JP6539387B2 - Transmitter, receiver and conditional access system - Google Patents

Description

  The present invention relates to a transmitting apparatus, a receiving apparatus, and a conditional access system for performing conditional access in a broadcast system using MMT (MPEG Media Transport).

  In the current digital broadcasting, MPEG2-TS (MPEG-2 Transport Stream) is adopted as a media transport method which is a method for transmitting multimedia contents. This MPEG2-TS can encrypt the payload portion of the TS packet in order to protect the content safely (see Non-Patent Document 1).

  On the other hand, MMT (MPEG Media Transport) and TLV (Type Length Value) methods have been proposed as new media transport methods for advanced hybrid services of broadcasting and communication (see Non-Patent Document 2). This MMT is a method based on media transmission under various network environments, and is currently being standardized in ISO / IEC (International Organization for Standardization / International Electrotechnical Commission) (see Non-Patent Document 3). ).

  In order to construct a broadcast system using MMT, video, audio, data, subtitles, and the like related to a broadcast program are placed on an MMTP (MMT Protocol) payload to form an MMTP packet. It is proposed that this MMT be transmitted by IP packet in order to realize high consistency with communication (MMT over IP). This makes it possible to easily realize an advanced service combining contents from multiple transmission paths such as broadcast waves and communication lines.

On the other hand, data unrelated to the broadcast program, files necessary for engineering services such as firmware update of the receiving device, etc. are transmitted using the data transmission method on IP (see Non-Patent Document 4). High compatibility can be realized.
As a method for safely protecting data on IP of such a network layer, IPsec (see Non-Patent Document 5) which is a protocol having an encryption function and an authentication function is widely used.

"Access control method standard for digital broadcasting (ARIB STD-B25)", version 6.2, Radio Industries Association of Japan, revised on September 25, 2012 Shuichi Aoki, “Media Transport Technology for Next-Generation Broadcasting System”, NHK Giken R & D, Japan Broadcasting Association Broadcasting Technology Research Institute, No. 140, July 2013, p. 22-31 "Information Technology-High efficiency coding and media delivery in heterogeneous environment-Part 1: MPEG media transport (MMT)", ISO / IEC DIS 23008-1, April.2013 Download method for digital broadcasting (ARIB STD-B45), version 2.2, Japan Radio Industry Association, revised July 3, 2012 "Security Architecture for the Internet Protocol", IETF RFC4301, Dec. 2005

Conventionally, even if there is a method of protecting data transmitted in IP packets in the network layer, various components (main video, main audio, sub audio, subtitles, etc.) transmitted in MMTP packets in the MMT layer There is no way to protect on a component basis, ie, on a service basis.
Thus, when only IP packets in the network layer are to be protected, although data can be protected, it can not be protected on a component (corresponding to MMT asset) unit basis, that is, on a service basis. There is a problem that it is not possible to provide a flexible billing function on a (asset) basis.
Further, in the conventional broadcast system, since the scramble method (encryption method) at the time of scrambling is only MULTI 2, a mechanism for selecting a plurality of scramble methods has been desired from the viewpoint of data protection.

  The present invention has been made in view of such problems. When constructing a broadcast system using MMT, not only data protection in the network layer but also fine service protection in the MMT layer are realized. It is an object of the present invention to provide a transmitter, a receiver and a conditional access system capable of selecting a scrambling method.

In order to solve the above-mentioned subject, the transmitting device and receiving device which constitute the conditional access system of the present invention were considered as the following composition.
That is, the transmitting apparatus is an apparatus for transmitting IP packetized contents by using MMT, wherein the MMT package table generating means, the limited reception table generating means, the MMTP packet forming means, the IP packet forming means, and the scrambling means And header setting means.

  In such a configuration, the transmitting apparatus is an MMT package table (MPT) specifying table location information specifying the location of common key information common to the receiving apparatus in which the scramble key is encrypted with the work key by the MMT package table generating means. Generate). In addition, the transmission device is limited reception that is table information specifying position information that specifies the location of individual key information encrypted with an individual encryption key for each predetermined reception device by the limited reception table generation unit. Generate a table (CAT).

In addition, the transmitting apparatus configures the content as an MMTP packet of the MMT layer by the MMTP packet configuration unit.
By this, the content is encapsulated and transmitted as an MMTP packet.

In addition, the transmitting device adds each header of the transport layer and the network layer to the MMTP packet by the IP packet forming unit, and configures the IP packet as an IP packet of the IP layer.
By this, the MMTP packet is encapsulated as an IP packet.

In addition, the transmitting device uses the scrambling unit to select the payload area of the IP packet or the payload area of the MMTP packet (more specifically, the data portion of the area) based on a predetermined scrambling target and a policy indicating the scrambling method. Scramble with the scramble key.
By this, the scrambler can scramble the two different layers of the IP layer and the MMT layer.

Also, the transmitting apparatus sets scrambling control information indicating presence / absence of scrambling in the header portion of the layer to be scrambled by the header setting means.
Then, the transmitting device causes the header setting means to embed scrambling method identification indicating the scrambling method in the header portion of the layer to be scrambled, or MMT package table generation means to perform layer identification and scrambling method indicating the layer to be scrambled A process of embedding control information including scrambling scheme identification indicating M in the MMT package table or a process of embedding control information including layer identification of scramble target and scrambling scheme identification in the limited reception table by the limited reception table generation means.
By this, the transmitting apparatus can notify the receiving apparatus of which layer data is scrambled in the IP layer or the MMT layer.

  In the receiving apparatus for receiving IP packetized content using MMT, the MMT package table processing means, the limited reception table processing means, the key information processing means, the descrambling means, and the IP packet It is configured to include filtering means and MMTP packet filtering means.

In such a configuration, the receiving apparatus receives the MMT package table by the MMT package table processing means, and extracts the position information of the common key information. Also, the reception apparatus is limited reception that is table information specifying position information that specifies the location of individual key information encrypted with an individual encryption key for each predetermined reception apparatus by the limited reception table processing means. Receive the table and extract the position information of the individual key information.
Then, the receiving apparatus extracts the scramble key from the common key information and the individual key information acquired based on the extracted position information by the key information processing means. That is, the key information processing means extracts the work key by decrypting the individual key information with the encryption key specific to the receiving apparatus, and extracts the scramble key by decrypting the common key information with the work key.

Then, when the IP layer is scrambled by the IP packet filtering means, the receiving apparatus designates the scrambling method and descrambles the payload area of the IP packet by the descrambling means, and the IP packet to the MMTP packet Extract
Also, when the MMT layer is scrambled by the MMTP packet filtering means, the receiving apparatus designates the scrambling method and de-asserts the payload area of the MMTP packet (more specifically, the data portion of the area). It is descrambled by a scrambler to extract contents from the MMTP packet.

  At this time, if the IP packet filtering means includes in the conditional access table or the MMT package table a layer identification indicating that the scramble target is an IP layer and control information including a scrambling scheme identification indicating a scrambling scheme, or And the scramble control information indicating that scrambled in the header (ESP header) immediately before the payload of the IP packet and the scramble method identification, the payload area of the IP packet is identified by the scramble method identification. It is determined that the method is scrambled.

Also, when the MMTP packet filtering means includes, in the conditional access table or the MMT package table, control information including a layer identification indicating that the scramble target is the MMT layer and a scrambling method identification indicating the scrambling method, or When scramble control information indicating that scrambled in the header of the MMTP packet and scramble method identification are set, the payload area of the MMTP packet (more specifically, the data part of the area) is identified by the scramble method identification. It is determined that scramble is performed by the specified scramble method.
By this, the receiving apparatus can correctly recognize the scrambled IP layer or MMT layer, and descramble the data of each layer using the designated scrambling scheme.

The present invention exhibits the following excellent effects.
According to the present invention, in a broadcast system that uses MMT as a media transport method and transmits content regardless of the transmission path (broadcast / communication), it is possible to protect the MMT that constitutes a service (program).
Further, according to the present invention, it is possible to scramble data of two different layers of the IP layer and the MMT layer according to the scramble target.
By this, the present invention can realize fine service protection in units of components, for example, it becomes possible to charge only sub-audio transmitted by broadcast, and data not related to a program Data protection can also be realized.
Further, according to the present invention, since the scrambling method at the time of scrambling can be selected by a policy, data can be protected by a suitable scrambling method according to the type of data to be transmitted and security requirements in advance. .

FIG. 1 is a system configuration diagram showing a configuration of a conditional access system according to a first embodiment of the present invention. It is a reference structure figure for demonstrating the reference relation of the package in MMT. It is an explanatory view for explaining the relation between an asset and MPU. It is a packet block diagram for demonstrating the structure of the IP packet which used MMT. It is a block block diagram which shows the structure of the transmitter which concerns on 1st Embodiment of this invention. It is a figure which shows the content of the policy memorize | stored in the policy memory | storage means of FIG. It is a figure explaining the data embedded in the encryption range (scramble range) and header in the transmitter which concerns on 1st Embodiment of this invention, Comprising: (a), when making IP layer into scramble object, (b) is MMT. It is a figure which shows the case where a layer is made into scramble object. It is a data structure figure which shows the structure of MPT which the MPT production | generation means of FIG. 5 produces | generates, Comprising: (a) is an example which designates a conditional access system by asset unit, (b) is an example which designates a conditional access system by program unit. It is. It is a data structure figure which shows the structure of CAT which the CAT production | generation means of FIG. 5 produces | generates. It is a block block diagram which shows the structure of the key information generation means of FIG. It is a data structure figure which shows the structure of ECM which the ECM production | generation means of FIG. 10 produces | generates. It is a data structure figure which shows the structure of EMM which the EMM production | generation means of FIG. 10 produces | generates. It is a block block diagram which shows the structure of the receiver which concerns on 1st Embodiment of this invention. It is a block block diagram which shows the structure of the key information processing means of FIG. It is a flowchart which shows operation | movement of the transmitter which concerns on 1st Embodiment of this invention. It is a flowchart which shows operation | movement of the receiver which concerns on 1st Embodiment of this invention. FIG. 10 is a data structure diagram showing the structure of MPT generated by the MPT generation means of FIG. 5 in the modification of the first embodiment of the present invention, wherein (a) is an example of specifying a conditional access system in asset units, (b Is an example of specifying the conditional access system on a program basis. FIG. 6 is a data structure diagram showing a structure of a CAT generated by the CAT generation unit of FIG. 5 in a modification of the first embodiment of the present invention. It is explanatory drawing for demonstrating the CBC mode of encryption utilization mode. It is explanatory drawing for demonstrating CFB mode of encryption utilization mode. It is explanatory drawing for demonstrating OFB mode of encryption utilization mode. It is explanatory drawing for demonstrating CTR of encryption utilization mode. It is a block block diagram which shows the structure of the transmitter which concerns on 2nd Embodiment of this invention. It is a figure explaining the data embedded in the encryption range (scramble range) and header in the transmitter which concerns on 2nd Embodiment of this invention, Comprising: (a), when making IP layer into scramble object, (b) is MMT. It is a figure which shows the case where a layer is made into scramble object. It is a block block diagram which shows the structure of the receiver which concerns on 2nd Embodiment of this invention. FIG. 24 is a data structure diagram showing the structure of a scrambling method descriptor set in each table by the MPT generation means and CAT generation means of FIG. 23, wherein (a) is an example of specifying initial value identification and scrambling method identification, (b) These are figures which show the example which designates initial value identification. It is a block block diagram which shows the structure of the transmitter which concerns on 3rd Embodiment of this invention. It is a figure which shows the content of the policy memorize | stored in the policy memory | storage means of FIG. It is a figure explaining the data embedded in the authentication range and header in the transmission apparatus which concerns on 3rd Embodiment of this invention, Comprising: When making an IP layer into authentication object, (b) makes an MMT layer authentication object. (C) is a diagram showing a case where the IP layer and the MMT layer are to be authenticated. It is a block block diagram which shows the structure of the key information generation means of FIG. It is a block block diagram which shows the structure of the receiver which concerns on 3rd Embodiment of this invention. FIG. 28 is a data structure diagram showing the structure of a scrambling method descriptor set in each table by the MPT generation means and CAT generation means of FIG. 27, where (a) is a case where a message authentication method and a scrambling method (encryption method) are specified FIGS. 6A and 6B are diagrams showing a case of specifying a message authentication method, and a case of specifying a message authentication method, a scramble method (encryption method) and an initial value in the case of specifying the message authentication method. It is a data structure figure which shows the structure of the message authentication system descriptor which MPT production | generation means of FIG. 27 and CAT production | generation means set to each table.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
«Overview of Limited Reception System»
First, an outline of a conditional access system according to a first embodiment of the present invention will be described with reference to FIG.

A conditional access system (broadcasting system) S uses MMT (MPEG Media Transport) as a media transport method, converts content into IP packets, and transmits the packets via a broadcast wave W or a communication line N.
In addition, the conditional access system S protects data and services (programs) by scrambling the two different layers of the network layer (IP layer) and the media transport layer (MMT layer), and performs conditional reception. To achieve
The conditional access system S includes a digital broadcast transmitter 1 (or a transmitter 1 providing communication network service) owned by a broadcaster and a digital broadcast receiver 3, 3, ... installed in each home. And consists of

  The transmitter 1 converts contents such as video, audio and data into MMTP packets and then IP packets (MMT over IP) and scrambles the network layer and the media transport layer as needed. And transmit via the broadcast wave W or the communication line N. In addition, when transmitting via the broadcast wave W, the transmission device 1 performs TLV of IP packet together.

  The receiving device 3 receives the content obtained by converting the MMTP packet into an IP packet via the broadcast wave W or the communication line N, descrambles the protected scrambled data, and makes the content available (such as video reproduction). It is a thing.

(Overview of MMT)
Before describing the configurations of the transmitting device 1 and the receiving device 3, referring to FIGS. 2 to 4, various data required for performing conditional reception using MMT in conditional access system S will be described. I will explain the outline.
When constructing a broadcast system using MMT, as shown in FIG. 2, ECM, EMM, which is related information of a key for scrambling content by PLT, MPT, and CAT, which is table information that refers to various information, and content MPU which is an entity of is referred to.

  The PLT (package list table: Package List Table) is table information in which packages (programs) constituting a service transmitted by an IP packet are described in an MPT list format. For example, it is possible to construct multi-organization by including multiple MPTs in PLT. The PLT specifies the MPT by specifying an arrangement place (location information) or the like for specifying the location of the MPT as information for specifying the MPT.

The MPT (MMT Package Table: MMT Package Table) is table information in which information for specifying an asset constituting one package (program) is described in a list format.
Here, an asset is a component unit having the same transmission feature information. The same transmission feature information is the same information indicating the transmission feature of the asset, and indicates the information whose presentation target, presentation timing, and the like are the same. For example, asset A1 can be a unit such as a main voice received by broadcast, and asset A2 can be a unit such as sub-voice received by communication.
With such units, assets can also be used as units that can control service protection. For example, only the asset A2 is to be charged, or the security requirement of the asset A3 is higher than that of the asset A1, and the encryption method is changed.

As described above, a plurality of data (MPU: Media Processing Unit) such as data of a single medium such as video and audio (data for designating presentation time) and a file (data for which designation of presentation time is unnecessary) is the same. A unit managed by an ID (asset ID) is an asset.
That is, as shown in FIG. 3, the asset is a unit indicating data in which one or more MPUs are connected by the same asset ID (Aid1, Aid2, Aid3).

In addition, as shown in FIG. 2, the MPT has a description in which an arrangement location of common key information (ECM: Entitlement Control Message) common to the receiving devices 3, 3,... Is specified as key information for performing limited reception. A child access control descriptor (or conditional access system descriptor) is set. Note that MPT specifies one ECM (E0) for one package (program) specified by MPT, and one for designating ECM (E2, E3) in asset units that make up a program. is there.
The specific structure of this MPT and ECM will be described later.

CAT (Conditional Access Table) is an access control description that is a descriptor that specifies the arrangement location of individual key information (EMM: Entitlement Management Message) for each reception device 3 as key information for performing conditional reception It is table information describing a child (or a conditional access system descriptor).
The specific structure of this CAT and EMM will be described later.

Next, with reference to FIG. 4, the packet configuration when IP packetizing content using MMT will be described.
As shown in FIG. 4, in the MMT packet (MMTP packet), CAT, MPT, ECM, EMM, etc. are placed as a control message or an MPU is placed in the MMTP payload. Further, in the MPU, an MFU (Media Fragment Unit) is arranged in the MPU payload. This MFU is data obtained by fragmenting the MPU, and media data below an access unit which is the minimum unit of video and audio encoding and decoding (access unit, NAL [Network Abstraction Layer] unit, file) It is.

Then, the MMTP packet is configured as an IP packet by further adding a header of TCP / UDP (Transmission Control Protocol / User Datagram Protocol), which is a transport layer, and a header of IP, which is a network layer.
When an IP packet is transmitted via a broadcast wave, a TLV header is further added.
As described above, in the MMT, high consistency with communication can be realized by carrying the program and the information related thereto on the MMTP payload and converting it into an MMTP packet and then converting it into an IP packet.
Hereinafter, each composition and operation of transmitting device 1 and receiving device 3 which constitute conditional access system S concerning an embodiment of the present invention are explained one by one.

<Configuration of Transmission Device>
First, the configuration of the transmission apparatus 1 according to the first embodiment of the present invention will be described with reference to FIG. 5 (refer to FIG. 1 as needed).
The transmitting apparatus 1 performs processing for appropriately scrambling the MMT layer and the IP layer when transmitting the content after converting the content into an MMTP packet and converting it into an IP packet.

  Here, the transmitting device 1 includes an encoding unit 10, an MPU generation unit 11, a control message generation unit 12, an MMTP packet configuration unit 13, an IP packet configuration unit 14, a policy storage unit 15, a scramble unit 16, and the like. The packet reconstruction unit 17, the data transmission unit 18, the PLT generation unit 19, the MPT generation unit 20, the CAT generation unit 21, and the key information generation unit 22.

The encoding unit 10 encodes (encodes) content (baseband signals such as video and audio). For the video, this encoding means 10 is, for example, one of H. It encodes by H.265 (HEVC: High Efficiency Video Coding). In addition, the encoding unit 10 encodes, for example, MPEG4 AAC (Advanced Audio Coding) for audio.
The encoding unit 10 outputs the encoded data to the MPU generation unit 11 as media data below an access unit such as an NAL unit, for example.

  The MPU generation unit 11 is a media processing unit, which is a data processing unit in MMT, for media data encoded by the encoding unit 10 and data (file) used in data broadcasting input (not shown) separately from the outside. (MPU) is generated.

As shown in FIG. 4, the MPU generation means 11 is a header or the like including sequence numbers (order of data) in media data or files below access units such as NAL units obtained by dividing (fragmenting) data as shown in FIG. To form a media fragment unit (MFU). Furthermore, the MPU generation unit 11 generates an MPU by adding to the MFU at least a header including an asset identifier (asset ID) for identifying the MPU and a sequence number (the order of the MPU in the asset). . As a result, the MPU is uniquely identified.
The MPU generation unit 11 generates an MPU for each of a predetermined asset unit, for example, single media such as video, audio, and data.
The MPU generation unit 11 outputs the generated MPU to the MMTP packet configuration unit 13.

The control message generation unit 12 generates a control message including control information for notifying the receiving device 3. Here, the control message generation unit 12 generates PLT (package list table) generated by the PLT generation unit 19 described later, MPT (MMT package table) generated by the MPT generation unit 20, and CAT generation unit 21. A unique for identifying a PLT, an MPT, a CAT, an ECM, an EMM, etc. by inputting a CAT (limited reception table), an ECM (common key information) generated by the key information generation means 22 and an EMM (individual key information) Control message including identification information (table ID) of
In this control message, for example, one table information or key information may be set, a plurality of table information may be set collectively, or a plurality of key information may be set collectively.
The control message generation unit 12 outputs the generated control message to the MMTP packet configuration unit 13. Note that the control message generation unit 12 may output the generated control message to the IP packet configuration unit 14.

The MMTP packet construction unit 13 encapsulates the MPU generated by the MPU generation unit 11 and the control message generated by the control message generation unit 12 into an MMTP packet.
The MMTP packet construction unit 13 constructs the payload of the MMTP packet by dividing or concatenating the input MPU and control message. Then, the MMTP packet configuration unit 13 sets at least a packet ID (value different for each asset and control message) and a payload type indicating the content type of the payload in the header of the MMTP packet. The payload type is, for example, identification information such as whether an MPU is set or a control message is set.
The MMTP packet construction unit 13 outputs the generated MMTP packet to the IP packet construction unit 14.

The IP packet construction unit 14 adds the headers of the transport layer and the network layer to the MMTP packet generated by the MMTP packet construction unit 13 to construct an IP packet. When the control message is input from the control message generation unit 12, the IP packet configuration unit 14 converts the control message into an IP packet.
Specifically, the IP packet configuration unit 14 configures the payload of TCP or UDP, which is a protocol of the transport layer, in the form of an MMTP packet, adds a TCP / UDP header, and further specifies an address of a transmission destination or a transmission source. An IP packet is generated by adding the included IP header.

Further, the IP packet forming unit 14 does not show the data unrelated to the program, files necessary for the engineering service such as firmware update of the receiving apparatus 3, etc. from outside without passing through the MMTP packet forming unit 13. We will input directly by the method.
That is, the IP packet configuration unit 14 not only encapsulates the MMTP packet, but can also configure data other than the MMTP packet as an IP packet.
In addition, the IP packet forming unit 14 adds a TCP header or a UDP header as a transport layer header. Transport layer header information such as whether to add a UDP header or a network layer such as destination information to be set to an IP packet. The header information is appropriately set based on setting information stored externally or internally according to the content etc. input to the transmission device 1.
The IP packet configuration unit 14 outputs the generated IP packet to the scramble unit 16.

The policy storage unit 15 stores conditions (policy) for performing scrambling on two different layers, a network layer (IP layer) and a media transport layer (MMT layer). The policy storage unit 15 can be configured, for example, by a general storage medium such as a semiconductor memory.
The policy stored in the policy storage unit 15 is referred to by the scramble unit 16 to determine the target of the scramble.

Here, an example of the policy stored in the policy storage unit 15 will be described with reference to FIG.
In FIG. 6, "IP Ver", "destination address", "source address", "destination port", "source port", "transport layer protocol" as conditions (policy) for performing scrambling An example in which a plurality of “scramble target”, “MMT scramble condition”, and “scramble method (encryption method)” are set is shown.

"IP Ver" indicates the version of the IP protocol. For example, it indicates the type of IPv4 or IPv6.
The “destination address” and the “source address” indicate an IP address of a destination to which an IP packet is to be transmitted, and an IP address of a transmission source to which an IP packet is to be transmitted.
“Transmission destination port” and “transmission source port” indicate transmission destination and transmission source port numbers predetermined for each type of TCP and UDP.
"Transport layer protocol" indicates the protocol type of the transport layer. For example, the types of TCP and UDP are shown.

  “Scramble target” indicates an area to be scrambled on the IP packet. Here, it is shown whether to scramble at the network layer level (IP) or scramble at the media transport layer level (MMT) as the scramble target.

  The “MMT scramble condition” indicates, when the scramble target is the media transport layer, a detailed condition as to which asset is to be scrambled. That is, if the “MMT scrambling condition” is set, the MMT is scrambled in asset units.

  "Scramble system" indicates an encryption system at the time of scrambling. For example, the type of scramble method (encryption method) to be used such as encryption with AES (Advanced Encryption Standard) encryption with AES as the key length of 256 bits and the operation mode as CBC (Cipher Block Chaining) (AES-256_CBC) Set

For example, in FIG. 6, among IP packets transmitted by IPv4, UDP IP packets transmitted with the transmission destination port “3300” and the transmission source port “3000” are scrambled with IP layer data. It means to do.
Also, for example, among IP packets transmitted by IPv4, UDP of which transmission destination address is “239.192.0.1”, transmission source port is “100”, transmission destination port is “100” For the IP packet of (1), it means that MPUs with asset identifiers “00000001” and “00000011” are scrambled in the MMT layer.
Returning to FIG. 5, the description of the configuration of the transmitting device 1 will be continued.

The scrambler 16 refers to the policy stored in the policy storage unit 15 to determine the target of scrambling for the IP packet generated by the IP packet construction unit 14 and scrambles the target. It is.
The scrambler 16 specifies the scramble target according to the contents of the IP header, transport protocol header, and MMTP header contained in the IP packet with reference to the policy shown in FIG.
Then, the scrambler 16 applies the policy shown in FIG. 6 to the payload area of the network layer to be scrambled or the payload area of the media transport layer (more specifically, the data part of the area). The scramble key Ks generated by the key information generation means 22 is scrambled by the scramble method (encryption method) described.
Here, the scrambler 16 refers to the policy stored in the policy memory 15. However, it is assumed that the scramble target and the scramble system are input as control information separately from the outside as a control signal. It is also good.

The packet reconstruction means (header setting means) 17 adds information on the scramble performed by the scramble means 16 to the header portion of the scrambled layer to reconstruct an IP packet.
When the scramble target is IP, this packet reconstruction means 17 extends the Encapsulated Security Payload (ESP) header used in general IPsec (Security Architecture for IP) and relates to scrambling. Set various information.

Specifically, as shown in FIG. 7A, the packet reconstruction means 17 inserts an ESP header between the IP header and the TCP / UDP header, and scramble control information, scramble (in the ESP header), Encryption) Embedding method identification.
The “scramble control information (scramble control bit)” indicates whether the IP is scrambled or not, and further, a key used for scrambling, for example, a key such as an odd key (odd key) or an even key (even key) Indicates information that can uniquely identify information.
“Scramble scheme identification (encryption scheme identification)” indicates information for identifying a scramble scheme when scrambling IP.

Also, when the scramble target is the MMT, the packet reconstruction unit 17 sets various information related to scrambling in the header (MMTP header) of the MMTP packet.
Specifically, as shown in FIG. 7 (b), the packet reconstruction means 17 embeds the scramble control information and the scramble method identification in the MMTP header.
Note that these embedded data are the same as the data described in FIG. 7A and only the scramble target is different, so the description will be omitted.
The packet reconstruction means 17 outputs the IP packet obtained by reconstructing the packet to the data transmission means 18.

  Note that the scramble control information and the scramble scheme identification may be embedded as individual information respectively, and in the case of controlling together, the combination of presence / absence of scramble, key information used for scramble, scramble scheme is linked to a unique identifier. It may be added and managed, and may be embedded as one control information indicating the scrambled content using the identifier.

The data transmission unit 18 transmits the IP packet to the reception device 3. Here, the data transmission unit 18 transmits the IP packet reconstructed by embedding information in the header by the packet reconstruction unit 17 to the reception device 3.
Here, the data transmission unit 18 includes a broadcast transmission unit 180 and a communication transmission unit 181.

  The broadcast transmission unit 180 transmits the IP packet as broadcast data via the broadcast wave W. For example, the broadcast transmission unit 180 encapsulates an IP packet with TLV (Type Length Value), MPEG2-TS, etc., and then modulates and outputs as broadcast data. The medium for transmitting the broadcast wave W may be wired or wireless.

The communication transmission unit 181 transmits the IP packet as communication data via the communication line N. For example, the communication transmission unit 181 transmits via a network interface such as Ethernet (registered trademark).
The data transmission means 18 is appropriately set from the outside as to whether to transmit an IP packet by a broadcast wave or to transmit it by a communication line.

The PLT generation unit (package list generation unit) 19 generates a package list table (PLT) in which information for specifying the MPT is described in a list format.
The PLT generation unit 19 describes, as table information, location information indicating the placement location of the MPT.
The PLT generation unit 19 appropriately inputs various information to be set in the PLT from the outside.

The MPT generation unit (MMT package table generation unit) 20 generates an MMT package table (MPT) in which information specifying elements (assets) constituting a package (program) is described in a list format.
The MPT generation means 20 describes, as table information, what kind of asset the program is composed of (location information etc. indicating an asset acquisition destination).
In addition, when the MPT generation means 20 performs limited reception of a program, an access control descriptor (or limited reception method descriptor) including an arrangement place (location information) for specifying the location of key information (ECM) common to the receiving device Are further described as table information.

Here, an example of the structure of the MPT generated by the MPT generation means 20 will be described with reference to FIG. FIG. 8 (a) is an example of an MPT for designating a conditional access system in asset units, and FIG. 8 (b) is an example of an MPT for designating a conditional access system in program units.
As shown in FIG. 8A, the MPT generation unit 20 sets various information according to the table identification indicating the unique value for identifying the table information, the version, the data length, and the number (N) of the assets. And generate MPT. Specifically, in the MPT, an asset identification, asset location information, and an access control descriptor are set for each asset.

"Asset identification" is a unique ID (asset ID) for identifying assets individually.
“Asset location information” is information indicating the location of an asset, and may be information including an acquisition destination address and a port according to the type (IPv4, IPv6, URL, etc.), for example. It may be information indicating the previous packet ID.
The “access control descriptor” is a descriptor in which information specifying the conditional access system is set, and includes conditional access system identification, location information of ECM, and the like.
Here, “limited reception scheme identification” refers to, for example, a plurality of limited reception schemes such as CAS (Conditional Access System) for realizing pay broadcast, RMP (Rights Management and Protection) for realizing broadcast specialized for content protection, and the like. It is information for identifying one of them.

Further, “location information of ECM” is information indicating an arrangement location of ECM, and is, for example, an IP address and a port (port number) of the arrangement destination, a packet ID and the like.
When the ECM is disposed in a server or the like on the network, an IP address and a port (port number) are set in “Location information of ECM”. Also, when the ECM is transmitted as a control message of MMT, the packet ID of MMT is set in “Location information of ECM”.
Thus, by specifying the conditional access method for each asset, conditional reception can be performed on an asset basis.

In addition, as shown in FIG. 8 (b), by setting the access control descriptor specifying the limited reception method identification to the high rank of the information of the asset according to the number (N) of the assets, the limited reception on a program basis It can be performed.
The various types of information in FIG. 8B are the same as those in FIG.
The MPT generation unit 20 generates various information to be set in the MPT based on setting information stored from outside or inside as appropriate.
Returning to FIG. 5, the description of the configuration of the transmitting device 1 will be continued.

The CAT generation means (limited reception table generation means) 21 is for generating a limited reception table (CAT) in which information for performing limited reception is described.
The CAT generation means 21 is an access control descriptor (location information) including an arrangement place (location information) for specifying the location of individual key information (EMM) for each predetermined management unit of the receiving apparatus at the time of limited reception of a program. Or describe the conditional access system descriptor) as table information.

Here, with reference to FIG. 9, an example of the structure of the CAT generated by the CAT generation means 21 will be described.
As shown in FIG. 9, the CAT generation unit 21 sets a table identification indicating a unique value for identifying table information, a version, a data length, and an access control descriptor to generate a CAT.
This access control descriptor is the same as the contents described in FIG. 8 except that the location information indicates the placement location of the ECM or the placement location of the EMM, so the description will be omitted.
The CAT generation unit 21 generates various information to be set in the CAT based on setting information stored from the outside or inside as appropriate.
Returning to FIG. 5, the description of the configuration of the transmitting device 1 will be continued.

  The key information generation means 22 generates a scramble key for scrambling the content and, as key information for extracting the scramble key in the reception device 3, common key information (ECM) common to the reception device and reception predetermined An individual key information (EMM) is generated for each management unit of the device.

  Here, a configuration example of the key information generation unit 22 will be described with reference to FIG. 10 (refer to FIG. 5 as needed). As shown in FIG. 10, the key information generation unit 22 includes a scramble key generation unit 220, a work key generation unit 221, an ECM generation unit 222, a master key storage unit 223, and an EMM generation unit 224.

The scramble key generation unit 220 generates a key (scramble key Ks) for scrambling the content.
The scramble key generation unit 220 generates a scramble key Ks by generating a random number at predetermined time intervals (for example, about once in several seconds). Then, the scramble key generation means 220 outputs the generated scramble key Ks to the ECM generation means 222.
The scramble key generation unit 220 generates, as the scramble key Ks, a scramble key at the current time and a scramble key to be used next by a pair of the odd key and the even key. As a result, when the transmitting device 1 switches the scrambling key, it is possible to eliminate the time interval in which the scrambling key is not present in the receiving device 3.
Further, the scramble key generation means 220 outputs to the packet reconstruction means 17 information for identifying an encryption key for identifying whether the scramble key Ks currently output to the scramble means 16 is an odd key or an even key. Do.

The work key generation unit 221 generates a key (work key Kw) for encrypting the scramble key Ks.
The work key generation unit 221 generates a work key Kw by generating random numbers at predetermined time intervals (for example, about one month) whose update time is longer than the scramble key Ks. Then, the work key generation unit 221 generates the work key Kw and key information (work key identification) such as an ID for identifying the generated work key Kw, the ECM generation unit 222, the EMM generation unit 224, and the like. Output to
The work key generation unit 221 may generate, as the work key Kw, a work key at the present time and a work key to be used next by a pair of the odd key and the even key.

The ECM generation means 222 encrypts the scramble key Ks with the work key Kw, and generates common key information (ECM) which is key information common to the receiver 3 including the encrypted scramble key Ks.
The ECM generation means 222 encrypts the pair (odd key, even key) of one or more scramble keys Ks generated by the scramble key generation means 220 with the work key Kw, and key information of the corresponding work key Kw. (Work key identification) is arranged to generate an ECM with a data structure as shown in FIG.
Note that the other information shown in FIG. 11, that is, “protocol number”, “business entity identification”, and “time information” are information similar to the information of ECM defined in STB-ST25 of ARIB, The description is omitted here because it is not directly related to the present invention.
Then, the ECM generation unit 222 outputs the generated ECM to the control message generation unit 12.

  The master key storage unit 223 is an encryption key that encrypts the work key Kw generated by the work key generation unit 221, and stores a unique key (master key Km) provided in advance to each receiving device 3 It is The master key storage means 223 can be configured by a storage medium such as a general semiconductor memory.

The EMM generating means 224 encrypts the work key Kw with the master key Km specific to the receiver 3 and generates individual key information (EMM) which is key information specific to the receiver 3 including the encrypted work key Kw. It is a thing.
The EMM generation means 224 encrypts the pair (odd key, even key) of the work key Kw generated by the work key generation means 221 with the master key Km, and generates an EMM with a data structure as shown in FIG. .
Note that the other information shown in FIG. 12, “device identification,” “byte length of related information,” “protocol number,” “entity identification,” and “update number” are defined in ARIB STD-B25. The information is the same as the information of the EMM, and is not directly related to the present invention, so the description is omitted here.
Then, the EMM generating means 224 outputs the generated EMM to the control message generating means 12.

  The encryption key for encrypting the work key Kw is an individual key for each predetermined management unit of the receiving device 3. Here, the EMM generation unit 224 sets the management unit to each reception apparatus 3 and encrypts the work key Kw with the master key that is an individual key of each reception apparatus, but receives the management unit of the conditional access system When using a device unit such as a machine maker or a receiver model, the work key Kw is encrypted using the device key assigned to the reception device 3 in advance in the unit as an encryption key.

  By configuring the transmitting device 1 as described above, the transmitting device 1 converts the content into an MMTP packet, and then converts it into an IP packet (MMT over IP), and according to the policy, the network layer (IP layer) And data of the media transport layer (MMT layer) can be scrambled and transmitted via the broadcast wave W or the communication line N.

Thus, the transmission device 1 can implement service protection on a fine unit basis of a program or an asset. For example, the transmission device 1 can implement processing such as charging only sub-audio sent by broadcast and encrypting only the asset constituting the sub-audio. Furthermore, the transmission device 1 can also realize data protection of various data unrelated to a program at the same time.
In addition, since the transmission apparatus 1 can select the scramble method (encryption method), the calculation load associated with encryption can be reduced or the security strength can be enhanced according to the type of data to be transmitted and security requirements. Scramble can be performed by a scramble method adapted to the contents of data to be transmitted.

<Configuration of Receiver>
Next, the configuration of the receiving device 3 according to the first embodiment of the present invention will be described with reference to FIG. 13 (refer to FIG. 1 as needed).
The receiving device 3 receives the content obtained by converting the MMTP packet into an IP packet via the broadcast wave W or the communication line N, descrambles the protected scrambled data, and makes the content available (such as video reproduction). It is a thing.

  Here, the receiving device 3 includes data receiving means 30, IP packet filtering means 31, MMTP packet filtering means 32, descrambling means 33, control message separating means 34, PLT processing means 35, and CAT processing means 36, MPT processing means 37, location solution means 38, key information processing means 39, MPU processing means 40, decoding means 41, and data processing means 42.

  The data receiving unit 30 receives the broadcast data and the communication data transmitted from the transmitting device 1. Here, the data receiving unit 30 includes the broadcast receiving unit 300 and the communication receiving unit 301.

  The broadcast receiving unit 300 receives broadcast data transmitted via the broadcast wave W. For example, the broadcast receiving unit 300 demodulates the modulated broadcast data, extracts an IP packet encapsulated by TLV, MPEG2-TS, etc., and outputs the IP packet to the IP packet filtering unit 31.

  The communication receiving unit 301 receives an IP packet transmitted as communication data via the communication line N. The communication receiving unit 301 outputs the received IP packet to the IP packet filtering unit 31.

The IP packet filtering unit 31 analyzes the header of the IP packet received by the data receiving unit 30 and distributes the packet.
Specifically, the IP packet filtering unit 31 refers to the ESP header (see FIG. 7A) added to the IP header, and determines whether the IP payload area is scrambled or not. At this time, if the IP payload area is scrambled, the IP packet filtering means 31 descrambles scramble control information and scrambling scheme identification contained in the ESP header, and IP payload data (scramble data). Output to 33 to instruct descrambling.

In addition, the IP packet filtering means 31 includes an MMTP packet in the payload of the unscrambled IP and the payload of the IP descrambled by the descrambling means 33 depending on the presence or absence of the transport protocol header or the MMTP header. It is determined whether the
Here, when the MMTP packet is included, the IP packet filtering unit 31 outputs the MMTP packet to the MMTP packet filtering unit 32. When the MMTP header is not included, the IP packet filtering unit 31 outputs the payload portion of the IP packet to the data processing unit 42.
The IP packet filtering unit 31 outputs the control message to the control message separation unit 34 when the IP payload contains a control message without being converted to the MMTP packet.

The MMTP packet filtering unit 32 analyzes the header of the MMTP packet filtered by the IP packet filtering unit 31 and distributes the packets.
Specifically, the MMTP packet filtering unit 32 scrambles the payload area of the MMT (more specifically, the data part of the area) with the scramble control information (see FIG. 7B) included in the MMTP header. It is judged whether it is done or not. At this time, if the payload area of the MMT is scrambled, the MMTP packet filtering means 32 descrambles scramble control information and scrambling scheme identification contained in the MMTP header, and payload data (scramble data) of the MMT. Output to 33 to instruct descrambling.

  Then, the MMTP packet filtering means 32 controls the payload of the MMT not scrambled according to the payload type (not shown) included in the MMTP header and the payload of the MMT descrambled by the descrambling means 33 with a control message. It is determined whether there is an MPU or an MPU.

  Here, if the MMT payload is a control message, the MMTP packet filtering means 32 outputs the MMT payload to the control message separation means 34. If the MMT payload is an MPU, the MMTP packet filtering unit 32 outputs the MMT payload to the MPU processing unit 40.

Here, the MMTP packet filtering unit 32 is instructed by the location solution unit 38 to acquire key information (ECM, EMM), MPT, and asset by the ID (packet ID) of the MMTP packet, to the packet ID. Let us extract ECM, EMM and MPT control messages sent in corresponding MMTP packets.
Further, the MMTP packet filtering means 32 is sent by the location solution means 38 by the ID (packet ID) of the MMTP packet, when instructed to obtain the MPU constituting the asset, in the MMTP packet corresponding to the packet ID. To extract the MPU.
The MMTP packet filtering unit 32 extracts a control message corresponding to a predetermined unique packet ID of the MMTP packet for PLT and CAT control messages.

  The descrambling means 33 descrambles the scrambled data. Here, the descrambling means 33 uses the scrambling key Ks corresponding to the scrambling control information specified by the IP packet filtering means 31 among the scrambling keys extracted by the key information processing means 39 to identify the scrambling method. The scramble data of the IP packet is descrambled by the designated scramble method.

Further, the descrambling means 33 is specified by the scramble system identification using the scramble key Ks corresponding to the scramble control information specified by the MMTP packet filtering means 32 among the scramble keys extracted by the key information processing means 39. The scramble data of the MMTP packet is descrambled by the scramble method.
The descrambling means 33 outputs the descrambled data to the IP packet filtering means 31 or the MMTP packet filtering means 32 which instructed descrambling, respectively.

The control message separation unit 34 determines PLT, MPT, CAT, ECM, EMM, etc. based on the identification information (table ID) included in the control message extracted by the MMTP packet filtering unit 32 and extracts them individually. (Separate).
The control message separation unit 34 outputs the extracted ECM and EMM to the key information processing unit 39. Further, the control message separation unit 34 outputs the extracted PLT to the PLT processing unit 35, outputs the extracted CAT to the CAT processing unit 36, and outputs the extracted MPT to the MPT processing unit 37.

The PLT processing means (package list processing means) 35 performs various processes based on the PLT separated by the control message separation means 34.
Here, the PLT processing means 35 notifies the location solution means 38 of the location information which is the acquisition destination of the MPT contained in the PLT.

The CAT processing means (limited reception table processing means) 36 refers to the access control descriptor (refer to FIG. 9) or the limited reception method descriptor included in the CAT separated by the control message separation means 34, The location solution means 38 is notified of an EMM location (location information) to be an acquisition destination.
The CAT processing means 36 has a conditional access system identification described in the access control descriptor (refer to FIG. 9) or the conditional access system descriptor, and the reception apparatus 3 stored in the storage means (not shown) is contracted in advance. The location solution means 38 is notified of the location information of the EMM described in the access control descriptor or the conditional access system descriptor that matches the conditional access system identification (CAS, RMP, etc.) set by the etc.

The MPT processing means (MMT package table processing means) 37 performs various processes based on the MPT separated by the control message separation means 34.
Here, the MPT processing means 37 refers to the access control descriptor (see FIG. 8) included in the MPT or the conditional access system descriptor to locate the ECM position (location information) which is the acquisition destination of the ECM, The solution means 38 is notified.
This MPT processing means 37 is a contract of the reception apparatus 3 stored in advance in the access control descriptor (see FIG. 8) or the conditional access system identification described in the conditional access system descriptor, and the storage means (not shown). The location solution means 38 is notified of the location information of the ECM described in the access control descriptor or the conditional access system descriptor that matches the conditional access system identification (CAS, RMP etc.) set by the etc.
Further, the MPT processing means 37 notifies the location solution means 38 of an asset position (location information) which is an acquisition destination of an asset included in the MPT.

The location solution means 38 performs acquisition control of the control message and the MPU based on the location information notified from the PLT processing means 35, the CAT processing means 36 and the MPT processing means 37.
That is, the location solution means 38 corresponds to the packet ID of MPT notified from the PLT processing means 35, the packet ID of EMM notified from the CAT processing means 36, and the packet ID of ECM or asset obtained from the MPT processing means 37. The MMTP packet filtering means 32 is instructed to extract a packet to be transmitted.
If the location information is location information on the network (a transmission destination address, a transmission destination port (port number)), the location solution unit 38 transmits the designated MMTP packet via the communication control unit (not shown). get. Then, the location solution means 38 outputs the MMTP packet acquired via the communication control means to the MMTP packet filtering means 32.

The key information processing means 39 extracts a scramble key for descrambling the content from the ECM and EMM separated by the control message separation means 34.
Here, the configuration of the key information processing means 39 will be described with reference to FIG. 14 (refer to FIG. 13 as needed). As shown in FIG. 14, the key information processing unit 39 includes a master key storage unit 390, an EMM processing unit 391, and an ECM processing unit 392.

  The master key storage unit 390 stores a unique encryption key (master key Km or device key) assigned to each receiving device 3 in advance. The master key storage unit 390 can be configured by a storage medium such as a general semiconductor memory.

  The EMM processing unit 391 decrypts the EMM with the master key Km stored in the master key storage unit 390, and acquires the work key Kw. The EMM processing means 391 outputs the decrypted work key Kw to the ECM processing means 392.

The ECM processing means 392 decrypts the ECM with the work key Kw decrypted by the EMM processing means 391 to obtain a scramble key Ks. The ECM processing means 392 outputs the decrypted scramble key Ks to the descrambling means 33.
Returning to FIG. 13, the description of the configuration of the receiving device 3 will be continued.

The MPU processing means 40 outputs to the decoding means 41 a set of MPUs having the same asset ID described in the header of the MPU extracted by the MMTP packet filtering means 32 as a unit.
That is, the MPU processing means 40 outputs the MFU contained in the MPU having the same asset ID to the decoding means 41 in asset units.

The decoding unit 41 decodes MPU (MFU) in asset units output from the MPU processing unit 40 in MFU units.
For example, if the MPU is video data, the decoding unit 41 may use H. 2 Decoding is performed by H.265 (HEVC), and if the MPU is audio data, decoding is performed by MPEG4 AAC.
The data thus decoded is output to the outside (display device, speaker, etc.) as reproduced content.

The data processing means 42 acquires IP packets not including MMT from the IP packet filtering means 31 and performs processing of predetermined IP packets.
The process performed by the data processing unit 42 is, for example, a process of acquiring a file or the like necessary for a firmware update engineering service of the reception apparatus 3 as an IP packet and updating the firmware.

  By configuring the receiving device 3 as described above, the receiving device 3 receives scrambled IP packets from the network layer (IP layer) and the media transport layer (MMT layer), Layer data can be descrambled.

«Operation of limited reception system»
Next, the operation of the conditional access system according to the first embodiment of the present invention will be described with reference to FIG. 15 and FIG.
In the following operations, in order to simplify the description, it is described that the control message and the content are serially transmitted and received to operate, but the control message is transmitted and received at the timing generated sequentially. It's too late.

<Operation of transmitter>
First, the operation of the transmission apparatus 1 according to the first embodiment of the present invention will be described with reference to FIG. 15 (see FIG. 5 for the configuration as appropriate). The policy storage unit 15 stores the conditions (policy) for scrambling beforehand as shown in FIG.

  First, when realizing limited reception of content, the transmitting device 1 generates MPT and CAT including position information of key information (ECM, EMM) by the MPT generation means 20 and CAT generation means 21, and generates a control message The generation means 12 generates a control message (step S10).

That is, as shown in FIG. 8, the transmitting apparatus 1 causes the MPT generation means 20 to arrange the key information (ECM) common to the receiving apparatus together with the information for specifying the elements (assets) constituting the package (program) as shown in FIG. Describe the access control descriptor or the conditional access system descriptor including the to generate the MPT.
Further, as shown in FIG. 9, the transmitting apparatus 1 describes an access control descriptor or a conditional access system descriptor including an arrangement location of key information (EMM) specific to the receiving apparatus, as shown in FIG. , CAT to generate.
Then, the transmission device 1 generates a control message by adding unique identification information by the control message generation unit 12 at the timing when the MPT or CAT is generated or at a separately specified arbitrary timing.

  In addition, the transmission device 1 generates common key information (ECM) and individual key information (EMM) as key information for extracting the scramble key in the reception device 3 by the key information generation means 22, and generates control message. A unique message is added by means 12 to generate a control message (step S11).

  Also, the transmitter 1 generates PLT in which the list of MPTs is described by the PLT generation unit 19, and adds unique identification information by the control message generation unit 12 to generate a control message (step S12).

  Then, the transmitting device 1 converts the input content and the control message generated in steps S10 to S12 into an MMTP packet (step S13). That is, the transmitting device 1 encodes (encodes) the content by the encoding unit 10, and the media processing unit (MPU) which is the data processing unit in the MMT is the data encoded by the encoding unit 10 by the MPU generation unit 11. Generate as). Then, the transmitter 1 causes the MMTP packet configuration unit 13 to encapsulate the MPU and the control message generated in steps S10 to S12 into an MMTP packet.

Furthermore, the transmitting device 1 adds each header of the transport layer (TCP / UDP) and the network layer (IP) to the MMTP packet generated in step S13 by the IP packet configuration unit 14 and converts it into an IP packet ( Step S14).
Then, the transmitter 1 determines whether the contents of the TCP / UDP header and the IP header match the policy stored in the policy storage unit 15 by the scramble unit 16 (step S15).

Then, when the contents of each header match the policy (Yes in step S15), the transmitting device 1 further determines whether the scramble target defined in the policy is IP or not by the scramble unit 16 (step S16). .
Here, when the scramble target is IP (Yes in step S16), the transmitting device 1 scrambles the IP payload by the scramble method defined in the policy by the scramble unit 16 (step S17).

  Then, the transmitting device 1 adds the ESP header to the IP header by the packet reconstruction means 17, and scramble control information indicating scramble control information and a scramble scheme identification for identifying the scramble scheme as scramble information. , And ESP header (step S18). At this time, the scrambling control information and the scrambling scheme identification may be combined and assigned to one identifier, and may be set in the ESP header using that identifier.

On the other hand, when the scramble target is not the IP (No in step S16), the transmitting device 1 further determines, by the scramble unit 16, whether the scramble target defined in the policy is the MMT (step S19).
Here, when the scramble target is MMT (Yes in step S19), the transmitter 1 scrambles the MMTP payload area (more specifically, the data part of the area) by the scramble means 16 by the scramble. It scrambles by a system (step S20).

  Then, the transmitter 1 sets the scramble control information indicating presence / absence of scramble and the scramble method identification for identifying the scramble method in the MMTP header as scramble information by the packet reconstruction unit 17 (step S21). .

Then, the transmitter 1 transmits the IP packet scrambled in the IP layer in step S18, the IP packet scrambled in the MMT layer in step S21 by the data transmission means 18, or the content of the header in step S15 and step S19 The IP packet not scrambled without being matched is transmitted to the receiving device 3 by broadcast or communication (step S22).
By the above operation, the transmitting device 1 can perform individual scrambling on each data of the IP layer and the MMT layer.

<Operation of Receiver>
Next, the operation of the reception device 3 according to the first embodiment of the present invention will be described with reference to FIG. 16 (refer to FIG. 13 as needed for the configuration).

First, the receiving apparatus 3 separates PLT from the control message received via the data receiving means 30 and extracted via the IP packet filtering means 31 and the MMTP packet filtering means 32 by the control message separating means 34. (Step S30).
Also, similarly, the receiving device 3 separates MPT and CAT by the control message separating means 34 (step S31).

Then, the receiving device 3 extracts position information (location information) of the key information (ECM, EMM) by the MPT processing means 37 and the CAT processing means 36 (step S32).
That is, the receiving device 3 extracts position information of ECM from the MPT by the MPT processing means 37. Further, the receiving device 3 extracts the position information of the EMM from the CAT by the CAT processing means 36.

Also, the receiving device 3 filters the control message corresponding to the position information (packet ID) of the key information extracted in step S32 according to the instruction of the location solution means 38 by the MMTP packet filtering means 32, and the control message separation means 34 separate the ECM and the EMM (step S33).
Then, the reception device 3 extracts the scramble key for descrambling the content from the ECM and EMM separated in step S33 by the key information processing means 39 (step S34).

When the receiving device 3 receives an IP packet via the data receiving means 30, the IP packet filtering means 31 sets it in the ESP header (see FIG. 7A) added to the IP header. It is determined whether or not the IP payload area is scrambled by the scramble control information (step S35).
Here, when the IP payload is scrambled (Yes in step S35), the receiver 3 scrambles the ESP header with the scramble key Ks associated with the scramble control information by the descrambling means 33. The descrambling is performed by the method (step S36).
When the IP payload is not scrambled (No in step S35), the receiving device 3 proceeds the operation to step S37.

Furthermore, the receiver 3 is the scramble control information set in the MMTP header (see FIG. 7 (b)) by the MMTP packet filtering means 32, and the payload area of the MMT (more specifically, the data section of the area). Is judged whether or not it is scrambled (step S37).
Here, when the MMTP payload area is scrambled (Yes in step S37), the receiver 3 is set in the MMTP header by the descrambling means 33 with the scramble key Ks associated with the scramble control information. The descrambling is performed by the scrambling method (step S38).
When the MMTP payload area is not scrambled (No in step S37), the receiving device 3 proceeds the operation to step S39.

  Then, the receiving device 3 causes the MPU processing means 40 to acquire the MPU constituting the asset for each asset from the MMTP packet filtering means 32, and reproduces the content by decoding by the decoding means 41 (step S39).

By the above operation, the receiving device 3 can descramble individually scrambled data for the IP layer and the MMT layer.
The configurations and operations of the conditional access system S, the transmitter 1 and the receiver 3 according to the first embodiment of the present invention have been described above, but the present invention can be implemented with various modifications of this embodiment.

(Modification 1)
For example, an example has been described here in which the transmitting device 1 sets the scrambling method in the policy storage unit 15 and selects one of a plurality of scrambling methods.
However, this scrambling scheme may use one predetermined scrambling scheme.
In that case, the “scramble method” is omitted from the policy stored in the policy storage unit 15 of the transmission device 1.
Then, the scrambler 16 scrambles according to a predetermined scramble method. At this time, the packet reconstruction unit 17 does not set "scramble scheme identification" among the information set in each header shown in FIG.

  Further, in the receiving device 3, if the IP packet filtering means 31 or the MMTP packet filtering means 32 does not refer to the "scramble system identification" of the header, the descrambling means 33 carries out the descrambling in a predetermined scramble system. Good.

(Modification 2)
Here, although the scrambling method identification is set in the header of the IP packet and the header (ESP header, MMTP header) of the MMTP packet, this information is not set in each packet, and further higher It is good also as setting by a layer.
For example, as shown in FIG. 17, a scrambling method descriptor is added to MPT, and as shown in FIG. 18, a scrambling method descriptor is added to CAT.

The “scramble scheme descriptor” is a descriptor in which information on scramble is set, and includes, for example, layer identification, scramble scheme identification and the like.
Here, “layer identification” is information indicating which layer of IP or MMT is to be scrambled.
Also, “scramble scheme identification” is information for identifying a scramble scheme (encryption scheme).
Note that this scrambling method descriptor may be set for each asset as shown in FIG. 17 (a), or as shown in FIG. 17 (b), the number of assets according to the number (N) of assets. The information may be set in units of packages by being set higher.
Also, as shown in FIG. 18, the scrambling scheme descriptor may be set in the CAT.

As described above, in order to set the scramble method descriptor in the MPT and the CAT, the MPT generation unit 20 and the CAT generation unit 21 may be operated as follows in the transmission device 1 of FIG.
That is, the MPT generation means 20 refers to the policy storage means 15, and the network layer (IP) or the media transport layer (MMT) is the scramble target, and if the scramble method is set, the MPT scrambles the MPT. Set the descriptor.

  If the scrambling method is set for each asset ID in the policy storage means 15, the MPT generation means 20 sets the scrambling method descriptor for each asset as shown in FIG. 17 (a). Do. Further, in the policy storage means 15, if the scramble method is not set for each asset ID, the MPT generation means 20 sets the scramble method descriptor in units of packages as shown in FIG. 17 (b). .

  Further, in the case where the specific MMT scramble condition is not set in the policy storage means 15 and the same scramble method is set, the CAT generation means 21 is, as shown in FIG. Set

In this case, in the receiving apparatus 3 of FIG. 13, when it is recognized in the CAT processing means 36 or the MPT processing means 37 that the scrambling method descriptor is set in the CAT or MPT, it is specified by the scrambling method descriptor. The content (layer identification to be scrambled, identification of scrambling method, etc.) may be notified to the IP packet filtering unit 31 or the MMTP packet filtering unit 32.
In addition, when the transmitting device 1 and the receiving device 3 are configured as the second modification, each configuration transmits / receives data or refers to data in the relationship shown by dotted lines in FIGS. 5 and 13.

<< Limited Reception System: Second Embodiment >>
Next, a conditional access system according to a second embodiment of the present invention will be described.
The conditional access system according to the second embodiment further has a function of updating an initial value used in a scrambling code utilization mode with respect to the conditional access system S described with reference to FIG. In the conditional access system according to the second embodiment, the transmitting device 1 and the receiving device 3 of the conditional access system S described in FIG. 1 are respectively added to the transmitting device 1B (FIG. 23) and the receiving device 3B (FIG. 25). Replace and configure.

(Overview of Cryptographic Usage Mode)
First, before describing the configurations of the transmission device 1B and the reception device 3B, an overview of the encryption usage mode will be described with reference to FIGS.
The block cipher modes of operation is a method of encrypting data longer than a block length using a common key block cipher.
The cipher use mode is, for example, a CBC (Cipher Block Chaining) mode shown in FIG. 19, a CFB (Cipher Feed Back Back) mode shown in FIG. 20, an OFB (Output Feed Back) mode shown in FIG. Counter) mode etc.

In the CBC mode (see FIG. 19), an XOR operation (exclusive OR) of the result of encrypting the previous plaintext block and the next plaintext block is performed, and the result is used as the encryption key key (scramble key of the present invention). Correspondingly, the operation of generating the next encrypted block is sequentially performed by the number of plaintext blocks.
In the CBC mode, an initial vector (IV: Initial Vector) given from the outside is used as a value to be XORed with the first plaintext block.

  In the CFB mode (see FIG. 20), the encryption corresponding to the next plaintext block is performed by XORing the result of encrypting the encryption block corresponding to the previous plaintext block with the encryption key key and the next plaintext block. The operation of generating blocks is sequentially performed by the number of plaintext blocks. In the CFB mode, as a value to be XORed with the first plaintext block, a result obtained by encrypting an externally applied initial vector with the encryption key key is used.

  In the OFB mode (see FIG. 21), an encrypted block is generated by performing an XOR operation on the plaintext block and the result of encrypting the externally applied initial vector with the encryption key key, and the encrypted block is previously encrypted using the encryption key key An operation of generating the next encrypted block by XORing the result and the next plaintext block is sequentially performed for the number of plaintext blocks.

  In the CTR mode (see FIG. 22), an encrypted block is generated by performing an XOR operation on a plaintext block and a result of encrypting an externally supplied counter initial value with an encryption key key. Then, in the CTR mode, for the subsequent plaintext blocks, an encrypted block is generated by performing an XOR operation on a value obtained by sequentially incrementing (+1) the initial counter value with the encryption key key and encrypting the value.

  In general, it is preferable that the initial vector used in the CBC mode or the CFB mode is unpredictable from the viewpoint of safety. Further, in the case of using the same encryption key from the viewpoint of security, it is preferable to use different values for the initial vector used in the OFB mode and the counter initial value used in the CTR mode. In the scrambler 16 (FIG. 5) and the descrambler 33 (FIG. 13) described in the first embodiment, when using the encryption mode as the scramble method (encryption method), the initial vector and counter initial value are used. It will be set as a predetermined fixed value.

Therefore, in addition to the function of the conditional access system of the first embodiment, the present invention uses an encryption vector mode to scramble contents, an initial vector and an initial value of the counter (hereinafter referred to as an initial value) as arbitrary timings. Will be updated at.
Hereinafter, the transmission device 1B and the reception device 3B which can update the initial value of the encryption mode will be sequentially described.

<Configuration of Transmission Device>
First, the configuration of a transmission apparatus 1B according to the second embodiment of the present invention will be described with reference to FIG.

  The transmitting apparatus 1 B performs processing for appropriately scrambling the MMT layer and the IP layer when converting the content into an MMTP packet and converting it into an IP packet for transmission. In addition, the transmitter 1B has a function of updating an initial value used in the encryption mode at an arbitrary timing when performing scrambling.

Here, the transmitting apparatus 1B includes the encoding unit 10, the MPU generation unit 11, the control message generation unit 12, the MMTP packet configuration unit 13, the IP packet configuration unit 14, the policy storage unit 15, and the scramble unit 16B. A packet reconfiguring unit 17B, a data transmitting unit 18, a PLT generating unit 19, an MPT generating unit 20, a CAT generating unit 21, a key information generating unit 22, and an initial value generating unit 23.
The configuration other than the scrambler 16B, the packet reconstruction unit 17B, and the initial value generation unit 23 is the same as that of the transmission apparatus 1 described with reference to FIG.

The scrambler 16B refers to the policy stored in the policy storage unit 15 to determine the target of scrambling for the IP packet generated by the IP packet construction unit 14, and scrambles the target. And has the same function as the scramble means 16 described in FIG.
Here, the scrambler 16 B uses the initial value generated by the initial value generator 23 as an initial value of the encryption mode when performing scrambling. The scrambler 16B does not necessarily have to use all the initial value values, and may be part of a predetermined initial value.
The scrambler 16 B updates the initial value to be used at the timing when the initial value is notified from the initial value generator 23.

  The packet reconstruction means (header setting means) 17B adds a header to the payload area scrambled by the scramble means 16B to reconstruct an IP packet, and is the same as the packet reconstruction means 17 described in FIG. It has a function.

Furthermore, the packet reconstruction unit 17B has a function of embedding the initial value information notified from the initial value generation unit 23 in the header of the payload area scrambled by the scramble unit 16B.
Specifically, as shown in FIG. 24A, when the scramble target is IP, the packet reconstruction unit 17B inserts an ESP header between the IP header and the TCP / UDP header, and the ESP header And embed the scramble control information, the scramble system identification, and the initial value information.
The “scramble control information” and the “scramble scheme identification” are the same as in FIG.
The “initial value information” may be information that identifies which of the initial value itself or an initial value prepared in advance is to be used. Also, it may be a seed necessary to generate an initial value by a predetermined algorithm. When the initial value information is identification information of the initial value or a seed for generating the initial value, information for correlating the initial value with the identification information of the initial value is separately controlled, and information for specifying the generation algorithm of the initial value is separately controlled It shall be specified by a message etc.

Also, when the scramble target is the MMT, the packet reconstruction unit 17B sets various information related to the scramble in the MMTP header.
Specifically, as shown in FIG. 24B, the packet reconstruction unit 17B embeds the scramble control information, the scramble method identification, and the initial value information in the MMTP header.
Note that these embedded data are the same as the data described in FIG. 24A, and only the scramble target is different, so the description will be omitted.

The initial value generation unit 23 generates an initial value of the encryption use mode of scrambling performed by the scramble unit 16B.
The initial value generation unit 23 generates an initial value at a constant cycle or at a timing instructed from the outside. For example, the initial value generation unit 23 generates an initial value by using random numbers.
Then, the initial value generation unit 23 outputs the generated initial value to the scramble unit 16B, and outputs the initial value information to the packet reconstruction unit 17B. When the initial value information is used as the identification information of the initial value, the initial value generation unit 23 outputs information in which the initial value and the initial value identification information are associated to the control message generation unit 12, and the control message generation unit Let 12 generate a control message.

  As described above, by configuring the transmitting device 1B, the transmitting device 1B scrambles the contents and data with respect to the network layer (IP layer) and the media transport layer (MMT layer) according to the policy. At the time of application, since the initial value of the encryption usage mode can be appropriately updated, the security of data transmitted by broadcasting or communication can be enhanced.

<Configuration of Receiver>
Next, the configuration of the reception device 3B according to the second embodiment of the present invention will be described with reference to FIG.

  The receiving device 3B receives the content obtained by converting the MMTP packet into an IP packet via the broadcast wave W or the communication line N, descrambles the protected scrambled data, and makes the content available (such as video reproduction). It is a thing. Further, the receiving device 3B has a function of performing descrambling in the encryption mode using the initial value (initial vector or counter initial value) updated by the transmitting device 1B.

Here, the receiving apparatus 3B includes a data receiving unit 30, an IP packet filtering unit 31B, an MMTP packet filtering unit 32B, a descrambling unit 33B, a control message separating unit 34, a PLT processing unit 35, and a CAT processing unit. 36, MPT processing means 37, location solution means 38, key information processing means 39, MPU processing means 40, decoding means 41, and data processing means 42.
The configuration other than the IP packet filtering unit 31B, the MMTP packet filtering unit 32B, and the descrambling unit 33B is the same as that of the receiving apparatus 3 described with reference to FIG.

  The IP packet filtering unit 31B analyzes the header of the IP packet received by the data receiving unit 30, and distributes the packet, and has the same function as the IP packet filtering unit 31 described with reference to FIG.

Furthermore, if the IP packet filtering unit 31 B determines that the initial value of the encryption usage mode is set by the initial value information (see FIG. 24A) of the ESP header added to the IP header, the EPS header Has a function of notifying the descrambling means 33B of the initial value information added to.
Thus, the IP packet filtering unit 31B can notify the descrambling unit 33B that the IP payload is scrambled, using the initial value of the encryption usage mode specified by the initial value information.

  The MMTP packet filtering unit 32 B analyzes the header of the MMTP packet filtered by the IP packet filtering unit 31 and distributes the packets, and has the same function as the MMTP packet filtering unit 32 described in FIG.

Furthermore, when the MMTP packet filtering unit 32B determines that the initial value of the encryption usage mode is set by the initial value information (see FIG. 24B) of the MMTP header, the initial value added to the MMTP header It has a function of notifying information to the descrambling means 33B.
As a result, the MMTP packet filtering unit 32B can use the initial value of the encryption usage mode specified by the initial value information to scramble the MMT payload area (more specifically, the data portion of the area). , Descrambling means 33B can be notified.

The descrambling means 33B descrambles the scrambled data, and has the same function as the descrambling means 33 described in FIG.
Furthermore, when an initial value is notified as initial value information from the IP packet filtering unit 31B or the MMTP packet filtering unit 32B, the descrambling unit 33B performs descrambling using the notified initial value.
By this, the descrambling means 33B can correctly perform descrambling using the same initial value as the initial value of the encryption mode used by the scrambling means 16B (see FIG. 23) of the transmitter 1.

  Note that when information associating an initial value with identification information of an initial value, an algorithm for generating an initial value, etc. is notified by a control message, the descrambling means 33B acquires the information from the control message separating means 34, The descrambling is performed using a predetermined initial value corresponding to the identification information or an initial value generated by a predetermined generation algorithm. In addition, the descrambling means 33B need not necessarily use all the initial value values, and may be part of a predetermined initial value. In this case, which part of the initial value is to be used is known information from the scrambler.

  By configuring the receiving device 3B as described above, the receiving device 3B acquires the initial value as control information when performing scrambling by updating the initial value of the encryption usage mode in the transmitting device 1B. , Descrambling can be done. As a result, the receiving device 3B can appropriately update the initial value of the encryption mode, so that the security of data transmitted by broadcasting or communication can be improved.

The configurations of the transmitting device 1B and the receiving device 3B constituting the conditional access system according to the second embodiment of the present invention have been described above.
The basic operation of the conditional access system according to the second embodiment is the same as the operation of the conditional access system of the first embodiment described with reference to FIGS. In the conditional access system according to the second embodiment, the initial value of the encryption usage mode is transmitted, and information for identifying the initial value is set in the headers of the IP layer and the MMT layer. Since it is only different from the system, detailed description is omitted here.

Here, although it is assumed that initial value information is set in the header of the IP packet and the header (ESP header, MMTP header) of the MMTP packet, this information is described in (Modification 2) of the first embodiment. As described above, the packet may be set in a layer higher than the packet without being set in each packet.
In that case, the scrambling scheme descriptor of the MPT shown in FIG. 17 and the CAT shown in FIG. 18 may be replaced with the scrambling scheme descriptor shown in FIG.
In FIG. 26 (a), initial value information is newly added to the scramble method descriptor of FIG. 17 and FIG.

  Then, when the receiving device 3B recognizes that the scrambling method descriptor is set in the CAT or MPT in the CAT processing means 36 or the MPT processing means 37, the content specified by the scrambling method descriptor (scramble target) , Scrambling method identification, initial value information, etc.) may be notified to the IP packet filtering unit 31B and the MMTP packet filtering unit 32B.

  Furthermore, as described in (Modification 1) of the first embodiment, the transmission device 1B may use one predetermined scrambling scheme. In this case, as shown in FIG. 26 (b), the scrambling method identification may be omitted from FIG. 26 (a).

<< Limited Reception System: Third Embodiment >>
Next, a conditional access system according to a third embodiment of the present invention will be described.
The conditional access system according to the third embodiment further has a tampering detection function for data of the IP layer and the MMT layer with respect to the conditional access system S described with reference to FIG. In the conditional access system according to the third embodiment, the transmitting device 1 and the receiving device 3 of the conditional access system S described in FIG. 1 are respectively added to the transmitting device 1C (FIG. 27) and the receiving device 3C (FIG. 31). Replace and configure.

<Configuration of Transmission Device>
First, the configuration of a transmission apparatus 1C according to a third embodiment of the present invention will be described with reference to FIG.

  The transmitting apparatus 1C performs processing for appropriately scrambling the MMT layer and the IP layer when converting the content into an MMTP packet and converting it into an IP packet for transmission. In addition, the transmitter 1C has a function of adding authentication data (message authentication data) to the MMT layer and the IP layer.

Here, the transmitter 1 C includes the encoding unit 10, the MPU generation unit 11, the control message generation unit 12, the MMTP packet configuration unit 13, the IP packet configuration unit 14, the policy storage unit 15 C, and the scramble unit 16. And packet transmitting means 17C, data transmitting means 18, PLT generating means 19, MPT generating means 20, CAT generating means 21, key information generating means 22C, and message authentication data giving means 24.
The configurations other than the policy storage unit 15C, the packet reconstruction unit 17C, the key information generation unit 22C, and the message authentication data attachment unit 24 are the same as those of the transmission apparatus 1 described in FIG. I omit explanation.

The policy storage unit 15C stores the condition (policy) for scrambling for two different layers of the IP layer and the MMT layer, and the same information as the policy storage unit 15 described in FIG. Remember.
Furthermore, the policy storage unit 15C stores an authentication method (message authentication method) in addition to the scramble condition. Among the policies stored in the policy storage unit 15C, the message authentication method is referred to by the packet reconstruction unit 17C, and the target of the message authentication data and the message authentication method are determined.

Here, with reference to FIG. 28, an example of the policy stored in the policy storage unit 15C will be described.
In FIG. 28, “IP Ver”, “transmission destination address”, “transmission source address”, “transmission destination port”, “transmission source port”, as conditions (policy) for performing scrambling and authentication (message authentication), An example in which a plurality of “transport layer protocol”, “scramble authentication target”, “MMT scramble authentication condition”, “scramble method (encryption method)”, and “message authentication method” are set is shown. The information other than the “scramble authentication target”, the “MMT scramble authentication condition”, and the “message authentication method” is the same as the information described in FIG.

  “Scramble authentication target” indicates an area to be subjected to scramble / message authentication on the IP packet. Here, it is shown whether scrambling / message authentication is performed at the network layer level (IP) or scramble / message authentication is performed at the media transport layer level (MMT) as the scramble / message authentication target.

  The “MMT scramble authentication condition” indicates a detailed condition as to which asset the scramble / message authentication is to be performed, when the scramble / message authentication target is the media transport layer. That is, if the “MMT scramble authentication condition” is set, the MMT becomes a scramble / message authentication target in asset units.

The “message authentication method” indicates the type of the message authentication method when giving message authentication data to the IP layer or the MMT layer.
For this "message authentication method", a general message authentication method may be set. For example, HMAC-SHA-1 (Keyed Hashing for Message Authentication Code-SHA-1), HMAC-SHA-256, etc. that perform message authentication using a common key (authentication key).
In the example of FIG. 28, among the IP packets transmitted by IPv4, the UDP IP packet transmitted with the transmission destination port “3300” and the transmission source port “3000” uses the payload data of the IP layer as a message. It means that the message authentication data is given by HMAC-SHA-1 as an authentication target.
Here, although the scramble target and the message authentication target are the same target, they may be different targets. For example, the scramble target is set to the IP layer, and the message authentication target is set to the MMT layer.

The packet reconstruction means (header setting means) 17C adds a header to the payload area scrambled by the scramble means 16 to reconstruct an IP packet.
Furthermore, the packet reconfiguring means 17C refers to the policy stored in the policy storage means 15 and determines the version of IP set in the IP packet, the destination address, the source address, the destination port, the source port In accordance with the transport layer protocol, the message authentication target and the message authentication method are specified, and the information is set in the header.
That is, when the scramble target or the authentication target is IP, the packet reconstruction means 17C extends an ESP (IP encrypted payload: Encapsulated Security Payload) header used in general IPsec (Security Architecture for IP). , Information related to scrambling and information related to message authentication.

  Specifically, as shown in FIG. 29 (a), the packet reconstruction means 17C inserts an ESP header between the IP header and the TCP / UDP header, and scramble control information and scrambling method are included in the ESP header. Embed identification, message authentication control information, message authentication method identification.

The “scramble control information” and the “scramble scheme identification” are the same as in FIG.
“Message authentication control information (message authentication control bit)” indicates whether or not to add message authentication data. Also, it may indicate information identifying the authentication key.
“Message authentication scheme identification” indicates information for identifying a message authentication scheme when authenticating an IP.

Also, when the message authentication target is the MMT, the packet reconstruction unit 17C sets various information related to the message authentication in the MMTP header.
Specifically, as shown in FIG. 29 (b), the packet reconstruction means 17C embeds scramble control information, scramble method identification, message authentication control information, and message authentication method identification in the MMTP header.
These pieces of embedded data are the same as the data described in FIG. 29 (a), except for the scramble target.

Also, if the message authentication target is both IP and MMT as shown in FIG. 29 (c), the packet reconstruction means 17C processes both the ESP header and the MMTP header as shown in FIGS. 29 (a) and 29 (b). Embed the same data as.
Here, the packet reconstruction unit 17C sets information related to scrambling and information related to message authentication in the header, but a unique identifier in which information related to scramble and information related to message authentication are associated. By specifying in the header, specific contents may be indicated.

The key information generation unit 22C generates a scramble key for scrambling the content and, as key information for extracting the scramble key in the receiving device 3C, common key information (ECM) common to the receiving device and the receiving device specific It generates individual key information (EMM). Furthermore, the key information generation means 22C also manages an authentication key which is a key at the time of giving message authentication data according to a predetermined message authentication method.
Here, the reason for generating message authentication data using an authentication key is as follows.
That is, in the case of performing authentication using only the hash function (message digest), data is falsified during transmission, and when new authentication data is added using the same hash function, falsification detection can not be performed. Therefore, in the present invention, in consideration of transmission by communication, in order to prevent an intermediate attack, message authentication data is generated using an authentication key.

Here, the configuration of the key information generation unit 22C will be described with reference to FIG. As shown in FIG. 30, the key information generation unit 22C includes a scramble key generation unit 220, a work key generation unit 221, an ECM generation unit 222, a master key storage unit 223, an EMM generation unit 224, and an authentication key management. And means 225.
The configuration other than the authentication key management means 225 is the same as that of the key information generation means 22 described with reference to FIG.

The authentication key management means 225 manages (stores) the authentication key in advance.
The authentication key management unit 225 notifies the message authentication data application unit 24 of the authentication key Ka when requested by the message authentication data application unit 24. Further, when managing a plurality of authentication keys, the authentication key management means 225 responds to the authentication key Ka associated with the identification information when there is a request from the message authentication data addition means 24 including the identification information of the key. I decided to.
Returning to FIG. 27, the description of the configuration of the transmission device 1C will be continued.

The message authentication data giving means (authentication data giving means) 24 gives the message authentication data to the IP layer and / or the MMT layer for the IP packet whose information is set in each header by the packet reconstruction means 17C. is there.
Here, the message authentication data attachment means 24 refers to the message authentication control information set in the header of each layer (IP layer, MMT layer), and when information to which message authentication data is added is set, Assign message authentication data to each layer.
At this time, the message authentication data giving unit 24 uses the authentication key Ka managed by the authentication key management unit 225 (see FIG. 30) of the key information generation unit 22C, and uses the message authentication method set in the header of each layer. Generate message authentication data. When the message authentication control information set in the header of each layer includes the key identification information, the message authentication data appending means 24 performs message authentication using the authentication key Ka corresponding to the identification information. Generate data.

In addition, when the message authentication data appending means 24 sets the IP layer as the authentication range, as shown in FIG. 29 (a), the message authentication data (IP) is applied to data after the ESP header added behind the IP header. Grant message authentication data).
Further, when the MMT layer is set as the authentication range, the message authentication data addition means 24 adds message authentication data (MMT message authentication data) to data after the MMTP header as shown in FIG. 29 (b).

When the message authentication data giving means 24 gives message authentication data to both the IP layer and the MMT layer, as shown in FIG. 29 (c), the message authentication data giving means 24 first gives the message authentication data to the MMT layer. , Attach message authentication data to the IP layer.
Thus, it goes without saying that the message authentication data adding means 24 updates the packet length in the IP header when the message authentication data is added.

  As described above, by configuring the transmitting device 1C, the transmitting device 1C scrambles the contents and data with respect to the network layer (IP layer) and the media transport layer (MMT layer) according to the policy. As well as being able to provide message authentication data. Thus, the transmission device 1C can cause the reception device to detect tampering of content and data.

<Configuration of Receiver>
Next, the configuration of a reception device 3C according to the third embodiment of the present invention will be described with reference to FIG.

  The receiving device 3C receives the content obtained by converting the MMTP packet into an IP packet through the broadcast wave W or the communication line N, and descrambles the protected scrambled data to make the content available (such as video reproduction). It is a thing. Further, the receiving device 3C has a function of detecting falsification of data for performing data authentication of the layer to which the message authentication data is added by the transmitting device 1C.

Here, the receiving apparatus 3C includes a data receiving unit 30, an IP packet filtering unit 31C, an MMTP packet filtering unit 32C, a descrambling unit 33, a control message separating unit 34, a PLT processing unit 35, and a CAT processing unit. 36, MPT processing means 37, location solution means 38, key information processing means 39, MPU processing means 40, decoding means 41, data processing means 42, and message authentication means 43.
The configuration other than the IP packet filtering unit 31C, the MMTP packet filtering unit 32C, and the message authentication unit 43 is the same as that of the receiving apparatus 3 described with reference to FIG.

  The IP packet filtering unit 31C analyzes the header of the IP packet received by the data receiving unit 30, and distributes the packet, and has the same function as the IP packet filtering unit 31 described in FIG.

Furthermore, if the IP packet filtering unit 31 C determines that the message authentication data is added by the message authentication control information (see FIG. 29A) of the ESP header added to the IP header, the message authentication data is Message authentication means 43 authenticates the assigned IP packet.
At this time, the IP packet filtering means 31C notifies the message authentication means 43 of the message authentication method identification (see FIG. 29A) set in the ESP header, thereby using the same message authentication method as the transmitter 1C. Message authentication can be performed.
When tampering is detected by message authentication, the IP packet filtering unit 31C discards the IP packet.

  The MMTP packet filtering unit 32C analyzes the header of the MMTP packet filtered by the IP packet filtering unit 31C and distributes the packets, and has the same function as the MMTP packet filtering unit 32 described in FIG.

Furthermore, when the MMTP packet filtering unit 32 C determines that the message authentication data is attached by the message authentication control information (see FIG. 29B) of the MMTP header, the MMTP packet to which the message authentication data is attached is It is made to authenticate in the message authentication means 43.
At this time, the MMTP packet filtering unit 32C notifies the message authentication unit 43 of the message authentication method identification (see FIG. 29B) set in the MMTP header, thereby performing authentication by the same authentication method as the transmitter 1C. Can be done.
When tampering is detected by message authentication, the MMTP packet filtering unit 32C discards the IP packet including the MMTP packet.

The message authentication means 43 authenticates the data to which the message authentication data is attached.
When the message authentication means 43 is instructed by the IP packet filtering means 31C or the MMTP packet filtering means 32C to perform message authentication, the message authentication method identification corresponding to the instructed message authentication method identification is performed in advance. Are acquired from storage means (not shown) storing the authentication key corresponding to the message authentication method of the IP layer or MMT layer according to the instructed message authentication method.
The message authentication unit 43 notifies the IP packet filtering unit 31C or the MMTP packet filtering unit 32C that requested authentication.

  As described above, by configuring the receiving device 3C, in the transmitting device 1C, when the message authentication data is added to the IP layer or the MMT layer in the transmitting device 1C, the data is transmitted by the same authentication method as the transmitting device 1C. Authentication can be performed. As a result, the receiving device 3C can detect the falsification of data, so that the security of data transmitted by broadcast or communication can be enhanced.

The configurations of the transmission device 1C and the reception device 3C that configure the conditional access system according to the third embodiment of the present invention have been described above.
The basic operation of the conditional access system according to the third embodiment is the same as the operation of the conditional access system of the first embodiment described with reference to FIGS. In the conditional access system according to the third embodiment, information (message authentication control information and message authentication method identification) related to message authentication is further set in step S18 and step S21 of FIG. Give data. Also, the receiving device 3C authenticates the message authentication data before step S35. The other operations are basically the same as in the first embodiment, and thus detailed description will be omitted.

In this case, information (message authentication control information, message authentication method identification) related to message authentication is set in the header of the IP packet and the header of the MMTP packet (ESP header, MMTP header). As described in the second modification of the first embodiment, the packet may be set in a higher layer without being set in each packet.
In that case, the scrambling scheme descriptor of the MPT shown in FIG. 17 and the CAT shown in FIG. 18 may be replaced with the scrambling scheme descriptor shown in FIG.
32 (a) shows the presence or absence of message authentication, authentication key identification information (corresponding to message authentication control information), and message authentication method identification with respect to the scramble method descriptor in FIGS. 17 (a) and 17 (b). It is newly added.
Furthermore, as described in the first modification of the first embodiment, the transmission apparatus 1C may use one predetermined scrambling scheme. In that case, as shown in FIG. 32 (b), the scrambling method identification may be omitted from FIG. 32 (a).

In the conditional access system according to the third embodiment, a function may be added to update the initial value of the scrambling method in the conditional access system of the second embodiment. That is, even if transmitting apparatus 1C of FIG. 27 is provided with initial value generating means 23 described in FIG. 23, descrambling means 33 of receiving apparatus 3C of FIG. 31 performs descrambling using the notified initial value. Good.
At that time, instead of setting information related to message authentication (message authentication control information and message authentication method identification) and initial value information in the header of the IP packet and the header of the MMTP packet (ESP header and MMTP header), It may be set in the upper layer.
For example, the scrambling method descriptor of the MPT shown in FIG. 17 and the CAT shown in FIG. 18 may be replaced with the scrambling method descriptor shown in FIG. 32 (c).

  In this case, in the receiving apparatus 3C of FIG. 31, when the CAT processing means 36 or the MPT processing means 37 recognizes that the scrambling method descriptor is set to CAT or MPT, it is specified by the scrambling method descriptor. The content (message authentication control information, message authentication method identification, etc.) may be notified to the IP packet filtering unit 31C or the MMTP packet filtering unit 32C.

  In the third embodiment, the information related to message authentication may be separately set as a descriptor (message authentication method descriptor) different from the scrambling method descriptor. This message authentication scheme descriptor can be, for example, the data structure of FIG. In addition, since each data of a message authentication system descriptor is the same as the data of FIG. 32, description is abbreviate | omitted.

In this case, the transmitter 1C in FIG. 27 may set the message authentication method descriptor shown in FIG. 33 in the MPT (eg, FIG. 17) in the MPT generation means 20. In addition, the transmission apparatus 1C may set the message authentication method descriptor shown in FIG. 33 in the CAT (for example, FIG. 18) in the CAT generation means 21.
When the receiving apparatus 3C shown in FIG. 31 recognizes in the CAT processing means 36 or the MPT processing means 37 that the message authentication method descriptor is set to CAT or MPT, it is specified by the message authentication method descriptor. Contents (message authentication control information, message authentication method identification, etc.) may be notified to the IP packet filtering means 31C and the MMTP packet filtering means 32C.

S conditional access system 1 transmitting device 10 encoding means 11 MPU generation means 12 control message generation means 13 MMTP packet forming means 14 IP packet forming means 15 policy storage means 16 scrambling means 17 packet reconfiguring means (header setting means)
18 Data Transmission Means 19 PLT Generation Means (Package List Generation Means)
20 MPT generation means (MMT package table generation means)
21 CAT generation means (limited reception table generation means)
22 key information generation means 23 initial value generation means 24 message authentication data giving means (authentication data giving means)
Reference Signs List 3 receiver 30 data receiving means 31 IP packet filtering means 32 MMTP packet filtering means 33 descrambling means 34 control message separating means 35 PLT processing means (package list processing means)
36 CAT processing means (limited reception table processing means)
37 MPT processing means (MMT package table processing means)
38 location analysis means 39 key information processing means 40 MPU processing means 41 decoding means 42 data processing means 43 message authentication means (authentication means)

Claims (3)

In a transmitting apparatus that converts content into IP packets using MMT (MPEG Media Transport) and transmits
MMT package table generation means for generating an MMT package table, which is table information specifying location information specifying the location of common key information common to the receiving apparatus in which the scramble key is encrypted with a work key;
Limited reception table generation means for generating a limited reception table, which is table information specifying position information for specifying the location of individual key information encrypted by an individual encryption key for each predetermined reception apparatus for the work key;
MMTP packet forming means for forming the content as an MMTP packet of an MMT layer;
IP packet forming means for forming the MMTP packet as an IP packet of an IP layer;
Scramble means for scrambling the payload area of the IP packet or the payload area of the MMTP packet with the scramble key based on a predetermined scramble target and a policy indicating a scramble method;
Header setting means for setting scrambling control information indicating presence / absence of scrambling in a header portion of a layer to be scrambled;
The header setting means embeds a scrambling method identification indicating the scrambling method in the header portion of the layer to be scrambled, or the MMT package table generating means indicates a layer identification indicating the layer to be scrambled and the scrambling method A transmitting apparatus characterized in that processing of embedding control information including identification in the MMT package table or processing of embedding the control information in the conditional access table is performed by the conditional access table generating means. In a receiver for receiving IP packetized content using MMT (MPEG Media Transport),
The MMT package table, which is table information specifying location information specifying the location of common key information common to the receiving apparatus common to the receiving apparatus obtained by encrypting the scramble key scrambled with the work key, is received, and the position information of the common key information MMT package table processing means to extract;
A limited reception table is received, which is a table information specifying position information for specifying the location of individual key information encrypted by an individual encryption key for each reception apparatus in which the work key is predetermined, and the position information of the individual key information Conditional access table processing means for extracting
Key information processing means for extracting the scramble key from the common key information and the individual key information acquired based on the extracted position information;
Descrambling means for descrambling scrambled data with the scrambling key using a designated scrambling scheme;
IP packet filtering means for descrambling the payload area of the IP packet by the descrambling means and designating the scrambling method when the IP layer is scrambled, and for extracting the MMTP packet;
And MMTP packet filtering means for descrambling the payload area of the MMTP packet by the descrambling means and designating the scrambling method when the MMT layer is to be scrambled, and for extracting the contents.
When the IP packet filtering means includes control information including a layer identification indicating that the scramble target is an IP layer and a scrambling scheme identification indicating a scrambling scheme in the conditional access table or the MMT package table, or And a scramble control information indicating that the header immediately before the payload of the IP packet is scrambled and the scramble method identification in the scramble method specified in the scramble method identification when the scramble method identification is set. Judged as scrambled,
When the MMTP packet filtering means includes the layer identification indicating that the scramble target is the MMT layer and the control information including the scrambling method identification in the conditional access table or the MMT package table, or an MMTP packet It is determined that the payload area of the MMTP packet is scrambled by the scramble method specified by the scramble method identification when the scramble control information indicating that the header is scrambled and the scramble method identification are set. A receiver characterized in that. A limited reception system, comprising: a transmission device that converts IP packets of content by using MMT (MPEG Media Transport) and transmitting; and a reception device that receives the content converted into IP packets, and that limited reception of the content,
The transmitting device is
MMT package table generation means for generating an MMT package table, which is table information specifying location information specifying the location of common key information common to the receiving apparatus in which the scramble key is encrypted with a work key;
Limited reception table generation means for generating a limited reception table, which is table information specifying position information for specifying the location of individual key information encrypted by an individual encryption key for each predetermined reception apparatus for the work key;
MMTP packet forming means for forming the content as an MMTP packet of an MMT layer;
IP packet forming means for forming the MMTP packet as an IP packet of an IP layer;
Scramble means for scrambling the payload area of the IP packet or the payload area of the MMTP packet with the scramble key based on a predetermined scramble target and a policy indicating a scramble method;
Header setting means for setting scrambling control information indicating presence / absence of scrambling in a header portion of a layer to be scrambled;
The header setting means embeds a scrambling method identification indicating the scrambling method in the header portion of the layer to be scrambled, or the MMT package table generating means indicates a layer identification indicating the layer to be scrambled and the scrambling method A process of embedding control information including an identification in the MMT package table, or a process of embedding the control information in the limited reception table, the limited reception table generation unit,
The receiving device is
MMT package table processing means for receiving the MMT package table and extracting position information of the common key information;
Limited reception table processing means for receiving the limited reception table and extracting position information of the individual key information;
Key information processing means for extracting the scramble key from the common key information and the individual key information acquired based on the extracted position information;
Descrambling means for descrambling scrambled data with the scrambling key using a designated scrambling scheme;
IP packet filtering means for descrambling the payload area of the IP packet by the descrambling means and designating the scrambling method when the IP layer is scrambled, and for extracting the MMTP packet;
And MMTP packet filtering means for descrambling the payload area of the MMTP packet by the descrambling means and designating the scrambling method when the MMT layer is to be scrambled, and for extracting the contents.
When the IP packet filtering means includes control information including a layer identification indicating that the scramble target is an IP layer and a scrambling scheme identification indicating a scrambling scheme in the conditional access table or the MMT package table, or And a scramble control information indicating that the header immediately before the payload of the IP packet is scrambled and the scramble method identification in the scramble method specified in the scramble method identification when the scramble method identification is set. Judged as scrambled,
When the MMTP packet filtering means includes the layer identification indicating that the scramble target is the MMT layer and the control information including the scrambling method identification in the conditional access table or the MMT package table, or an MMTP packet It is determined that the payload area of the MMTP packet is scrambled by the scramble method specified by the scramble method identification when the scramble control information indicating that the header is scrambled and the scramble method identification are set. A conditional access system characterized by:

Images