JP2005176312A - Metadata access control system and method therefor, and receiver and transmitter - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent metadata unpermitted by a content provider from being provided and to prevent a content from being used by the metadata not intended by the content provider. <P>SOLUTION: A metadata verifying means verifies the metadata. A content verifying means verifies the content and the provider of the content. A metadata access control information verifying means verifies metadata access control information indicating the relation between the content accessible and the metadata, and also verifies a source of the metadata access control information. A metadata determination means determines whether the source of the metadata access control information is reliable for the content provider. If it is determined that the metadata is reliable, a metadata using means makes use of the metadata. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a metadata access control system and method for performing access control and storage control on content using metadata for controlling content, and a receiving device and a transmission device using them.

  Currently, digital broadcasting has been promoted, and the introduction of digital broadcasting has increased the number of channels, enabling viewers to receive a large amount of program content. On the other hand, with the recent widespread use of high-speed Internet environments such as ADSL and FTTH, services that distribute not only music content such as music but also video content using streaming and download are increasing.

  As a result, the contents that can be selected by the user are expanding. Therefore, in the world that can be realized by standards such as server type broadcasting and TV Anytime, it is possible to attach and transmit metadata that is attribute information for content. Using metadata makes it easier for users to select content through ECG (Electronic Content Guide), content search, and content navigation, as well as content highlight viewing and navigation to specific scenes. Can be enjoyed in a short time. In addition to the use as a simple content alone, providing metadata for viewing such highlights creates a new method for using the content and adds value to the metadata itself. Production and provision of this metadata can also be performed by a business other than the business that provides the content, and this creates a new business called “providing metadata for content use”.

  For example, Patent Document 1 discloses one conventional technique in which metadata, which is attribute information for content, is added and transmitted.

  When adding metadata to content, the content provider can add metadata to the content and increase the added value of the content. In an environment where broadcasting and communication such as server type broadcasting and TV Anytime can be used, anyone can create and distribute contents and metadata. As a result, a person different from the content provider can create metadata and distribute it at a different timing and route from the content.

  In such a situation, since metadata is arbitrarily given to the content, the content provided by the content provider (or content provider) may be illegally used. For example, metadata for a content provider is created and distributed by a third party to whom the content provider has not given permission, for example, highlight viewing metadata that skips the CM of the content without permission. Therefore, it becomes possible to use the content against the intention of the content provider. In addition, using the content provided by the content provider, it is possible to establish a new business form such as making a profit from the metadata publisher instead of giving permission to use the content to the metadata publisher that performs the service. It will be difficult.

  In order to solve the above-described problems, for example, in the technique described in Patent Document 1, a mechanism for determining whether or not metadata can be used in a receiving device using the reliability attached to the metadata; It has become.

  In addition, as a conventional content storage control service system, there is one that automatically stores content in a user's receiving device in response to a storage control command from a center (see, for example, Patent Document 2). In addition, there are companies in which a business operator sets a personal attribute of a viewer in a receiver, and automatically selects a service suitable for the user and provides the user with the attribute. (For example, refer to Patent Document 3). In addition, as a method for restricting viewing of accumulated content, there is a method of controlling viewing by transmitting viewing control information from the center together with the content to the receiving device (see, for example, Patent Document 4).

  Furthermore, conventionally, it is known that data broadcasting technology can be used as a technology for displaying link information to the Internet in conjunction with broadcast data (content). For example, in Patent Document 4, a transmission side multiplexes broadcast data with a CM link (link information) and broadcasts, a reception side extracts a CM link from the broadcast data, and CM data designated by the CM link is transmitted on the network. A configuration that enables downloading from a computer is disclosed.

  However, in the solution described in Patent Document 1, all the metadata that the receiving apparatus determines to be reliable can be used because only the reliability of the metadata is verified. This reliability is not related to the content provider. For this reason, even if metadata that has been trusted by a certain certification authority and is created and distributed by a third party who is not related to the content provider is distributed and received by the receiving device, Data becomes available. Therefore, this mechanism has not solved the problem that content is illegally used by metadata created by a third party.

  In addition, in the conventional configuration as described in Patent Documents 2 to 4, a recording control service such as user-adaptive automatic recording appears, and most contents are stored by increasing the capacity of the HDD (Hard Disk Drive). If the situation is happening, the user will be able to watch most content by recording and playback without watching in real time, so that the content can be viewed many times, semi-permanently saved, and CM can be skipped Therefore, there is a problem that the license agreement with the content holder and the CM business in the current real-time broadcasting cannot be maintained.

  Accordingly, the broadcaster is also required to be able to specify the playback conditions when the user records and plays back the broadcast content so as not to affect the contract with the content holder and the CM business.

  However, on the other hand, there is an existing user's right that broadcast content can be freely reproduced within the range of private recording, and it is difficult for users to accept that it is impossible to do so at all.

  On the other hand, as link information, it is possible to use information that specifies an arbitrary address on the Internet. However, when link information is acquired from the Internet, link information that violates public order and morals, or damage to users. Even the link information that brings In addition, link information that is not appropriate for the content for the broadcaster is displayed (for example, a link that introduces a product of a rival company of the predetermined product even though the content that introduces the predetermined product is played) If the information is displayed), the value of the content is lowered and the business model may be hindered.

Therefore, when using the Internet to display link information in conjunction with content playback, a mechanism that enables only the link information licensed by the broadcaster is indispensable. Regarding the licensed link information, a mechanism for protecting the licensed link information from unauthorized tampering is also required. However, such a mechanism cannot be realized by the conventional technology.
JP 2003-204308 A JP 2000-278618 A Japanese Patent Laid-Open No. 10-75219 JP 2001-128130 A

This problem has been made in view of the above problems, and there is a problem that the receiving side does not use it under the usage conditions intended by the content provider.
The present invention has been made in view of the above problems, and is a metadata access control system for realizing a mechanism for controlling usage on the receiving terminal side based on access control information describing usage conditions intended by a content provider. And a receiving apparatus and a transmitting apparatus using them.

  As a means for solving the above-mentioned problems, the present invention provides a content receiving apparatus related to metadata access control, metadata verification means for verifying metadata, and metadata access control information for verifying metadata access control information. A verification unit, a content verification unit that verifies the content, and a metadata determination unit that determines whether the metadata is usable are provided.

  Further, in the metadata access control system of the present invention, a metadata transmission apparatus provided with metadata verification information adding means for adding information for verifying metadata to the metadata; giving information for verifying the content A content transmission apparatus provided with content verification information adding means for performing; a metadata access control information transmitting apparatus provided with metadata access control information verification information adding means for providing information for verifying creation of metadata access control information; And metadata verification means for verifying metadata, metadata access control information verification means for verifying metadata access control information, content verification means for verifying content, and whether or not the metadata can be used. From a content receiving device comprising metadata judging means for judging It has been made.

  The present invention also provides a content providing apparatus that authenticates the storage control information from the storage control service providing apparatus, and a storage control service that sends storage control information for storing content acquisition means to the content acquisition means Content acquisition that stores content according to storage control information only when the providing device and the storage control information acquired from the storage control service providing device are authenticated by the content providing device that provides the content stored by the storage control information Means are provided. Thereby, it is possible to protect the rights of the service provider that provides services such as content provision.

  In addition, the present invention is applied when content is controlled and stored according to storage control information, a content providing device that adds authentication with reproduction control information added thereto, and a storage control acquired from the storage control service providing device When the reproduction control information is added to the information, content acquisition means for accumulating the content together with the reproduction control information, and when reproducing the content accumulated with the reproduction control information, the content reproduction means for reproducing according to the reproduction control information is provided. It is provided. Thereby, it is possible to protect the rights of the broadcaster who provides the content.

  Further, the present invention provides a content providing apparatus that provides authentication after adding an ID of reproduction control information to the accumulation control information from the accumulation control service providing apparatus, and provides the reproduction control information to the content acquisition means, and provides the accumulation control service Content acquisition means is provided for acquiring the reproduction control information corresponding to the reproduction control information ID added to the storage control information acquired from the device from the content providing device and storing the content together with the acquired reproduction control information. Thereby, the band of the service provider and the receiving device can be used efficiently.

  In addition, the present invention includes content acquisition means for storing content together with the reproduction control information when receiving the reproduction control information corresponding to the content when recording and accumulating the content that matches the user's personal attributes and preferences. It is. As a result, it is possible to accumulate content that matches the user's preference while protecting the rights of the broadcaster.

  In addition, the present invention provides, as a link information authentication system, a content providing device that broadcasts content through a broadcast network, a content receiving device that receives and reproduces the content from the content providing device, and the content receiving device. A link information authentication system configured to provide link information providing apparatus that provides link information to be displayed simultaneously with reproduction of the content in the content receiving apparatus, wherein the link information providing apparatus is associated with the content Link information generating means for generating link information designating a predetermined link destination, signed link information in which the link information is transmitted to the content providing apparatus and an electronic signature is given to the link information Link information received from the content providing device Transmission / reception means; and signed link information providing means for providing the signed link information to the content receiving device, wherein the content providing device receives the link information from the link information providing device, and Corresponding to the link information transmitting / receiving means for transmitting the completed link information to the link information providing apparatus, the content managing means for managing the content to be broadcast to the content receiving apparatus, and the content managed by the content managing means A certificate generating means for generating a certificate to be applied, and attaching the electronic signature to the link information received from the link information providing apparatus using the certificate generated by the certificate generating means. , Signature means for generating the signed link information, and the content management means Broadcast means for broadcasting the managed content to the content receiving apparatus through the broadcast network, and certificate transmission for transmitting the certificate corresponding to the content generated by the certificate generating means to the content receiving apparatus The content receiving device receives the content from the content providing device through the broadcast network, and receives the certificate corresponding to the content from the content providing device. A link information receiving means for receiving the signed link information from the link information providing device, a link information managing means for managing the signed link information received by the link information receiving means, and the broadcast receiving means. The signature including the link information associated with the received content Link information search means using link information search means for searching for the completed link information from the signed link information managed by the link information management means, and the certificate received by the certificate reception means. Signature verification that verifies the electronic signature in the signed link information retrieved by the means and determines the link information in the signed link information that has been authenticated as valid link information Means for reproducing the content received by the broadcast receiving means, and link information for displaying the link information determined to be valid by the signature authenticating means simultaneously with the reproduction of the content in the content reproducing means Display means, and associated with the content to be reproduced when the content is reproduced. And, and, the link information determined to be valid by said signature authentication means is configured to be displayed in the content receiving apparatus.

  According to this configuration, only when the validity of the link information licensed by the broadcaster is evaluated and it is determined that the link information is valid, the content receiving apparatus can obtain valid link information together with the reproduction of the content. It will be displayed.

  According to the present invention, by providing a mechanism for controlling usage on the receiving terminal side by access control information describing usage conditions intended by the content provider, in order to be used under the usage conditions intended by the content provider, The rights of content providers can be protected.

  Hereinafter, more specific embodiments of the present invention will be described. In addition, this invention is not limited to these embodiments at all, and can be implemented in various modes without departing from the scope of the invention.

(Outline of the present invention)
FIG. 1 is a system configuration diagram for explaining the outline of the present invention. A content provider 1801 that provides a broadcasting station or a VOD service distributes content 1811 to a receiving device 1804 used by a user through a distribution route 1802.

  On the other hand, the metadata provider 1803 creates metadata 1813 for controlling the content 1811 such as access control, digest viewing / accumulation control, and link assignment to the content 1811, and the user's The metadata 1813 is distributed to the receiving device 1804. Furthermore, the metadata 1813 that may control the content 1811 and the metadata access control information 1812 indicating the correspondence with the content 1811 are distributed from the content provider 1801 to the user receiving device 1804. The receiving apparatus confirms that the metadata X813 is permitted by the metadata access control information 1811 and whether the metadata 1813 and the content 1811 are associated with each other by the metadata access control information 1812. The content 1811 is controlled using 1813. The distribution path 1804 includes the Internet 1824 which is a bidirectional network in addition to a broadcasting network such as terrestrial digital broadcasting 1821, digital satellite broadcasting 1822 such as BS and CS, and digital CATV broadcasting 1823, and which distribution path 1804 is used. Whether to distribute the content 1811, metadata 1813, and metadata access control information 1812 can be arbitrarily selected according to the facility and operation of the operator that changes depending on the situation.

  The metadata 1831 includes attribute information of the content 1811 such as a TV program, reproduction control for enabling the digest viewing that allows only a specific scene of the content 1811 to be viewed, or the specific content 1811 to the receiving device 1804. It is used for various control purposes such as storage control for storage and link control indicating link information such as Web pages that may be displayed in the content. The metadata for performing the digest viewing is as shown in FIG. FIG. 2 is a diagram showing a schematic configuration of metadata representing reproduction control in the present invention. Moreover, when it describes with XML as metadata defined by TV Anytime Forum, it will become like FIG. FIG. 3 is a diagram describing metadata representing reproduction control in the XML format in the present invention. The metadata for accumulating the content 1811 in the receiving device 1804 is as shown in FIG. The link information of the Web page that may be displayed in the content will be described later in detail, but is as shown in FIG.

(Embodiment 1)
FIG. 4 is a block diagram of a reception device, a transmission device, and a metadata access control system configured by them for implementing the metadata access control method according to the first embodiment of the present invention. The metadata access control system shown in FIG. 4 includes a metadata transmission device 1, a content transmission device 3, a metadata access control information transmission device 2, a distribution path 5, and a reception device 4 that receives content. The content transmission device 3 is a device possessed by the content provider 1801 in FIG. 1, and the metadata transmission device 1 is a device possessed by the metadata provider 1803 in FIG. The metadata access control information transmitting device 2 is a device that is normally held by the content provider 1801, but may be a third party that is deemed to be trusted by the content provider by a certificate authority or the like. The distribution path 5 corresponds to the distribution path 1802, and the reception apparatus 4 corresponds to the reception apparatus 1804. The metadata issuer corresponds to the metadata provider 1803.

  The metadata transmission device 1 is a device for delivering metadata to the reception device 4, and includes a metadata generation unit 11 and a metadata verification information addition unit 12. The metadata access control information transmitting device 2 distributes metadata access control information to the receiving device 4 and includes a metadata access control information generating unit 21 and a metadata access control information verification information adding unit 22. . Here, the metadata access control information defines the correspondence between “metadata” and “content” indicating whether or not content can be controlled by metadata.

  The content transmission device 3 is a device for transmitting AV content such as a television program, content such as an HTML document, a BML document, and a computer program, and includes a content generation unit 31 and a content verification information addition unit 32. The distribution route 5 is a distribution route for carrying content, metadata, and metadata access control information from each transmitting device to the receiving device 4. Specific examples are digital broadcasting networks such as BS and terrestrial waves, and communication distribution networks such as the Internet. In this embodiment, the content, metadata, and metadata access control information are obtained from the distribution route each time, but these data are used after being stored in a storage device such as a hard disk or a memory of the receiving device. The same applies to the receiving device and the case where these data are supplied to the receiving device by a portable medium such as an optical disk or a memory card. The content, metadata, and metadata access control information may be distributed through the same distribution route, or may be distributed through different distribution routes.

  The receiving device 4 is a device for receiving and using metadata, metadata access control information, and content. The receiving device 4 includes a metadata verification unit 41 for verifying metadata, a metadata access control information verification unit 42 for verifying metadata access control information, a content verification unit 43 for verifying content, and metadata From metadata determination means 44 for determining whether the content provider is permitted, metadata use means 45 for using metadata based on the determination result, and content use means 46 for reproducing content based on the metadata Composed.

  Next, the operation of the metadata access control system constituted by such devices and means will be described.

  The metadata transmitted by the metadata transmission device 1, the metadata access control information transmitted by the metadata access control transmission device 2, and the content transmitted by the content transmission device 3 are received via the distribution path 5. Delivered to. First, the metadata transmission device 1, the metadata access control information transmission device 2, and the content transmission device 3, which are transmission devices, will be described.

  In the metadata transmission apparatus 1, metadata for content is generated by the metadata generation means 11. As shown in FIG. 3, the metadata includes identification information 1101 (crid: //broadcast.com/ContentID1) of content to be controlled by the metadata, 1102 navigation information such as a summary of the content, and the content “crid: // Define the playback method for “broadcast.com/ContentID1”, metadata body including scenario information 1103 (corresponding to the position shown in FIG. 3) such as information for highlight viewing and scene navigation, Metadata identification information 1100 for identifying the metadata itself is described. With respect to the generated metadata, the metadata verification information adding means 12 extracts the metadata issuer information and verifies that the metadata issuer and metadata identification information are valid. Give verification information to do. As examples of verification information to be added, an electronic signature is given to the metadata by the secret key of the metadata issuer, or the issuer information and metadata identification information are described in the metadata itself using a digital watermark. There are ways to do it. Further, when information that is alternative to metadata verification information can be verified using information at the time of transmission of metadata, the metadata verification information may not be given.

  A case where an electronic signature is used as an example of metadata verification information will be described with reference to FIG. An electronic signature 1902 as metadata verification information is given to the metadata main parts 1901 and 1911. For example, X. There are methods standardized in 509. The electronic signature 1902 includes a signature object 1912, a signature algorithm 1913, a digest value calculation algorithm 1914, a digest value 1915, a signature value 1916, and key information 1917. The signature target 1912 is a range indicating a valid range of the electronic signature, and designates a metadata entity, that is, 1911. There is a method in which the signature target is not specified and the entire signature target is set. In the signature algorithm 1913, an algorithm obtained by encrypting a signature value, which will be described later, is specified. Here, a public key encryption system called DSA (Digital Signature Algorithm) is specified. The digest value calculation algorithm 1914 is an algorithm specification for generating a digest value from the data to be signed through a hash function, and SHA-1 is specified. The digest value 1915 is a value calculated by using the SHA-1 of the digest value calculation algorithm 1914 for the data of the signature object 1912 and becomes “Sagfsukgfd8k2, sd @”. The signature value 1916 is obtained by encrypting the digest value 1915 using the signature algorithm 1913. In the example, DSA is used to obtain a value “Gljm, l; k90k4buxz13” obtained by encrypting the digest value “Sagfsukgfd8k2, sd @” using the secret key of the metadata issuer. In the key information 1917, key information necessary for the receiving device 4 to decrypt the signature value 1916 is designated, and “004587” is designated as the public key certificate ID here. As a method for specifying the public key certificate, there is a method for specifying the owner of the public key certificate in addition to specifying the public key certificate ID described above. In addition, there is a method of having the actual data itself of the public key certificate. The metadata to which the metadata verification information is added is sent to the distribution path 5 for distribution to the receiving device 4.

Next, the operation of the metadata access control information transmission device 2 will be described.
In the metadata access control information transmitting apparatus 2, metadata access control information generating means 21 generates metadata access control information. An example of the metadata access control information will be described with reference to FIG. Information included in the metadata access control information is composed of corresponding content information 18 and corresponding metadata information 16 or non-corresponding metadata information 17. The corresponding content information 18 is information for specifying the content 20 for which the access control of the metadata is performed, and is indicated by the identification information of the content 20 or the provider information. FIG. 7 is a diagram illustrating the corresponding content information 18 in more detail. FIG. 7A shows a case where the corresponding content information indicates information for identifying the content, and the content identifier is directly specified. The content identifier is described in the metadata used in the TV Anytime Forum specification, and a content reference identifier (CRID) used to indicate the content from the metadata is used. In the case of digital broadcasting, ARIB is used. The network ID, service ID, and event ID included in the PSI / SI defined in STD-B10 may be used. In this case, the content is specified by the content identifier described in the corresponding content information.

  On the other hand, FIG. 7B shows a case where the corresponding content information indicates an identifier of the content provider, and the content provider is designated. As other designations, as a content provider identifier, a URL (Unique Resource Locator) used in the Internet, an operator identifier (ABCD in FIG. 7B), a URN (Unique Resource Name), a DNS domain name, etc. In addition, the PSI / SI broadcaster ID and service ID used in digital broadcasting can be used as identification information regarding the route information through which the content is transmitted as the provider. The PSI / SI information will be described later with reference to FIG.

  The corresponding metadata information 16 indicates metadata 13A-13C that may access the content 20, and is indicated by metadata identification information or information 14 specifying a metadata issuer. For example, the information 14 to be specified includes a public key certificate for confirming an issuer of an electronic signature attached to metadata, an identifier for designating a public key certificate, and an identification for specifying a metadata issuer The information includes an owner ID, which is information, a broadcaster_id broadcaster ID, terrestrialtrial_broadcaster_id, affiliation_id, or a service_id indicating a service included in the PSI / SI information of digital broadcasting. FIG. 8 is a diagram illustrating the corresponding metadata information 16 in more detail. FIG. 8A shows a case where the corresponding metadata information 16 indicates information that identifies the metadata, and the metadata identifier is directly specified. In this case, only metadata to which a metadata identifier that matches the metadata ID described in the corresponding metadata is assigned is specified. FIG. 8B is a case in which the corresponding metadata specifies an issuer ID for identifying the issuer of the metadata. In this case, only metadata in which an issuer ID matching the issuer ID described in the corresponding metadata is described as the metadata issuer is specified.

  Next, a case where the corresponding metadata specifies a public key certificate will be described. FIG. 8C shows a case where the corresponding metadata designates a public key certificate. For example, the ID of the identifier of the public key certificate is used. In this case, only the metadata that can verify the electronic signature attached to the metadata with the public key certificate specified in the corresponding metadata is specified. As a public key certificate designation method, it is possible to designate the owner of the public key certificate in addition to the public key certificate identifier. In FIG. 8D, the corresponding metadata is the public key certificate itself. In this case, only the metadata that can verify the electronic signature attached to the metadata with the public key certificate included in the corresponding metadata is designated.

  Contrary to the corresponding metadata information 16, the non-compatible metadata information 17 indicates metadata 13D that cannot access the content, and the identification information of such metadata 13D or information 14 specifying the metadata issuer is used. It is described in the same manner as the corresponding metadata information 16. The metadata information referred to by the metadata access control information includes non-corresponding metadata information 17 and corresponding metadata information 16, and functions as metadata access control information by describing one or more data. . Note that it is also possible to assign specific issuer identifiers to metadata uniquely created by the user on the receiving device and describe these identifiers in the corresponding metadata information or the non-compatible metadata information. Accordingly, it is possible to control whether or not the metadata content created by the user can be used with the metadata access control information.

  The metadata access control information includes various methods such as being included in metadata, being included in content, and being included in a license. The case where it is included in the metadata will be described in Embodiment 2, and the case where it is included in the content will be described in Embodiment 3. The case where the license is included will be described with reference to FIG. The license 1501 includes a key 1511 for decrypting the encrypted content and a use condition 1512 for using the content, and the content is encrypted by the DRM system to protect the content. When the encrypted content 1521 is reproduced, the content use means 1531 is used. When metadata access control information 1513 is included in the license, since the DRM system associates the content corresponding to the license with the encrypted content and the key for solving it, the license itself is associated with the content. Therefore, the corresponding content information 18 included in 1513 can be omitted.

  The metadata access control information is provided with verification information 19 for enabling the receiving device 4 to verify the legitimacy of the issuer of the metadata access control information by the metadata access control information verification information adding means 22. This metadata access verification information is an electronic signature for the metadata access control information with the private key of the metadata access control information issuer, or a digital watermark is used for the metadata access control information. For example, a method for embedding information for verifying the issuer. The metadata access control information to which the verification information is added is sent to the delivery path 5 for delivery to the receiving device 4.

  As described above, when content usage is restricted, metadata access control information may be distributed together with information that permits usage of the content. As a specific example, for content protected by the DRM system, metadata access control information is described as part of the content usage conditions, and only for terminals that are permitted to use the content. In other words, there is a form in which the license including the metadata is distributed, that is, the form in which the metadata access control information is included in the license as described above.

  Next, the content transmission device 3 will be described. In the content transmission device 3, the content generation unit 31 generates content. Verification information is given to the generated content by the content verification information adding means 32. The verification information is information for the reception device 4 to check whether the content provider information is valid or whether the identification information given to the content is valid. Examples of verification information include an electronic signature attached to the content by the content provider, information in which the content provider information and content identification information are embedded using the digital watermark, and content inserted in the header of the content data In the case of provider information, content identification information information, or content composed of multiple files or resources (hereinafter referred to as multipart content), content provider information or content described in one of the files or resources Identification information. The content to which the verification information is added is sent to the distribution path 5 for distribution to the receiving device 4. The metadata, metadata access control information, and content sent from the transmission device to the reception device 4 are transmitted not only to protect the content but also to ensure execution of access control rules from the metadata to the content. May be. That is, only the receiving device 4 that can comply with the condition that the metadata access control information from the metadata to the content is reliably executed can obtain the encrypted metadata, the metadata access control information, and the content decryption key. This restriction is provided so that the restriction can be observed when decrypting when using the content.

(Receiver)
Next, the operation of the receiving device 4 will be described using FIG. 4 and FIG.

(Metadata validation)
In order to verify the received metadata in the receiving device 4, the metadata is verified by the metadata verification means 41 (S301). The verification of metadata is to check the issuer information of the metadata by using the verification information added to the metadata and prevent impersonation by a malicious issuer. When metadata is obtained by a broadcast route, any one of a method using an electronic signature, a method using an identifier in metadata, a method using CAS, and a method using broadcast route information obtained from metadata Can be verified. When metadata is obtained through a communication path, any of a method using an electronic signature, a method using a public key certificate acquired from a metadata server, and a method of trusting information described in metadata using DRM This can be verified. A detailed verification method will be described below.

(Method using electronic signature)
As an example of a method for verifying metadata issuer information, a case where an electronic signature attached to metadata verification information is used will be described with reference to FIG. The metadata verification unit 141 obtains a public key certificate necessary for metadata signature verification. The public key certificate necessary for verifying the electronic signature of the metadata uses the identifier of the public key certificate described in the key information 1917 included in the electronic signature, and matches the identifier of the public key It is searched whether the certificate is held by a certificate management means (not shown). If the matched public key certificate can be acquired, the signature value 1916 is decrypted using the public key included in the public key certificate. The decrypted value is compared with the digest value (1915), and if the match is confirmed, the electronic signature is confirmed. After verifying the electronic signature and verifying the electronic signature of the metadata, issue the metadata by confirming the owner information of the signature verification public key certificate used when verifying the metadata verification information Validate the original. Alternatively, since it is found that the metadata has not been tampered with by checking the electronic signature, it is possible to use the provider information (1100 in FIG. 3) described in the metadata. As this public key certificate, one issued by a trusted CA organization or one signed by an intermediate certificate issued by a trusted CA organization is used. As a result, it can be determined that the contents of the certificate can be trusted. In addition, since the signature can be verified with only one public key corresponding to the private key that signed it, the operator who signed the metadata must be the owner of the certificate used for verification. Can be determined.

(Use metadata information by broadcast transmission path)
As a further example of a method of verifying the publisher information of metadata, when metadata is acquired from a broadcast channel specified by the operator, the metadata described in the acquired metadata or meta-data by digital watermark is used. There is also a method in which identification information or issuer information (for example, 1100 in FIG. 3) embedded in data is regarded as reliable.

(Use broadcast channel identifier)
As a further example of a method for verifying the publisher information of metadata, broadcast route information from which metadata can be acquired, that is, a broadcaster ID designating the route of digital broadcast, for example, broadcaster_id in the case of BS digital broadcast, In the case of digital broadcasting, there is a method of specifying metadata issuer information using PSI / SI information such as terrestrial_broadcaster_id or a sequence ID (affiliation_id) and a service ID.

(Use CAS)
A case where CAS is used will be described as a further example of a method for verifying metadata issuer information. CAS is an access control method used in digital broadcasting, where metadata is protected by CAS. That is, when encrypted and transmitted, it can be decrypted only with the unique key possessed by the receiving device, so the metadata issuer information described in the metadata (for example, 1100 in FIG. 3) and the metadata There are also methods for regarding the data identifier information or the broadcaster identifier as reliable. In the case of CAS, a work key for decrypting an ECM is extracted from an EMM packet that can be decrypted only with a unique key possessed by the receiving apparatus. Next, it is possible to acquire a scramble key for decoding the stream including metadata by decoding the ECM. The metadata can be acquired by decrypting the metadata on the stream by using the acquired scramble key. Through the above process, the metadata is protected and sent to the receiving device, that is, it can be determined that the content of the metadata is reliable. Therefore, the provider information and metadata described in the metadata The issuer can be determined by the carrier identification information of the route on which the message is transmitted.

(Use server public key certificate)
Another example of a method for verifying metadata issuer information is the use of public key certificates. This is because the receiving device can authenticate the public key certificate acquired from the metadata server from which the metadata is acquired by using the reliable business entity information that the receiving device itself has, and thus, from the metadata server that can be determined to be reliable. It can be judged that it was acquired. Therefore, it is possible to determine that the content of the metadata itself is correct, and there is a method of determining the metadata issuer using the metadata issuer information described in the metadata. Alternatively, it is determined using the owner information described in the public key certificate obtained from the server. Note that reliable business operator information that can be held by the receiving device includes public key certificates, identifiers for identifying the public key certificates first, and owner information of public key certificates.

(Use DRM system)
A DRM system may be used as a further example of a method for verifying metadata issuer information. This is because the metadata is encrypted by the DRM system, and the metadata is protected in the same way as CAS. Therefore, since the receiving device securely acquires a license for decrypting the metadata from the DRM system, it can be determined that the content of the publisher identification information described in the metadata is reliable, This makes it possible to determine the metadata issuer. As described above, there are various metadata publishers and methods for verifying the validity of the content. The method used depends on the ease of operation / implementation and the difficulty of impersonation of the metadata publisher and content alteration. This is determined by the trade-off and the method of sending metadata that can be selected by each operator.

  When the metadata can be verified, the metadata identification information or metadata issuer information (for example, “crid: //broadcast.com/ContentID1” described as a Crid of ProgramRef indicated by 1101) is obtained as the verification result. ) Is transmitted to the determination means 144 (S302). Next, the metadata refers to at least one of metadata identification information, metadata issuer information (for example, metadata issuer ID = ABCD), or identification information of a public key certificate used for metadata verification. 3, for example, when the metadata is the SegmentInformation of FIG. Send (S303).

(Verification of metadata access control information 1)
The metadata access control information verification unit 142 searches for metadata access control information with the same metadata identification information or issue source (S311). An example of metadata access control information is shown in FIG. This metadata access control information 11001 is composed of each data of correspondence metadata 11002, correspondence content 11003, and verification information. When the metadata issuer is ABCD, the corresponding metadata 11002 searches the metadata access control information 11001 indicating the issuer ABCD from the management means for the metadata access control information of the receiving device (not shown). As another method, the corresponding metadata access control information is searched using the identifier and owner information of the public key certificate used for verifying the digital signature of the metadata. This differs depending on the format (A to D in FIG. 8) of the corresponding metadata information of the metadata access control information. It does not matter whether the metadata access control information is already sent to the receiving device or is acquired through the network because it has not been distributed yet.

  If the corresponding metadata access control information is found, it is confirmed whether the content referred to by the metadata is associated with the found metadata access control information (S312). That is, it is confirmed whether the correspondence between the metadata and the content referred to by the metadata is associated with the corresponding metadata information 16 and the corresponding content information 18 of the metadata access control information. Also, it is confirmed whether or not the non-supported metadata information 17 is the target. Note that the corresponding metadata 211 and the non-compatible metadata information 17 are not compatible at the same time. In the case of the metadata access control information shown in FIG. 11, the content identifier “crid: //broadcast.com/ContentID1” described in the corresponding content 11003) and the content corresponding to the metadata transmitted from the metadata verification means The identifiers (“crid: //broadcast.com/ContentID1” in FIG. 3) are compared to confirm whether they match. The above confirmed the correspondence between metadata and content by the content identifier and the metadata issuer, but instead of the content identifier instead of the content identifier as the corresponding content, instead of the metadata issuer as the corresponding metadata The association may be confirmed using the metadata identifier.

(Verification of metadata access control information 2)
When the correspondence between the metadata and the content is confirmed by the metadata access control information, the issuer of the metadata access control information is verified using the verification information of the metadata access control information (S313). When metadata access control information is transmitted by broadcasting, use digital signature, use issuer information embedded in metadata access control information with digital watermark, use information of broadcast path acquisition source itself The issuer can be verified by using the issuer information described in the metadata access control information. When the metadata access control information is transmitted by communication, the receiving device uses the digital signature, uses the issuer information embedded in the metadata access control information with a digital watermark, and is trusted by the public key certificate. It is possible to verify the issuer by obtaining it from the server.

  Each method for verifying metadata access control information will be described below.

(Use electronic signature)
There is a method of verifying by verifying an electronic signature given as verification information to the metadata access control information by a method similar to that of the metadata and specifying the owner of the public key certificate used for the verification.

(Use broadcast channel identifier)
As a further example of the method of verifying the issuer of the metadata access control information, information characterizing the broadcast path that is simultaneously transmitted through the broadcast path for acquiring the metadata access control information, for example, PSI / SI being broadcast In the case of terrestrial digital broadcasting, terrestrial_broadcaster_id or series ID (affiliation_id) is used to identify and verify the issuer of metadata access control information.

(Use metadata access control information sent by broadcast)
As a further example of a method for verifying metadata access control information, when metadata access is acquired from a broadcast route specified by the operator, the operator identification described in the acquired metadata access control information is used. There is also a method that considers information (1100 in FIG. 3) to be reliable.

(Use CAS)
As a further example of a method for verifying metadata issuer information, metadata issuer information, metadata identifier information, or broadcaster identifiers described in metadata can be trusted when transmitted by broadcasting using CAS. There is also a method to consider it. This verification method is the same as the method of verifying metadata using CAS.

(Use server public key certificate)
As a further example of the method of verifying the issuer of the metadata access control information, when the metadata access control information is obtained through a communication path such as the Internet, a public key held as a provider trusted by the receiving device By authenticating the public key certificate acquired from the server that acquired the metadata access control information with the provider information such as the certificate, it can be determined that the certificate is acquired from the metadata access control information server that can be determined to be reliable and reliable. As a result, it can be determined that the metadata access control information is obtained from a trusted route, and the owner information of the public key certificate acquired from the server and the issuer identification information described in the metadata access control information are used. Then, there is a method of verifying the metadata access control information issuer by specifying the provider of the metadata access control information.

(Use DRM system)
As a further example of a method for verifying metadata access control information, a DRM system may be used. This is because the metadata access control information is encrypted by the DRM system, and the receiving apparatus securely acquires a license for decrypting the metadata access control information from the DRM system. It is possible to determine that the content of the issuer identification information described in the information is reliable, thereby determining the metadata access control issuer.

(Use license)
A case will be described in which the metadata access control information is included in a license including an encryption key for decrypting content. The license is securely provided to the terminal of the user who can use the content from the content provider. Therefore, it is possible to determine that the provider of the metadata access control information is the same provider as the content provider.

  After verifying the issuer of the metadata access control information, the metadata determination unit 44 is notified of the result of checking the correspondence between the metadata and the content and the issuer of the metadata access control information (S314). Further, at least one of the identification information of the content to be used and the publisher information of the content is sent to the content verification unit 43 (S315).

(Content verification)
The content verification unit 43 verifies the content provider or the content identification information (S321).

(Use electronic signature)
As for the content verification method, as with metadata, the electronic signature given as content verification information is verified and verified using the owner information and identifier of a public key certificate trusted by a certificate authority, etc. There is a way.

(Use data combined with content)
As another content verification method, when the content is acquired from the broadcast route, the content header or the files and resources constituting the multipart content, or the content described in the content using the digital watermark is used. Check the identification information of the provider or content. A case where identification information is included in the content header will be described with reference to FIG. In this case, the content is divided into a header portion 1601 and a body portion 1602, and the header portion includes content codec information, content attribute information, and the like, which are information for reproducing the content. Although the broadcaster identifier is described in FIG. 12a in this header portion 1601, any one of the content provider information identifier, the broadcaster identifier, or the content identification information for identifying the content can be used as the content provider information. Or one or more. The body portion 1602 is actual content data, and includes video and audio data encoded by MPEG-2, MPEG-4, or the like.

  The case of one resource name or content in the case of multipart content will be described with reference to FIG. In this case, the contents are grouped together as 1611 multiparts, and are composed of resources and files from 1612 to 1615. Each resource includes video, image, and audio data encoded by MPEG-2, MPEG-4, JPEG, and the like, and HTML and BML data. As one of the resources, a broadcaster identifier is described as the content information as in 1613. In order to identify the content provider information identifier, the broadcaster identifier, or the content as the content provider information. Any one or more of the content identification information is inserted. Alternatively, content provider identification information or content identification information is embedded in the content using an electronic watermark. In such a case, the broadcaster is a content that can be obtained by a limited distribution route, and is header information combined with the content, multipart information, or content information described in a digital watermark. There is a method of verifying by confirming the content provider information and content identification information described.

(Use broadcast channel identifier)
In this case, the content provider is confirmed by storing the broadcast provider ID provided by PSI / SI used in digital broadcasting in the receiving device. A method for confirming the content provider in this case will be described with reference to FIG. When the content is being broadcast, the service ID in which the content is transmitted according to the selected service ID is checked using an SDT (Service Description Table) 1701. In this example, the Service ID is 1021. Next, using the BIT (Broadcast Information Table) 1711, the Broadcast_id of the corresponding Service ID 1021 is checked. Since BIT 1712 and 1713 indicate that the corresponding Broadcast_id is 7, this value is used as the content provider identifier. Note that in a broadcast environment where BIT is not used, Service id 1024 may be verified as a content provider. In the case of terrestrial digital broadcasting, information such as terrestrial_broadcaster_id or a series ID (affiliation_id) can be used as verification of issuer information.

(Use server public key certificate)
As another method, when the content is obtained through a communication path, the public key certificate of the acquisition destination server can be authenticated using the provider information such as the public key certificate held by the receiving device. It can be determined that it was acquired from a content server that can. Therefore, there is a method of verifying using the acquired owner information of the content server certificate. In addition, since the content can be obtained by a reliable means, the content source is confirmed by using the content provider or the content identification information described in the file or resource constituting the multipart content. There is a method that has been verified.

(Use CAS)
When the content is acquired from an encrypted broadcast, there is a method using a CAS mechanism. This is a method in which the information specifying the content is verified by confirming the content acquisition source by the content provider identifier and the content identifier included in the ECM including the content key.

(Use DRM)
As another means for verifying content, there is a method of synthesizing verification information with content and encrypting the content with DRM. The content uses the DRM system in a state including the content provider or content identification information described in the information embedded in the header of the content, the file or resource constituting the multipart content, or the digital watermark, When the content itself is encrypted, the content itself can be acquired securely, so check the content provider or the content identification information described in the files or resources that make up the multipart content. There is a method of verifying by doing.

(Use license)
A case where content is verified using license information including a content key for decrypting content encrypted using the DRM system will be described. Since the license is securely provided, the content can be verified using the content provider information included in the license. If the metadata access control information is also included in the license, the content key is provided by the content provider or the business authorized by the content provider, so the metadata access control information issuer and the content provider Can be verified that they are identical or trusted.

  After the verification of the metadata, the content determination unit 44 is notified of the content provider or the content identification information (S322). In the metadata determination means 44, based on the information acquired from the metadata verification means 41, the metadata access control information verification means 42, and the content verification means 43, the issuer of the metadata access control information and the content provider match, In addition, if the verification result confirms that the metadata is controlled by the metadata access control information, the content can be controlled by the metadata. (S341). That is, when the content provider issues metadata access control information by itself, it is possible to specify metadata that the content provider can access to the content. In addition, if it is known that the issuer of the metadata access control information is trusted by the content provider by using a public key certificate authenticated by the content provider, it can be used as well. It is determined as metadata (S341). Otherwise, it is determined that it cannot be used, and the metadata is not used.

  In this embodiment, processing is performed in the order of metadata verification, metadata access control information verification, and content verification. However, the processing is not necessarily performed in this order. In addition, even after contents, metadata, and metadata access control information are once stored in the receiving device 4, it is possible to determine whether or not the metadata can be used by the same operation.

  In the present embodiment, the case where the metadata access control information is distributed to the receiving device 4 as the operation of the receiving device 4 has been described. However, the server may have the metadata access control information. In this case, the receiving device 4 inquires of a server having metadata access control information using metadata issuer information or metadata identification information as a key, and determines whether or not the relationship between the metadata and the content is permitted to the server. Let it be judged. Furthermore, it is confirmed by a public key certificate or the like that the determined server has a trust relationship with the content provider. Thereby, it is possible to determine on the server whether or not the metadata content can be accessed. In addition, metadata verification, content verification, and metadata determination can be performed with the same operation, so that the same effect can be expected.

(Embodiment 2)
Next, a second embodiment will be described with reference to FIG. FIG. 14 shows the metadata access control system shown in FIG. 4, in which metadata access control information adding means 10 is added to the metadata transmitting apparatus 1, while metadata verification information adding means 12, metadata access control information transmission. 2 is a block diagram of a metadata access control system excluding the apparatus 2 and metadata verification means 41. FIG. In this metadata access control system, the metadata access control information added by the metadata access control information adding means 10 is added to the metadata created by the metadata generating means 11 and transmitted to the receiving device 4.

  FIG. 15 is a data configuration diagram schematically showing a data configuration of metadata access control information in the present embodiment. Since the metadata access control information 19 targets the synthesized metadata 13 itself, it is not necessary to specify metadata for performing access control. In addition, since the content 20 to be referred to is described in the metadata 13 itself, the metadata access control information is only the verification information 19 that proves the issuer. As a method of adding the metadata access control information to the metadata, there is a method in which the issuer of the metadata access control information digitally signs the metadata. As another method, there is a method of multiplexing metadata access control information in which issuance source information of metadata access control information is described using digital watermark in the metadata.

  The metadata access control information verification unit 42 of the reception device 4 verifies the issuer of the metadata access control information. As a verification method, the digital signature attached to the metadata is used using the owner information of the public key certificate used at the time of confirmation, and it is confirmed using the metadata access control information that has been multiplexed as a digital watermark. There is a method of verifying. The issuer information of the confirmed metadata access control information and the metadata itself are transmitted to the metadata determination means 44. The content verification unit 43 verifies the issue source of the content referenced from the metadata, and transmits the content issue source to the metadata determination unit 44. The metadata determination unit 44 confirms whether the issuer of the metadata access control information matches the content provider. If they match, it is determined that the metadata can be used for the content, and access to the content from the metadata is permitted.

  As described above, according to the present embodiment, by using the metadata access control information given to the metadata, the receiving device controls the content by the metadata based on the permission from the content provider. It can be judged whether or not.

(Embodiment 3)
A third embodiment will be described with reference to FIG. FIG. 16 is a block diagram showing the metadata access control system shown in FIG. 4, in which a content synthesizing unit 33 is added to the content transmitting device 3 and a content separating unit 48 is added to the receiving device 4. It is a block diagram of a metadata access control system excluding control information verification information adding means 22, content verification information adding means 32, metadata verification means 41, and metadata access control information.

  In the metadata access control system having such a configuration, a difference from the first embodiment will be described from the transmission device. Metadata access control information verification information is not added to the metadata access control information created by the metadata access control information generating means 121. Furthermore, without adding verification information to the content created by the content generation unit 31, the metadata synthesis unit 33 synthesizes the metadata access control information with the content and transmits it to the receiving device.

  The difference of the receiving device 4 from the first embodiment is that the content verification unit 43 verifies the issue source of the content and metadata access control information, and the content separation unit 48 separates the content and the metadata access control information. As for the metadata access control information, when the content itself is combined with the metadata access control information as shown in FIG. 17, the corresponding content information 18 of the metadata access control information shown in FIG. 6 is not particularly necessary. Other than that, it doesn't change.

  Details of this embodiment will be described using a specific example. The metadata transmission apparatus 1 is the same as that in the first embodiment. The content synthesizing unit 31 synthesizes the content generated by the content generating unit 31 and the metadata access control information generated by the metadata access control information 21. As a synthesizing method, there is a method of multiplexing metadata access control information using digital watermark on content. As another method, metadata access control information is described as a content header, or it is described in a file or resource constituting multipart content in order to combine the content and metadata access control. There is.

  The content verification unit 48 of the receiving device 4 verifies whether the metadata access control information is inseparable from the content. As a verification method, there is a method of confirming that the metadata access control information is multiplexed as a digital watermark. As another verification method, when metadata access control information is sent as a file or resource that constitutes a content header or multipart content, it is authenticated by the provider information such as a public key certificate held by the receiving device. Confirm by obtaining content from the server of the operator. Alternatively, it is verified by acquiring the content from a broadcast route that is a reliable route, and specifying the acquisition destination by the content provider or the content identifier by the identification of the provider transmitted by the broadcast.

  By verifying that the content and the metadata access control information are inseparable, it can be seen that the provider of the metadata access control information matches the content provider. The provider information of the metadata access control information verified here is sent to the metadata determination means 44. Next, the content separation unit 48 separates the content from the metadata access control information. The metadata access control information is sent to the metadata judging means 44 and the content is sent to the content using means 46. The metadata determination unit 44 checks whether the metadata to be used is in the corresponding metadata information in the metadata access control information. If it is in the list, the metadata can be used, and if not, it is determined that the metadata is not allowed to be used. When the corresponding metadata specified by the metadata access control information is a public key certificate, if the digital signature of the metadata can be confirmed by the specified public key certificate, it is determined that the metadata can be controlled.

  As described above, according to the present embodiment, by using the metadata access control information given to the content, the receiving device can determine whether the content can be controlled by the metadata based on the permission from the content provider. Can be judged.

(Embodiment 4)
A fourth embodiment to which the present invention is applied will be described. In the present embodiment, a content recording control service system will be described as a more detailed example of metadata for performing accumulation control. FIG. 18 shows a schematic configuration example of the entire content recording control service system to which the present invention is applied. This content recording control service system includes a broadcast provider 101 that provides content that is the content of a broadcast program, a recording control service provider 102 as a storage control service provider connected to the broadcast provider 101, and content acquisition. It is comprised by the receiving terminal 103 as an apparatus. The receiving terminal 103 is connected to the broadcasting company 101 and the recording control service company 102 via the network 100. The network is a broadcast network such as broadcasting using radio waves or multicast broadcasting using an IP network, or a bidirectional network. The broadcaster 101 has a content providing device (104 described later) that distributes content to the receiving terminal 103. Further, the recording control service provider 102 has a recording control service providing apparatus 105 as an accumulation control service providing apparatus that sends recording control information (access control information) that is accumulation control information for accumulating contents in the receiving terminal 103. . The content providing apparatus 104 is also connected to the recording control service providing apparatus 105, and performs various processes for generating recording control service information that is storage control service information.

  The broadcaster 101 can hold the actual content to be provided. The content entity is digital data such as video or music. Broadcasting here refers to broadcasting using radio waves such as BS, CS110, or terrestrial digital broadcasting, or IP broadcasting using multicast on an IP network. As an example of a broadcasting system using radio waves, there are standards such as ARIB STD-B10, B20, B21, B24, B31, B32, ARIB TR-B14, and B15.

  Below, it demonstrates as an Example in broadcasting of these BS, CS110, and terrestrial digital broadcasting. The application of this embodiment is not limited to these broadcasts, but is a server-based broadcast content delivery service as shown in ARIB STD-B38, a metadata format defined in MPEG7, and a TV Any Time Forum. The present invention is also applicable to a content distribution service based on a content distribution method on a bidirectional network using metadata in accordance with a metadata format defined in the standard documents SP003, SP004, etc.

  Also, the broadcaster 101 can hold the playback conditions for the content to be provided. The playback conditions are limited to viewing such as prohibition of viewing by skipping CMs when viewing content, the number of times the content can be viewed, and the viewing time limit, for example, only between a specific start time and end time every day, This is viewing restriction information such as viewable time, such as permitting content reproduction. The recording control service provider 102 can create and hold recording control information for storing content in the receiving terminal 103. The receiving terminal 103 is connected to the recording control service provider 102 via a broadcast network such as a broadcast using radio waves or a multicast broadcast using an IP network, or a bidirectional network, and is reproduced from the recording control service provider 102. Conditions and recording control information can be acquired and held. The receiving terminal 103 is connected to the broadcaster 101 via a broadcast network or a bidirectional network, and can acquire content from the broadcaster 101 and store and play it.

  FIG. 19 shows an internal configuration example of the content providing apparatus 104 possessed by the broadcaster 101 in the present embodiment. In FIG. 19, the content management means 111 can hold the substance of the content to be provided. The content broadcasting unit 112 is connected to the receiving terminal 103 via a broadcast network or a bidirectional network, and can transmit content to the receiving terminal 103. Further, the content broadcasting unit 112 can obtain a certificate ID indicating the signature used for the signature processing from the signature unit 115. Further, the content broadcasting unit 112 can transmit the correspondence information between the certificate ID and the broadcaster ID indicating the broadcaster who has signed the signature to the receiving terminal 103 via the broadcast network or the bidirectional network. .

  Recording control information acquisition means (accumulation control information acquisition means) 113 records from the recording control service provider 102 recording control information that is created by the recording control service provider 102 and is information for allowing the user to accumulate content. It can be obtained together with a recording control service provider ID for identifying the control service provider. The reproduction condition management unit 114 can acquire the recording control information and the recording control service provider ID from the recording control information acquisition unit 113. In addition, the reproduction condition management unit 114 can determine the reproduction condition based on the acquired service provider ID. The signature unit 115 can acquire the reproduction condition and the recording control information from the reproduction condition management unit 114 and perform signature processing. The service information transmission unit 116 can acquire the certificate ID, the playback condition subjected to the signature process, and the recording control information from the signature unit 115. In addition, the service information transmission unit 116 can pass the acquired reproduction condition, recording control information, certificate ID, and broadcaster ID to the recording control service provider 102 as recording control service information.

  FIG. 20 shows an internal configuration example of the recording control service providing apparatus 105 possessed by the recording control service provider according to the present embodiment. In FIG. 20, the viewing history collection unit 121 is connected to the receiving terminal 103 via the bidirectional network, and can collect the user's content viewing history from the receiving terminal 103. The viewing history analysis unit 122 can create personal attribute data so that the user's preference is reflected by acquiring and analyzing the content viewing history from the viewing history collection unit 121. The user management means 123 can acquire personal attribute data from the viewing history analysis means 122 and hold it together with the user identifier. The personal attribute data transmission unit 124 is connected to the receiving terminal 103 via the bidirectional network, and can transmit the personal attribute data held in the user management unit 123 to the receiving terminal 103.

  Recording control information creation means (storage control information creation means) 125 can create recording control information for accumulating content that suits the user's preference in cooperation with the user management means 123. The recording control information creating unit 125 can create the recording control information in consideration of the intention of the recording control service provider when creating the recording control information. The recording control information transmitting unit (storage control information transmitting unit) 126 passes the created recording control information and the recording control service provider ID indicating the recording control service provider that created the recording control information to the content providing apparatus 104. Can do. The service information receiving unit 127 can acquire recording control service information from the content providing apparatus 104. The service information transmitting unit 128 is connected to the receiving terminal 103 via a broadcast network or a bidirectional network, and can transmit the recording control service information to the receiving terminal 103. Further, when transmitting the recording control service information of a plurality of broadcasters to the receiving terminal 103, the service information transmitting means 128 can divide and transmit the respective recording control service information.

  FIG. 21 shows an internal configuration example of the receiving terminal 103 in the present embodiment. In FIG. 21, the viewing history transmission means 131 is connected to the recording control service providing apparatus 105 via a bidirectional network, and the user's content viewing history held by the viewing history holding means 132 is stored in the recording control service providing apparatus 105. Can be sent. The viewing history holding unit 132 can acquire and hold information on content viewed by the user from the content display unit 141. The personal attribute data receiving means 133 is connected to the recording control service providing apparatus 105 via a broadcast network or a bidirectional network, and can acquire personal attribute data from the recording control service providing apparatus 105. The personal attribute data holding unit 134 can acquire and hold personal attribute data from the personal attribute data receiving unit 133. The service information receiving unit 135 is connected to the recording control service providing apparatus 105 via a broadcast network or a bidirectional network, and can acquire recording control service information from the recording control service providing apparatus 105.

  The certificate holding unit 136 can hold a certificate for verifying the signature. The signature verification unit 137 can verify whether the playback condition acquired from the recording control service providing apparatus 105 and the signature of the recording control information are valid. The content selection unit 138 can filter the recording control information acquired from the signature verification unit 137 using the personal attribute data acquired from the personal attribute data holding unit 134 and select the content to be stored. The content receiving unit 139 is connected to the content providing apparatus 104 via a broadcast network or a bidirectional network, and can acquire the content selected by the content selecting unit 138 from the content providing apparatus 104.

  Further, the content receiving unit 139 can pass the correspondence information between the broadcaster ID and the certificate ID to the certificate management unit 144. The content management unit 140 can acquire the content from the content reception unit 139 and the playback condition of the content acquired from the content selection unit 138, and can hold the content and the playback condition together. The content display unit 141 can present content information to the user in response to a request from the user. The content playback unit 142 can play back the stored content according to playback conditions. The user recording reservation holding means 143 can hold information on contents that the user has reserved for recording privately. The certificate management unit 144 can hold correspondence information between the broadcaster ID and the certificate ID acquired from the content reception unit 139. Since one broadcaster may have a plurality of certificates, a plurality of certificate IDs may correspond to one broadcaster ID.

  The operation of the recording control service configured as described above will be described below. First, creation of personal attribute data will be described. The viewing history collection unit 121 acquires the user's content viewing history from the viewing history transmission unit 131 via the interactive network when the user joins the service or periodically after joining. The viewing history acquired by the viewing history collection unit 121 of the recording control service providing apparatus 105 is analyzed by the viewing history analysis unit 122 to create personal attribute data. An example of the personal attribute data used here is shown in FIG. As shown in FIG. 22, the personal attribute data is a correspondence table between items and values. The created personal attribute data is held in the user management unit 123 of the recording control service providing apparatus 105, and the personal attribute data of the receiving terminal 103 is transmitted from the personal attribute data transmission unit 124 via a broadcast network or a bidirectional network. It is transmitted to the receiving means 133. The personal attribute data received by the personal attribute data receiving unit 133 of the receiving terminal 103 is held in the personal attribute data holding unit 134.

  Next, creation of recording control information will be described. The recording control information creating unit 125 of the recording control service providing apparatus 105 acquires the item of personal attribute data from the user management unit 123 and stores the recording control information that allows the content that meets the user's preference to be stored in the receiving terminal 103. create. Note that the recording control information can be created not only for the content that suits the user's preference but also for the content that the recording control service provider wants to store. An example of the recording control information created here is shown in FIG. As shown in FIG. 23, the recording control information is a correspondence table of items, values, and contents. For example, when the user's hobby as an item is “car” as the value, the contents “1”, “3”, and “5” are stored in the receiving terminal 103.

  Next, creation of recording control service information will be described. The recording control information acquisition unit 113 of the content providing apparatus 104 acquires the recording control information and the recording control service provider ID from the recording control service providing apparatus 105. The recording control information acquisition unit 113 passes the acquired recording control information and the recording control service provider ID to the reproduction condition management unit 114. The playback condition management unit 114 determines the playback conditions created based on the acquired recording control service provider ID and a contract with the recording control service provider in advance. The playback conditions created by the contract are different for each recording control service provider, and are the playback conditions reflected in the entire content that the recording control service provider stores in the receiving terminal 103.

  FIG. 24 shows an example of a correspondence table between the recording control service provider ID and the playback conditions used here. As shown in FIG. 24, for example, for a recording control service provider with id = 100, the playback condition with id = 2 in the playback condition list is reflected in all the contents stored in the receiving terminal. An example of the reproduction condition list used here is shown in FIG. As shown in FIG. 25, for example, the reproduction condition of id = 1 is a condition of one reproduction. Next, the playback condition management means 114 determines a playback condition corresponding to the content described in the recording control information from the correspondence table. FIG. 26 shows a correspondence table between the contents and the reproduction conditions used here. As shown in FIG. 26, for example, in the case of content name 2, the reproduction conditions of id = 1, 3 in the reproduction condition list are applied. The reproduction condition management unit 114 newly creates a correspondence table between the content and the reproduction condition from the correspondence table between the recording control service provider ID and the reproduction condition and the correspondence table between the content and the reproduction condition.

  An example of a newly created correspondence table is shown in FIG. FIG. 27 is a correspondence table created from FIG. 24 and FIG. As shown in FIG. 27, for example, there is no playback condition for content name 1 in FIG. 26, but a playback condition of id = 2 is added. The playback condition management unit 114 passes the list of playback conditions and the newly created correspondence table to the signature unit 115 together with the recording control information as playback conditions. The signature unit 115 holds a pair of a private key and a public key that are associated with each other with a certificate ID, and performs signature processing on the acquired reproduction condition and recording control information using the private key. Note that the signature processing is performed by X. A standard such as 509 may be used. The signature unit 115 passes the playback condition and recording control information on which the signature processing has been performed to the service information transmission unit 116 together with the certificate ID corresponding to the private key on which the signature is performed. The service information transmission unit 116 of the content providing apparatus 104 passes the acquired reproduction condition, recording control information, certificate ID, and broadcaster ID to the recording control service providing apparatus 105 as recording control service information. The service information receiving unit 127 of the recording control service providing apparatus 105 transmits the recording control service information acquired from the content providing apparatus 104 from the service information transmitting unit 128 to the receiving terminal 103 via the broadcast network or the bidirectional network. .

  An example of the data format of the recording control service information used here is shown in FIG. As shown in FIG. 28, the recording control service information is divided for each broadcaster ID and signed for each broadcaster. In FIG. 28, “recording control” data and “content information” data correspond to the recording control information.

  Next, content accumulation will be described. The service information receiving unit 135 of the receiving terminal 103 passes the recording control service information acquired from the recording control service providing apparatus 105 to the signature verification unit 137. The signature verification unit 137 of the receiving terminal 103 passes the certificate ID and broadcaster ID described in the acquired recording control service information to the certificate management unit 144. The certificate management means 144 confirms whether the acquired certificate ID and broadcaster ID are valid from the correspondence information between the held certificate ID and broadcaster ID. Note that there may be a case where a plurality of certificate IDs correspond to one broadcaster ID. In this case, the broadcaster ID is searched by using the certificate ID obtained from the signature verification unit 137 and found. If the broadcaster ID matches the broadcaster ID acquired from the signature verification unit 137, it is determined to be valid.

  The certificate management unit 144 of the receiving terminal 103 passes the certificate ID to the certificate holding unit 136 when the validity is confirmed. The certificate holding unit 136 searches for a certificate held based on the acquired certificate ID, and passes the certificate to the signature verification unit 137 via the certificate management unit 144. If the certificate management unit 144 does not hold a certificate with the designated certificate ID, a certificate corresponding to the designated ID can be acquired from a trusted organization. In this case, the trusted authority is a certificate issuing authority corresponding to the root certificate, which the certificate management unit 144 has. The signature verification unit 137 verifies the signature of the recording control service information with the acquired certificate. The signature verification unit 137 passes the verified recording control service information to the content selection unit 138.

  The processing of the content selection unit 138 of the receiving terminal 103 will be described using the processing flow of FIG. The content selection unit 138 filters the acquired recording control information (S9) one by one with the personal attribute data (S10) acquired from the personal attribute data holding unit 134 (S11).

  If there is a suitable content as a result of filtering, the content selection unit 138 sets the content as a selected content in the recording reservation management list (S12). The content selection means 138 repeats filtering until there is no personal attribute data (S13). The content selection unit 138 performs filtering until there is no personal attribute data, and then acquires information on the content that the user has reserved for recording privately from the user recording reservation holding unit 143 (S14). The content selection means 138 determines whether the content reserved by the user for private recording is included in the recording reservation management list (S15), and if included, deletes it from the recording reservation management list. (S16).

  An example of the recording reservation management list finally created is shown in FIG. As shown in FIG. 30, for example, in the case of content name 1, there is no playback condition for private recording, but in the case of content name 2, the playback condition list id = 1 is applied as the playback condition and is applied during playback. Must be accumulated as is done. The content selection unit 138 passes the recording reservation management list and broadcaster ID of the selected content to the content reception unit 139, and passes the playback condition list to the content management unit 140 (S17). The content reception means 139 determines whether the content of the recording reservation management list acquired from the content selection means 138 is the content of the broadcaster indicated by the acquired broadcaster ID via a broadcast network or a bidirectional network. The validity is confirmed based on the correspondence table between the broadcaster ID acquired from the content providing apparatus 104 and the content.

  The content receiving unit 139 of the receiving terminal 103 acquires the content whose validity has been confirmed from the content providing apparatus 104 via the broadcast network or the bidirectional network. The content receiving unit 139 passes the acquired content to the content management unit 140. The content management unit 140 accumulates the content acquired from the content receiving unit 139 and the reproduction condition list acquired from the content selection unit 138. The content management unit 140 assigns an ID to the playback condition list so that the playback condition is unique within the content management unit 140, and accumulates the playback condition list. The content management means 140 manages the stored content and playback conditions by creating a stored content management list. An example of the stored content management list used here is shown in FIG. As shown in FIG. 31, the stored content management list is a correspondence table between contents and playback conditions. For example, in the case of content name 2, the playback condition of id = 1 in the playback condition list with id = 100 is applied. Indicates that the content must be played. In the above description, the recording control information is filtered one by one using the personal attribute data. However, the filtering may be performed simultaneously using a plurality of personal attribute data.

  Next, content reproduction will be described. The content display unit 141 presents content information to the user in response to a request from the user. When the user makes a viewing request for the content stored in the content management unit 140, the content management unit 140 passes the content and the reproduction condition to the content reproduction unit 142 if there is a reproduction condition. The content reproduction unit 142 reproduces the content according to the reproduction condition when there is a reproduction condition, or as requested by the user when there is no reproduction condition.

  As described above, in this embodiment, by accumulating content and content playback conditions together, the broadcaster can specify the playback conditions, and what the user has recorded privately , Can protect the rights of existing users.

  In the present embodiment, the certificate for verifying the signature is assumed to be held in the receiving device. However, a method of obtaining from a broadcaster or another method of obtaining from a reliable place may be used.

(Embodiment 5)
A fifth embodiment to which the present invention is applied will be described. In the fourth embodiment, the content recording control service is free of charge. However, in consideration of operation, charging processing is required. In the present embodiment, a billing process for adding a sales company and performing a content recording control service for a fee is added.

  FIG. 32 shows an example of the overall configuration of the content recording control service system in the present embodiment. The broadcaster 201 can hold the actual content to be provided. Also, the broadcaster 201 can hold the playback conditions for the content to be provided. The recording control service provider 202 can create and hold recording control information for storing content in the receiving terminal. The receiving terminal 203 is connected to the recording control service provider 202 via a broadcast network or a bidirectional network, and can acquire and hold playback conditions and recording control information from the recording control service provider 202. The receiving terminal 203 is connected to the broadcaster 201 via a broadcast network or a bidirectional network, and can acquire content from the broadcaster 201 and store and play it. The sales company 204 can acquire and hold a key obtained by encrypting the reproduction conditions and the recording control information from the recording control service company 202. Further, the sales company 204 is connected to the receiving terminal 203 via the bidirectional network, and can transmit the key acquired from the recording control service company to the receiving terminal 203. The broadcaster 201 has the same content providing apparatus 104 as that in the fourth embodiment.

  FIG. 33 shows an internal configuration example of a recording control service providing apparatus 205 as a storage control service providing apparatus possessed by the recording control service provider in the present embodiment. The service information encryption processing unit 221 can encrypt the recording control service information that has been subjected to signature processing, acquired from the content provider device 104 of the broadcaster by the service information receiving unit 127. The encryption key transmission unit 222 can pass the key used for encryption by the service information encryption processing unit 221 to the sales company 204. Other components are the same as those in FIG.

  FIG. 34 shows an internal configuration example of the receiving terminal 203 in the present embodiment. The restoration key receiving unit 231 is connected to the sales company 204 via the bidirectional network, and can obtain a key for restoring the recording control service information from the sales company 204. The restoration key holding unit 232 can hold the key acquired by the restoration key receiving unit 231 from the sales company 204. The service information restoration processing unit 233 can restore the recording control service information acquired by the service information receiving unit 135 from the recording control service providing apparatus 205 with the restoration key held by the restoration key holding unit. Other components are the same as those in FIG.

  FIG. 35 shows an example of the internal configuration of the sales company in the present embodiment. The encryption key receiving unit 241 can acquire a key obtained by encrypting the recording control service information from the recording control service providing apparatus 205. The key holding unit 242 can hold the encryption key acquired by the encryption key receiving unit 241. The restoration key transmission unit 243 is connected to the reception terminal 203 via the bidirectional network, and can transmit a key for restoring the recording control service information held in the key holding unit 242 to the reception terminal 203. .

  The operation of the content storage control service system configured as described above will be described below. First, creation of personal attribute data will be described. The personal attribute data is created by the same method as the personal attribute data creation in the fourth embodiment. The created personal attribute data is held in the personal attribute data holding means 134.

  Next, creation of recording control information will be described. The recording control information is generated by the same method as the recording control information generation in the fourth embodiment. The created recording control information is transferred from the recording control information transmitting means 126 to the content provider 104 of the broadcaster.

  Next, creation of recording control service information will be described. The recording control service information is created by the same method as the creation of the recording control service information in the fourth embodiment. The created recording control service information is encrypted by the service information encryption processing means 221 and transmitted from the service information transmission means 128 to the receiving terminal 203 via the broadcast network or the bidirectional network. Examples of the encryption method referred to here include the methods disclosed in Japanese Patent Laid-Open Nos. 2001-142472 and 2001-142786.

  Next, key sales will be described. The encryption key transmission unit 222 passes the key used for encryption in the service information encryption processing unit 221 to the sales company 204. The encryption key receiving unit 241 receives the key passed from the encryption key transmitting unit 222 and passes it to the key holding unit 242. The key holding unit 242 holds the acquired key. The restoration key transmitting unit 243 transmits the key held in the key holding unit 242 to the receiving terminal 203 via the bidirectional network in response to a request from the user. The restoration key receiving unit 231 receives the key transmitted from the restoration key transmission unit 243 and passes it to the restoration key holding unit 232. The restoration key holding unit 232 holds the acquired key.

  Next, content accumulation will be described. The service information receiving unit 135 passes the recording control service information acquired from the recording control service providing apparatus 205 to the service information restoration processing unit 233. The service information restoration processing unit 233 restores the acquired recording control service information using the key held in the restoration key holding unit 232. The service information restoration processing unit 233 passes the restored recording control service information to the signature verification unit 137. The subsequent operations until content accumulation are the same as those in the fourth embodiment.

  Next, content reproduction will be described. Content reproduction is performed by the same method as the content reproduction in the first embodiment.

  As described above, in the present embodiment, in addition to the effects of the fourth embodiment, it is possible to perform a content storage control service for a fee in addition to the effects of the fourth embodiment. It becomes possible to protect the rights of the recording control service provider.

(Embodiment 6)
A sixth embodiment to which the present invention is applied will be described. In the fourth embodiment, the playback condition is transmitted from the recording control service provider to the receiving terminal together with the recording control information. This embodiment is different in that the playback condition is transmitted from the broadcaster to the receiving terminal.

  FIG. 36 shows an example of the overall configuration of the content recording control service system in the present embodiment. The broadcaster 301 can hold the actual content to be provided. In addition, the broadcaster 301 can hold the reproduction conditions of the held content. The recording control service provider 302 can create and hold recording control information for storing content in the receiving terminal 303. The receiving terminal 303 is connected to the recording control service provider 302 via a broadcast network or a bidirectional network, and can acquire and hold recording control information from the recording control service provider 302. The receiving terminal 303 is connected to the broadcaster 301 via a broadcast network or a bidirectional network, and can acquire, store, and play back content and playback conditions from the broadcaster 301.

  FIG. 37 shows an example of the internal configuration of the content providing apparatus 304 possessed by the broadcaster 301 in this embodiment. The signature unit 311 can sign the reproduction condition held in the content management unit 111. The signature unit 311 can sign the recording control information acquired by the recording control information acquisition unit 113 from the recording control service provider 302. The content broadcasting unit 312 is connected to the receiving terminal 303 via a broadcast network or a bidirectional network, and can transmit the content and the playback condition subjected to signature processing to the receiving terminal 303. The signed recording control information transmission unit 313 can pass the recording control information subjected to the signature processing in the signature unit 311 to the recording control service provider 302. The reproduction condition management unit 314 can determine the reproduction condition based on the recording control information acquired from the recording control information acquisition unit 113. Other components are the same as those in FIG.

  FIG. 38 shows an internal configuration example of a recording control service providing apparatus 305 as a storage control service providing apparatus possessed by the recording control service provider 302 in the present embodiment. The signed recording control information receiving unit 321 can acquire the recording control information subjected to the signature processing from the content providing apparatus 304. The signed recording control information transmitting unit 322 can transmit the recording control information subjected to the signature processing to the receiving terminal 303 via a broadcast network or a bidirectional network. Other components are the same as those in FIG.

  FIG. 39 shows an internal configuration example of the receiving terminal 303 in the present embodiment. The recording control information receiving unit 331 is connected to the recording control service service providing apparatus 305 via a broadcast network or a bidirectional network, and can acquire recording control information from the recording control service service providing apparatus 305. The broadcast receiving means 332 is connected to the content providing apparatus 304 via a broadcast network or a bidirectional network, and can acquire content and playback conditions from the content providing apparatus 304. Other components are the same as those in FIG.

  The operation of the recording control service configured as described above will be described below. First, creation of personal attribute data will be described. The personal attribute data is created by the same method as the personal attribute data creation in the fourth embodiment. The created personal attribute data is held in the personal attribute data holding means 134.

  Next, creation of recording control information will be described. The recording control information is generated by the same method as the recording control information generation in the fourth embodiment. The created recording control information is transferred from the recording control information transmission unit 126 to the recording control information acquisition unit 113. The signature unit 311 acquires recording control information from the recording control information acquisition unit 113 and performs signature processing. The signed recording control information transmitting unit 313 passes the certificate ID and the signed recording control information from the signature unit 311 to the signed recording control information receiving unit 321 together with the broadcaster ID. The signed recording control information transmitting unit 322 acquires the recording control information from the signed recording control information receiving unit 321 and transmits the recording control information to the receiving terminal 303 via the broadcast network or the bidirectional network. An example of the data format of the recording control information transmitted to the receiving terminal is shown in FIG. As shown in FIG. 40, the recording control information is divided for each broadcaster ID and signed for each broadcaster.

  Next, the creation of playback conditions will be described. The reproduction condition management unit 314 acquires the recording control information acquired by the recording control information acquisition unit 113 from the recording control service service providing apparatus 305. The reproduction condition management unit 314 determines a reproduction condition corresponding to the content described in the recording control information from the correspondence table. The reproduction condition management unit 314 passes the determined reproduction condition to the signature unit 311. The signature unit 311 performs a signature process on the acquired reproduction condition and passes the reproduction condition subjected to the signature process to the content broadcast unit 312. The content broadcasting unit 312 transmits the acquired reproduction condition together with the content to the receiving terminal 303 via the broadcast network or the bidirectional network. An example of the data format of the playback conditions transmitted to the receiving terminal 303 is shown in FIG. As shown in FIG. 41, the playback condition is divided for each recording control service provider ID and signed for each recording control service provider.

  Next, content accumulation will be described. The recording control information 331 passes the recording control information acquired from the recording control service service providing apparatus 305 to the signature verification unit 137. In addition, the broadcast receiving unit 332 passes the reproduction condition acquired from the content providing apparatus 304 to the signature verification unit 137. The signature verification unit 137 verifies the recording control information and the signature of the playback condition. The signature verification operation in the signature verification unit 137 is the same as the signature verification operation in the fourth embodiment. The subsequent operations until content accumulation are the same as those in the fourth embodiment.

  Next, content reproduction will be described. The content reproduction is performed by the same method as the content reproduction in the fourth embodiment.

  As described above, in the present embodiment, by transmitting the playback condition from the broadcaster, the playback condition stored in the receiving terminal for each recording control service provider is stored in the receiving terminal for each broadcaster. Therefore, useless data can be suppressed.

(Embodiment 7)
A seventh embodiment to which the present invention is applied will be described. In the fourth embodiment, the recording control information is created by the recording control service provider. In the present embodiment, the recording control information is created at the receiving terminal.

  FIG. 42 shows an example of the overall configuration of the content storage control service system in the present embodiment. The broadcaster 402 can hold the substance of the content to be provided. In addition, the broadcaster 402 can hold the reproduction conditions of the held content. The receiving terminal 402 is connected to the broadcaster 401 via a broadcast network or a bidirectional network, and can acquire, store, and play back content and playback conditions from the broadcaster 401.

  FIG. 43 shows an internal configuration example of the receiving terminal 402 in the present embodiment. Each component is the same as the component in FIG.

  The operation of the recording control service configured as described above will be described below. First, content accumulation will be described. The content selection unit 138 selects the content to be stored based on the information held by the viewing history holding unit 132 and creates a recording reservation management list. The content selection unit 138 acquires information on the content that the user has reserved for recording privately from the user recording reservation holding unit 143. The content selection means 138 determines whether the content reserved by the user for private recording is included in the recording reservation management list, and if it is included, deletes it from the recording reservation management list. The content selection unit 138 passes the recording reservation management list to the broadcast receiving unit 332. The subsequent operations until the contents are accumulated are the same as those in the sixth embodiment.

  Next, content reproduction will be described. The content reproduction is performed by the same method as the content reproduction in the fourth embodiment.

  As described above, in the present embodiment, it is possible to realize a service that more reflects the user's preference by selecting all the contents to be stored at the receiving terminal.

(Embodiment 8)
An eighth embodiment to which the present invention is applied will be described. In the fourth embodiment, the content acquired by the receiving terminal is not encrypted. In the present embodiment, the content is encrypted by the broadcaster, and a licensee is installed, and the receiving terminal acquires a key for restoring the content from the licensee.

  FIG. 44 shows an example of the overall configuration of the content recording control service system in the present embodiment. The content provider 501 can hold the substance of the content to be provided. Also, the content provider 501 can hold the playback conditions for the content to be provided. The recording control service provider 502 can create and hold recording control information for storing content in the receiving terminal. The receiving terminal 503 is connected to the recording control service provider 502 via a broadcast network or a bidirectional network, and can acquire and hold playback conditions and recording control information from the recording control service provider 502. The receiving terminal 503 is connected to the content provider 501 via a broadcast network or a bidirectional network, and can acquire, store, and play back content from the content provider 501. The license provider 504 can acquire and hold a key obtained by encrypting the content from the content provider 501. In addition, the license provider 504 is connected to the receiving terminal 503 via the bidirectional network, and can transmit the key acquired from the broadcasting company to the receiving terminal 503.

  FIG. 45 shows an internal configuration example of a content providing apparatus 505 included in the content provider 501 in the present embodiment. The content encryption unit 511 can encrypt the content held in the content management unit 111. The license ticket transmission unit 512 includes a certificate ID corresponding to the content key used for encryption by the content encryption unit 511 and the private key used for signing the recording control service information by the signature unit 115. A license ticket that is a set of Other components are the same as those in FIG.

  FIG. 46 shows an internal configuration example of the receiving terminal 503 in the present embodiment. The license ticket receiving unit 531 is connected to the license operator 504 via the bidirectional network, and can acquire a license ticket from the license operator 504. Other components are the same as those in FIG.

  FIG. 47 shows an example of the internal configuration of the license issuing device 506 possessed by the license business in this embodiment. The license ticket receiving unit 541 can acquire a license ticket from the content providing apparatus 505. The license ticket holding unit 542 can hold the license ticket acquired by the license ticket receiving unit 541. The license ticket transmission unit 543 is connected to the reception terminal 503 via the bidirectional network, and can transmit the license ticket held in the license ticket holding unit 542 to the reception terminal 503.

  The operation of the content storage control service system configured as described above will be described below. First, creation of personal attribute data will be described. The personal attribute data is created by the same method as the personal attribute data creation in the fourth embodiment. The created personal attribute data is held in the personal attribute data holding means 134.

  Next, creation of recording control information will be described. The recording control information is generated by the same method as the recording control information generation in the fourth embodiment. The created recording control information is transmitted from the recording control information transmitting unit 126 to the content providing apparatus 505.

  Next, creation of recording control service information will be described. The recording control service information is created by the same method as the creation of the recording control service information in the fourth embodiment. However, unlike the fourth embodiment, the created recording control service information includes a license ID for identifying the license including the content key used by the content encryption unit 511. The created recording control service information is transmitted from the service information transmitting means 128 to the receiving terminal 503 via a broadcast network or a bidirectional network. An example of the data format of the recording control service information transmitted to the receiving terminal is shown in FIG. As shown in FIG. 48, the recording control service information is divided for each content provider ID and signed for each content provider.

  Next, the license ticket will be described. The license ticket is data that includes at least a content key and a certificate ID and collects licenses uniquely identified by the license ID. The license transmission unit 512 acquires the content key used for content encryption in the content encryption unit 511, the license ID, and the certificate ID used for the signature of the recording control service information in the signature unit 115. The license transmission unit 512 passes the set of the acquired content key, license ID, and certificate ID to the license issuing device 506 as a license ticket. The license reception unit 541 receives the license ticket passed from the license transmission unit 512 and passes it to the license holding unit 542. The license holding unit 542 holds the acquired license ticket. The license ticket transmission unit 543 transmits the license ticket held in the license holding unit 542 to the receiving terminal 503 via the bidirectional network in response to a request from the user. An example of the data format of the license ticket transmitted to the receiving terminal is shown in FIG. As shown in FIG. 49, the license ticket is divided for each license ID.

  Next, content accumulation will be described. The operation until the content to be stored is determined is the same as the operation until the content is determined in the fourth embodiment. The content selection unit 138 acquires the license ticket for the content in the recording reservation management list from the license ticket reception unit 531. The content selection unit 138 checks whether the certificate ID of the acquired license ticket matches the certificate ID of the recording control service information. When the match is confirmed, the content selection unit 138 passes the recording reservation management list and the broadcaster ID to the content reception unit 139, and passes the playback condition list and the license ticket to the content management unit 140. The subsequent operations until content accumulation are the same as those in the fourth embodiment. However, unlike the fourth embodiment, since the content is encrypted, the content reproduction unit 140 acquires the license key corresponding to the content from the content management unit 139 and encrypts it using the acquired content key. The reproduced content is decrypted and then reproduced.

  Next, content reproduction will be described. The content reproduction is performed by the same method as the content reproduction in the fourth embodiment.

  As described above, in the present embodiment, by installing a license provider, in addition to the effects of the fourth embodiment, the content is encrypted and sent, so that the rights of the content can be more protected. .

(Embodiment 9)
Next, details of a “link information authentication system”, which is an example when link information is used as metadata, will be described as a ninth embodiment. A feature of the ninth embodiment of the present invention is that content is played back when content provided by a broadcaster on the content providing side is played on the receiving side (content receiving device, hereinafter simply referred to as “receiving device”). Regarding the link information displayed at the same time, an electronic signature (hereinafter referred to as a signature) is given only to the link information that the broadcaster who owns the content permits the simultaneous display, and the receiving device acquires it from the broadcaster. For link information that is set to be displayed at the same time for the selected content, the signature is verified with a certificate obtained in advance from the broadcaster, and only the link information authenticated by this verification is considered valid. Is displayed at the same time as playback.

  Hereinafter, the ninth embodiment of the present invention will be described in detail with reference to the drawings. First, the configuration of the link information authentication system in the present embodiment will be described. FIG. 50 is a block diagram showing an overall configuration of the link information authentication system according to the present embodiment. The link information authentication system shown in FIG. 50 includes a broadcaster 601 that provides content to a receiving device 603 through a broadcast network 606, and an ISP (Internet Service Provider: ISP) that provides link information to be displayed simultaneously with the reproduction of the content. (Internet service provider) 102 and a receiving device 603 that reproduces content received from the broadcast network 606 and displays link information simultaneously with the reproduction of the content. Here, the broadcaster 601 and ISP 602, the ISP 602 and the receiving device 603 are connected by IP (Internet Protocol) networks 604 and 605, respectively. The broadcaster 601 and the receiving device 603 are connected by the broadcasting network 606. Connected by. The IP networks 604 and 605 are illustrated separately, but may be the same.

  Here, although the case where the provider of the link information displayed together with the content is ISP 602 will be described, the provider of the link information is not limited to ISP 602. In FIG. 50, only one ISP 602 as a link information provider is shown. However, there are a plurality of ISPs 602, and each ISP 602 independently provides link information to the broadcaster 601. It is also possible to do.

  The broadcast network 606 is a satellite broadcast such as BS (Broadcasting Satellite) or CS (Communications Satellite) 110 °, a broadcast using radio waves such as a digital terrestrial broadcast, or an IP network multicast. This means IP broadcasting using the Internet. As an example of a broadcasting system using radio waves, there are standards such as ARIB (Association of Radio Industries and Businesses) STD-B10, B20, B21, B24, B31, B32, ARIB TR-B14, B15.

  In the present embodiment, the case where the present invention is applied to BS, CS110 °, terrestrial digital broadcasting will be described. However, the broadcasting system to which the present invention can be applied is not limited to these, and ARIB STD. -Content distribution service in the server type broadcasting system as shown in B38, metadata format defined in MPEG7, TVA (TV Anytime Forum) standard documents SP003, SP004, etc. The present invention is also applicable to a content distribution service using a content distribution method on a bidirectional network performed using metadata in accordance with a prescribed metadata format.

  The content here means digital data such as video and music. The link information is information necessary for accessing a specific service on the Internet (generally a URL (Uniform Resource Locator)), and is displayed at the same time as playback of specific content. Means data that contains information needed to be The link information includes, for example, a link information name for identifying the link information, a link destination URL for designating a connection destination of the link information, and a Web of the connection destination as in the link information data example illustrated in FIG. The link destination genre indicating the genre of the service, the content specification for specifying the content for which the link information is displayed simultaneously, the display data necessary for displaying the link information, and the like are described. For example, the link information shown in FIG. 57 is for displaying display data (link information button) having a link to the link destination URL when reproducing the content designated by the content designation. In the present embodiment described below, it is assumed that link information is displayed simultaneously with the reproduction of content (broadcast content), and a case where service_id and event_id are used for content specification will be described.

  Next, in the link information authentication system shown in FIG. 50, the configuration of the content providing apparatus 700 included in the broadcaster 601 will be described. FIG. 51 is a block diagram showing a content providing apparatus included in a broadcaster of the link information authentication system according to the present embodiment. The content providing apparatus 700 shown in FIG. 51 issues a certificate for authenticating the validity of the link information displayed simultaneously with the reproduction of the content, and uses the certificate to attach a signature to the link information received from the ISP 602. In addition, the content is transmitted to the receiving device 603 through the broadcast network 606, and includes content management means 701, broadcast means 702, certificate generation means 703, certificate management means 704, signature means 705, and communication means 706. ing.

  The content management unit 701 manages content (digital content) such as video content and music content, and includes a storage unit for storing the content, or can access the storage unit to read out the digital content. It is. Also, the broadcast unit 702 sends the content supplied from the content management unit 701 and the certificate supplied from the certificate management unit 704 to the receiving device 603 through the broadcast network 606.

  Also, the certificate generation unit 703 generates a certificate for authenticating the validity of the link information displayed at the same time when the content managed by the content management unit 701 is played back. In the present embodiment, the certificate generated by the certificate generation unit 703 includes X. It is assumed that a public key certificate is generated and used using a public key-based electronic signature method standardized in 509 and the like. The public key certificate can be associated with the content, but it can also be associated with, for example, some scenes of the content, broadcaster, date and time, region, content genre, and the like.

  Also, the certificate management unit 704 manages the public key certificate generated by the certificate generation unit 703 in association with the content managed by the content management unit 701. Also, the signature unit 705 obtains, from the certificate management unit 704, a public key certificate corresponding to the content for which the link information is displayed at the same time with respect to the link information received from the ISP 602, and uses the public key certificate for the signature. I do. The communication unit 706 transmits / receives link information to / from the ISP 602 through the IP network 604. The communication unit 706 receives link information from the ISP 602 and transmits signed link information with a predetermined signature to the ISP 602.

  Next, the configuration of the link information providing apparatus 800 included in the ISP 602 in the link information authentication system shown in FIG. 50 will be described. FIG. 52 is a block diagram showing a link information providing apparatus included in the ISP of the link information authentication system according to the present embodiment. The link information providing apparatus 800 shown in FIG. 52 generates link information that is displayed simultaneously with the reproduction of the content, transmits the link information signed by the broadcaster 601 (signed link information) to the receiving apparatus 603, When an access based on signed link information is performed in the receiving device 603, the device provides a Web service to the user of the receiving device 603. The link information generating unit 801, the link information managing unit 802, and the communicating unit 803 And Web service providing means 804.

  The link information generation unit 801 generates link information to be displayed simultaneously with the content reproduction. An example of the link information generated by the link information generating unit 801 is illustrated in FIG. However, it is possible to use another parameter as the content designation item. For example, some scenes of content can be specified using segment information (segment information) of the TVA standard, broadcaster specification using service_id of SI (Service Information), date / time specification, region specification, It is possible to specify a genre. In FIG. 57, the link information is shown in a table format, but in actual operation, the XML (Extensible Markup Language: CSV) format, CSV (Comma Separated Value: CS buoy) A description method such as a format, a text format, and a binary format is possible.

  The link information management unit 802 manages link information generated by the link information generation unit 801 and signed link information signed by the broadcaster 601. The communication unit 803 transmits link information to the broadcaster 601 through the IP network 604, receives signed link information from the broadcaster 601, and transmits to the receiving device 603 through the IP network 605. The signed link information is transmitted. Further, the communication unit 803 transmits Web service data corresponding to access based on link information (including signed link information) to the receiving device 603.

  The web service providing unit 804 provides a web service corresponding to access based on the link information received by the communication unit 803. As described above, the Web service data is transmitted to the reception device 603 via the communication unit 803. Here, for example, in addition to displaying the portal site of ISP 602, the Web service means any service that can be provided using the Internet, such as downloading and selling contents, purchasing products, and applying for sweepstakes. To do.

  Next, the configuration of the link information authentication apparatus 900 included in the reception apparatus 603 in the link information authentication system shown in FIG. 50 will be described. FIG. 53 is a block diagram showing a link information authentication apparatus included in reception apparatus 603 of the link information authentication system according to the present embodiment. 53 receives the content and the public key certificate from the broadcaster 601 and searches the link information received from the ISP 602 for those that can be displayed simultaneously with the reproduction of the content. It is an apparatus capable of displaying valid link information at the same time as the reproduction of content, assuming that the signature of the obtained link information is valid only when the signature is authenticated by the public key certificate. Broadcast receiving means 901, content reproduction means 902, a certificate management unit 903, a signature authentication unit 904, a link information management unit 905, a link information search unit 906, a link information display unit 907, a communication unit 908, and a Web service display unit 909.

  Broadcast receiving means 901 receives content, information related to the content, and public key certificate corresponding to the content from the broadcaster 601 through the broadcast network 606. In the case of digital broadcasting, content means a broadcast program, and information related to the content means SI. Further, the public key certificate corresponding to the content needs to be received before or before the time when the content is broadcast.

  In addition, the content reproduction unit 902 reproduces the content received by the broadcast reception unit 901 and accepts a content operation from the user via a predetermined operation unit (not shown). Note that the content reproduced by the content reproduction unit 902 is visually and / or audibly notified to the user by a monitor (display unit), a speaker, and the like (not shown). The certificate management unit 903 stores and manages the public key certificate received by the broadcast receiving unit 901 as a database. Also, the signature authentication unit 904 obtains a public key certificate corresponding to the link information searched by the link information search unit 906 from the certificate management unit 903, and verifies the validity of the signature given to the link information. Only link information authenticated as valid is valid.

  Note that the signature given to the link information must be verified by an appropriate public key certificate (certificate associated with the link information). FIG. 58 is a diagram showing an example of the relationship between the content of the link information authentication system according to the present embodiment, the content SI, the link information, and the public key certificate. As shown in FIG. 58, SI, link information, and public key certificate of broadcast content are associated with each other by service_id and event_id. Therefore, it is possible to acquire an appropriate public key certificate corresponding to the link information using service_id and event_id as identification information, and to verify the signature of the link information using this public key certificate.

The link information management unit 905 manages the link information received by the communication unit 908 as a database. The link information search unit 906 searches the link information management unit 905 for link information corresponding to the service_id and event_id of the content received from the broadcast receiving unit 901, and requests the signature authentication unit 904 to authenticate the searched link information. To do. Then, the link information authenticated by the signature authentication unit 904 is transferred to the link information display unit 907, and the display is requested. When the content being tuned in the broadcast receiving unit 901 is changed or when the content is changed due to channel switching, the link information search unit 906 detects a change in event_id and links information corresponding to the content. Search again.

  The link information display unit 907 displays the link information requested to be displayed from the link information search unit 906 on a monitor (not shown) connected to the receiving device 603 simultaneously with the reproduction of the content. Further, the link information display unit 907 receives a link operation from the user via a predetermined operation unit (not shown), and when an access request based on the link information is made, the link information display unit 907 links to the communication unit 908. Request to connect first. The communication unit 908 receives link information from the ISP 602 through the IP network 605 and transmits / receives data to / from the connection destination via the ISP 602 in accordance with a connection request from the link information display unit 907 or the Web service display unit 909. I do. The web service display unit 909 displays a screen relating to the web service received from the communication unit 908 on a monitor (not shown) and accepts a web operation from the user via a predetermined operation unit (not shown). Do.

  Next, with reference to the sequence chart shown in FIG. 54, the operation until the broadcaster 601 signs the link information generated by the ISP 602 in the configuration shown in FIGS. 50 to 53 will be described. . FIG. 54 is a sequence for explaining processing in the content providing apparatus and the link information providing apparatus until the broadcaster signs the link information generated by the ISP in the link information authentication system according to the present embodiment. It is a chart.

  First, the link information generation unit 801 of the link information providing apparatus 800 of the ISP 602 generates link information that is to be displayed simultaneously with the reproduction of the content, and passes it to the link information management unit 802 (step S501). The link information generated at this time is, for example, shown in FIG. 57 described above. Next, the link information management unit 802 of the link information providing apparatus 800 transmits the link information to the content providing apparatus 700 in order to have the broadcaster 601 sign the link information acquired in step S501. The link information is handed over to the communication means 803, and a transmission request for link information to the content provider 700 of the broadcaster 601 is made (step S502). Then, the communication unit 803 of the link information providing apparatus 800 transmits the link information requested to be transmitted in step S502 to the content providing apparatus 700 (step S503).

  The communication unit 706 of the content providing apparatus 700 receives the link information transmitted from the link information providing apparatus 800 in step S503, and passes it to the signature unit 705 (step S504). Then, the signature unit 705 of the content providing apparatus 700 determines whether or not the link information supplied from the communication unit 706 in step S504 is appropriate for the broadcaster. If it is determined that the link information is permitted, the signature unit 705 requests the certificate management unit 704 for a public key certificate corresponding to the link information (step S505).

  Although not shown in FIG. 54, when the link information is not permitted, it is desirable that the signature unit 705 does not give the signature and notifies the link information providing apparatus 800 that the link information is not permitted. . Further, for example, the received link information is included in the table in which the received link information is included in the table in which the list of information regarding the permitted link information is described or the list in which the information regarding the link information not permitted is described. Various determination methods for permission / prohibition of permission related to link information, such as checking whether the content is included or checking the contents directly by accessing based on the received link information, may be adopted Is possible.

  When the request for the public key certificate corresponding to the link information is received from the signature unit 705, the certificate management unit 704 of the content providing apparatus 700 searches for the public key certificate requested in step S505, and the public key certificate is obtained. If the certificate is found, the public key certificate is returned to the signing means 705. On the other hand, if the certificate management unit 704 cannot find the public key certificate, the link information certificate generation unit 703 is requested to generate a public key certificate corresponding to the link information (step S506). ). In the sequence chart of FIG. 54, the case where the public key certificate could not be found is illustrated, but when the public key certificate is found and returned to the signing means 705, the public key certificate is based on this public key certificate. Processing related to the signature on the link information (step S510 described later) is performed.

  The certificate generation unit 703 of the content providing apparatus 700 searches the content management unit 701 for the content corresponding to the link information requested to be generated in step S506, acquires the identification information related to the content, and acquires the content. A corresponding public key certificate (a certificate including identification information related to the content) is generated (step S507). The certificate generating unit 703 of the content providing apparatus 700 passes the public key certificate generated in step S507 to the certificate management unit 704 (step S508), and the certificate management unit 704 of the content providing apparatus 700 in step S508. The acquired public key certificate is stored and managed, and this public key certificate is passed to the signing means 705 (step S509).

  The signature unit 705 of the content providing apparatus 700 generates a signed link information by adding a signature to the link information using the public key certificate acquired in step S509, and sends the signed link information to the communication unit 706. At the same time, a request for sending signed link information is sent to the link information providing apparatus 800 to send the signed link information (step S510). Then, the communication unit 706 of the content providing apparatus 700 transmits the signed link information requested to be transmitted in step S510 to the link information providing apparatus 800 (step S511).

  The communication unit 803 of the link information providing apparatus 800 receives the signed link information transmitted from the content providing apparatus 700 in step S511 and passes it to the link information management unit 802 (step S512). Then, the link information management unit 802 of the link information providing apparatus 800 registers and stores the signed link information supplied in step S512 in the database (step S513).

  When the broadcaster 601 determines whether or not the link information generated by the ISP 602 is appropriate as the link information displayed simultaneously with the reproduction of the content by the series of processes shown in FIG. Only the signature is given and the signed link information is generated and stored in the link information providing apparatus 800. As a result, regarding the link information displayed simultaneously with the reproduction of the content, the broadcaster 601 can permit the link information, and the licensed link information is provided with the signature of the broadcaster 601. It is possible to prevent link information that is not permitted by the broadcaster from being displayed together with the content.

  Subsequently, with reference to the sequence chart shown in FIG. 55, in the configuration shown in FIGS. 50 to 53, the link information authentication apparatus 900 receives the content and the public key certificate from the broadcaster 601 and The operation until the link information that can be displayed simultaneously with reproduction is searched from the ISP 602 will be described. FIG. 55 shows the link information authentication system according to the present embodiment, in which the link information authentication apparatus receives content and a public key certificate from a broadcaster, and searches the ISP for link information that can be displayed simultaneously with the reproduction of the content. It is a sequence chart for demonstrating the process in the content provision apparatus, link information provision apparatus, and link information authentication apparatus until it does.

  First, the broadcast unit 702 of the content providing device 700 of the broadcaster 601 acquires content to be broadcast to the receiving device 603 from the content management unit 701 (step S601), and a public key corresponding to the content acquired in step S601. A certificate is acquired from the certificate management means 704 (step S602). Then, the broadcasting unit 702 of the content providing apparatus 700 multiplexes the content and public key certificate acquired in steps S601 and S602 and broadcasts them to the link information authentication apparatus 900 (step S603). As will be described later with reference to FIG. 59, the public key certificate is not necessarily sent from the content providing apparatus 700 to the receiving apparatus 603 via the broadcast network 606. For example, the IP networks 604, 605, etc. The public key certificate may be transmitted via. In this case, similarly to the case where the public key certificate is transmitted in a state of being multiplexed with the content, the content providing apparatus 700 is adapted to the time zone in which the corresponding content is broadcast (in the same time zone). By making the public key certificate transmitted to the receiving device 603, falsification of the public key certificate and unauthorized use of the public key certificate are prevented, and the reproduced content and the displayed link It becomes possible to improve the reliability of information.

  The broadcast receiving unit 901 of the link information authentication apparatus 900 receives the public key certificate transmitted from the content providing apparatus 700 in step S603, passes this public key certificate to the certificate management unit 903, and requests management. Together with (Step S604), the content transmitted from the content providing apparatus 700 in Step S603 is received, and identification information (service_id and event_id) of this content is passed to the link information search means 906 (Step S605).

  The link information search unit 906 of the link information authentication apparatus 900 searches the link information management unit 905 for the signed link information corresponding to the identification information (service_id and event_id) supplied from the broadcast receiving unit 901 in step S605 and finds it. In that case, the signed link information is acquired (step S606). On the other hand, if the link information search unit 906 cannot find the signed link information, the link information search unit 906 of the link information authentication apparatus 900 uses the identification information (service_id and event_id) acquired in step S605 as the communication unit 908. To the communication means 908 to obtain the signed link information from the link information providing apparatus 800 using the identification information (service_id and event_id) as a search key (step S607). In addition, in step S608 and subsequent steps in the sequence chart of FIG. 55, a process when the signed link information cannot be found and the acquisition request of the signed link information is performed in step S607 will be described.

  The communication unit 908 of the link information authentication apparatus 900 transmits the search key acquired in step S607 to the communication unit 803 of the link information providing apparatus 800 (step S608). The communication unit 803 of the link information providing apparatus 800 receives the search key transmitted from the link information providing apparatus 800 in step S608, passes it to the link information management unit 802, and responds to this search key from the link information management unit 802. Signed link information is acquired (step S609). Then, the communication unit 803 of the link information providing apparatus 800 transmits the signed link information acquired in step S609 to the link information authentication apparatus 900 (step S610). The communication unit 908 of the receiving device 603 receives the signed link information transmitted from the link information providing device 800 in step S610 and passes it to the link information search unit 906 (step S611).

  Through the series of processes shown in FIG. 55 described above, the link information authentication apparatus 900 receives the content and the public key certificate corresponding to the content from the broadcaster 601 and can display the signed link simultaneously with the reproduction of the content. Information can be acquired from the ISP 602.

  Subsequently, referring to the sequence chart shown in FIG. 56, in the configuration shown in FIGS. 50 to 53, the link information authentication apparatus 900 verifies the signature of the link information and reproduces the authenticated link information as the content. The operation until the link destination of the link information is displayed will be described. FIG. 56 shows a link information authentication system according to this embodiment in which the link information authentication apparatus verifies the signature of the link information and displays the authenticated link information at the same time as the reproduction of the content. It is a sequence chart for demonstrating the process in the link information provision apparatus and link information authentication apparatus until it accesses. The sequence chart shown in FIG. 56 illustrates the operation following the series of processes shown in FIG. 55. That is, the link information authentication apparatus 900 receives the content and the public key certificate corresponding to the content. Furthermore, link information that can be displayed simultaneously with the reproduction of the content is acquired.

  First, the broadcast receiving unit 901 of the link information authenticating device 900 of the receiving device 603 passes the content received from the content providing device 700 to the content reproducing unit 902, and requests the content reproduction (step S701). Next, the link information search unit 906 of the link information authentication apparatus 900 requests the signature authentication unit 904 to perform signature authentication of the link information displayed simultaneously with the content to be reproduced (step S702). Then, the signature authentication unit 904 of the link information authentication apparatus 900 acquires the public key certificate corresponding to the link information requested for signature authentication in step S702 from the certificate management unit 903, and uses this public key certificate to obtain link information. Is verified (step S703).

  The signature authentication unit 904 of the link information authentication apparatus 900 notifies the link information search unit 906 of an authentication notification if the signature can be authenticated in step S703 and an authentication failure notification if the signature cannot be authenticated (step S703). S704). In step S705 and subsequent steps in the sequence chart of FIG. 56, a process when the signature is authenticated in step S703 and the authentication notification is notified to the link information search unit 906 will be described. If the signature is not authenticated, the link information is not supplied to the link information display unit 907 and the link information is not displayed.

  The link information search unit 906 of the link information authentication apparatus 900 passes the link information authenticated in step S704 to the link information display unit 907, and requests display of this link information (step S705). The link information display unit 907 of the link information authentication apparatus 900 displays the link information requested for display in step S705 simultaneously with the reproduction of the content (step S706).

  Further, when the user of the link information authentication apparatus 900 gives an instruction to access the link destination of the link information using a predetermined operation means (not shown) or the like, the link information display means 907 is described in the link information. The communication unit 908 is requested to access the existing link destination (step S707). The communication unit 908 of the link information authentication apparatus 900 accesses the link destination requested for access in step S707 (step S708). Here, the case where the access destination is ISP 602 and the communication unit 803 of the link information providing apparatus 800 is accessed will be described.

  The communication unit 803 of the link information providing apparatus 800 acquires Web service data corresponding to the link destination from the Web service providing unit 804 in response to the access request to the link destination from the link information authentication apparatus 900 received in step S708. (Step S709), and transmits the Web service data acquired in Step S709 to the link information authentication apparatus 900 (Step S710).

  The communication unit 908 of the link information authentication apparatus 900 receives the Web service data transmitted from the link information providing apparatus 800 in step S710, passes the Web service data to the Web service display unit 909, and requests display ( Step S711). Then, the web service display unit 909 of the link information authentication apparatus 900 displays a web service screen on a predetermined monitor (not shown) based on the web data supplied in step S711 (step S712).

  Through the series of processes shown in FIG. 56 described above, the receiving apparatus 603 simultaneously displays link information related to the content to be played back, and the user can receive a Web service by giving an access instruction to the link information. It becomes possible. In addition, in the receiving device 603, only link information authenticated by the public key certificate of the broadcaster 601 is displayed. Therefore, unfair link information that the broadcaster 601 does not recognize is not displayed, and the link information is given to the user. It is possible to protect from damage caused by

  Note that the reception device 603 acquires the public key certificate and the signed link information at any time before the content corresponding to the public key certificate and the signed link information is broadcast or during broadcasting. It is also possible to obtain the information in advance and store it in the receiving device 603.

  In addition, the manner in which the link information is displayed at the same time as the content reproduction in step S706 is not particularly limited. That is, for example, when the content is a moving image or a still image, it is possible to display the content and the link information at the same time by superimposing display data of link information on the displayed content. In addition, for example, a link information display area and a content display area can be separately determined in advance, and the link information can be displayed in the link information display area when the content is displayed in the content display area. It is.

  In addition, the display mode relating to the Web service data acquired in step S711 described above can be any method. For example, when the content is a moving image or a still image, the Web service data display area may be generated and the content display area may be reduced so that the Web service data and the content are displayed simultaneously. It was possible, and when the Web service data display was started and the content recording started, and when the user finished browsing the Web service data, it was recorded retroactively to the Web service data display start time. It is also possible to perform chasing playback of content.

  It is also possible to set a plurality of link information for the same content. In this case, all of the plurality of link information may be displayed on the monitor (not shown) of the reception device 603 together with the reproduction of the content, and the reception device 603 limits the number of link information displayed. It is also possible to filter the link information to be displayed by providing link information or selecting link information according to various conditions.

  In the above-described embodiment, content identification information for specifying content is inserted into the link information so that the link information and the content correspond to each other. For example, a partial scene ( Content specific section), broadcaster 601, date and time, region, content genre, or a combination thereof can be associated with link information.

  For example, when corresponding to a part of the scene of the content, it is desirable to transmit index information indicating the scene to the receiving device 603 by broadcasting or communication, and associate the index information with the link information. In addition, when index information is transmitted to the receiving device 603 by broadcasting, it is possible to use program index information of ARIB B10, segment information of TVA, and the like. On the other hand, segment information of TVA can also be used when index information is transmitted to the receiving device 603 by communication.

  Also, for example, link information and the broadcast provider 601 can be associated with each other by inserting broadcaster identification information for identifying the broadcast provider 601 into the link information. In this case, the receiving device 603 can determine which broadcaster 601 is playing the content being broadcast, and can display link information corresponding to the specified broadcaster 601.

  In addition, for example, by inserting date / time information or region identification information indicating date / time or region into the link information, it is possible to associate the link information with the date / time or region where the link information is permitted to be displayed. It is. In the case of setting by date and time, the receiving device 603 determines whether or not link information is available by referring to the time indicated by the built-in clock, the time measured by reception of radio waves, and the like. Further, in the case of setting by region, the region where the receiving device 603 exists is determined by referring to the region identification information received by the broadcast receiving unit 901 or using various other installation location detection methods. It is possible to grasp. By comparing the area detected in this way with the area identification information inserted in advance in the link information, it is possible to determine whether or not to display the link information, or the installation area and link information of the receiving device 603. Appropriate link information can be searched by determining the degree of association with the designated area.

  Further, for example, as shown in FIG. 57 as “link destination genre”, appropriate link information can be searched for the link destination service content or the link destination content genre (content type) indicated by the link information. Information. In this case, the degree of association between the content and the link information can be determined by comparing the genre of the content received by the broadcast receiving unit 901 with the service content of the link destination indicated by the link information and the content genre of the link destination. It becomes.

  In the above-described embodiment, SI is used as identification information for identifying the content corresponding to the link information. However, when content is transmitted to the receiving device 603 by communication, the content is identified. An ID is assigned in advance, and the link information search means 906 can search for link information corresponding to this search key using the identification ID as a search key.

  In the above-described embodiment, as shown in FIG. 58, service_id and event_id are assigned to the public key certificate, and the public key certificate and the content are transmitted to the receiving apparatus 603 through the broadcast network 606 at the same time. However, the public key certificate and the content can be transmitted separately. For example, as shown in FIG. 59, the receiving apparatus 603 receives and stores a public key certificate to which a certificate ID is assigned in advance, and then “certificate ID-broadcast” described in the SI together with the content. You may make it receive the corresponding | compatible information of provider ID-service_id-event_id. As a result, the receiving device 603 searches for and acquires the link information corresponding to the broadcaster ID, service_id, and event_id described in the SI, and also searches for the public key certificate from the certificate ID described in the SI. Then, it is possible to verify the signature of the link information using the acquired public key certificate.

  In the above-described embodiment, the public key certificate is transmitted to the receiving apparatus 603 through the broadcast network 606. For example, as shown in FIG. 60, the public key certificate is transmitted to the receiving apparatus 603 through the IP network 605. It is also possible to provide a certificate authority 1104 for distributing documents. In this case, the broadcaster 601 registers / stores a public key certificate to which a certificate ID has been assigned in advance in the certificate authority 1104 via the IP network 604, and the receiving device 603 transmits the certificate authority via the IP network 605. The public key certificate corresponding to the certificate ID can be acquired from 1104.

  In the above embodiment, the link information button is displayed at the same time as the content using the display data for displaying the link information itself. For example, the user presses the button for directly displaying the link destination. When the link destination display mode in which the link destination is directly displayed is set, the link destination Web page can be displayed simultaneously with the content without displaying the link information button itself. is there. It is also possible to automatically set the above link destination display mode so that the linked Web page is displayed simultaneously with the content.

  The metadata access control system and method of the present invention, and the receiving apparatus and transmitting apparatus using them are useful as a broadcasting system or content distribution system using metadata. It can also be applied to broadcasting systems and content distribution systems that use access to content from structured document information such as BML, HTML, and SMIL.

1 is a block diagram illustrating an overview of a metadata access control system of the present invention. The figure which shows the outline of the example of the metadata which shows reproduction | regeneration control in the system of FIG. FIG. 1 is a diagram describing an example of metadata indicating playback control in the XML format in the system of FIG. The block diagram which shows the structure of the metadata access control system which concerns on the 1st Embodiment of this invention The figure which shows the metadata to which the electronic signature in the said 1st Embodiment is provided The figure which shows an example about the metadata access control information in the said 1st Embodiment The figure shown about the content of the corresponding | compatible content information which is an element of the metadata access control information in the said 1st Embodiment The figure shown about the content of the corresponding | compatible metadata information which is an element of the metadata access control information in the said 1st Embodiment The figure which shows the outline | summary about the license in the said 1st Embodiment. The flowchart explaining operation | movement of the receiver in the said 1st Embodiment. The figure which shows an example of the metadata access control information in the said 1st Embodiment The figure which shows the content about the header and multipart of the content in the said 1st Embodiment The figure explaining the technique which confirms a content provider based on BIT and SDT of PSI / SI in the said 1st Embodiment The block diagram which shows the structure of the metadata access control system which concerns on the 2nd Embodiment of this invention. The figure which shows an example about the metadata access control information of this invention in the said 2nd Embodiment The block diagram which shows the structure of the metadata access control system which concerns on the 3rd Embodiment of this invention. The figure which shows an example about the metadata access control information of this invention in the said 3rd Embodiment Overall configuration diagram of the fourth embodiment of the present invention Broadcaster internal configuration diagram in the fourth to fifth embodiments of the present invention Recording control service provider internal configuration diagram in the fourth and eighth embodiments of the present invention Receiving terminal internal configuration diagram in the fourth embodiment of the present invention The figure which shows the example of the personal attribute data in the 4th-8th embodiment of this invention. The figure which shows the example of the video recording control information in the 4th-8th embodiment of this invention. The figure which shows the example of the reproduction conditions for every video recording control service provider in 4th-5th, 8th embodiment of this invention. The figure which shows the example of the reproduction | regeneration condition list | wrist in the 4th-8th embodiment of this invention. The figure which shows the example of the reproduction conditions for every content in the 4th-8th embodiment of this invention. The figure which shows the example of the reproduction conditions which the receiving terminal in the 4th-8th embodiment of this invention acquires. The figure which shows the example of the data format of the video recording control service information in 4th-5th, 8th embodiment of this invention. The flowchart which shows the procedure of the content selection in the 4th-8th embodiment of this invention. The figure which shows the example of the video recording reservation management list in the 4th-8th embodiment of this invention. The figure which shows the example of the stored content management list in the 4th-8th embodiment of this invention. Overall configuration diagram of the fifth embodiment of the present invention Recording control service provider internal configuration diagram in the fifth embodiment of the present invention Receiving terminal internal configuration diagram in the fifth embodiment of the present invention Sales organization internal block diagram in the 5th Embodiment of this invention Overall configuration diagram of the sixth embodiment of the present invention Broadcaster internal configuration diagram in the sixth to seventh embodiments of the present invention Service provider internal configuration diagram in the sixth embodiment of the present invention Receiving terminal internal configuration diagram in the sixth embodiment of the present invention The figure which shows the example of the data format of the video recording control information in the 6th Embodiment of this invention The figure which shows the example of the data format of the reproduction conditions in the 6th Embodiment of this invention Overall configuration diagram of the seventh embodiment of the present invention Receiving terminal internal configuration diagram in the seventh embodiment of the present invention Overall configuration diagram in the eighth embodiment of the present invention Content provider internal configuration diagram in the eighth embodiment of the present invention Receiving terminal internal configuration diagram in the eighth embodiment of the present invention Internal configuration diagram of license business according to the eighth embodiment of the present invention The figure which shows the example of the data format of the video recording control service information in the 8th Embodiment of this invention The figure which shows the example of the data format of the license ticket in the 8th Embodiment of this invention. The block diagram which shows the whole structure of the link information authentication system which concerns on the 9th Embodiment of this invention The block diagram which shows the content provision apparatus with which the broadcaster of the link information authentication system which concerns on the 9th Embodiment of this invention comprises The block diagram which shows the link information provision apparatus with which ISP of the link information authentication system which concerns on the 9th Embodiment of this invention comprises The block diagram which shows the link information authentication apparatus with which the receiver of the link information authentication system which concerns on the 9th Embodiment of this invention comprises In the link information authentication system according to the ninth exemplary embodiment of the present invention, the processing in the content providing apparatus and the link information providing apparatus until the broadcaster signs the link information generated by the ISP is described. Sequence chart In the link information authentication system according to the ninth embodiment of the present invention, the link information authentication apparatus receives content and a public key certificate from a broadcaster, and displays link information that can be displayed simultaneously with reproduction of content from the ISP. Sequence chart for explaining processing in content providing device, link information providing device, and link information authenticating device until search In the link information authentication system according to the ninth exemplary embodiment of the present invention, the link information authentication apparatus displays the link information authenticated by verifying the signature of the link information simultaneously with the reproduction of the content, and the link destination of the link information Sequence chart for explaining processing in the link information providing device and the link information authentication device until access to the network The figure which shows the example of data described in the link information of the link information authentication system which concerns on the 9th Embodiment of this invention The figure which shows an example of the relationship of the content of the link information authentication system which concerns on the 9th Embodiment of this invention, SI of content, link information, and a public key certificate The figure which shows another example of the relationship of content, SI of content, link information, and a public key certificate of the link information authentication system which concerns on the 9th Embodiment of this invention. The figure which shows the whole structure in the case of using the certificate authority of the link information system which concerns on the 9th Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Metadata transmission apparatus 2 Metadata access control information transmission apparatus 3 Content transmission apparatus 4 Receiving apparatus 5 Distribution path 11 Metadata production | generation means 12 Metadata verification information addition means 21 Metadata access control information generation apparatus 22 Metadata access control information verification Information adding means 31 Content generating means 32 Content verification information adding means 41 Metadata verifying means 42 Metadata access control information verifying means 43 Content verifying means 44 Metadata determining means 45 Metadata using means 46 Content using means 101, 201, 301, 401 Broadcasting company 102, 202, 302, 502 Recording control service provider 103, 203, 303, 402, 503 Receiving terminal 111 Content management means 112, 312 Content broadcasting means 113 Recording Information acquisition means 114, 314 Playback condition management means 115, 311 Signature means 116 Service information transmission means 121 Viewing history collection means 122 Viewing history analysis means 123 User management means 124 Personal attribute data transmission means 125 Recording control information creation means 126, 321 Recording control information transmitting means 127 Service information receiving means 128 Service information transmitting means 131 Viewing history transmitting means 132 Viewing history holding means 133 Personal attribute data receiving means 134 Personal attribute data holding means 135 Service information receiving means 136 Certificate holding means 137 Signature verification Means 138 Content selection means 139 Content reception means 140 Content management means 141 Content display means 142 Content playback means 143 User recording reservation holding means 144 Certificate management means 2 4 Sales Operator 221 Service Information Encryption Processing Means 222 Encryption Key Transmission Means 231 Restoration Key Receiving Means 232 Restoration Key Holding Means 233 Service Information Restoration Processing Means 241 Encryption Key Receiving Means 242 Key Holding Means 243 Restoration Key Sending Means 313, 322 Signed recording control information transmitting means 321 Signed recording control information receiving means 331 Recording control information receiving means 332 Broadcast receiving means 501 Content provider 504 License provider 511 Content encryption means 512 License transmitting means 531 License ticket receiving means 531 541 License receiving means 542 License holding means 543 License ticket sending means 206, 303, 408 Communication means 300 Link information providing device 301 Link information generating means 302, 405 Link information manager 304 Web service providing unit 400 link information authentication device 401 broadcast receiving unit 402 the content reproducing unit 404 signature verification unit 406 link information retrieval means 407 link information display means 409 Web service display unit 1104 certification authority

Claims (62)

Metadata verification means for acquiring metadata describing control information for at least content and identifying the metadata;
Content verification means for acquiring content and identifying content;
Metadata access control information verifying means for securely acquiring metadata access control information describing the correspondence of information specifying metadata to information specifying the content, and specifying metadata access control information;
Based on the metadata access control information, metadata determining means for determining whether or not the content can be controlled by metadata from the information specifying the content and the information specifying the metadata;
A content receiving apparatus comprising: content use means for using content using the metadata based on whether the metadata determination means is acceptable. The metadata determination means includes
The information specifying the content is content provider information, the information specifying the metadata access control information is provider information of the metadata access control information, and providing the content specified by the content verification unit And the provider information of the metadata access control information specified by the metadata access control information verification means are the same, and
When the metadata access control information describes the correspondence between the information specifying the content to be controlled and the information specifying the metadata describing the control for the content,
The content receiving apparatus according to claim 1, wherein whether to control the content by the metadata is determined.   2. The content receiving apparatus according to claim 1, wherein the metadata verification unit acquires the metadata transmitted through a broadcast path or an encrypted broadcast path.   4. The content receiving apparatus according to claim 3, wherein the metadata verification unit specifies the metadata based on information described in the metadata.   4. The content receiving apparatus according to claim 3, wherein the metadata verification unit specifies the metadata based on information combined with the metadata by digital watermarking.   4. The content receiving apparatus according to claim 3, wherein the metadata verification unit specifies the metadata based on information describing a transmission path attribute transmitted through a broadcast path separately from the metadata.   2. The content according to claim 1, wherein the metadata verification unit acquires the metadata transmitted by encrypted two-way communication, and identifies the metadata based on information described in the metadata. Receiver device.   The metadata verification means acquires the metadata transmitted by encrypted two-way communication, and uses a server certificate used in encrypted two-way communication, or information described in the server certificate The content receiving apparatus according to claim 1, wherein the metadata is specified by:   The metadata verification unit obtains encrypted metadata, decrypts it with a decryption key included in license information that can be decrypted only with a unique key unique to the receiver, and describes the decrypted metadata. The content receiving apparatus according to claim 1, wherein metadata is specified from the stored information.   3. The content receiving apparatus according to claim 2, wherein the metadata verification unit specifies metadata by metadata provider information or an identifier for uniquely identifying metadata.   2. The content reception according to claim 1, wherein the metadata verification unit specifies the metadata based on a certificate that can verify a signature attached to the metadata, or information described in the certificate. apparatus.   12. The content reception according to claim 11, wherein the information described in the certificate is an identifier for uniquely identifying a certificate, an identifier for uniquely identifying an owner, or a unique owner name. apparatus.   2. The content verification unit according to claim 1, wherein the content verification unit acquires content transmitted through a broadcast route, and specifies the content based on information for specifying content transmitted through the broadcast route separately from the content. Content receiving device.   14. The content receiving apparatus according to claim 13, wherein the information specifying the content is an identifier for uniquely identifying the content or content provider information.   The content verification means acquires the content transmitted through an encrypted broadcast path, and decrypts the content with information included in license information including a key for decrypting the content, which is decrypted with a unique key of the receiver. The content receiving apparatus according to claim 1, wherein:   16. The content receiving apparatus according to claim 15, wherein the information for specifying the content is an identifier for uniquely identifying the content, content provider information, or a content key for decrypting the content.   The content receiving apparatus according to claim 1, wherein the content verification unit specifies content based on information combined with the content.   The content receiving apparatus according to claim 17, wherein the information combined with the content is information combined with the content by being multipartified.   18. The content receiving apparatus according to claim 17, wherein the information combined with the content is information embedded with a digital watermark.   18. The content receiving apparatus according to claim 17, wherein the information combined with the content is information described in a content data header.   18. The content receiving apparatus according to claim 17, wherein the information specifying the content is an identifier for uniquely identifying the content or content provider information.   The content verification means acquires the content transmitted by encrypted two-way communication, and uses the server certificate used in the encrypted two-way communication or the content described in the server certificate. The content receiving apparatus according to claim 1, wherein:   The content verification means obtains encrypted content, decrypts it with a decryption key included in license information that can be decrypted only with a unique key unique to the receiver, and creates content from the information described in the license information. The content receiving apparatus according to claim 1, wherein:   25. The content receiving apparatus according to claim 24, wherein the information specifying the content specifies content by content provider information, an identifier for uniquely identifying the content, or the decryption key.   The content receiving apparatus according to claim 1, wherein the content verification unit specifies the content based on a certificate that can verify a signature attached to the content, or information described in the certificate.   The content reception according to claim 25, wherein the information described in the certificate is an identifier for uniquely identifying the certificate, an identifier for uniquely identifying the owner, or a unique owner name. apparatus.   The metadata access control information verification means obtains the metadata access control information transmitted through a broadcast path or an encrypted broadcast path, and provides metadata access control information from information transmitted through the same transmission path The content receiving apparatus according to claim 1, wherein person information is specified.   28. The content reception according to claim 27, wherein the metadata access control information verification unit specifies provider information of the metadata access control information based on information described in the metadata access control information. apparatus.   The metadata access control information verification means identifies provider information of the metadata access control information based on information describing attributes of a transmission path that is transmitted through a broadcast path separately from the metadata access control information. 28. The content receiving apparatus according to claim 27.   The metadata access control information verification means acquires the metadata access control information transmitted through the encrypted broadcast path, and decrypts the metadata access control information that is decrypted with the unique key of the receiver. The content receiving apparatus according to claim 1, wherein provider information of metadata access control information is specified by information included in license information including a key.   The content verification unit obtains the content transmitted through the encrypted broadcast path, and the metadata access control information verification unit decrypts the content by using a unique key of the receiver. The content receiving apparatus according to claim 1, wherein provider information of metadata access control information is specified by information included in the included license information. The content verification means acquires the content transmitted through an encrypted broadcast path,
The metadata access control information verification means obtains metadata access control information described in information included in license information including a key for decrypting content, which is decrypted with a unique key of the receiver. The content receiving apparatus according to claim 1, wherein: The metadata access control information verification means is the metadata access control transmitted by the encrypted two-way communication with the carrier specified by the carrier information held as the carrier trusted by the receiver. Get information,
The content receiving apparatus according to claim 1, wherein provider information of metadata access control information is specified by the provider information. The content verification means acquires encrypted content,
The metadata access control information verification means obtains metadata access control information described in information included in license information that includes a content decryption key and can be decrypted only by a unique key unique to the receiver. The content receiving apparatus according to claim 1.   35. The content receiving apparatus according to claim 34, wherein the metadata access control information is a correspondence between a decryption key of the content and information for specifying metadata.   2. The content receiving apparatus according to claim 1, wherein the metadata access control information verifying unit acquires metadata access control information combined with the content.   37. The content receiving apparatus according to claim 36, wherein the information combined with the content is information combined with the content by being multipartified.   The content receiving apparatus according to claim 36, wherein the information combined with the content is information embedded with a digital watermark.   The metadata access control information verification unit obtains metadata access control information transmitted within the time when the content is transmitted through the same transmission path as the content, thereby associating the content with the metadata. The content receiving apparatus according to claim 1, wherein:   40. The content receiving apparatus according to claim 39, wherein the metadata access control information is a certificate specifying metadata or information specifying metadata described in the certificate.   The content reception according to claim 40, wherein the information described in the certificate is an identifier that uniquely identifies the certificate, an identifier that uniquely identifies the owner, or a unique owner name. apparatus.   The content reception according to claim 1, wherein the metadata includes at least content playback control information, and the use of the content is playback of content in accordance with the playback control information described in the metadata. apparatus.   The reproduction control information is segment metadata and segment group metadata, and the use of the content is content reproduction control according to the segment metadata and segment group metadata. 42. A content receiving apparatus according to 42.   The content receiving apparatus according to claim 1, wherein the metadata includes at least content storage control information, and the use of the content is content storage according to the storage control information.   The metadata includes at least content storage control information and playback control information for the storage-controlled content. Usage of the content refers to content storage according to the storage control information and playback of the content. The content receiving apparatus according to claim 1, wherein reproduction control is performed.   46. The content receiving apparatus according to claim 45, wherein the reproduction control information is information that permits reproduction of the content only during a period other than between a specific start time and an end time every day.   46. The content receiving apparatus according to claim 45, wherein the reproduction control information is information that permits only reproduction that prohibits skipping of a CM included in the content during content reproduction.   46. The content receiving apparatus according to claim 45, wherein the reproduction control information is information that permits reproduction of the content only for a predetermined period after the content is acquired. The metadata includes at least link information for switching a screen to other information at the time of reproducing the content,
The content receiving apparatus according to claim 1, wherein use of the content is a screen switching to the other information according to the link information when the content is reproduced.   The metadata includes at least link information for switching a screen to other information at the time of playing the content, and the use of the content displays the link information at the time of playing the content according to the link information. The content receiving apparatus according to claim 1.   51. The content receiving apparatus according to claim 50, wherein displaying the link information includes displaying at least data referred to by information described in the link information.   51. The content receiving apparatus according to claim 50, wherein the link information is content information.   51. The content receiving apparatus according to claim 50, wherein the link information is transmitted through a transmission path different from the content transmission path.   51. The content receiving apparatus according to claim 50, wherein the link information includes still image data or moving image data used for displaying link information. Verifying metadata describing control information for at least the received content;
Verifying the content;
Verifying the metadata access control information for controlling the access from the metadata to the content by defining the relationship between the content provider and the metadata publisher;
Determining whether or not the content can be controlled by the metadata based on the metadata verification result, the metadata access control information verification result, the content verification result, and the content of the metadata access control information. A metadata access control method characterized by the above.   Whether or not control by metadata is possible can be confirmed that the content provider and the issuer of the metadata access control information are the same, and the metadata access control information permits the control by the metadata to the content. 56. The metadata access control method according to claim 55, wherein the metadata access is determined to be metadata permitted by the content provider.   56. The determination as to whether or not metadata control is possible is that the metadata access control information issuer is determined to be metadata permitted by the content provider when the trust can be confirmed by the content provider. Metadata access control method. Metadata generation means for generating at least metadata describing control information for content, and metadata verification information addition for providing verification information for verifying information for identifying a metadata issuer or content by the receiving device A metadata transmission device comprising means;
Metadata access control information generating means for generating metadata access control information for defining the relationship between content and metadata and describing whether or not the content can be controlled by the metadata, and the receiving device controls the metadata access control Metadata access control information for providing metadata access control information with verification information for verifying at least one of identification information of information metadata, issuer information, acquisition destination information, or that the metadata has not been tampered with A metadata access control information transmitting device comprising verification information adding means;
A content transmission device comprising: content generation means for generating content; and content verification information adding means for giving information for verifying at least one of content identifier information, issuer information, and acquisition destination information by the receiving device When,
Metadata verification means for verifying the metadata, metadata access control information verification means for verifying the metadata access control information, content verification means for verifying the content, and whether the metadata can be used A content receiving device comprising metadata determination means for determining the metadata verification result using the content verification result and the metadata access control information;
A metadata access control system comprising:   The metadata determination unit of the content receiving apparatus confirms that the content providing source and the issuer of the metadata access control information are the same, and access to the content from the metadata is permitted by the metadata access control information. 59. The metadata access control system according to claim 58, wherein the metadata is determined as metadata permitted by the content provider.   The metadata determination unit of the content receiving apparatus confirms that the issuer of the metadata access control information is trusted by the content provider, and the access from the metadata to the content is permitted by the metadata access control information. 59. The metadata access control system according to claim 58, wherein the metadata is determined to be permitted by the content provider. The metadata generation means for generating the metadata and the receiving apparatus verify the metadata access control information that describes whether or not the content can be controlled by the metadata by defining the relationship between the content providing source and the metadata issuing source. A metadata transmission device comprising metadata access control information adding means for providing information for
A content transmission device comprising: content generation means for generating content; and content verification information adding means for giving information for the reception device to verify the content;
Metadata access control information verification means for verifying the metadata access control information, content verification means for verifying content, whether or not metadata can be used, the metadata verification result, the content verification result, and the metadata A metadata access control system comprising: a content receiving device provided with metadata determination means for determination using access control information. A metadata transmitting device comprising metadata generating means for generating metadata, and metadata verification information adding means for giving verification information for the receiving device to verify the metadata;
Content generation means for generating content, and metadata access control information generation for generating metadata access control information for controlling access from metadata to content by defining the relationship between the content provider and the metadata issuer A content transmission apparatus comprising: means; and metadata access control information verification information adding means for combining the metadata access control information with the content;
Content reception means comprising content verification means for verifying content, and metadata determination means for determining whether or not the content can be controlled by metadata using the metadata verification result, the content verification result and the metadata access control information A metadata access control system comprising a device.