memory or a hard disk that stores application activation information. Here, the application activation information is written into the application activation information storage unit 107 by the broadcast signal analysis unit 102, the data broadcast decoding unit 104, or the application activation information acquisition unit 106.

The list control means 108 is a launcher that performs display of a list of applications that can be started and control of application selection.
The list control unit 108 generates a list of applications corresponding to the application activation information stored in the application activation information storage unit 107 when the user instructs a list display via the operation control unit 114. The data is output to the composite display means 115 as display data. At this time, the list control unit 108 outputs a launcher activation notification indicating that the launcher has been activated to the normal revocation list request / acquisition unit 117.

  Further, the list control unit 108 selects an application from the displayed application list via the operation control unit 114 by the user. Then, the list control unit 108 outputs a selected application notification including a number (application ID) for identifying the selected application to the application management / execution control unit 109.

The application management / execution control means 109 controls the life cycle of the application (the process from when the application is loaded and executed until it is terminated).
Specifically, when a resource allocation request is input from the application execution unit 113 described later, the application management / execution control unit 109 outputs (transfers) the resource allocation request to the resource management unit 121 described later.

Further, when the response of the resource allocation request is input from the resource management unit 121, the application management / execution control unit 109 outputs (transfers) the response of the resource allocation request to the application execution unit 113.
When the resource allocation request response indicates that the resource allocation has succeeded, the application management / execution control unit 109 associates this resource allocation success with a memory or the like in association with the active application ID. Is written in a security information table (not shown) stored in
On the other hand, if the response to the resource allocation request is a resource allocation failure indicating that the resource allocation has failed, the application management / execution control unit 109 associates this resource allocation failure with the security information table in association with the active application ID. Write to.

Here, the application management / execution control means 109 includes a start control means 109a, an end control means 109b, and a storage management means 109c.
The activation control unit 109a controls activation of the application acquired by the application acquisition unit 111.

First, a case where the activation information notification is input from the broadcast signal analysis unit 102 will be described.
In this case, the activation control unit 109a outputs an authentication instruction to the application authentication unit 119 with the application to be activated as the authentication target application. This authentication instruction instructs the application authentication unit 119 to perform application authentication processing. For example, the authentication instruction includes the application ID of the authentication target application.

  The activation control unit 109a receives an authentication result from the application authentication unit 119 in response to the authentication instruction. For example, the authentication result includes an application ID of the authentication target application and an attribute of the authentication target application. This attribute is one of A application (for example, “0”), general application (for example, “1”), unauthorized A application (for example, “2”), or invalidation (for example, “3”). Indicates.

Here, when the authentication result indicates the A application or the general application, the activation control unit 109 a activates the application according to the application activation information stored in the application activation information storage unit 107. Then, the activation control unit 109a writes the input authentication result in the security information table in association with the activated application ID. As a result, the application management / execution control unit 109 can store and manage the success or failure of resource allocation to the running application, the allocated resource, and the authentication result.
On the other hand, when the authentication result indicates an invalid A application or revocation, the activation control unit 109a stops activation of this application.

  Next, a case where a selection application notification is input from the list control unit 108 will be described. In this case, the activation control unit 109a outputs an authentication instruction to the application authentication unit 119 as in the case where the activation information notification is input. Then, the activation control unit 109a activates the application or stops the activation of the application according to the authentication result from the application authentication unit 119. Further, when the application is activated, the activation control unit 109a notifies the application execution unit 113 that the application is to be executed (activation control instruction). As a result, the application selected from the list by the user is activated.

The activation control unit 109a manages the activated application with identification information (application ID), and writes the activated application ID in the activated application identification information storage unit 110.
Further, when the application is activated, the activation control unit 109a outputs an application activation notification indicating that the application has been activated to the normal revocation list request / acquisition unit 117.

The termination control means 109b performs termination control of the running application.
Specifically, when the activation information notification is notified from the broadcast signal analysis unit 102, the termination control unit 109b sends an application to the application execution unit 113 in accordance with the application activation information stored in the application activation information storage unit 107. Instruct the end of.

  A case where an application revocation information notification is input from the emergency revocation list acquisition unit 104a will be described. In this case, the termination control unit 109b refers to the activated application identification information storage unit 110 and acquires the application ID of the activated application. Then, the termination control unit 109b outputs the authentication instruction to the application authentication unit 119 using the active A application as the authentication target application. Further, the activation control unit 109a forcibly terminates the application or continues the processing of the application according to the authentication result from the application authentication unit 119.

Here, when the authentication result indicates revocation, the termination control unit 109b instructs the application execution unit 113 to terminate the active A application and forcibly terminates the A application.
On the other hand, when the authentication result indicates other than revocation, the termination control unit 109b does not perform any processing. In other words, the active A application is not forcibly terminated and the processing is continued.

The accumulation management unit 109c performs control for accumulating (installing) the application in the receiver 100 (specifically, the application storage unit 112).
Specifically, the accumulation management unit 109 c notifies the application acquisition unit 111 of an application acquisition instruction when the list control unit 108 is notified of the selected application notification. This application acquisition instruction is an instruction to acquire an application based on the application activation information and write it in the application storage unit 112.
As a result, the application selected by the user is stored in the application storage unit 112.

Here, when the application is stored (installed) in the application storage unit 112, the storage management unit 109c sets the stored application storage state in the application activation information storage unit 107 as “storage”.
On the other hand, the accumulation management unit 109c deletes the accumulated application in accordance with a user instruction. At this time, the accumulation management unit 109c sets the deleted application accumulation state in the application activation information storage unit 107 to “not accumulated”.

  The startup application identification information storage unit 110 is a storage device such as a memory or a hard disk that stores identification information (application ID) of an application that is being started (running). The activation application identification information storage means 110 is written with an application ID when the application is activated by the activation control means 109a, and is deleted when the application is terminated by the termination control means 109b.

  The application acquisition unit 111 acquires an application stored in either the repository 80 or the application server 30 via the communication transmission / reception unit 105 when an application acquisition instruction is notified from the accumulation management unit 109c. Then, the application acquisition unit 111 writes the acquired application in the application storage unit 112.

  The application storage unit 112 is a storage device such as a memory or a hard disk that stores the application acquired by the application acquisition unit 111. The application stored in the application storage unit 112 is read and executed by the application execution unit 113.

The application execution unit 113 starts and ends the application based on the start control instruction from the application management / execution control unit 109.
The application execution unit 113 uses an application and data (for example, metadata, icon data, etc.) necessary for executing the application based on information (application ID, location, etc.) specifying the application included in the activation control instruction. Get from the acquisition source of. Then, the application execution unit 113 develops (loads) the application in a memory (not shown) and executes the application.
Image and audio data accompanying execution of this application is output to the composite display means 115.

Here, the application execution unit 113 outputs a resource allocation request to the resource management unit 121 via the application management / execution control unit 109 when the application being started calls an API (Application Program Interface) for accessing the resource. To do.
This resource allocation request is a request for resource allocation, and includes, for example, an API name called by a running application.

The application execution unit 113 receives a resource allocation request response from the resource management unit 121.
Here, if the response to the resource allocation request is successful, the application execution unit 113 calls the API and uses the resource allocated by the resource management unit 121.
On the other hand, when the response to the resource allocation request is a resource allocation failure, the application execution unit 113 performs an arbitrary process for each application such as security-related exception processing or application termination.

In addition, when an application termination or forced termination is instructed from the termination control unit 109b, the application execution unit 113 terminates the active application by an interrupt signal or the like, for example.
Although the application execution unit 113 has been described as outputting a resource allocation request to the resource management unit 121 via the application management / execution control unit 109, the present invention is not limited to this. Specifically, the application execution unit 113 may directly output a resource allocation request to the resource management unit 121 (not shown).

  When the user gives an instruction to change the channel via the remote controller Ri, the operation control means 114 notifies the broadcast signal analysis means 102 of a channel switching instruction including the changed channel number. As a result, the channel currently being viewed is selected.

The composite display means 115 includes video data / audio data from the video / audio decoding means 103, data broadcast display data from the data broadcast decoding means 104, list display data from the list control means 108, and application execution means. The display data of the application from 113 is combined and displayed.
The synthesized display means 115 outputs the synthesized audio as an audio signal to an audio output device Sp such as a speaker connected to the outside, and the synthesized video (image) is externally connected as a video signal. Output to a video display device Mo such as a liquid crystal display.

  The revocation list storage means 116 stores an emergency revocation list and a normal revocation list. Here, the revocation list storage unit 116 stores only one type of normal revocation list in which the difference information is reflected by the normal revocation list request / acquisition unit 117 described later. That is, the revocation list storage unit 116 stores only one type of the latest version of the normal revocation list. The revocation list storage unit 116 stores only one type of emergency revocation list because the emergency revocation list is overwritten.

  For example, the revocation list storage unit 116 stores an emergency revocation list and a normal revocation list encrypted with a local cipher. The revocation list storage unit 116 may be a tamper resistant device such as an IC card.

The normal revocation list request / acquisition unit 117 transmits a normal revocation list request to the revocation list management apparatus 90 via the communication transmitting / receiving unit 105. For example, the normal revocation list request / acquisition unit 117 reads the version information of the stored normal revocation list from the revocation list storage unit 116. Then, the normal revocation list request / acquisition means 117 generates a normal revocation list request including the location information of the receiver 100 and the read version information, and transmits it to the revocation list management device 90.
The location information (for example, URL) of the revocation list management device 90 is set in the receiver 100 in advance.

Here, the normal revocation list request / acquisition means 117 can transmit a normal revocation list request at the following timing.
For example, the normal revocation list request / acquisition unit 117 transmits a normal revocation list request when an application activation notification is input from the activation control unit 109a (when the application is activated).
Further, the normal revocation list request / acquisition unit 117 may transmit a normal revocation list request when a launcher activation notification is input from the list control unit 108 (at the time of launching the launcher).
Further, the normal revocation list request / acquisition unit 117 may transmit the normal revocation list request within the time when the standby power of the receiver 100 is turned on (within the standby time of the receiver 100). For example, the normal revocation list request / acquisition unit 117 transmits a normal revocation list request at predetermined intervals within the waiting time of the receiver 100.
The normal revocation list request / acquisition unit 117 may transmit a normal revocation list request at a timing determined by grouping of device codes unique to the receiver 100.

  This device code is, for example, the ID of a B-CAS (BS Conditional Access Systems) card or the IP domain of the receiver 100. If the device code is an IP domain, the device codes are grouped in units of residence in advance. If the device code is a B-CAS card ID, the device codes are grouped in advance in a random manner. The receiver 100 stores in advance transmission timing information indicating the transmission timing of the normal revocation list request for each group. This transmission timing information may be distributed to the receiver 100 via a broadcast wave. Then, the normal revocation list request / acquisition unit 117 obtains the group to which the receiver 100 belongs from the device code, refers to the transmission timing information, and obtains the transmission timing of the obtained group.

  The normal revocation list request / acquisition unit 117 receives the normal revocation list difference information from the revocation list management device 90 in response to the normal revocation list request via the communication transmitting / receiving unit 105. Then, the normal revocation list request / acquisition unit 117 compares the received difference information with the application ID of the stored normal revocation list, and reflects the difference information in the stored normal revocation list. At this time, the normal revocation list request / acquisition means 117 adds a value (for example, “1”) indicating that it is a normal revocation list to the normal revocation list as a revocation list category.

Here, consider a case where an application ID that is not included in the stored normal revocation list is included in the difference information. In this case, the normal revocation list request / acquisition means 117 adds this application ID to the stored normal revocation list.
Also, consider a case where the ID deletion information is included in the difference information. In this case, the normal revocation list request / acquisition unit 117 deletes the application ID indicated by the ID deletion information from the stored normal revocation list.

  The security management unit 118 manages the security of the receiver 100, and includes an application authentication unit 119 and a resource access control unit 120.

  The application authentication unit 119 includes a verification key management unit (verification key storage unit) 119a that stores and manages a verification key. Further, the application authentication unit 119 performs an application authentication process described later in accordance with the authentication instruction input from the activation control unit 109a or the end control unit 109b (see FIG. 13). Further, the application authentication unit 119 outputs the result of the application authentication process (authentication result) to the activation control unit 109a or the end control unit 109b that has input the authentication instruction.

  The resource access control means 120 performs resource access control for this application according to the attribute of the application acquired by the application acquisition means 111. In this embodiment, the resource access control means 120 performs resource access control based on a preset resource access control table.

<Resource access control>
With reference to FIG. 10, the resource access control by the resource access control means 120 will be specifically described (see FIG. 9 as appropriate).
This resource access control table is a table in which resources that can be accessed and resources that cannot be accessed by each of the A application and the general application are set in advance. Further, as shown in FIG. 10, the resource access control table has data items such as an API identifier, an API name, a resource type, and an access authority.

The API identifier is an identifier that uniquely identifies an API that accesses a resource.
The API name is the name of the API that accesses the resource.
The resource type is information indicating the resource accessed by the API.
The access authority indicates whether each of the A application and the general application can access the resource.

This resource is a content element and a receiver resource that are necessary for the operation of the application, and includes, for example, a broadcast resource, a communication resource, and a receiver resource.
This broadcast resource is a resource handled by the broadcast wave W, and can include, for example, video, audio, captions, PSI (Program Specific Information) / SI (Service Information).
The communication resource is a resource handled in the network N, and examples thereof include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Furthermore, the receiver resource is a resource related to software and hardware of the receiver 100, and examples thereof include video / audio output processing, channel selection processing, memory, and storage.

  In the resource access control table of FIG. 10, a dedicated API for accessing the resource is defined for each resource. In this example, the API for accessing the resource “video” is “subA ()”, the API for accessing the resource “audio” is “subB ()”, and the API for accessing the resource “subtitle” is “subC ( ”” And the API for accessing the resource “SI” is “subD ()”.

  In addition, this resource access control table indicates that the application A can access all resources of “video”, “audio”, “caption”, and “SI” because the access authority is “◯”.

  Furthermore, this resource access control table indicates that the general application cannot access these resources because the access authority of the broadcast resources such as “video”, “audio”, and “caption” is “x”. On the other hand, this resource access control table indicates that even a general application can access the resource “SI”.

  That is, the resource access control table of FIG. 10 is set so that the A application can access a wider range of resources than the general application. In other words, this resource access control table is set so that a general application cannot access a predetermined resource from the viewpoint of safety and publicity of broadcasting.

  Here, a system administrator or a person having authority such as a broadcasting station creates this resource access control table, transmits it to the receiver 100 via the broadcast wave W or the network N, and stores it in the receiver 100. It is also good to do. Thereby, in the receiver 100, the system administrator or the broadcast station can manage the resources that can be accessed by the general application, and the maintainability is improved.

  Note that the resource access control table is not limited to the example of FIG. For example, resources other than broadcast resources (for example, communication resources such as “TCP”) can be set in the resource access control table.

  The resource access control unit 120 receives the authentication result from the application authentication unit 119. Then, when the resource allocation availability inquiry is input from the resource management unit 121, the resource access control unit 120 determines whether the resource can be allocated based on the authentication result.

Specifically, when the authentication result is an A application, the resource access control unit 120 searches the access authority of the A application using the API name included in the resource allocation permission query as a search key of the resource access control table, Judge whether resources can be allocated. For example, when the A application calls “subA ()”, the resource access control unit 120 determines that the resource can be allocated because the access authority of the resource “video” is “◯”. Then, the resource access control unit 120 outputs to the resource management unit 121 information indicating that resource allocation is possible, indicating that resource allocation is possible.
When the access authority of the A application is “x”, the resource access control unit 120 prohibits access to the resource even for the A application (not shown in FIG. 10).

  On the other hand, when the authentication result is a general application, the resource access control unit 120 searches the access authority of the general application using the API name included in the resource allocation permission query as a search key of the resource access control table, and allocates the resource Determine whether or not. For example, when the general application calls “subA ()”, the resource access control unit 120 determines that the resource allocation is impossible because the access authority of the resource “video” is “x”. When the general application calls “subD ()”, the resource access control unit 120 determines that the resource can be allocated because the access authority of the resource “SI” is “◯”. Thereafter, the resource access control unit 120 outputs, to the resource management unit 121, based on the determination result, either resource allocation impossible indicating that resource allocation is impossible or resource allocation possible.

Returning to FIG. 9, the description of the configuration of the receiver 100 will be continued.
The resource management unit 121 manages various resources. Here, when a resource allocation request is input from the application management / execution control unit 109, the resource management unit 121 outputs a resource allocation enable / disable inquiry to the resource access control unit 120 in response to the resource allocation request.
This resource allocation availability inquiry is an inquiry to the resource access control means 120 for resource allocation availability, and includes, for example, the API name stored in the resource allocation request.

Further, the resource management unit 121 receives a resource allocation availability response from the resource access control unit 120.
Here, the resource management unit 121 allocates a resource to the running application when the resource allocation availability response is a resource allocation possible. Then, the resource management unit 121 outputs to the application management / execution control unit 109 a resource allocation success indicating that the resource allocation has been successful.
On the other hand, the resource management unit 121 outputs, to the application management / execution control unit 109, a resource allocation failure indicating that the resource allocation has failed when the resource allocation availability response is a resource allocation impossible response.

[Operation of broadcasting / communication cooperation system: Application A]
A case where the receiver 100 starts the A application (FIG. 11) and a case where the receiver 100 starts the general application (FIG. 12) will be described as operations of the broadcasting / communication cooperation system 1 in FIG.

  As shown in FIG. 11, the broadcasting / communication cooperation system 1 issues a signature key (private key) and a verification key (public key) corresponding to the signature key by the signature key issuing device 60 (step S1).

  The broadcasting / communication cooperation system 1 distributes the verification key generated by the signature key issuing device 60 to the receiver 100 by an arbitrary method. For example, this verification key is transmitted to the manufacturer that manufactures the receiver 100 and is recorded in the receiver 100 in advance (preinstalled). In addition, the IC card in which the verification key is recorded may be transmitted to the user offline, and each user may cause the receiver 100 to read the verification key stored in the IC card (step S2).

In the broadcasting / communication cooperation system 1, the signature key issuing device 60 outputs the generated signature key to the application registration device 70. For example, the signature key issuing device 60 outputs (issues) this signature key to the application registration device 70 in response to a command from the system administrator (step S3).
The processes in steps S1 to S3 may be executed once before registration of the A application is started, and may not be executed every time the A application is registered.

  The broadcasting / communication cooperation system 1 generates an application ID by the application ID generation device 50 (step S4). Then, the broadcasting / communication cooperation system 1 outputs the application ID generated by the application ID generation device 50 to the application registration device 70 (step S5).

  The broadcasting / communication cooperation system 1 outputs the application stored in the application management apparatus 40 to the application registration apparatus 70 by an arbitrary method. For example, this application is transmitted to the application registration apparatus 70 via the network N. Alternatively, the recording medium storing the application may be transmitted offline to the system administrator, and the system administrator may manually input the application to the application registration apparatus 70 (step S6).

  The broadcasting / communication cooperation system 1 adds the application ID input from the application ID generation device 50 to the application input from the application management device 40 by the application registration device 70 (step S7).

  The broadcasting / communication cooperation system 1 uses the application registration device 70 to generate an application signature using the signature key to which the signature key is input from the signature key issuing device 60 (step S8).

  The broadcasting / communication cooperation system 1 adds the generated application signature to the application with the application ID by the application registration device 70 (step S9). Then, the broadcasting / communication cooperation system 1 transmits the application with the application signature added to the repository 80 by the application registration device 70, and stores and manages the A application by the repository 80 (step S10).

  The broadcasting / communication cooperation system 1 uses the receiver 100 to request the A application from the repository 80 (step S11). Then, the broadcasting / communication cooperation system 1 acquires the requested A application from the repository 80 by the receiver 100 (step S12).

The broadcasting / communication cooperation system 1 performs application authentication processing using the acquired application as an authentication target application by the receiver 100 (step S13).
Here, since the authentication result is the A application, the broadcasting / communication cooperation system 1 starts up the acquired application as the A application by the receiver 100 (step S14).

[Broadcast communication system operation: General application]
As shown in FIG. 12, the broadcast communication cooperative system 1 requests a general application from the application server 30 (step S21). And the broadcast communication cooperation system 1 acquires the requested general application from the application server 30 by the receiver 100 (step S22).

The broadcasting / communication cooperation system 1 performs an application authentication process by using the acquired application as an authentication target application by the receiver 100 (step S23).
Here, since the authentication result is a general application, the broadcasting / communication cooperation system 1 starts up the acquired application as a general application by the receiver 100 (step S24).

[Receiver operation: Application authentication processing]
With reference to FIG. 13, an application authentication process (step S13 in FIG. 11 and step S23 in FIG. 12) will be described as the operation of the receiver 100 (see FIG. 7 as appropriate).

<Step S131: Input of Authentication Instruction>
The application authentication unit 119 receives an authentication instruction from the activation control unit 109a or the end control unit 109b (step S131).

<Step S132: Reading Application ID etc.>
The application authentication unit 119 reads the application ID, the application signature, and the signature source message added to the authentication target application from the application storage unit 112. The application authentication unit 119 reads the verification key from the verification key management unit 119a. Then, the application authentication unit 119 reads out the emergency revocation list and the normal revocation list from the revocation list storage unit 116 (step S132).

<Step S133: Judgment for Existence of Application Signature>
The application authentication unit 119 determines whether or not an application signature is added to the authentication target application (step S133).
When an application signature is added to the authentication target application (Yes in step S133), the application authentication unit 119 proceeds to the process of step S134.

<Step S134: Determination of Validity of Application Signature>
The application authentication unit 119 determines whether or not the application signature is valid based on the verification key. For example, the application authentication unit 119 determines whether the application signature is valid by using the application signature added to the authentication target application, the signature source message, and the verification key. Here, the validity of the application signature means that the application signature decrypted with the verification key matches the signature source message.

Further, when the key-insulated signature method is used, the application authentication unit 119 can determine not only the validity of the application signature but also the validity of the application body and the validity of the application ID (step S134). ).
If the application signature is valid (Yes in step S134), the application authentication unit 119 proceeds to the process of step S135.

<Step S135: Validity Determination of Normal Revocation List>
The application authentication unit 119 determines whether or not the normal revocation list is valid by using the verification information added to the read normal revocation list.

  When the revocation list verification information is a hash value, the application authentication unit 119 generates a verification source message in the same manner as the normal revocation list generation unit 904. Then, the application authentication unit 119 calculates a hash value of the verification source message by applying a hash function to the generated verification source message. Further, the application authentication unit 119 compares the revocation list verification information with the hash value of the verification source message, and determines the validity of the normal revocation list based on whether or not they match.

  When the revocation list verification information is a MAC value, the application authentication unit 119 generates a verification source message by the same method as the normal revocation list generation unit 904. Then, the application authentication unit 119 calculates the MAC value of the verification source message using the shared key. Further, the application authentication unit 119 compares the revocation list verification information with the MAC value of the verification source message, and determines the validity of the normal revocation list depending on whether or not they match.

  When the revocation list verification information is a revocation list signature, the application authentication unit 119 generates a verification source message by the same method as the normal revocation list generation unit 904. Then, the application authentication unit 119 decrypts the revocation list signature using the verification key. Further, the application authentication unit 119 compares the decrypted revocation list signature with the generated verification source message, and determines the validity of the normal revocation list based on whether or not they match (step S135). .

If the normal revocation list is valid (Yes in step S135), the application authentication unit 119 proceeds to the process of step S136.
Note that the application authentication unit 119 can distinguish between the emergency revocation list and the normal revocation list based on the value of the revocation list classification.

<Step S136: A Application Revocation Determination>
The application authentication unit 119 determines whether or not the ID of the application to be authenticated is included in the emergency revocation list and the normal revocation list (step S136).

<Steps S137 to S140: Output of authentication result>
When the application ID of the authentication target application is not included in either the emergency revocation list or the normal revocation list (Yes in step S136), the application authentication unit 119 authenticates the authentication target application as the A application (step S137), and the application The authentication process ends.

  When the application signature is not added to the authentication target application (No in step S133), the application authentication unit 119 determines that the authentication target application is a general application (step S138), and ends the application authentication process.

  If the application signature is not valid (No in step S134), the application authentication unit 119 determines that the authentication target application is an unauthorized A application (step S139), and ends the application authentication process.

  If the normal revocation list is not valid (No in step S135), the application authentication unit 119 determines that the authentication target application is revoked (step S138), and ends the application authentication process.

  When the application ID of the authentication target application is included in either the emergency revocation list or the normal revocation list (No in step S136), the application authentication unit 119 determines that the authentication target application is revoked (step S140), and the application authentication process Exit.

  As described above, the broadcasting / communication cooperation system 1 according to the embodiment of the present invention distributes an emergency revocation list with high urgency in real time via the broadcast wave W, and usually has low urgency via the network N. Distribute the revocation list. Further, the broadcasting / communication cooperation system 1 immediately forcibly terminates the A application according to the emergency revocation list even when the A application causing a disadvantage to the viewer is being activated. For this reason, the broadcasting / communication cooperation system 1 can appropriately manage the execution of the A application that is disadvantageous to the viewer by efficiently using broadcasting and communication.

  Further, when the key-insulated signature method is used, the receiver 100 can verify the validity of the application signature, the validity of the application body, the validity of the application ID, and the validity of the normal revocation list in the application authentication process. And more appropriate application authentication processing can be performed.

  Furthermore, since the receiver 100 receives the difference information of the normal revocation list, the data transmission amount can be reduced and the load on the network N can be reduced as compared with the case where the normal revocation list is received as it is. Furthermore, the receiver 100 can update the difference of the normal revocation list, and can speed up the update process.

  Furthermore, since the timing for requesting the normal revocation list is distributed among the receivers 100, the broadcasting / communication cooperation system 1 prevents a situation in which requests are concentrated on the revocation list management device 90, thereby suppressing the load on the network N. it can.

(Modification)
As mentioned above, although embodiment of this invention was described, this invention is not limited to this, It can implement in the range which does not change the meaning. The modification of embodiment is shown below.

  In the present embodiment, the broadcast station manages the revocation list management device 90 as shown in FIG. 1, but the present invention is not limited to this. For example, in the present invention, a reputable organization such as a system administrator may manage the revocation list management device 90 as shown in FIG.

In the present embodiment, the revocation list management apparatus 90 has been described as transmitting difference information to the receiver 100, but the present invention is not limited to this. For example, the revocation list management device 90 transmits the latest version of the normal revocation list to the receiver 100 as it is. Then, the receiver 100 replaces the received normal revocation list with the stored normal revocation list.
Alternatively, the receiver 100 may obtain a difference between the latest version of the normal revocation list and the stored normal revocation list, and download (receive) the obtained difference from the revocation list management device 90.

  In the present embodiment, since the broadcast wave W is safe, the revocation list verification information is not added to the emergency revocation list. However, the present invention is not limited to this. For example, in the present invention, the emergency revocation list may be added with revocation list verification information in the same manner as the normal revocation list, and the validity of the emergency revocation list may be determined in the application authentication process.

  In this embodiment, the application signature is described as being added to the application, but the present invention is not limited to this. For example, in the present invention, the application itself can be handled as an application signature by encrypting and decrypting the application with the signature key / verification key.

  In the present embodiment, the number of signature keys and the verification key is one. However, the present invention is not limited to this. For example, in the present invention, a signature key / verification key may be issued for each service provider, and a signature key / verification key may be issued for each A application.

  In the present embodiment, the service provider that creates the A application and the general application is described as one, but a plurality of service providers may be used. Moreover, the same service provider may produce both the A application and the general application. Further, a broadcast station may produce an application as a service provider.

In the present embodiment, the application A has been described as being aggregated in one repository 80 and distributed to the receiver 100. However, the present invention is not limited to this. For example, the broadcasting / communication cooperation system 1 according to the present invention includes a plurality of repositories, and each repository 80 may distribute the A application to the receiver 100 (not shown).
Alternatively, after the system administrator issues an application signature and an application ID, it may be distributed to the service provider B, and the service provider B may add the application signature / application ID to the application. In this case, the A application is distributed directly to the receiver 100 from an application server (not shown) managed by the service provider B.

DESCRIPTION OF SYMBOLS 1 Broadcast communication cooperation system 10 Broadcast transmission apparatus 100 Receiver (broadcast communication cooperation reception apparatus)
101 broadcast reception means 102 broadcast signal analysis means 103 video / audio decoding means 104 data broadcast decoding means 104a emergency revocation list acquisition means 105 communication transmission / reception means 106 application activation information acquisition means 107 application activation information storage means 108 list control means 109 application management / Execution control means 109a Start control means 109b Termination control means 109c Storage management means 110 Start application identification information storage means 111 Application acquisition means 112 Application storage means 113 Application execution means 114 Operation control means 115 Composite display means 116 Revocation list storage means 117 Normal revocation List request / acquisition means (normal revocation list acquisition means)
118 Security Management Unit 119 Application Authentication Unit 119a Verification Key Management Unit (Verification Key Storage Unit)
120 resource access control means 121 resource management means 20, 20A, 20B content distribution server 30 application server 300 application input means 301 application storage means 302 application transmission means 40 application management apparatus 50 application ID generation apparatus 500 application ID generation means 501 application ID output Means 60 Signature key issuing device 600 Signature key / verification key generation means 601 Signature key management means 602 Signature key management means 70 Application registration device 700 Application input means 701 Application ID input means 702 Application ID addition means 703 Signature key input means 704 Signature generation Means 705 Signature adding means 706 Application output means 80 Repository 8 0 Application input means 801 Application storage means 802 Application transmission means 90 Revocation list management device 900 Emergency revocation list application ID input means 901 Emergency revocation list generation means 902 Emergency revocation list output means 903 Normal revocation list application ID input means 904 Normal revocation List generation means 905 Normal revocation list storage means 906 Normal revocation list request reception means 907 Normal revocation list transmission means

Claims (6)

A broadcast transmitting apparatus that transmits a broadcast program, a signature key that is secret information and a signature key issuing apparatus that issues a verification key that is public information corresponding to the signature key, an application signature generated by the signature key, and An application registration apparatus for adding identification information generated according to a predetermined naming convention to an application, a repository for storing an A application that is an application to which the application signature and the identification information are added, and identification of the A application to be forcibly terminated And an emergency revocation list that includes information, and a revocation list management device that stores a revocation list management device that stores a normal revocation list that includes identification information of the A application whose activation is to be stopped, and receives the broadcast program A broadcast communication cooperation receiving device,
Application acquisition means for acquiring the A application from the repository via a network;
An emergency revocation list acquisition means for outputting an application revocation information notification indicating that the emergency revocation list has been acquired, as well as acquiring the emergency revocation list from the revocation list management device via a broadcast wave;
A normal revocation list acquisition means for acquiring the normal revocation list from the revocation list management device via the network;
Using the emergency revocation list and the normal revocation list, at least application authentication means for performing application authentication processing for determining whether or not the authentication target application has expired;
When starting the A application, instructing the application authentication unit to perform the application authentication process with the A application to be started as the authentication target application, and determining that the A application to be started has expired, A start control means for stopping the start of the A application,
When the application revocation information notification is input from the emergency revocation list acquisition unit, the application authentication unit is instructed to perform the application authentication process using the activated A application as the authentication target application, and the activated A application If it is determined that the application has expired, termination control means for forcibly terminating the A application,
A broadcasting / communication cooperative receiving apparatus comprising: Verification key storage means for storing the verification key in advance;
The normal revocation list acquisition means acquires a normal revocation list to which a hash value, a MAC value, or a revocation list signature is further added as revocation list verification information,
The application authentication means, as the application authentication process,
Using the verification key, determine whether the application signature of the authentication target application is valid, if the application signature is not valid, determine that the authentication target application has expired,
Using the revocation list verification information, determine whether the normal revocation list is valid, if the normal revocation list is not valid, determine that the authentication target application has expired,
When it is determined whether the identification information of the authentication target application is included in the emergency revocation list or the normal revocation list, and the identification information is not included in the emergency revocation list and the normal revocation list, the authentication target application 2. The broadcast according to claim 1, wherein the authentication target application is determined to be revoked when the identification information is included in the emergency revocation list or the normal revocation list. Communication cooperation receiver. A revocation list storage means for storing the normal revocation list;
The normal revocation list acquisition unit receives difference information between the latest normal revocation list stored in the revocation list management device and the normal revocation list stored in the revocation list storage unit from the revocation list management device. The broadcast communication cooperation receiving apparatus according to claim 1, wherein the received difference information is reflected in a normal revocation list of the revocation list storage unit.   The normal revocation list acquisition means is configured such that when the application is started, when the launcher is started, a timing preset for each group to which a device code unique to the broadcast communication cooperative receiver belongs, or the broadcast communication cooperative receiver The broadcasting / communication cooperation receiving apparatus according to claim 3, wherein the difference information is requested to the revocation list management apparatus at any one or more within a waiting time of the revocation list. A broadcast transmitting apparatus that transmits a broadcast program, a signature key that is secret information and a signature key issuing apparatus that issues a verification key that is public information corresponding to the signature key, an application signature generated by the signature key, and An application registration apparatus for adding identification information generated according to a predetermined naming convention to an application, a repository for storing an A application that is an application to which the application signature and the identification information are added, and identification of the A application to be forcibly terminated And an emergency revocation list that includes information, and a revocation list management device that stores a revocation list management device that stores a normal revocation list that includes identification information of the A application whose activation is to be stopped, and receives the broadcast program A computer comprising verification key storage means,
Application acquisition means for acquiring the A application from the repository via a network;
An emergency revocation list acquisition means for outputting an application revocation information notification indicating that the emergency revocation list has been acquired, as well as acquiring the emergency revocation list from the revocation list management device via a broadcast wave,
A normal revocation list acquisition means for acquiring the normal revocation list from the revocation list management device via the network;
Application authentication means for performing application authentication processing for determining whether or not an authentication target application has expired, using the emergency revocation list and the normal revocation list,
When starting the A application, instructing the application authentication unit to perform the application authentication process with the A application to be started as the authentication target application, and determining that the A application to be started has expired, A start control means for stopping the start of the A application,
When the application revocation information notification is input from the emergency revocation list acquisition unit, the application authentication unit is instructed to perform the application authentication process using the activated A application as the authentication target application, and the activated A application If it is determined that the application has expired, the termination control means for forcibly terminating the A application,
Application authentication program to function as The broadcasting / communication cooperation receiving device according to claim 1,
A broadcast transmission device for transmitting the broadcast program;
A signature key issuing device for issuing the signature key and the verification key;
An application registration device for adding the application signature and the identification information to the application;
A repository for storing the A application to which the application signature and the identification information are added;
A revocation list management device for storing the emergency revocation list and the normal revocation list;
A broadcasting / communication cooperation system comprising:

Images