JP2009081560A - Signature verifying method, stream generating method, reception device, and stream transmission device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a stream authentication/verification technique (device, method) for authenticating/verifying the whole stream. <P>SOLUTION: A reception device 100A includes a reception unit 110 which receives a transport stream with a signature and a packet for verification for verifying the signature, a generation unit 120A which generates a hash value from TSPs in a section between received verification packets, a counter unit 125 which counts the number of TSPs used for generating a hash value in the section between the received verification packets, a collation unit 142 which collates a hash value as signature information of a verification packet with the generated hash value, and a processing unit 144A which excludes the section between the verification packets from a signature verification section in the case that the number of packets counted in the section between the verification packets does not match the number of the packets, used for the hash generation, included in the verification packet when the verification packet hash value and generated hash value result in not being equal to each other. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a signature verification method, a stream generation method, a reception apparatus, and a stream transmission apparatus, and more particularly, to a signature verification technique for appropriately authenticating / verifying an entire stream.

  Conventionally, content such as television and radio has been broadcast / transmitted in an analog format. However, with the recent development of digital technology, content and service data have been digitized, and content and service have been broadcast in the form of digital data. Furthermore, terrestrial digital broadcasting has been put into practical use, and one-segment broadcasting, which is digital broadcasting for mobile terminals, has started.

  In such digital broadcasting, not only normal video and audio services (contents) but also services such as captions and data for data broadcasting (content-attached information) are broadcast. Such content and content-attached information are packetized and broadcast as a series of packets by streaming. In particular, since terrestrial digital broadcasting (including one-segment broadcasting) is transmitted using radio waves, when an attacker transmits an illegal broadcast wave as a jamming radio wave on the same channel, a general viewer The digital broadcast receiving terminal used by can not distinguish between a broadcast wave by a regular broadcast station and an illegal broadcast wave by an attacker. FIG. 13 schematically shows a situation when, for example, illegal broadcasting is performed in a conventional system. As shown in FIG. 13A, a receiving terminal in an environment where the attacker's unauthorized broadcast wave is stronger than the regular broadcast wave regards the unauthorized broadcast wave as a regular broadcast wave. I receive it. Accordingly, as shown in FIG. 13B, the viewer views the video and audio based on the illegal broadcast wave without realizing it, and the information on the video and audio is correct. There is a risk of recognition. In the case of one-segment broadcasting, it is expected that transmission devices such as relay devices and gap fillers for difficult viewing areas in urban areas such as underground shopping centers and indoors are expected. Furthermore, in the case of one-segment broadcasting, a small transmission device has been developed that performs independent broadcasting for a narrow reception area in a store or commercial facility. In such a receiving device that receives broadcast waves from various types of transmission devices, whether or not the received broadcast wave is a broadcast wave from a regular broadcast station, or a reliable business operator If there is a function for discriminating whether or not the broadcast wave is from, it is convenient for the user, but such a mechanism and technology have not been developed.

  As described above, improper broadcasting may cause problems such as spoofing to a legitimate broadcasting station, data falsification, and guidance to a malicious site (phishing fraud). In particular, for data such as caption broadcasting and data broadcasting, information important for economic activities (names, specifications and prices of products sold by TV / radio shopping, or economic indicators such as stock prices and economic statistics) is distributed. The As a result, various economic activities are often carried out between viewers and companies, and it is very important to guarantee the legitimacy and reliability of the content of broadcast waves (ie, the non-falsification of content and content-attached information). Is important to. For example, since data broadcasting is broadcast in BML (Broadcast Markup Language), a script written in BML causes a command to jump to a link destination URL unrelated to broadcasting or a command to start an unnecessary application. May be replaced with malicious code. It is also very important to prevent such an operation different from the original operation.

  Therefore, in order to guarantee the legitimacy and safety of the broadcast wave, authentication information is derived from each packet, each derived authentication information is added to each packet, and the content is authenticated on the receiving side in units of packets. There has been proposed a message authentication device that confirms that the message has not been tampered with (see Patent Document 1).

FIG. 14 shows a technique for adding a hash value to a packet of the stream transfer method according to the conventional technique. As shown in FIG. 14A, the transfer method packet does not include information for authentication, and the non-tampering property cannot be proved. For example, as shown in FIG. 14B, there is a conventional technique in which a hash value is calculated from a message of each packet using a hash function, and the calculated hash value is added to the packet used for the hash calculation.
JP 2001-251296 A

  The above-described prior art can authenticate individual packets, but cannot authenticate the entire packet stream (that is, a series of packets).

  Furthermore, when using wireless transmission such as terrestrial digital broadcasting when authenticating the entire stream, the radio wave propagation environment is often poor, and in such cases communication errors such as packet loss occur frequently, so this There is a high possibility that authentication processing cannot be performed due to such frequent packet loss. In particular, in the broadcast / multicast wireless transmission path, the packet loss is not retransmitted even though the probability of packet loss is greatly increased, and authentication processing cannot be performed. Therefore, in order to put message authentication into practical use in an environment where there are many packet losses, such as wireless communication, a technique for improving resistance to reception errors represented by packet loss is also required.

  An object of the present invention is to provide a stream authentication / verification technique (apparatus, method) that properly authenticates / verifies the entire stream.

In order to solve the above-described problems, the receiving device according to the first invention provides:
A receiving unit that receives a signed transport stream and a verification packet (VP: Verification Packet) for verifying the signature of the transport stream;
A generating unit that generates a hash value from a transport stream packet in a section between the verification packet and another verification packet received by the reception unit;
A counter unit that counts the number of transport stream packets (count value c) used to generate a hash value in a section between the verification packet and another verification packet received by the reception unit;
A collation unit that collates a hash value as signature information included in the verification packet with the generated hash value;
As a result of the collation by the collation unit, when the hash value as signature information included in the verification packet and the generated hash value do not match, in a section between the verification packet and the other verification packet, The number of packets counted by the counter unit (the number of packets used for generating the hash value in the section) and the section between the verification packet and the other verification packet included in the verification packet When the number of packets used for hash generation in (i.e., the number of packets that should exist in the section) does not match, a processing unit that excludes the section from the signature verification section;
It is characterized by comprising.

The receiving apparatus according to the second invention is
When the hash value as the signature information and the generated hash value do not match as a result of the verification by the verification unit, the processing unit of the packet used to generate the hash value counted by the counter unit When the number (count value c) matches the number of packets used for hash generation (n) included in the verification packet, the section is determined to be an illegal section.
It is characterized by that.

A receiving device according to a third invention is
When content or service is output using a transport stream packet in a section excluded from the signature verification section, output of the content or service is performed based on a signature verification result before and / or after the excluded section. A control unit that controls (for example, stops or outputs a subtitle according to the verification result);
It is characterized by further comprising.

  As described above, the solution of the present invention has been described as an apparatus. However, the present invention can be realized as a method, a program, and a storage medium storing the program, which are substantially equivalent to these. It should be understood that these are also included.

For example, the signature verification method according to the fourth aspect of the present invention realized as a method is as follows:
Receiving a signed transport stream and a verification packet for verifying the signature of the transport stream;
Generating a hash value from a transport stream packet in a section between the verification packet and another verification packet received by the reception step;
Counting the number of transport stream packets received by the receiving step used for generating a hash value of a section between the verification packet and another verification packet;
A collation step of collating a hash value as signature information included in the verification packet with the generated hash value;
As a result of the collation in the collation step, when the hash value as signature information included in the verification packet and the generated hash value do not match, in the section between the verification packet and the other verification packet, When the number of packets counted by the counter unit and the number of packets used for hash generation in the section between the verification packet and the other verification packet included in the verification packet do not match, A processing step of excluding the section from the signature verification section;
It is characterized by having.

Although the present invention has been described as a receiving apparatus on the receiving side and a method in the receiving apparatus, the present invention may be configured as a transmitting apparatus on the transmitting side or a method in the transmitting apparatus. For example, the stream transmitting apparatus according to the fifth invention is:
A generation unit for generating a hash value as signature information;
A stream generation unit that generates a stream by arranging a verification packet including the hash value as the generated signature information and the number of transport stream packets used to generate the hash value in a transport stream;
A transmission unit that sequentially transmits packets included in the generated stream;
It is characterized by comprising.

A stream generation method according to the sixth invention is:
A generation step for generating a hash value as signature information;
A stream generation step of generating a stream by arranging a verification packet including the hash value as the generated signature information and the number of transport stream packets used to generate the hash value in a transport stream;
A transmission step of sequentially transmitting packets included in the generated stream;
It is characterized by having.
It should be noted that arithmetic means (a processor such as a CPU, DSP, or MPU) can be used as necessary for calculation or processing of each step.

  According to the present invention, the entire stream can be properly authenticated.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The present invention can be applied regardless of whether the transmission path of the packet (broadcast wave) is wired or wireless, but packet loss is likely to occur, and one that uses the wireless transmission path that will most enjoy the advantages of the present invention. A description will be given in a mode applied to the segment broadcasting system. Typical examples of a receiving apparatus having a one-segment broadcast receiving function are a mobile phone terminal and a notebook personal computer.

  FIG. 1 is a block diagram showing a basic configuration of a receiving apparatus according to an embodiment of the present invention. As shown in the figure, the receiving device 100 includes an antenna ANT1, a receiving unit 110, a hash value calculation unit (generation unit) 120, a packet processing unit 130, an authentication unit 140, a control unit 150, a memory 160, an output unit 170, and A decoder 180 is provided. The antenna ANT1 receives a broadcast wave including a packet and supplies the received broadcast wave to the receiving unit 110. The receiving unit 110 converts a transport stream (TS) signal (TS packet and verification packet) obtained by performing signal processing (such as OFDM demodulation processing) from the received broadcast wave to a hash value calculation unit 120, a packet processing unit 130, and Supply to the memory 160. The memory 160 stores TS packets.

  Further, the receiving unit 110 separates and analyzes information for specifying content (for example, program specifying information PSI storing the program association table PAT and the program map table PMT) from the received transport stream. Then, based on the information, the video signal, the audio signal, and the data signal are separated from the transport stream. The decoder 180 decodes audio packets, video packets, data broadcast packets, and the like stored in the memory 160 and supplies them to the display unit 172 and the speaker 174 provided in the output unit 170.

  The packet processing unit 130 extracts a verification packet (VP packet) from the TS signal, and serves as signature information for a series of TS packets that are included in the verification packet and exist in a section [VP-VP] between the verification packets. A hash value H is acquired, and the acquired hash value H is stored in the memory 160. The hash value calculation unit 120 reads one TS packet at a time from the beginning of a series of TS packets after the verification packet, and uses this one TS packet and the calculated hash value h in a chain to obtain a predetermined function. The hash value as signature information is generated / calculated (the details of the generation method will be described later), and the generated hash value h is supplied to the authentication unit 140. The hash value calculation unit 120 repeats the same hash value calculation process every time a new verification packet is received.

  The authentication unit 140 includes a verification unit 142 and a processing unit 144. The collation unit 142 collates whether or not the hash value H as the signature information included in the next verification packet matches the generated hash value h. The decoder 180 decodes audio packets, video packets, data broadcast packets, and the like stored in the memory 160 and supplies them to the display unit 172 and the speaker 174 provided in the output unit 170. If the hash value H as the signature information included in the next verification packet does not match the generated hash value h as a result of the collation by the collation unit 142, the processing unit 144 determines that the section is an illegal section. Then, the determination result (collation result) is supplied to the control unit 150.

  The control unit 150 controls the supply of data to the output unit 170 and the decoder 180. Based on the determination result supplied from the authentication unit 140, the control unit 150 stops the output of the content or service using the transport stream packet of the section determined to be an unauthorized section, or indicates that the section is an unauthorized section. The display unit 172 and the speaker 174 are controlled so as to output by adding a character, superimpose and output a character to that effect, or output a sound indicating that.

  FIG. 2 is a block diagram showing a basic configuration of a transmission apparatus according to an embodiment of the present invention. As shown in the figure, the transmission apparatus 200 includes a hash value calculation unit (generation unit) 210, a stream generation unit 220, a transmission unit 230, a counter unit 240, a memory 250, and an antenna ANT2. The transmission device 200 receives an original message (original series of TS packets) to be transmitted from a higher-level device (such as a content server) via a wired connection or the like. For example, the hash value calculation unit 210 starts from the head of the “series of packets” between the first null packet and the second null packet that is one or more after that (that is, the second and subsequent null packets). , TS packets are read one by one, and the hash value h as signature information is calculated using a predetermined hash function using the one TS packet and the calculated hash value in a chain. The hash value calculated using the message of the last TS packet in the section and the previously calculated hash value h is set as a hash value H as signature information. The counter unit 240 counts the number of packets processed in the series of packets described above, and stores the counted value in the memory 250.

  The stream generation unit 220 generates a verification packet including a hash value H as signature information for a preceding series of packet sections, and replaces the above-described null packet with this verification packet. The null packet is inserted into the stream to some extent periodically for timing. In this embodiment, the null packet is replaced with a verification packet, and the information (hash value H) for signature is received by the receiver. To communicate.

  In this way, the stream generation unit 220 arranges the verification packet including the hash value H as signature information for authenticating the message in the section between the verification packets after the series of transport stream packets. Accordingly, the stream generation unit 220 generates a stream in the order of a verification packet, a series of transport stream packets, and a verification packet. The generated stream is sent out as a broadcast wave from the antenna ANT2 after the transmission unit 230 performs necessary processing such as modulation processing.

FIG. 3 is a flowchart showing an example of a signature verification method executed by the receiving apparatus of FIG. First, the hash value calculation unit 120 selects a verification packet in step J11, and then starts loop 1 (steps J13 and J14). Next, in step J13, from the TS packet message m (payload) and the previous hash value h0 (null at the first execution) until the end condition of step J14 is satisfied, that is, until the next verification packet is received. The hash value h is generated from all the received TS packets using the following predetermined hash function f.
h = f (m, h0)

  When the next verification packet is received and the loop 1 is finished, the packet processing unit 130 acquires the hash value H as signature information stored in the next verification packet and stores it in the memory 160 in step J15. To do. In step J16, the collation unit 142 in the authentication unit 140 collates whether or not the hash value H as the signature information acquired from the verification packet matches the hash value h generated by the hash value calculation unit 120. . If the acquired hash value H and the generated hash value h match, the processing is completed assuming that the signature information has been successfully authenticated. Under the control of the control unit 150, the TS packet in the relevant section is normally transmitted by the decoder 180. Decoded and output by the output unit 170. If H and h do not match, the process proceeds to step J17, the collation unit 142 regards the section as an illegal section, and the control unit 150 does not output the content received in the section so that the decoder 180 and The output unit 170 is controlled.

  FIG. 4 is a flowchart showing an embodiment of the stream generation method executed by the transmission apparatus of FIG. This is an embodiment in which a hash value H is obtained from all TS packets in the signature verification section, and this is included in a stream for transmission. As shown in the figure, in step K11, from the original message (original series of TS packets) received by the network unit (not shown) provided in the transmitting apparatus 200 from the higher-level apparatus (content server or the like), the first A section between a null packet and a second null packet that is one or more after that (ie, the second and subsequent null packets) is set as a signature verification section.

  Next, in step K12, the hash value calculation unit 210 uses a predetermined hash function as signature information from all the series of packets in this signature verification section (except for null packets in the section). A hash value H is calculated. In step K13, the stream generation unit 220 creates a verification packet including the obtained hash value H. Next, in step K14, the stream generation unit 220 replaces the null packet at the end point (or the start point) of the section with the generated verification packet, so that a series of TS packets and the verification packet in the signature verification section Generate a series of streams consisting of Finally, in step K15, the transmission unit 230 sequentially transmits (broadcasts) the packets included in the generated series of streams. Note that data and information created and generated in each block in the transmission apparatus 200 are temporarily stored in the memory 250 as necessary, and similarly, stored data and information are read out as necessary. To do.

  The transmission process of the transmission apparatus 200 illustrated in FIG. 2 will be described with reference to FIG. FIG. 5 is a diagram for explaining a technique (on the transmission device side) for calculating a hash value from a transport stream (TS) including a null (NULL) packet in the transmission device 200.

  As shown in the upper part of FIG. 5, the original message (original TS packet) includes packets P0 (null packet), P1 (PID = A), P2 (PID = B), P3 (PID = C), P4 (PID = A), P5 (null packet), and P6 (PID = A) in this order. Here, PID = A is a video signal, PID = B is an audio signal, and PID = C is a packet identifier indicating a data broadcast signal. The hash value calculation unit 210 of the transmission apparatus 200 generates a hash value by using the packets P1-P4 that are TS packets in the signature verification section [P1-P4] in a chain. First, as shown in the lower part of FIG. 5, a 16-byte hash value h1 is generated from a message (184 bytes) stored in the payload portion of the packet P1 (PID = A) using a predetermined hash function. To do. Next, the hash value h2 is generated from the hash value h1 and the message m1 (184 bytes) of the packet P2 (PID = B). Similarly, a hash value h3 is generated from the hash value h2 and the message m2 (184 bytes) of the packet P3 (PID = C), and further the message m3 (184 bytes) of the hash value h3 and the packet P4 (PID = A). From this, a hash value h4 is generated. Since all the packets in the section have been processed, the last hash value h4 is set as the final hash value H, and the packet P5 (null packet) is replaced with a verification packet (VP) including the hash value H. Then, these packets are transmitted (broadcast) as a stream.

  The stream reception process shown in FIG. 5 will be described with reference to FIG. FIG. 6 is a diagram for explaining a method (receiving device side) for calculating a hash value from a received transport stream (TS) message and verifying the validity of the message in the receiving device 100 of FIG. As shown in the figure, the hash value calculation unit 210 of the receiving apparatus 100 generates a hash value by using packets P1-P4 that are TS packets in the signature verification section [P1-P4] in a chain. First, a 16-byte hash value h1 is generated (calculated) from a message (184 bytes) stored in the payload portion of the packet P1 (PID = A) using a predetermined hash function. Next, a hash value h2 is generated (calculated) from the hash value h1 and the message m1 (184 bytes) of the packet P2 (PID = B). Similarly, a hash value h3 is generated (calculated) from the hash value h2 and the message m2 (184 bytes) of the packet P3 (PID = C), and further, the hash value h3 and the message m3 (packet P4 (PID = A)) of the message m3 ( Hash value h4 is generated (calculated) from (184 bytes). Since the hash value calculation unit 120 has processed all the packets in the section, the hash value calculation unit 120 sets the last hash value h4 as the final hash value. The collation unit 142 acquires the hash value H as signature information stored in the packet P5 (verification packet VP) following the signature verification section from the memory 160. Then, the collation unit 142 collates the calculated hash value h4 with the hash value H of the verification packet P5. In accordance with the collation result of the collation unit 142, the control unit 150 controls the output of content and services in the signature verification section.

  Thus, in this embodiment, since all TS packets (4) in the section are used as the hash value generation source, the same number of hash calculations as the number of TS packets are performed, and the stream calculation is performed. Authentication processing as a whole is possible. However, in the method of FIG. 5, there may be a case where it becomes inconvenient when a packet loss occurs. Such a case will be described with reference to FIG.

  FIG. 7 is a diagram for explaining a case where packet loss cannot be dealt with by the methods shown in FIGS. FIG. 7A shows an authentication process on the receiving apparatus side when a packet loss occurs, and FIG. 7B shows an authentication process on the receiving apparatus side when a packet is tampered. As shown in FIG. 7A, when the packet P3 is lost due to packet loss and cannot be received, four hashes are used by chaining P1 to P4 packets in the signature verification section [VP-VP]. Although it should be calculated, only “3 times” hash calculation using three packets is performed. The hash value h3 is finally output by the three hash calculations, and the hash value h3 and the hash value H stored in the packet P5 are collated, but they do not match and authentication fails.

  On the other hand, in FIG. 7B, the packet P3 has been tampered with by the attacker, but the receiving apparatus normally receives even the tampered packet. Therefore, four hash calculations are performed using four packets. Then, the hash value h4 is finally output by this “four times” hash calculation, and this hash value h4 and the hash value H stored in the packet P5 are collated. It becomes.

  Thus, the case of FIG. 7A is an authentication failure due to packet loss, and the case of FIG. 7B is an authentication failure due to packet tampering. In the processing shown, this cannot be distinguished, and the section is uniformly processed as an illegal section.

  In the case of FIG. 7A, there is a low possibility that an illegal broadcast wave by an attacker is a cause, and it is considered that a packet loss is a cause. In particular, when a wireless path is used for packet transmission, packet loss occurs frequently. If such a packet loss is uniformly determined as an illegal broadcast by an attacker, there is a disadvantage that there are only a few sections that can be displayed as a normal broadcast to the user. A configuration for determining such packet loss and improving usability is shown in FIG.

  FIG. 8 is a block diagram illustrating a basic configuration of a receiving apparatus that determines packet loss and improves usability according to an embodiment of the present invention. As illustrated, the receiving device 100A includes an antenna ANT1, a receiving unit 110, a hash value calculating unit (generating unit) 120A, a counter unit 125, a packet processing unit 130A, an authenticating unit 140A, a control unit 150A, a memory 160, and an output. A unit 170 and a decoder 180. The antenna ANT1 receives a broadcast wave including a packet and supplies the received broadcast wave to the receiving unit 110. The reception unit 110 converts a transport stream (TS) signal (TS packet and verification packet) obtained by performing signal processing (such as OFDM demodulation processing) on the received broadcast wave, to a hash value calculation unit 120A, a packet processing unit 130A, and Supply to the memory 160. The memory 160 stores TS packets.

  The packet processing unit 130A extracts the verification packet from the TS signal, and further stores it in the section [VP-VP] between the “current verification packet” and the “next received verification packet” stored in the verification packet. The number N of packets used for the included hash generation is acquired, and the acquired number N of TSPs (where N is an integer) is stored in the memory 160.

  The hash value calculation unit 120A sequentially acquires TS packets from a series of TS packets after the verification packet, generates a hash value using the acquired TS packets in a chain, and generates the generated hash value h to the authentication unit 140A. Supply. When receiving the verification packet, the counter unit 125 clears the counter with 0, increments by 1 each time one TS packet is selected, and stores the count value in the memory 160. The counter unit 125 counts the number of packets used for generating the hash value. Each time the hash value calculation unit 120A and the counter unit 125 receive a new verification packet, the same hash value calculation process and count process are repeated.

  The authentication unit 140A includes a verification unit 142 and a processing unit 144A. The collation unit 142 determines whether or not the hash value H as signature information included in the verification packet received next to the verification packet that triggers the hash calculation matches the generated hash value h. Collate. If the hash value H as the signature information included in the next verification packet does not match the generated hash value h as a result of the verification by the verification unit 142, the processing unit 144A determines that the verification packet and the next verification packet In the interval, the number c of packets counted by the counter unit 130 (that is, the number of packets used for generating the hash value in the interval) and the hash generation between the verification intervals [VP-VP] are used. When the number N of TSPs included in the verification packet does not match, it is considered that a packet loss has occurred, and the section is excluded from the signature verification section.

  The decoder 180 decodes audio packets, video packets, data broadcast packets, and the like stored in the memory 160 and supplies them to the display unit 172 and the speaker 174 provided in the output unit 170. When the hash value H as the signature information does not match the generated hash value h as a result of the verification by the verification unit 142, the processing unit 144A and the number c of packets counted by the counter unit 125, When the number of TSPs N matches, the section is determined to be an illegal section. The control unit 150A controls the output of the content or service in the unauthorized section by the output unit 170. For example, the control unit 150A performs control so that decoding of the section in the decoder 180 is stopped.

  Alternatively, when the content or service is output using the transport stream packet in the section excluded from the signature verification section, the control unit 150A performs the signature verification result by the authentication unit 140A in the section before and / or after the excluded section. To control the output of the content or service. For example, if the signature verification in the previous or subsequent section is normal, the control unit 150A considers that the hash value does not match due to the loss of the verification target packet in the excluded section, and outputs the content or service in the excluded section. . In addition, if the signature verification in the previous or subsequent section is abnormal (mismatch), the control unit 150A stops output in the excluded section. In addition, the control unit 150A stops the output of the excluded section, adds a caption indicating that there is a packet loss, outputs the superposed character to that effect, The display unit 172 and the speaker 174 are controlled so as to output sound indicating the above.

  FIG. 9 shows a block diagram of a transmission apparatus according to an embodiment of the present invention. Processing performed by the transmission apparatus 200A will be described with reference to FIG. FIG. 10 is a diagram for explaining a signature verification method (receiving device side) that detects a packet loss by newly including the number N of TSPs used for generating a hash value in a verification packet. As shown in (a) of FIG. 10, on the transmitting apparatus side, a packet P5 that is a verification packet after the signature verification section [P1-P4] between verification packets is created using all the packets in the section. The hash value H and the number of TSPs N = 4 used to generate the hash value in the section are included.

  FIG. 11 shows a flowchart of processing of the transmission apparatus 200A that generates and transmits a stream so that such packet loss can be determined. In order to correspond to the stream generation process of FIG. 11, the operations of the stream generation unit 220, the count unit 240, and the memory 250 of the transmission apparatus 200A of FIG. 9 are changed as follows. The count unit 240 counts the number of packets N used for generating the hash value in the section, and the counted number of packets N is stored in the memory 250. The stream generation unit 220 of the transmission device 200 </ b> A generates a stream in which the verification packet further includes the number N of packets used for packet generation in the section stored in the memory 250.

  As shown in FIG. 11, in step K21, a null part of an original message (original series of TS packets) received by a network unit (not shown) provided in transmitting apparatus 200A from a higher-level apparatus (content server, etc.) Based on this, a signature verification interval is set. At step K22, the hash value calculation unit 210A uses each packet in a chain from all the “series of TS packets” except the null packet in the signature verification section, and uses the predetermined hash function as signature information. The hash value H is calculated to generate a hash value. At this time, the counter unit 240 counts the number of packets every time one packet is processed. The counter unit 240 counts the number of packets used for generating the hash value. As described above, null packets are not counted.

  In this way, a hash value as signature information is generated from all TS packets in the signature verification section. In step K23, the stream generation unit 220 sets the value of the count value c after processing all the TS packets in the signature verification interval to the number N of TSPs used for generating the hash value in the interval. Then, a verification packet including the number N of TSPs and the generated hash value H is created.

  Next, in step K24, the stream generation unit 220 replaces the null packet at the end point of the section with the generated verification packet, so that a series of streams composed of a series of TS packets and verification packets in the signature verification section. Is generated. Finally, in step K25, the transmission unit 230 sequentially transmits (broadcasts) the packets included in the generated series of streams. Note that data and information created and generated in each block in the transmission apparatus 200 are temporarily stored in the memory 250 as necessary, and similarly, stored data and information are read out as necessary. To do.

  Returning to the description of FIG. 10, FIG. 10B shows authentication processing on the receiving device side when packet loss occurs. As shown in the figure, the packet P3 is a packet loss due to a communication error, and three hash calculations are performed using three packets. Therefore, even if the calculated hash value h3 is compared with H stored in the verification packet VP (packet P5), they do not match. For convenience of drawing, only one hash function is shown, but it should be noted that as described above, the hash calculation is performed by the same number as the received TS packets other than the null packet. Since the number of TSPs c used to generate the counted hash value is 3, and the number of TSPs N = 4 defined by the packet P5 which is a verification packet (VP), this is also inconsistent and packet loss occurs. It turns out that In such a case, it can be considered that the main cause of the hash value mismatch is packet loss.

  FIG. 10C shows authentication processing on the receiving apparatus side when the packet is tampered. As shown in the figure, the packet P3 is falsified, and four hash calculations are performed using four packets including the falsified packet. Therefore, even if the calculated hash value h4 is compared with H stored in the verification packet VP (packet P5), they do not match. In this case, since the TSP number c used for generating the counted hash value is 4, and the TSP number N = 4 defined in the packet P5, the TSP number c used for generating the counted hash value is Thus, it is found that the number of TSPs N defined in the packet matches, and no packet loss has occurred. In such a case, the hash value mismatch is completely caused by falsification, and it can be considered that an illegal broadcast wave is received.

  That is, in this configuration, it is possible to clearly distinguish between two types of authentication failure, authentication failure considered to be mainly caused by packet loss and authentication failure considered to be completely caused by tampering. When packet loss is the cause, it is preferable that the section is not determined to be illegal, but is simply excluded from the authentication section, and output control is performed based on the authentication result of the preceding section or the subsequent section. By controlling in this way, it is possible to reproduce / display broadcast content and services at a level that does not cause any problems in a wireless environment where the frequency of packet loss is high. Accordingly, the receiving apparatus can recognize the fact that “there is a packet loss and authentication failure” and recognize that “the cause of the authentication failure is likely to be a packet loss”. Therefore, even if the authentication apparatus has failed in the section, the receiving apparatus continues to play back the content in the section, or is restricted or has subtitles / displays indicating the authentication result added according to the policy of the apparatus. It is possible to play with. For example, if the content in the section where the authentication has failed is reproduced with the subtitle / display indicating the authentication result together with the cause of the authentication failure described above, the content can be reproduced with no practical problem even in a wireless environment. Usability is greatly improved.

  In addition, in the configuration of the receiving apparatus in FIG. 1, since the packet lost (reception error) of the packet in the signature verification section could not be recognized, it is illegal if the hash values do not match in the collating unit. I was forced to judge that I was receiving a stream. However, in this embodiment, by providing a counting unit and a processing unit, it is possible to determine on the receiving device side that there is a possibility that a packet loss has occurred, and a section in which such a packet loss has occurred is signed. It was configured to be excluded from the verification interval. As a result, the hash value does not match and the number of packets N used to generate the hash value that should exist within the signature verification interval and the number of packets used to generate the hash value within the interval (count value c) are If they match, it can be determined that the stream is completely invalid.

  FIG. 12 is a flowchart showing an example of a signature verification method executed by the receiving apparatus of FIG. As shown in the figure, in step S11, initial values are set (count value c and previous hash value h0 are set to zero). Next, in step S12, the hash value calculation unit 120A monitors the received and demodulated TS signal, and selects a verification packet having a predetermined unique identifier.

Next, in step S13, the hash value calculation unit 120A starts loop 2 (steps S15, S16, and S17). In step S14, a TS packet is acquired for use in generating a hash value, and the counter unit 125 increments the count value c by 1 each time one packet is acquired. Next, in step S15, a predetermined hash function f is obtained from the TS packet message m (payload) and the previous hash value h0 (null for the first execution and the hash value calculated the second time and thereafter). To generate a hash value h.
h = f (m, h0)

  Next, in step S16, loop 2 is repeated until the end condition of loop 2 is satisfied. The end condition is that all TS packets are processed in a section [VP-VP] between the verification packet and the next verification packet. In step S <b> 17, the packet processing unit 144 </ b> A acquires the hash value H as signature information stored in the next verification packet and stores it in the memory 160. In step S18, the collation unit 142 in the authentication unit 140A collates whether or not the hash value H as the signature information acquired from the verification packet matches the hash value h generated by the hash value calculation unit 120A. . When the acquired hash value H and the generated hash value h match, the processing is completed assuming that the signature information has been successfully authenticated, and the TS packet in the section is normally decoded by the decoder 180 and output by the output unit 170. Is output. If the acquired hash value H and the generated hash value h do not match, the process proceeds to step S19, and the packet processing unit 144A exists between the intervals [VP-VP] included in the next verification packet. The number N of packets used to generate the power hash value is acquired. Next, in step S20, the processing unit 144A determines the measured count value c and the hash value that should exist in the section in order to confirm whether or not a packet loss of the packet used for generating the hash value has occurred. It is determined whether or not the number N of packets used for generating the packet matches. If the measured count value c matches the number N of packets used to generate the hash value, the process proceeds to step S21, and the hash value collation has failed despite no packet loss. The processing unit 144A controls the decoder 180 so as to stop the decoding of the section, regarding the section as an illegal section. Alternatively, the processing unit 144A may perform control so that the output unit 170 does not directly output instead of the decoder 180. In step S20, if the measured count value c does not match the number of packets N used to generate the hash value, the process proceeds to step S22, and the processing unit 144A indicates that a packet loss has occurred. Therefore, the section is excluded from the signature verification section, and the process ends.

  Finally, the advantages of the present invention will be described again. According to the embodiment of the present invention, it is possible to authenticate the entire stream and to improve the tolerance and usability against a reception error by detecting that a reception error such as a packet loss has occurred. That is, in the present invention, the packet loss is detected by comparing the number of packets used for generating the hash with the number of packets used for generating the hash value while authenticating (verifying) the entire series of stream packets. Thus, it is possible to distinguish whether the cause of the mismatch in the collation result is falsification by an attacker or packet loss. In this way, by distinguishing the cause of collation mismatch, usability can be improved as compared with the prior art.

  Although the present invention has been described based on the drawings and examples, it should be noted that those skilled in the art can easily make various modifications and corrections based on the present disclosure. Therefore, it should be noted that these variations and modifications are included in the scope of the present invention. For example, the functions included in each unit, each means, each step, etc. can be rearranged so as not to be logically contradictory, and a plurality of means, steps, etc. can be combined or divided into one. It is.

  In the embodiment, an example is shown in which a hash value is generated using all TSPs in the verification interval, but a hash is generated using a specific packet among packets in the interval, that is, using some packets. The present invention can also be applied to a mode for generating values. As a method for designating a specific packet, a method for designating by a packet ID is conceivable. Thereby, the calculation processing load of the hash value is reduced, and the present invention can be applied to a small receiving terminal. In the embodiment, the number N of TSPs used for generating the hash value is stored in the verification packet after the target signature verification section, but may be included in the verification packet that is the starting point of verification. In the embodiment, hash values are generated in a chain using each message and the generated hash value in order from the front. However, these are merely examples. For example, each message is used in a chain from the rear in order. The present invention can use various formats for hash generation, such as generating values.

It is a block diagram which shows the basic composition of the receiver by one embodiment of this invention. It is a block diagram which shows the basic composition of the transmitter by one embodiment of this invention. 3 is a flowchart illustrating an example of a signature verification method executed by the receiving apparatus in FIG. 1. 3 is a flowchart showing an example of a stream generation method executed by the apparatus of FIG. It is a figure explaining the method (transmitting device side) which calculates a hash value from the transport stream (TS) containing a null (NULL) packet in the transmitting device. It is a figure explaining the method (receiver side) which calculates a hash value from the message of the received transport stream (TS), and verifies the correctness of a message. It is a figure explaining the case which cannot respond to a packet loss in the method shown in FIG. It is a block diagram which shows the fundamental structure of the receiver which determines the packet loss by one embodiment of this invention, and improves usability. It is a block diagram of the transmission apparatus by one embodiment of this invention. It is a figure explaining the signature verification method (reception apparatus side) which detects a packet loss by newly including the N number of TSPs used for generation of a hash value in a verification packet. It is a flowchart of the process of 200 A of transmission apparatuses which produce | generate and transmit a stream so that packet loss can be determined. It is a flowchart which shows an example of the signature verification method performed with the receiver of FIG. It is a figure which shows typically the unauthorized broadcast reception in a conventional system. It is a figure which shows the technique which adds a hash value to a transport stream packet by a prior art.

Explanation of symbols

100, 100A receiving device 110 receiving unit 120, 120A hash value calculation unit 125 counter unit 130, 130A packet processing unit 140, 140A authentication unit 142 verification unit 144, 144A processing unit 150, 150A control unit 160 memory 170 output unit 172 display unit 174 Speaker 180 Decoder 200.200A Transmission device 210, 210A Hash value calculation unit 220 Stream generation unit 230 Transmission unit 240 Counter unit 250 Memory ANT1-2 Antenna h0-4 Hash value m1-3 Message P1-P6 Packet VP Verification packet

Claims (6)

A receiving unit for receiving a signed transport stream and a verification packet for verifying the signature of the transport stream;
A generating unit that generates a hash value from a transport stream packet in a section between the verification packet and another verification packet received by the reception unit;
A counter unit that counts the number of transport stream packets received by the receiving unit and used to generate a hash value of a section between the verification packet and another verification packet;
A collation unit that collates a hash value as signature information included in the verification packet with the generated hash value;
As a result of the collation by the collation unit, when the hash value as signature information included in the verification packet and the generated hash value do not match, in a section between the verification packet and the other verification packet, When the number of packets counted by the counter unit and the number of packets used for hash generation in the section between the verification packet and the other verification packet included in the verification packet do not match, A processing unit for excluding the section from the signature verification section;
A receiving apparatus comprising: The receiving device according to claim 1,
When the hash value as the signature information and the generated hash value do not match as a result of the verification by the verification unit, the processing unit determines whether the packet used to generate the hash value counted by the counter unit When the number matches the number of packets used for hash generation included in the verification packet, the section is determined to be an illegal section.
A receiving apparatus. The receiving device according to claim 1,
When content or service is output using a transport stream packet in a section excluded from the signature verification section, output of the content or service is performed based on a signature verification result before and / or after the excluded section. Control unit to control,
The receiving apparatus further comprising: Receiving a signed transport stream and a verification packet for verifying the signature of the transport stream;
Generating a hash value from a transport stream packet in a section between the verification packet and another verification packet received by the reception step;
Counting the number of transport stream packets received by the receiving step used for generating a hash value of a section between the verification packet and another verification packet;
A collation step of collating a hash value as signature information included in the verification packet with the generated hash value;
As a result of the collation in the collation step, when the hash value as signature information included in the verification packet and the generated hash value do not match, in the section between the verification packet and the other verification packet, When the number of packets counted by the counter unit and the number of packets used for hash generation in the section between the verification packet and the other verification packet included in the verification packet do not match, A processing step of excluding the section from the signature verification section;
A signature verification method comprising: A generation unit for generating a hash value as signature information;
A stream generation unit that generates a stream by arranging a verification packet including the hash value as the generated signature information and the number of transport stream packets used to generate the hash value in a transport stream;
A transmission unit that sequentially transmits packets included in the generated stream;
A stream transmitting apparatus comprising: A generation step for generating a hash value as signature information;
A stream generation step of generating a stream by arranging a verification packet including the hash value as the generated signature information and the number of transport stream packets used to generate the hash value in a transport stream;
A transmission step of sequentially transmitting packets included in the generated stream;
A stream generation method characterized by comprising:

Images