JP2013070247A - Digital broadcast transmitter, digital broadcast receiver and digital broadcast system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a digital broadcast transmitter which delivers an access control program by data carousel.SOLUTION: A digital broadcast transmitter 1 comprises distribution data generation means 13 for generating the distribution data of data carousel by encrypting an access control program with a program encryption key, distribution data scramble means 14 for generating encrypted distribution data by encrypting the distribution data with a scramble key, common information generation means 15 for generating common information by encrypting the scramble key with a transmission line protection key, individual information generation means 19 for generating individual information by encrypting the transmission line protection key and the program encryption key with an effective device key, download table generation means 20 for generating a download table including an identifier indicating that the access control program is transmitted by data carousel, and multiplexing means 22 for multiplexing the information thus generated.

Description

  The present invention relates to a digital broadcast transmission device, a digital broadcast reception device, and a digital broadcast system that transmit and receive a program related to access control of a broadcast program of a digital broadcast.

In the current digital broadcasting, the copyright can be obtained by restricting the broadcast program (hereinafter referred to as “content”) only to the subscriber's receiving device, allowing the content to be received only by a legitimate receiving device, or performing copy restrictions. The function of performing protection is realized using CAS (Conditional Access System) which is an access control method.
Specifically, a function related to access control (for example, decryption of a key for decrypting encrypted content) is mounted on an IC card (CAS card) which is a tamper-resistant module, and the IC card and the receiving device are mounted. In combination, access is restricted.

  However, there is a possibility that security of this function related to access control may be broken due to outflow of keys held inside, analysis of algorithms, or the like. In such a case, a method of redistributing an IC card with increased security strength is conceivable. However, since it imposes a burden on the user such as IC card distribution costs and IC card replacement, it is practically difficult to implement. In addition to solving security problems, there is a desire to expand functions related to access control.

Therefore, a technique for accumulating functions related to access control mounted on an IC card as a CAS program in a receiving apparatus and updating the CAS program via a broadcast wave is disclosed (see Patent Document 1).
In the technology disclosed in Patent Document 1, an encrypted CAS program is arranged and distributed in ECM-RMP (ECM: Entitlement Control Message, RMP: Rights Management and Protection), which is common information related to content right protection. ing.
In the technique disclosed in Patent Document 1, a key for decrypting an encrypted CAS program is arranged and distributed in EMM-RMP (EMM: Entitlement Management Message), which is individual information related to content right protection. ing.
As a result, the receiving apparatus can store and update the CAS program by downloading and decrypting the encrypted CAS program distributed by ECM-RMP using the key distributed by EMM-RMP. Become.

JP 2009-267605 A

In the prior art disclosed in Patent Document 1, CAS program distribution is realized by using ECM (ECM-RMP) or EMM (EMM-RMP) having a role as a security parameter. Security parameters such as ECM and EMM must be processed as confidential information by a tamper resistant module or the like.
In general, since the tamper resistant module has a low processing speed, for example, the bit rate can be increased only to about 300 kbps. That is, in the prior art, the CAS program must be transmitted from the transmission side at a low bit rate.
For this reason, in the prior art, in order to reliably distribute the CAS program, it is necessary to continue broadcasting for a long period of time, and there is a problem that the broadcast band is compressed.

  The present invention has been made in view of the above problems, and a digital broadcast transmission device capable of downloading a CAS program at high speed while ensuring safety against alteration, leakage, etc. of the CAS program, An object is to provide a digital broadcast receiving apparatus and a digital broadcast system.

  The present invention has been developed to solve the above-mentioned problems. First, the digital broadcast transmission apparatus according to claim 1 is an access for controlling access to content transmitted via a broadcast wave. A digital broadcast transmitting apparatus for transmitting a control program to a digital broadcast receiving apparatus, comprising: a device key list storage unit; an invalid setting unit; a distribution data generation unit; a distribution data scramble unit; a common information generation unit; The configuration includes a selection unit, an individual information generation unit, a download table generation unit, a startup program designation unit, and a multiplexing unit.

In such a configuration, the digital broadcast transmitting apparatus stores a device key unique to the digital broadcast receiving apparatus in association with information indicating whether the device key is valid or invalid in the device key list storage unit. Then, the digital broadcast transmitting apparatus sets the corresponding device key stored in the device key list storage unit as an invalid key by instructing the invalidity of the specific device key from the outside by the invalid setting unit. .
Thereby, for example, when a device key leaks in the digital broadcast receiving apparatus, the device key can be managed as an invalid key.
The digital broadcast transmitting apparatus encrypts the access control program for distribution with the program encryption key common to the digital broadcast receiving apparatus by the distribution data generating means, and adds identification information for identifying the access control program. To generate distribution data in the data format of the data carousel. This identification information is, for example, an identifier or version of the access control program.

  Then, the digital broadcast transmission apparatus encrypts the distribution data generated by the distribution data generation unit with the scramble key by the distribution data scramble unit, and generates encrypted distribution data. As a result, the access control program becomes data that can be distributed in the data carousel.

  Further, the digital broadcast transmission device encrypts the scramble key with the transmission path protection key transmitted to the digital broadcast reception device by the common information generation means, and generates common common information in the digital broadcast reception device. Thus, the scramble key is encrypted so that it can be decrypted if it is a legitimate digital broadcast receiving apparatus.

  Then, the digital broadcast transmission device selects a device key set as an effective key from the device key list storage unit for each digital broadcast reception device by the device key selection unit. As a result, the invalidated device key is not selected, and only a valid device key is selected.

  Further, the digital broadcast transmitting apparatus generates individual information for each digital broadcast receiving apparatus by encrypting the transmission path protection key and the program encryption key with the device key selected by the device key selecting means by the individual information generating means. . As a result, the transmission path protection key and the program encryption key are encrypted so that only the digital broadcast receiving apparatus having an individual effective device key can decrypt.

  In addition, the digital broadcast transmitting apparatus generates an download table including identification information for identifying the access control program, and adds an identifier indicating that the access control program for distribution is transmitted by the data carousel by the download table generating means. To do. From this download table, the digital broadcast receiving apparatus can recognize that the access control program can be downloaded by the data carousel and can start downloading.

  Also, the digital broadcast transmission apparatus uses the activation program designating means to specify the second identification information for identifying the access control program for activation as PSI (Program Specific Information) / SI (Service Information) information that is program arrangement information. Place on the table. For example, it is arranged in CAT (Conditional Access Table) or PMT (Program Map Table).

  Then, the digital broadcast transmitting apparatus sequentially multiplexes the generated encrypted distribution data, common information, individual information, download table, and information table of program arrangement information at the generated timing by the multiplexing means. To generate a multiplexed signal to be transmitted to the digital broadcast receiver.

  As described above, the digital broadcast transmitting apparatus can transmit the encrypted access control program by using a high-speed data carousel. Further, since the digital broadcast transmitting apparatus does not use the invalid device key when encrypting the access control program, only the digital broadcast receiving apparatus having a valid device key controls the access control program to be usable. be able to.

  The digital broadcast transmission apparatus according to claim 2 is the digital broadcast transmission apparatus according to claim 1, wherein the distribution data generation means includes a signature value calculation means, a division means, an encryption means, and a data carousel. And a data generation means.

In such a configuration, the digital broadcast transmitting apparatus calculates the signature value of the digital signature using the secret key with respect to the access control program for distribution by the signature value calculation means.
Also, the digital broadcast transmitting apparatus divides the distribution access control program into data carousel block sizes by the dividing means. Then, the digital broadcast transmitting apparatus encrypts the divided data with the program encryption key by the encryption unit, and generates the encrypted divided data.

Then, the digital broadcast transmission device generates a DII message including the signature value and the identification information by the data carousel data generation means, and generates a DDB message including the encrypted divided data for each encrypted divided data. By doing so, distribution data is generated. As a result, the access control program is distributed in the data carousel data format with the digital signature added.
The verification key corresponding to the secret key used for the calculation of the signature value of the digital signature is added to the individual information by the individual information generating means as a root public key certificate including the verification key, and received by digital broadcasting Sent to the device.

  The digital broadcast transmission device according to claim 3 is the digital broadcast transmission device according to claim 1 or 2, wherein the individual information generating means updates the device key held by the digital broadcast reception device. The configuration is such that individual information is generated by further adding a seed as a parameter.

  In such a configuration, the digital broadcast transmission device is held by the digital broadcast transmission device from the digital broadcast transmission device by adding a seed, which is a parameter (random number) for updating the device key, to the individual information in the individual information generation means. It is possible to update the existing device key.

  The digital broadcast transmission device according to claim 4 is the digital broadcast transmission device according to any one of claims 1 to 3, wherein the common information generation unit includes a hash value of an access control program for distribution. Is added to generate common information.

  In such a configuration, the digital broadcast transmission apparatus adds a hash value calculated by a common hash function common to the digital broadcast reception apparatus to the common information by the common information generation unit. Thus, the hash value functions as a security parameter for verifying the validity of the access control program in the digital broadcast transmitting apparatus.

  Further, in the digital broadcast transmission device according to claim 5, in the digital broadcast transmission device according to any one of claims 1 to 4, the common information generation unit specifies an access control program for activation. The second identification information is further added to generate common information.

  In such a configuration, the digital broadcast transmission device generates the common information by adding the second identification information for specifying the access control program for activation by the common information generation unit. It is possible to verify the second identification information for specifying the access control program for activation specified in the information table.

  The digital broadcast transmission device according to claim 6 is the digital broadcast transmission device according to any one of claims 1 to 5, wherein the download table generating means is configured to perform data carousel in response to an instruction from the outside. Instead of an identifier indicating that the distribution access control program is being transmitted, a download table including an identifier indicating that the distribution access control program is acquired from the server designated via the communication line is generated. The configuration.

  In such a configuration, the digital broadcast transmitting apparatus can instruct the digital broadcast receiving apparatus whether to acquire the access control program using the data carousel or via the communication line, using the download table.

  The digital broadcast receiving apparatus according to claim 7 is a digital broadcast receiving apparatus that performs access control to content transmitted via a broadcast wave by an access control program. In the digital broadcast receiving apparatus, a separating unit, a download table analyzing unit, An information decoding unit, a common information decoding unit, a distribution data descrambling unit, a distribution data separation unit, a program decoding unit, a program storage unit, an activation program specifying unit, and a program activation unit are provided. .

In such a configuration, the digital broadcast receiving apparatus uses the separating means to transmit each information from the multiplexed signal including the encrypted distribution data, the common information, the individual information, the download table, and the information table of the program arrangement information. Isolate.
Then, the digital broadcast receiving device uses the identifier described in the download table including the identifier indicating that the access control program is transmitted by the data carousel and the identification information for identifying the access control program by the download table analyzing unit, It is determined that the access control program is transmitted in the data carousel.

Further, the digital broadcast receiving apparatus decrypts the individual information with the device key common to the digital broadcast transmitting apparatus by the individual information decrypting means, and acquires the transmission path protection key and the program encryption key. Then, the digital broadcast receiving apparatus acquires the scramble key by decoding the common information with the transmission path protection key by the common information decoding means. Then, the digital broadcast receiving apparatus decrypts the data carousel data with the scramble key by the distribution data descrambling means.
Furthermore, the digital broadcast receiving apparatus separates the encrypted access control program and the identification information for identifying the access control program from the distribution data in the data carousel data format by the distribution data separation means.

  The digital broadcast receiving apparatus decrypts the access control program encrypted by the program decrypting means with the program encryption key acquired by the individual information decrypting means, and associates the access control program with the identification information and stores the program storage means. To remember.

  In this way, the digital broadcast receiving apparatus can receive the access control program with a high-speed data carousel. Also, the digital broadcast receiving apparatus receives the program encryption key obtained by encrypting the access control program as individual information encrypted so that only the digital broadcast receiving apparatus having a valid device key can decrypt it.

  Further, the digital broadcast receiving apparatus according to claim 8 is the digital broadcast receiving apparatus according to claim 7, wherein the program decryption means includes signature verification means.

  In such a configuration, the digital broadcast receiving apparatus verifies the signature value of the digital signature added to the distribution data by the digital broadcast transmitting apparatus by the signature verification means included in the root public key certificate transmitted as individual information. Verify using the key.

  The digital broadcast receiving apparatus according to claim 9 is the digital broadcast receiving apparatus according to claim 7 or claim 8, further comprising device key generation / update means.

  In such a configuration, the digital broadcast receiving device generates a device key based on the seed when the device key generating / updating unit includes a seed that is a parameter for updating the device key in the individual information. Then, the device key used in the digital broadcast receiving apparatus is updated. As a result, the device key can be updated by an instruction from the digital broadcast transmission apparatus.

  Furthermore, the digital broadcast receiver according to claim 10 is the digital broadcast receiver according to any one of claims 7 to 9, wherein the hash value of the access control program is added to the common information. When the program starting unit calculates the hash value of the access control program corresponding to the second identification information extracted by the starting program specifying unit and matches the hash value added to the common information, the access control The program is activated.

  In such a configuration, when the hash value of the access control program to be activated is different from the hash value notified by the common information by the program activation unit, the digital broadcast receiving apparatus stops the activation of the access control program.

  The digital broadcast receiving apparatus according to claim 11 is the digital broadcast receiving apparatus according to any one of claims 7 to 10, wherein the common information includes a first access control program for identifying an activation access control program. 2 identification information is added, and when the program identification means matches the second identification information extracted by the activation program identification means and the second identification information added to the common information, the second identification information is added. The access control program stored in the program storage means is started corresponding to the information.

  In such a configuration, when the second identification information of the access control program to be activated is different from the second identification information notified by the common information by the program activation unit, the digital broadcast receiving apparatus stops the activation of the access control program. .

  Furthermore, the digital broadcast receiving apparatus according to claim 12 is the digital broadcast receiving apparatus according to any one of claims 7 to 11, further comprising a communication download unit.

  In such a configuration, the digital broadcast receiving apparatus, when an identifier indicating that the access control program is acquired from the server designated via the communication line is described in the download table by the communication download unit, from the server. Obtain an encrypted access control program. As a result, the digital broadcast receiving apparatus downloads the access control program according to the instruction of the digital broadcast transmitting apparatus, by the data carousel via the broadcast wave, or from the server via the communication line. Can do.

  The digital broadcast system according to claim 13 includes a digital broadcast transmission device that transmits content via a broadcast wave and a digital broadcast reception device that receives the content, and controls access to the content. A digital broadcast system for transmitting an access control program from the digital broadcast transmission apparatus to the digital broadcast reception apparatus, the digital broadcast transmission apparatus including a device key list storage unit, an invalid setting unit, and a distribution data generation unit A digital broadcast receiving apparatus comprising: distribution data scrambling means; common information generating means; device key selecting means; individual information generating means; download table generating means; start program specifying means; Separating means, download table analyzing means, and individual information decoding A stage, and the common information decoding means, and the delivery data descrambling means, and delivering data separation means, and the program decoding means, program storage means, an activation program specifying means, a program starting unit, configured to include a.

The present invention has the following excellent effects.
According to the first, seventh, and thirteenth aspects of the present invention, the access control program (CAS program) is distributed from the digital broadcast transmitting device to the digital broadcast receiving device by the data carousel, and the identification information, the key Can be distributed as common information or individual information as security parameters. As a result, the present invention prevents falsification of the access control program and the like, can be distributed at a higher speed than the case where the access control program is distributed as a security parameter, and can suppress the compression of the broadcast band.
According to the first, seventh, and thirteenth aspects of the present invention, even when the device key or the program encryption key is leaked, the transmission path protection key and the program encryption key are updated, and new access control is performed. By distributing the program, it is possible to invalidate (revoke) the digital broadcast receiving apparatus in which the device key has been leaked, and to prevent leakage of a new access control program.
Further, according to the first, seventh, and thirteenth aspects, the access control program can be updated at high speed even when the security of the access control program is broken. Further, the broadcaster can change the access control program according to the service desired to be provided.

According to the second and eighth aspects of the present invention, since a digital signature is added to the access control program, the downloaded access control program can be prevented from being falsified.
According to the third and ninth aspects of the present invention, the device key held by the digital broadcast receiving device can be updated from the digital broadcast transmitting device, and the leaked device key can be invalidated.

  According to the fourth and tenth aspects of the present invention, since the validity of the access control program to be activated can be verified by the hash value of the access control program distributed with the common information serving as the security parameter, digital broadcast reception In the apparatus, the access control program can be prevented from being falsified.

  According to the fifth and eleventh aspects of the invention, the (second) identification information of the access control program designated to be activated from the digital broadcast transmitting apparatus and the common information serving as the security parameter are distributed (second) identification information. In both cases, the access control program to be activated is specified, so that it is possible to prevent other access control programs from being illegally activated.

  According to the sixth and twelfth aspects of the present invention, it is possible to switch and distribute the access control program by broadcast waves or communication lines. As a result, after the access control program is distributed for a certain period by the data carousel, it can be switched to the distribution of the access control program through the communication line, and the broadcast band can be prevented from being compressed.

It is a schematic block diagram which shows the structure of the digital broadcasting system which concerns on embodiment of this invention. It is a block block diagram which shows the structure of the digital broadcast transmitter which concerns on embodiment of this invention. It is a block block diagram which shows the structure of the delivery data production | generation means of the digital broadcast transmitter which concerns on embodiment of this invention. It is a block block diagram which shows the structure of the digital broadcast receiver which concerns on embodiment of this invention. It is a data structure figure which shows the content of a DII message. It is a data structure figure which shows the content of a DDB message. It is a figure for demonstrating the memory content of a device key list memory | storage means. It is a data structure figure which shows the content of a download table. It is a data structure figure which shows the content of a download content descriptor. It is a data structure figure which shows the content of a network download content descriptor. It is a flowchart which shows the delivery operation | movement of the access control program (CAS program) in the digital broadcast transmitter which concerns on embodiment of this invention. It is a flowchart which shows the reception operation | movement of the access control program (CAS program) in the digital broadcast receiver which concerns on embodiment of this invention. It is a flowchart which shows starting instruction | indication operation | movement of the access control program (CAS program) in the digital broadcast transmitter which concerns on embodiment of this invention. It is a flowchart which shows the starting operation | movement of the access control program (CAS program) in the digital broadcast receiver which concerns on embodiment of this invention.

Embodiments of the present invention will be described below with reference to the drawings.
[Outline of digital broadcasting system]
First, an overview of a digital broadcasting system according to an embodiment of the present invention will be described with reference to FIG.

  The digital broadcast system S is composed of a digital broadcast transmission device 1 owned by a broadcaster and digital broadcast reception devices 3, 3, 3,... Installed in each home. This is a system in which a content (broadcast program) transmitted by a broadcast wave W is received by a digital broadcast receiver 3 and viewed by a viewer. The broadcast wave W may be wireless or wired, such as terrestrial digital broadcast, satellite broadcast, and cable broadcast.

  The digital broadcast transmission device 1 transmits content to the digital broadcast reception device 3 via the broadcast wave W. The digital broadcast transmitting apparatus 1 transmits a CAS (Conditional Access System) program (access control program) having a function related to content access control via a broadcast wave W in a digital broadcast data carousel, and updates it. It has the function to do.

The digital broadcast receiving device 3 receives content via a broadcast wave W. The digital broadcast receiving device 3 has a function of receiving and updating a CAS program distributed by data carousel transmission from the digital broadcast transmitting device 1.
That is, the digital broadcasting system S is used when security is broken, such as the leakage of the key of the CAS program used in the digital broadcast receiving apparatus 3, or when it is desired to update the CAS program used according to the service to be provided. In this system, a broadcaster distributes a new CAS program to the digital broadcast receiver 3 by the digital broadcast transmitter 1.

The data carousel repeatedly distributes the same data defined in STD-B24 of the Radio Industries Association (ARIB) for a certain period of time, so that the digital broadcast receiver 3 can acquire necessary data at an arbitrary timing. It is a transmission method that enables
In the digital broadcasting system S, the same CAS program (CAS P _{1 to} P _n ) is repeatedly transmitted for a certain period, so that the CAS program is distributed to the digital broadcast receiving device 3.

Further, the digital broadcasting system S has a function of distributing the CAS program via the communication line N in addition to the distribution of the CAS program by the data carousel.
Here, the digital broadcast system S includes a server (CAS server 5) that stores the CAS program and transmits the CAS program via the communication line N, and the digital broadcast transmission apparatus 1 receives the CAS via the broadcast wave W. The digital broadcast receiver 3 is notified of the location of the program (URL: Uniform Resource Locator). Then, the digital broadcast receiving apparatus 3 acquires a CAS program from the CAS server 5 through the communication line N and updates it.

As described above, the digital broadcasting system S can transmit the CAS program at high speed by performing the data carousel transmission, and the period for distributing the CAS program can be shortened to, for example, about one week.
Further, the digital broadcast system S can distribute the CAS program via the communication line N even when the transmission period of the CAS program by the data carousel has ended. As a result, the digital broadcasting system S can reduce the compression of the broadcast band accompanying the distribution of the CAS program by the broadcast wave W.

  Hereinafter, in the digital broadcast system S, the configuration and operation of the digital broadcast transmission apparatus 1 and the digital broadcast reception apparatus 3 that can update the CAS program by increasing the safety in transmission of the CAS program will be described in detail. .

[Configuration of digital broadcasting transmitter]
First, referring to FIG. 2 (refer to FIG. 1 as appropriate), the configuration of the digital broadcast transmitting apparatus according to the embodiment of the present invention will be described. Here, the digital broadcast transmission apparatus 1 includes content scramble means 10, ECM-CAS generation means 11, EMM-CAS generation means 12, distribution data generation means 13, distribution data scramble means 14, and ECM-RMP generation. Means 15, device key list storage means 16, invalid setting means 17, device key selection means 18, EMM-RMP generation means 19, download table generation means 20, startup program designation means 21, multiplexing means 22.

  In FIG. 2, a plurality of configurations of the A portion indicated by the broken line portion are provided for each CAS program. For example, when the CAS program to be distributed differs for each manufacturer of the digital broadcast receiving apparatus 3, a plurality of A parts are provided for each manufacturer.

The content scramble means 10 scrambles (encrypts) input content (video, audio, data, etc.) Ct with a scramble key Ks1.
For the encryption with the scramble key Ks1, a common common key encryption algorithm may be used. For example, the encryption is performed by the MULTI2 encryption. The scrambled content (encrypted content Sct) is output to the multiplexing means 22.

  The scramble key Ks1 is updated according to time, and is updated about once every several seconds. Here, it is assumed that the scramble key Ks1 is stored in a storage unit (not shown) and is appropriately updated by inputting a new scramble key Ks1 from the outside.

The ECM-CAS generation unit 11 encrypts the scramble key Ks1 used in the content scramble unit 10 with the work key Kw, and generates common information including the encrypted scramble key Ks1. This common information is security information common to all digital broadcast receiving apparatuses 3.
A common common key encryption algorithm may be used for encryption with the work key Kw. Further, the ECM-CAS generation unit 11 generates the common information as a message having an ECM (Entitlement Control Message) structure defined by MPEG (Moving Picture Experts Group) -2 Systems. The common information (ECM-CAS) generated in this way is output to the multiplexing means 22.

  The work key Kw has a longer update time than the scramble key Ks, and is updated in about one month, for example. Here, it is assumed that the work key Kw is stored in a storage unit (not shown) and appropriately updated by inputting a new work key Kw from the outside.

  The EMM-CAS generation unit 12 encrypts the work key Kw used in the ECM-CAS generation unit 11 with the master key Km, and generates individual information including the encrypted work key Kw. This individual information is individual security information for each digital broadcast receiver 3.

  A common common key encryption algorithm may be used for encryption using the master key Km. Further, the EMM-CAS generation unit 12 generates the individual information as a message having an EMM (Entitlement Management Message) structure defined by MPEG-2 Systems. At this time, an identifier ID for identifying the individual digital broadcast receiving device 3 is added to the individual information (EMM-CAS). The individual information (EMM-CAS) generated in this way is output to the multiplexing means 22.

  The master key Km is an encryption key that is different for each digital broadcast receiving device 3 and is distributed to each digital broadcast receiving device 3 in advance. Here, it is assumed that the master key Km is stored in a storage unit (not shown).

  The common information (ECM-CAS) generated by the ECM-CAS generation unit 11 and the individual information (EMM-CAS) generated by the EMM-CAS generation unit 12 are scrambled only by the digital broadcast receiving apparatus 3 with which a reception contract is made. It is security information for limited reception that can be solved.

The distribution data generation means 13 converts the CAS program P distributed to the digital broadcast receiving device 3 into a data carousel data format and generates distribution data (distribution data). The distribution data generated by the distribution data generation unit 13 is output to the distribution data scramble unit 14.
Note that a new CAS program to be updated is input to the distribution data generation unit 13 via an input unit (not shown).

  Here, with reference to FIG. 3, the structure of the delivery data generation means 13 is demonstrated in detail. As shown in FIG. 3, the distribution data generating unit 13 includes a signature value calculating unit 13a, a dividing unit 13b, an encrypting unit 13c, and a data carousel data generating unit 13d.

  The signature value calculation means 13a calculates the signature value of the digital signature for the new CAS program P to be updated. That is, the signature value calculation unit 13a generates a hash value from the CAS program P in advance by using a hash function common to the digital broadcast receiving device 3. The signature value calculation means 13a calculates the signature value by encrypting the hash value with the secret key Kps corresponding to the public key (verification key) of the digital broadcast receiving apparatus 3 in the public key cryptosystem. The signature value calculated in this way is output to the data carousel data generation means 13d. The signature value generated by the signature value calculation means 13a can be calculated by general DSA and RSA.

  A public key (verification key) for verifying the digital signature corresponding to the secret key Kps used for calculating the signature value by the signature value calculation means 13a is a root public key certificate RPKC (see FIG. 2), which will be described later. Then, the EMM-RMP generating means 19 performs distribution to the digital broadcast receiving apparatus 3 by EMM-RMP.

  The dividing means 13b divides a new CAS program P to be updated into a predetermined size. Here, the dividing means 13b divides the CAS program P by the block size of a DDB (Download Data Block) message when performing data carousel transmission. The data thus divided (divided data) is output to the encryption means 13c.

The encryption unit 13c encrypts the CAS program P (divided data) divided by the dividing unit 13b with the program encryption key Kpe. The encryption in the encryption means 13c may use a common common key encryption algorithm.
The program encryption key Kpe is a key common to all the digital broadcast receiving apparatuses 3, and is stored in a storage unit (not shown). The divided data thus encrypted (encrypted divided data) is output to the data carousel data generation means 13d.

The program encryption key Kpe is encrypted with the device key Kd stored in advance in the digital broadcast receiving apparatus 3 when the EMM-RMP generating means 19 described later generates the EMM-RMP. However, when the device key Kd is leaked from the digital broadcast receiving apparatus 3, the program encryption key Kpe is decrypted and the CAS program P itself is leaked.
Therefore, it is assumed that the program encryption key Kpe is updated when the device key Kd is leaked or periodically.

  The data carousel data generation unit 13d generates data carousel data from the divided data (encrypted divided data) of the CAS program P encrypted by the encryption unit 13c. That is, the data carousel data generating unit 13d sections the encrypted divided data as a DDB message and sections the configuration information as a DII (Download Info Indication) message.

  Further, the data carousel data generation means 13d inputs the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P from the outside and arranges them inside the DII. Thereby, the identifier and version of the CAS program distributed by the data carousel can be notified to the digital broadcast receiving apparatus 3.

  The data carousel data generation unit 13d arranges the signature value of the CAS program P calculated by the signature value calculation unit 13a in the DII when sectioning the DII. As a result, the digital broadcast receiving apparatus 3 can verify whether or not the CAS program P received by the data carousel is a legitimate one using the digital signature.

  Here, with reference to FIGS. 5 and 6 (refer to FIGS. 2 and 3 as appropriate), examples of data structures of DII and DDB generated by the distribution data generation means 13 will be described. Note that the description of the data defined in the ARIB STD-B24 is omitted, and in the present invention, the data that particularly needs to be set will be described.

FIG. 5 shows an example of the data structure of the DII message when the CAS program is transmitted in the data carousel.
As shown in FIG. 5, the digital broadcast transmitting apparatus 1 arranges a compatibility descriptor in the DII message. This compatibility identifier describes the meta information of the CAS program P distributed by DDB. Here, the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P are described in the compatibility descriptor (“CAS_version” area in FIG. 5). The identifier (CAS-ID) and version (CAS-Ver) are information input from the outside when the CAS program P is downloaded and written by the data carousel data generation means 13d.

  Further, as shown in FIG. 5, the digital broadcast transmitting apparatus 1 places the signature value of the CAS program P in the DII message (“CAS_digital_signature” area). The signature value is information generated by the signature value calculation unit 13a of the distribution data generation unit 13 and written by the data carousel data generation unit 13d.

FIG. 6 shows an example of the data structure of the DDB message when the CAS program P is transmitted in the data carousel.
As shown in FIG. 6, the digital broadcast transmitting apparatus 1 arranges the divided and encrypted CAS program P in the DDB message (“blockDataByte” area; payload area). The data in the payload area is information that is encrypted by the encryption unit 13c of the distribution data generation unit 13 and written by the data carousel data generation unit 13d.

Also, the digital broadcast transmitting apparatus 1 arranges a number (block number) indicating the order of the blocks of the CAS program P divided in the DDB message (here, “blockNumber” area). The block number is information that is sequentially incremented and written for each block by the data carousel data generation unit 13d of the distribution data generation unit 13.
As a result, the digital broadcast receiving apparatus 3 can reconstruct the encrypted CAS program using the DDB message after obtaining the DII message.
Returning to FIG. 2, the description of the configuration of the digital broadcast transmitting apparatus 1 will be continued.

The distribution data scramble means 14 scrambles (encrypts) the distribution data (DII, DDB), which is data for the data carousel generated by the distribution data generation means 13, with the scramble key Ks2.
For the encryption with the scramble key Ks2, a common common key encryption algorithm may be used. For example, the encryption is performed with the MULTI2 encryption. The scrambled data (encrypted distribution data Scas) is output to the multiplexing means 22.

  Note that, as with the scramble key Ks1, the scramble key Ks2 is updated with time, and is updated about once every few seconds. The scramble key Ks2 may be the same as the scramble key Ks1, but it is desirable to manage the scramble key Ks2 as another key, for example, by making the key length longer than the scramble key Ks1 in order to increase the security of the CAS program. . Here, it is assumed that the scramble key Ks2 is stored in a storage unit (not shown) and is appropriately updated by inputting a new scramble key Ks2 from the outside.

  The ECM-RMP generating means (common information generating means) 15 encrypts the scramble key Ks2 used in the distribution data scramble means 14 with the transmission path protection key Kp, and generates common information including the encrypted scramble key Ks2. It is. This common information is security information common to all digital broadcast receiving apparatuses 3.

A common common key encryption algorithm may be used for encryption using the transmission path protection key Kp. Further, the ECM-RMP generation unit 15 generates common information as a message having an ECM structure defined by MPEG-2 Systems. The common information (ECM-RMP) generated in this way is output to the multiplexing means 22.
The transmission path protection key Kp is a key delivered to the regular digital broadcast receiving apparatus 3 regardless of the reception contract. Here, it is assumed that the transmission path protection key Kp is stored in a storage unit (not shown) and is appropriately updated when a new transmission path protection key Kp is input from the outside.

  Further, the ECM-RMP generating unit 15 specifies an identifier (CAS-ID) or version (CAS-Ver) of the CAS program P delivered by PSI / SI when the CAS program to be started is specified by the starting program specifying unit 21 described later. ) And the hash value (CAS-H) of the CAS program P is added to the common information (ECM-RMP). This hash value is a value calculated using a hash function common to the digital broadcast receiving device 3.

  As a result, the digital broadcast receiving apparatus 3 prevents malfunction due to alteration of the identifier (CAS-ID) or version (CAS-Ver) of the CAS program P delivered by PSI / SI, or stores it in the digital broadcast receiving apparatus 3. It is possible to prevent malfunctions by detecting inconsistencies in the hash values of the CAS program P.

The device key list storage unit 16 stores a device key unique to the digital broadcast receiving apparatus 3 and information indicating whether the device key is valid or invalid in association with each other. Device.
Here, the device key list storage unit 16 is configured to use a device key for a receiver identifier RID that is a unique identifier for each manufacturer of the digital broadcast receiver 3 or for each model (set model) of the digital broadcast receiver 3. Kd is stored in association with information (flag) indicating whether the device key Kd is valid or invalid. For example, a value (“0”) indicating “valid” is set for the valid device key Kd, and a value (“1”) indicating “invalid” is set for the invalid device key Kd.
In this device key list storage unit 16, it is assumed that “valid” values are set in advance for all device keys as initial values.

Here, the device key Kd is stored in advance in the digital broadcast receiving device 3 and used when the EMM-RMP generating unit 19 described later generates an EMM-RMP, and the digital broadcast receiving device 3 uses the EMM-RMP. It is a key for decrypting information.
For example, as shown in FIG. 7, when the device key Kd30 leaks in a certain receiver identifier RID3, “invalid” is set in the device key Kd30 in the list of the device key list storage unit 16.

After that, when a new device key Kd (Kd31) is distributed to the digital broadcast receiver 3 with the receiver identifier RID3, the device key list storage unit 16 stores the new device key via an input unit (not shown). The key Kd31 is stored and “valid” is set.
Here, the new device key Kd is based on the same value as the seed (Seed: parameter for generating a device key) notified to the digital broadcast receiving device 3 by the EMM-RMP generating means 19 to be described later. Generated by the person. The algorithm for generating the device key is the same algorithm as that of the digital broadcast receiving apparatus 3.

  If the device key is generated in the digital broadcast transmission device 1, for example, the digital broadcast transmission device 1 includes device key generation means (not shown), and notifies the digital broadcast reception device 3 of the seed. Before, using the seed, a device key is generated by the device key generation unit, and the device key list storage unit 16 is updated, that is, the previous device key is “invalid” and the generated device key is set to “valid”. Set. The device key generation algorithm of the device key generation means (not shown) is the same as the device key generation / update means 31g of the digital broadcast receiving apparatus 3 described later.

The invalidity setting means 17 invalidates the device key Kd in the device key list storage means 16 according to an instruction from the outside.
The invalidity setting means 17 inputs “receiver” to the validity / invalidity flag of the corresponding device key Kd stored in the device key list storage means 16 by receiving the receiver identifier RID and the device key Kd from the outside. Set.

The device key selection unit 18 selects a device key that has not been revoked from among the device keys Kd stored in the device key list storage unit 16. That is, as shown in FIG. 7, the device key selection unit 18 selects a valid device key Kd for which “valid” is set, and sends it to the EMM-RMP generation unit 19 together with the corresponding receiver identifier RID. Output.
As a result, when the EMM-RMP is generated, the revoked device key Kd is not used.

  In FIG. 2, the configuration of the portion A indicated by the broken line portion is provided for each CAS program. For example, when the CAS program to be distributed differs for each manufacturer of the digital broadcast receiving device 3, the device key selection is performed. The means 18 selects only the device key Kd corresponding to a predetermined manufacturer-specific receiver identifier RID.

  The EMM-RMP generation means (individual information generation means) 19 encrypts the program encryption key Kpe and the transmission path protection key Kp used by the ECM-RMP generation means 15 with the device key Kd selected by the device key selection means 18. To generate individual information including the corresponding receiver identifier RID, encrypted program encryption key Kpe, and transmission path protection key Kp. This individual information is security information common to the digital broadcast receiving device 3.

  A common common key encryption algorithm may be used for encryption using the device key Kd. Further, the EMM-RMP generating unit 19 generates the individual information as an EMM-RMP having an EMM structure defined by MPEG-2 Systems. In this EMM-RMP, the digital signature of the certificate authority is preliminarily added to the public key (verification key) corresponding to the secret key Kps (see FIG. 3) used when the distribution data generation means 13 generates the signature value. The added root public key certificate RPKC is added.

Further, when the device key update control information KDc is input from the outside, the EMM-RMP generation unit 19 adds an identifier (device key update identifier) including the device key update control information KDc to the ECM-RMP. To do.
Here, the device key update control information KDc is information for instructing to update the device key Kd used in the digital broadcast receiving apparatus 3. The device key update control information KDc includes a seed that is a parameter for newly generating the device key Kd.
Thereby, when the device key Kd is leaked, the broadcaster can control the update of the device key of the digital broadcast receiving apparatus 3 via the broadcast wave W.
Thus, the common information (ECM-RMP) generated by the EMM-RMP generating unit 19 is output to the multiplexing unit 22.

The common information (ECM-RMP) generated by the ECM-RMP generating unit 15 and the individual information (EMM-RMP) generated by the EMM-RMP generating unit 19 are all scrambled by the authorized digital broadcast receiving device 3. Security information that can be
The common information (ECM-RMP) and individual information (EMM-RMP) have a role as information used for cryptographic delivery of the CAS program P.

The download table generating means 20 inputs control information (download control information Dc) indicating various information when the digital broadcast receiving apparatus 3 downloads the CAS program P through an input means (not shown), It is generated as a table (download table).
Here, the download control information Dc is identification information for specifying the CAS program P to be distributed. For example, the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P.

  Here, the download control information Dc further includes information for identifying whether the CAS program P is distributed by broadcasting or the CAS program P is distributed by communication. For example, when the CAS program P is distributed by broadcasting (data carousel), the number of DII / DDB modules, module identification, module size, etc. are included, and when the CAS program P is distributed by communication, the CAS program P is held. The URL, IP address, etc. of the existing CAS server 5 are included.

  Note that whether the CAS program P is distributed by broadcasting or the CAS program P is distributed by communication is appropriately switched by an operator (broadcaster). For example, when a CAS program is newly distributed, the CAS program is distributed all at once by broadcasting, and after a certain period (for example, one week) has elapsed, the distribution is switched to communication. As a result, it is not necessary to continue sending the CAP program over a long period of time, and pressure on the broadcast band can be reduced.

  Here, an example of the data structure of the download table generated by the download table generating means 20 will be described with reference to FIGS. 8 to 10 (refer to FIG. 2 as appropriate). The download table, download content descriptor, and network download content descriptor shown in FIGS. 8 to 10 are examples of tables and descriptors in which data is arranged in accordance with the section format used in the existing digital broadcasting. Show. Therefore, only the data directly related to the present invention will be described here.

As shown in FIG. 8, a “target_version (target version)” area is provided in the download table, and the download table generation unit 20 sets the version of the CAS program to be updated. As a result, the digital broadcast receiving apparatus 3 can determine whether or not the CAS program held by the digital broadcast receiving apparatus 3 is an update target, and can download the CAS program as necessary.
In addition, a “new_version (new version)” area is provided in the download table, and the download table generation means 20 sets the version of the CAS program to be updated this time. As a result, the digital broadcast receiving apparatus 3 that has downloaded the CAS program can manage the version of the CAS program held by itself. Note that the version of the CAS program is the same value as the version (CAS-Ver) set by the distribution data generation means 13.

  In addition, a “download_level (download level)” area may be provided in the download table, and the digital broadcast receiving apparatus 3 may be controlled to forcibly or arbitrarily update. For example, when the value of “download level” is “01”, the digital broadcast receiving apparatus 3 that holds the CAS program of “update target version” always updates the CAS program. On the other hand, when the value of “download level” is “00”, the digital broadcast receiving apparatus 3 holding the CAS program of “update target version” arbitrarily updates the CAS program.

  In addition, a “version_indication (version display)” area may be provided in the download table, and the CAS program to be updated may be controlled by version. For example, when the value of “version display” is “00”, designation of “target version” is invalidated, and all versions of the CAS program are to be updated. When the value of “version display” is “01”, the CAS program after the version specified by “target version” is set as the update target. When the value of “version display” is “02”, the CAS program before the version specified by “target version” is set as the update target. When the value of “version display” is “03”, only the CAS program of the version specified by “target version” is to be updated.

  Also, as shown in FIG. 8, when a “descriptor () (descriptor)” area is provided in the download table and the download table generating means 20 distributes the CAS program P by broadcasting (data carousel), this descriptor “Download content descriptor” is placed in the area. Further, when the CAS program P is distributed by communication, a “network download content descriptor” is arranged in this descriptor area.

In this way, by arranging the “download content descriptor” in the descriptor area, the digital broadcast receiving device 3 acquires the CAS program P by broadcasting (data carousel) and arranges the “network download content descriptor”. Thus, the digital broadcast receiving apparatus 3 acquires the CAS program P from the CAS server 5 (see FIG. 1) through communication.
Hereinafter, the “download content descriptor” and the “network download content descriptor” will be described.

  First, an example of the data structure of the download content descriptor will be described with reference to FIG. As shown in FIG. 9, the download content descriptor is a descriptor in which various information necessary for receiving the CAS program by the data carousel is set. For example, the number of DII / DDB modules of the data carousel that transmits the CAS program, module identification, module size, and the like. Further, here, the same compatibility descriptor as that arranged in the DII message (see FIG. 5) is arranged in the download content descriptor. As shown in FIG. 5, since the compatibility descriptor includes the identifier (CAS-ID) and version (CAS-Ver) of the CAS program, the digital broadcast receiving apparatus 3 already has a target CAS program. Can be controlled not to be downloaded.

Next, an example of the data structure of the network download identifier will be described with reference to FIG. As shown in FIG. 10, the network download content descriptor is a descriptor in which various information necessary for receiving the CAS program via the network is set. For example, the URL or IP address of a communication server (CAS server) that provides a CAS program. Here, the network download content descriptor is arranged with the same compatibility descriptor as that arranged in the DII message (see FIG. 5), like the download content descriptor. Accordingly, the digital broadcast receiving device 3 can control not to acquire the CAS program from the server if the target CAS program has already been accumulated.
Returning to FIG. 2, the description of the configuration of the digital broadcast transmitting apparatus 1 will be continued.

  The start program specifying means 21 is for specifying a CAS program to be started in the digital broadcast receiving apparatus 3. The activation program designation means 21 adds information (program designation information) for designating a CAS program to be activated in the digital broadcast receiving device 3 to PSI / SI (program arrangement information). This program designation information is an identifier (CAS-ID) of a CAS program and its version (CAS-Ver). As a result, the digital broadcast transmitting apparatus 1 can activate the designated CAS program in the digital broadcast receiving apparatus 3.

The activation program specifying means 21 arranges the program specifying information in a PSI / SI CAT (Conditional Access Table) or PMT (Program Map Table). Here, it is determined in advance whether to arrange in the CAT or the PMT.
In this CAT or PMT, for example, a compatibility descriptor (see FIG. 5) including an identifier (CAS-ID) of a CAS program and its version (CAS-Ver) is arranged in the descriptor area of each table. .
In this way, the PSI / SI to which the program designation information is added is output to the multiplexing means 22.

  The multiplexing unit 22 includes the encrypted content Sct generated by the content scramble unit 10, the common information (ECM-CAS) generated by the ECM-CAS generation unit 11, and the individual information (EMM generated by the EMM-CAS generation unit 12). -CAS), encrypted distribution data (DII, DDB) Scas generated by the distribution data scramble means 14, common information (ECM-RMP) generated by the ECM-RMP generation means 15, and EMM-RMP generation means 19 The generated individual information (EMM-RMP), the download table Td generated by the download table generating means 20, and the PSI / SI to which the program specifying information is added by the activation program specifying means 21 are multiplexed, and a multiplexed signal is obtained. Is to be generated.

  Here, it is assumed that the multiplexing means 22 multiplexes each input information into a TS (transport stream) format (MPEG-2 TS) defined by MPEG-2 Systems. The multiplexed multiplexed signal (MPEG-2 TS) is delivered to the digital broadcast receiving device 3 via a broadcast wave by a sending device (not shown).

  By configuring the digital broadcast transmitting apparatus 1 in this way, the CAS program P can be distributed to the digital broadcast receiving apparatus 3 by a data carousel. At this time, since the information for decrypting and verifying the CAS program P and the information for verification are distributed to the digital broadcast receiving device 3 by ECM-RMP or EMM-RMP, the safety of the CAS program P is improved. Can be delivered.

  Further, the digital broadcast transmitting apparatus 1 lists and stores leaked device keys (blacklist), and since the leaked device key Kd does not generate individual information (EMM-RMP), the transmission path protection key Kp or The program encryption key Kpe can be distributed to the digital broadcast receiving apparatus 3 in which the device key Kd is not leaked.

  Thereby, even if the device key Kd and the program encryption key Kpe are leaked, the transmission path protection key Kp and the program encryption key Kpe are updated, and the new CAS program P is distributed by broadcasting or communication. By doing so, the digital broadcast receiving device 3 that has leaked the device key Kd can be invalidated (revoked), and leakage of the new CAS program P can be prevented.

Further, the digital broadcast transmitting apparatus 1 can switch the distribution of the CAS program P from the data carousel transmission by broadcasting to the distribution by communication using the CAS server 5. As a result, the digital broadcast transmitting apparatus 1 can prevent wasteful use of the broadcast band over a long period of time.
The digital broadcast transmission apparatus 1 can be operated by a program (CAS program transmission program) that causes a general computer to function as each of the above-described means.

[Configuration of digital broadcast receiver]
Next, referring to FIG. 4 (refer to FIG. 1 as appropriate), the configuration of the digital broadcast receiving apparatus according to the embodiment of the present invention will be described. Here, the digital broadcast receiving apparatus 3 includes a separating unit 30, a program executing unit 31, a download table analyzing unit 32, a distribution data separating unit 33, a program decoding unit 34, a storage unit 35, and an activation program specifying unit. 36, a program starting unit 37, and a communication downloading unit 38.

The separating means 30 separates the digital broadcast (multiplexed signal; MPEG-2 TS) transmitted from the digital broadcast transmitting apparatus 1. This separating means 30 is used to encrypt encrypted content Sct, individual information (EMM-CAS) and common information (ECM-CAS) including information for limited reception, and encrypted transmission of CAS programs from MPEG-2 TS. Separate information (EMM-RMP) and common information (ECM-RMP) including information, data carousel data (encrypted distribution data Scas), download table Td, and PSI / SI CAT or PMT To do.
The separating unit 30 separates the data carousel data (DII, DDB) from the MPEG-2 TS when the download table analyzing unit 32 receives an instruction to separate the data carousel data.

The program execution means 31 decrypts the encrypted content Sct and the encrypted delivery data Scas separated by the separation means 30.
The program execution means 31 is the substance of the CAS program distributed from the digital broadcast transmission apparatus 1 and is executed by the program activation means 37 described later. The program execution means 31 may be configured by a programmable device such as an FPGA (Field Programmable Gate Array), or a virtual machine that operates with middleware on an OS (Operating System), such as a Java (registered trademark) virtual machine. You may comprise with a machine (Java Virtual Machine, Java VM) etc.

  When the program execution means 31 is configured by a programmable device, the CAS program is configured by circuit information. When the program execution means 31 is configured as software that operates on the OS, the CAS program is configured as a binary program.

  Here, the program execution unit 31 includes an EMM-CAS decoding unit 31a, an ECM-CAS decoding unit 31b, a content descrambling unit 31c, an EMM-RMP decoding unit 31d, an ECM-RMP decoding unit 31e, and distribution data. A descrambling unit 31f and a device key generating / updating unit 31g are provided.

The EMM-CAS decrypting means 31a decrypts the individual information (EMM-CAS) separated by the separating means 30 with the master key Km. The EMM-CAS decrypting means 31a includes an identifier (not shown) stored in the storage means 35 in advance for an identifier for identifying the digital broadcast receiving device 3 included in the non-encrypted area of the EMM-CAS. Only when they match, the EMM-CAS encryption area is decrypted with the master key Km stored in advance in the storage means 35, and the work key Kw is extracted. As a result, the work key Kw can be decrypted only by the receiving apparatus with which a regular contract is made.
The work key Kw decrypted by the EMM-CAS decrypting means 31a is output to the ECM-CAS decrypting means 31b.

The ECM-CAS decrypting unit 31b decrypts the common information (ECM-CAS) separated by the separating unit 30 with the work key Kw decrypted by the EMM-CAS decrypting unit 31a. This ECM-CAS includes the scramble key Ks1 used when the encrypted content Sct is scrambled, and the ECM-CAS decrypting means 31b extracts the scramble key Ks1 by decrypting the ECM-CAS. .
The scramble key Ks1 decrypted by the ECM-CAS decrypting unit 31b is output to the content descrambling unit 31c.

  The content descrambling means 31c descrambles (decrypts) the encrypted content Sct separated by the separating means 30 with the scramble key Ks1 decrypted by the ECM-CAS decrypting means 31b. The content Ct descrambled by the content descrambling means 31c is decoded (encoded) by a video / audio decoding means (not shown) and output to a display device (not shown).

The EMM-RMP decryption means (individual information decryption means) 31d decrypts the individual information (EMM-RMP) separated by the separation means 30 with the device key Kd. The EMM-RMP decrypting means 31d uses an identifier (non-identifier) in which a receiver identifier RID for identifying the digital broadcast receiving device 3 included in the non-encrypted area of EMM-RMP is stored in the storage means 35 in advance. Only when it matches the figure, the device key Kd previously stored in the storage means 35 is used to decrypt the EMM-RMP encryption area and extract the transmission path protection key Kp.
The transmission path protection key Kp decrypted by the EMM-RMP decrypting means 31d is output to the ECM-RMP decrypting means 31e.

The EMM-RMP decrypting unit 31d extracts the root public key certificate RPKC when the EMM-RMP includes the root public key certificate RPKC, and stores it in the storage unit 35 or the tamper-resistant module not shown. Keep it.
Further, when the EMM-RMP includes the program encryption key Kpe, the EMM-RMP decryption unit 31d extracts the program encryption key Kpe and stores it in the storage unit 35 or the tamper-resistant module not shown. deep.
When the device key update identifier is included in the EMM-RMP, a seed for generating the device key Kd included in the device key update identifier is sent to the device key generation / update unit 31g. Output.

  The ECM-RMP decryption means (common information decryption means) 31e decrypts the common information (ECM-RMP) separated by the separation means 30 with the transmission path protection key Kp decrypted by the EMM-RMP decryption means 31d. is there. The ECM-RMP includes a scramble key Ks2 used when the distribution data (DII, DDB) is scrambled. The ECM-RMP decrypting means 31e decrypts the ECM-RMP, thereby scramble key Ks2. To extract.

The scramble key Ks2 decrypted by the ECM-RMP decrypting means 31e is output to the distribution data descrambling means 31f.
Note that the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P delivered by PSI / SI and the hash value (CAS-H) of the CAS program P are added to the ECM-RMP. In this case, the ECM-RMP decoding unit 31e outputs these identification information (CAS-ID, CAS-Ver, CAS-H) to the program starting unit 37.

  The delivery data descrambling means 31f descrambles (decrypts) the data carousel data (encrypted delivery data Scas) separated by the separating means 30 with the scramble key Ks2 decrypted by the ECM-RMP decrypting means 31e. is there. The distribution data (DII, DDB) cas descrambled by the distribution data descrambling means 31 f is output to the distribution data separating means 33.

The device key generation / update means 31g newly generates and updates a device key Kd for decrypting the individual information (EMM-RMP).
The device key generating / updating means 31g newly generates a device key Kd when a seed is notified from the EMM-RMP decrypting means 31d. Here, the device key generating / updating means 31g generates a pseudo random number as the device key Kd, for example, and generates a random number based on the seed. The random number generated in this way is stored in the storage unit 35 as a new device key Kd.
Further, the algorithm (random number generation algorithm) by which the device key generating / updating means 31g generates a device key is the same as the broadcaster's device key generating algorithm in advance.

  Here, the device key generating / updating means 31g is realized as a configuration inside the program executing means 31, that is, inside the CAS program. You may comprise as an intrinsic | native means. In this case, in order to prevent leakage of the device key generation algorithm, it is desirable that the device key generation / update means 31g is configured in a tamper resistant module (not shown).

The download table analysis means 32 analyzes the section format download table Td separated by the separation means 30 and determines whether the CAS program P is downloaded by broadcasting or communication.
Specifically, the download table analysis means 32 is a download content descriptor (see FIG. 9) indicating that the download is performed by broadcasting in the “descriptor () (descriptor)” area in the download table described in FIG. Whether a network download content descriptor (see FIG. 10) indicating that download is performed by communication is described based on the value of the descriptor tag.

  Here, when the download content descriptor is described in the download table Td, the download table analysis unit 32 performs filtering by the packet identification (PID) of the data carousel arranged in the PMT in the separation unit 30. An instruction is given to output the data in the data carousel to the distribution data descrambling means 31f. As a result, the separating means 30 separates and extracts the data carousel data (DII, DDB) from the MPEG-2 TS and outputs the data carousel data to the distribution data descrambling means 31f.

  On the other hand, when the network download content descriptor is described in the download table Td, the download table analysis unit 32 includes the URL or IP address of the communication server (CAS server 5) described in the network download content descriptor, and The identifier (CAS-ID) and version (CAS-Ver) of the CAS program described in the compatibility descriptor are output to the communication download means 38. As a result, the communication download means 38 starts downloading the CAS program P via the network (communication line N).

Note that the download table analysis unit 32, when the CAS program P corresponding to the identifier (CAS-ID) and version (CAS-Ver) described in the download table Td is already stored in the storage unit 35, Do not execute the download. Thereby, an unnecessary download operation can be eliminated.
Further, as described with reference to FIG. 8, the download table analysis unit 32 performs “target_version (target version)”, “new_version (new version)”, “download_level (download level)”, “version_indication (version display) of the download table Td. ) ", And whether or not download is possible may be determined.

The distribution data separation means 33 separates and extracts the CAS program P (encrypted CAS program P) from the data carousel data (distribution data cas) descrambled by the distribution data descrambling means 31f. .
That is, the distribution data separation means 33 is encrypted by concatenating data included in the DDB message from the DII message of the distribution data cas to the next DII message (data in the “blockDataByte” area in FIG. 6). The CAS program P is separated and extracted.

Further, the distribution data separating means 33 extracts the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P in the compatibility descriptor (“CAS_version” area in FIG. 5) in the DII message. , The signature value of the CAS program P in the DII message ("CAS_digital_signature" area in FIG. 5) is extracted.
The distribution data separation means 33 outputs the separated and extracted encrypted CAS program P, identifier (CAS-ID), version (CAS-Ver), and signature value to the program decryption means 34.

  The program decryption means 34 decrypts the encrypted CAS program P separated and extracted by the distribution data separation means 33 or the encrypted CAS program P downloaded via the communication download means 38. Here, the program decryption unit 34 includes an encryption / decryption unit 34a, a signature verification unit 34b, and a writing unit 34c.

The encryption / decryption unit 34a decrypts the encrypted CAS program P input from the distribution data separation unit 33 or the communication download unit 38 with the program encryption key Kpe. This program encryption key Kpe is the same key as that obtained by encrypting the CAS program P in the digital broadcast transmitting apparatus 1, and is a key decrypted by the EMM-RMP decrypting means 31d.
The decrypted CAS program P is output to the signature verification unit 34b.

The signature verification unit 34b verifies the digital signature added to the CAS program P input from the distribution data separation unit 33 or the communication download unit 38.
That is, the signature verification unit 34b generates a hash value of the CAS program P by a hash function common to the signature value calculation unit 13a (see FIG. 3). Then, the signature verification unit 34b decrypts the signature value of the CAS program P with the public key (verification key) Kpp included in the root public key certificate RPKC stored in the storage unit 35 or the tamper-resistant module (not shown). . If the decrypted value matches the hash value of the CAS program P, the signature verification unit 34b determines that the downloaded CAS program P is a genuine one that has not been tampered with.
The signature verification unit 34b outputs only the regular CAS program P to the writing unit 34c by verifying the downloaded CAS program P.

The writing unit 34c corresponds to the CAS program P input from the signature verification unit 34b with the identifier (CAS-ID) and version (CAS-Ver) of the CAS program P input from the distribution data separation unit 33 or the communication download unit 38. In addition, it is written in the storage means 35.
Thus, the program decryption means 34 writes and accumulates only the CAS program P that has not been tampered with or the like by verifying the signature of the downloaded CAS program P.

The storage means (program storage means) 35 stores a plurality of CAS programs P in association with identifiers (CAS-ID) and versions (CAS-Ver). For example, the storage unit 35 is a general storage medium such as a nonvolatile memory.
In this storage means 35, the CAS program P is written in association with the identifier (CAS-ID) and the version (CAS-Ver) by the writing means 34c of the program decoding means 34, and the program starting means 37 described later The CAS program P is retrieved and read using the identifier (CAS-ID) and version (CAS-Ver) as keys.
Note that at least one CAS program P is stored in advance in the storage means 35, and other CAS programs are downloaded.

The activation program specifying means 36 uses the CAT or PMT of PSI / SI (program arrangement information) separated by the separation means 30 to identify the CAS program P identifier (CAS-ID) and its version (CAS-Ver) as program designation information. ) To identify the CAS program P to be started.
The identifier (CAS-ID) and version (CAS-Ver) of the extracted CAS program P are output to the program starting means 37.

The program starting unit 37 reads the CAS program P specified by the starting program specifying unit 36 from the storage unit 35 and executes it.
The program starting unit 37 searches the storage unit 35 using the identifier (CAS-ID) and the version (CAS-Ver) notified from the starting program specifying unit 36 as keys, and reads the corresponding CAS program P. Then, the program activation unit 37 activates the read CAS program P as the program execution unit 31.
Note that the program activation unit 37 activates the CAS program P stored in advance in the storage unit 35 at the initial activation, that is, in a state where the CAS program P has not yet been downloaded.

Further, the program activation unit 37 includes an identifier (CAS-ID) and version (CAS-Ver) notified from the ECM-RMP decoding unit 31e, and an identifier (CAS-ID) and version notified from the activation program specifying unit 36. It is determined whether or not (CAS-Ver) matches. If they do not match, the CAS program is not started.
As a result, the program activation unit 37 uses the identifier (CAS-ID) and version (CAS-Ver) distributed by PSI / SI, and the identifier (CAS-ID) and version (CAS-Ver) transmitted by ECM-RMP. ), The identifier (CAS-ID) and version (CAS-Ver) distributed by PSI / SI are falsified, and it is possible to prevent the CAS program P from malfunctioning.

  Furthermore, the program starting unit 37 calculates the hash value of the read CAS program P, and the hash value matches the hash value (CAS-H) of the CAS program P notified from the ECM-RMP decoding unit 31e. If it does not match, the CAS program P is not started. As a result, it is possible to prevent the unauthorized CAS program P from being activated. Note that the hash function for calculating the hash value of the program activation unit 37 is the same as that on the transmission side of the CAS program P.

  The communication download means 38 downloads the CAS program P from the communication server notified from the download table analysis means 32 via the network (communication line N). The communication download means 38 is based on the URL or IP address of the communication server (CAS server 5) notified from the download table analysis means 32, and the identifier (CAS-ID) and version (CAS-Ver) of the CAS program. The CAS program is downloaded from the designated communication server (CAS server 5).

  The communication download unit 38 outputs the downloaded encrypted CAS program P and the identifier (CAS-ID) and version (CAS-Ver) notified from the download table analysis unit 32 to the program decryption unit 34. . A signature value is added to the CAS program P downloaded from the communication server (CAS server 5), and the communication download means 38 also outputs this signature value to the program decryption means 34.

By configuring the digital broadcast receiving apparatus 3 in this way, the digital broadcast receiving apparatus 3 can download the CAS program P by data carousel transmission. Further, even if the distribution of the CAS program P by the data carousel is completed, the CAS program P can be downloaded via the network (communication line N).
The digital broadcast receiving apparatus 3 can be operated by a program (CAS program receiving program) that causes a general computer to function as each of the means described above.

[Operation of digital broadcasting system]
Next, the operation of the digital broadcast system S according to the embodiment of the present invention will be described. Since the content distribution operation by the conditional access method is the same as that of the prior art, the description is omitted here, and the CAS program distribution / reception operation and the CAS program start operation are mainly described.

(CAS program distribution operation: digital broadcast transmitter)
First, with reference to FIG. 11 (refer to FIG. 2 and FIG. 3 as appropriate for the configuration), the operation of the digital broadcast transmitting apparatus 1 when the CAS program is distributed will be described.

First, the digital broadcast transmitting apparatus 1 uses the distribution data generation means 13 to convert the CAS program P transmitted by data carousel transmission into the data format of the data carousel, and generates distribution data (DII, DDB).
That is, the digital broadcast transmission apparatus 1 inputs the CAS program P from the outside by the signature value calculation unit 13a of the distribution data generation unit 13, and calculates the signature value of the digital signature of the CAS program P using the secret key Kps. (Step S1).

  Further, the digital broadcast transmitting apparatus 1 divides the CAS program P by the block size of the DDB message used when performing the data carousel transmission by the dividing unit 13b (step S2). Then, the digital broadcast transmission device 1 encrypts the divided data divided in step S2 by the encryption unit 13c with the program encryption key Kpe common to the digital broadcast reception device 3 (step S3).

  Thereafter, the digital broadcast transmitting apparatus 1 arranges the signature value calculated in step S1, the identifier (CAS-ID) and the version (CAS-Ver) of the CAS program input from the outside, and the DII message (FIG. 5) and at the same time, the encrypted divided data encrypted in step S3 is arranged and a DDB message (see FIG. 6) is generated to generate data carousel data (distribution data) (step S4).

The digital broadcast transmitting apparatus 1 then scrambles (encrypts) the data carousel data generated in step S4 with the scramble key Ks2 by the distribution data scramble means 14 (step S5).
Then, the digital broadcast transmission device 1 encrypts the scramble key Ks2 used in step S5 with the transmission path protection key Kp by the ECM-RMP generation means 15, and common information (ECM common to all the digital broadcast reception devices 3). -RMP) is generated (step S6).

  Then, the digital broadcast transmitting apparatus 1 uses the device key selection unit 18 to select a device key Kd that has not been revoked among the device keys stored in the device key list storage unit 16 and a receiver identifier corresponding thereto. RIDs are sequentially selected (step S7).

Furthermore, the digital broadcast transmitting apparatus 1 uses the EMM-RMP generating unit 19 to program the encryption key Kpe used in step S3, the transmission path protection key Kp used in step S6,
The receiver identifier RID selected in step S7 and the root public key certificate RPKC including the public key (verification key) for verifying the digital signature corresponding to the secret key Kps used in step S1 are sequentially added in step S7. Encryption is performed with the device key Kd corresponding to the selected receiver identifier RID, and individual information (EMM-RMP) for each digital broadcast receiving apparatus 3 is generated (step S8).
When the device key Kd used in the digital broadcast receiving device 3 is updated, the device key update control information KDc including the seed may be included in the individual information (EMM-RMP) in step S8.

  Then, the digital broadcast transmitting apparatus 1 uses the download table generating means 20 to download a table Td (see FIG. 8) that is a section format table from information (download control information Dc) for specifying the CAS program P to be distributed. Is generated (step S9). Here, the CAS program is distributed by broadcasting, and a download descriptor (see FIG. 9) indicating that the CAS program by broadcasting is distributed is arranged in the download table Td.

Then, the digital broadcast transmission device 1 is generated by the multiplexing means 22 in the data carousel data (encrypted distribution data) scrambled in step S5, the ECM-RMP generated in step S6, and generated in step S8. The EMM-RMP and the download table Td generated in step S9 are multiplexed to generate a multiplexed signal (MPEG-2 TS) and transmit it (step S10).
Through the above operation, the digital broadcast transmitting apparatus 1 can distribute the CAS program P by the data carousel.

(Receiving operation of CAS program: digital broadcast receiving device)
Next, referring to FIG. 12 (refer to FIG. 4 as appropriate for the configuration), the operation of the digital broadcast receiving apparatus 3 at the time of CAS program distribution will be described. Note that the digital broadcast receiving apparatus 3 stores at least one CAS program P in the storage unit 35 in advance even when the CAS program P has not been downloaded. It is assumed that the program is started by the program starting unit 37 and is operating as the program executing unit 31.

  In this state, the digital broadcast receiving apparatus 3 receives the multiplexed signal (MPEG-2 TS) transmitted from the digital broadcast transmitting apparatus 1 and separates it into each signal by the separating means 30 (step S11).

Then, the digital broadcast receiving apparatus 3 decrypts the EMM-RMP (individual information) separated by the separating means 30 by the EMM-RMP decrypting means 31d with the device key Kd, and the transmission path protection key Kp and the program encryption The key Kpe, the receiver identifier RID, and the root public key certificate RPKC are extracted (step S12).
The program encryption key Kpe and the public key (verification key) Kpp included in the root public key certificate RPKC are stored in the storage unit 35. When the device key update control information KDc is included in the EMM-RMP (individual information), the device key generation / update unit 31g generates a new device key Kd and stores it in the storage unit 35.

  Further, the digital broadcast receiving apparatus 3 uses the ECM-RMP decrypting unit 31e to decrypt the ECM-RMP (common information) separated by the separating unit 30 with the transmission path protection key Kp decrypted (extracted) in step S12. Then, the scramble key Ks2 is extracted (step S13).

  Thereafter, the digital broadcast receiving apparatus 3 analyzes the download table Td in the section format separated by the separating means 30 by the download table analyzing means 32 (step S14), and download content descriptor ( It is determined whether or not a network download content descriptor (see FIG. 10) is described (see FIG. 9) (step S15).

  In this step S15, when the download content descriptor is described in the descriptor area (“broadcast”), the digital broadcast receiving apparatus 3 performs the data carousel by the separating means 30 in response to an instruction from the download table analyzing means 32. Data (encrypted distribution data) is separated and extracted (step S16).

  Then, the digital broadcast receiving apparatus 3 uses the distribution data descrambling means 31f to extract the data carousel data (encrypted distribution data; DII, DDB) separated and extracted in step S16 with the scramble key Ks2 extracted in step S13. Descrambling (decoding) is performed (step S17).

  Then, the digital broadcast receiving device 3 separates and extracts the CAS program P (encrypted CAS program P) from the data carousel data descrambled in step S17 by the distribution data separating means 33 (step S18). ). That is, in this step S18, the distribution data separating means 33 reconstructs the encrypted CAS program P by concatenating the data of each block of the DDB message. At this time, the distribution data separation means 33 acquires the signature value, identifier (CAS-ID) and version (CAS-Ver) of the CAS program P from the DII message.

  On the other hand, in step S15, when the network download content descriptor is described in the descriptor area (“communication”), the digital broadcast receiving device 3 is described in the network download content descriptor by the communication download means 38. The encrypted CAS program P is acquired from the existing communication server (CAS server 5) via the communication line N (step S19). It is assumed that a signature (signature value), an identifier (CAS-ID), and a version (CAS-Ver) are added to the CAS program P acquired from the CAS server 5.

  Then, the digital broadcast receiving apparatus 3 uses the encryption / decryption means 34a of the program decryption means 34 to obtain the (encrypted) CAS program separated and extracted in step S18 or the (encrypted) CAS program acquired in step S19 in step S12. And decrypted with the stored program encryption key Kpe (step S20).

  Further, the digital broadcast receiving apparatus 3 performs signature verification of the CAS program decrypted in step S20 by the signature verification unit 34b (step S21). That is, the signature verification unit 34b decrypts the signature value added to the CAS program with the public key (verification key) Kpp included in the root public key certificate RPKC extracted in step S12, and matches the hash value of the CAS program. The CAS program is verified depending on whether or not to do so.

If there is no problem in the verification result in step S21, the digital broadcast receiving apparatus 3 stores the CAS program P decrypted in step S20 by the writing unit 34c in the storage unit 35 with the identifier (CAS-ID) and version. It is written and stored in association with (CAS-Ver) (step S22).
Through the above-described operation, the digital broadcast receiving apparatus 3 can download the CAS program P in an encrypted and digitally signed state, and can prevent fraud with respect to the CAS program.

(CAS program start instruction operation: digital broadcast transmitter)
Next, referring to FIG. 13 (refer to FIG. 2 as appropriate for the configuration), the operation of the digital broadcast transmitting apparatus 1 for starting up the CAS program P designated by the digital broadcast receiving apparatus 3 will be described.

  First, the digital broadcast transmitting apparatus 1 uses the ECM-RMP generating means 15 to identify the CAS program P to be activated (CAS-ID), the version (CAS-Ver), and the hash value (CAS-H) of the CAS program P. Is encrypted with the transmission path protection key Kp, and common information (ECM-RMP) common to all the digital broadcast receiving apparatuses 3 is generated (step S31).

In the digital broadcast transmitting apparatus 1, the device key selecting unit 18 sequentially selects device keys Kd that have not been revoked from among the device keys stored in the device key list storage unit 16 (step S32).
Also, the digital broadcast transmitting apparatus 1 encrypts the transmission path protection key Kp used in step S31 with the device key Kd sequentially selected in step S32 by the EMM-RMP generation means 19, and for each digital broadcast receiving apparatus 3. Individual information (EMM-RMP) is generated (step S33).

Further, the digital broadcast transmitting apparatus 1 uses the activation program designating means 21 as information (program designation information) for designating the CAS program P to be activated, as an identifier (CAS-ID) and version (CAS-ID) of the CAS program P. Ver) is placed in the PSI / SI CAT or PMT (step S34).
Then, the digital broadcast transmitting apparatus 1 uses the multiplexing means 22 to generate the ECM-RMP generated in step S31, the EMM-RMP generated in step S33, and the PSI / SI in which the identifier and the like are arranged in step S34. Are multiplexed and a multiplexed signal (MPEG-2 TS) is generated and transmitted (step S35).

  Through the above operation, the digital broadcast transmitting apparatus 1 can specify the CAS program P to be started by the program specifying information arranged in the PSI / SI. Also, the digital broadcast transmitting apparatus 1 uses the ECM-P for the CAS program P identifier (CAS-ID) and version (CAS-Ver) designated by the program designation information and the hash value (CAS-H) of the CAS program P. By transmitting to the digital broadcast receiver 3 by RMP, it is possible to verify the consistency of the identifier (CAS-ID) and version (CAS-Ver) and the validity of the CAS program P in the digital broadcast receiver 3. become.

(CAS program start-up operation: digital broadcast receiver)
Next, referring to FIG. 14 (refer to FIG. 4 as appropriate for the configuration), the operation of the digital broadcast receiving apparatus 3 that activates the CAS program P designated by the digital broadcast transmitting apparatus 1 will be described.

First, the digital broadcast receiving apparatus 3 receives the multiplexed signal (MPEG-2 TS) transmitted from the digital broadcast transmitting apparatus 1, and separates it into each signal by the separating means 30 (step S41).
Then, the digital broadcast receiving apparatus 3 uses the activation program specifying means 36 to determine the CAS program P identifier (CAS-ID) and its version (CAS) from the CAT or PMT of PSI / SI (program sequence information). -Ver) is extracted (step S42).

  Then, the digital broadcast receiving apparatus 3 uses the EMM-RMP decrypting means 31d to decrypt the EMM-RMP (individual information) separated in step S41 with the device key Kd and extract the transmission path protection key Kp (step S43). ).

  Further, the digital broadcast receiving apparatus 3 uses the ECM-RMP decrypting means 31e to decrypt the ECM-RMP (common information) separated in step S41 with the transmission path protection key Kp decrypted (extracted) in step S43, and to create a CAS program. The identifier (CAS-ID) and version (CAS-Ver) and the hash value (CAS-H) of the CAS program are extracted (step S44).

Then, the digital broadcast receiving apparatus 3 uses the program activation unit 37 to identify the identifier (CAS-ID) and version (CAS-Ver) extracted in step S42 and the identifier (CAS-ID) and version (CAS) extracted in step S44. -Ver) are determined to match each other (step S45).
Here, when the identifier (CAS-ID) and the version (CAS-Ver) do not match (No in step S45), the digital broadcast receiving device 3 ends the start operation of the instructed CAS program P.

  On the other hand, when the identifier (CAS-ID) and the version (CAS-Ver) match (Yes in step S45), the digital broadcast receiving device 3 instructs the activation stored in the storage unit 35 by the program activation unit 37. The hash value of the CAS program P thus obtained is calculated (step S46), and it is determined whether or not it matches the hash value (CAS-H) of the CAS program P extracted in step S44 (step S47).

Here, if the hash values do not match (No in step S47), the digital broadcast receiving apparatus 3 ends the activation operation of the instructed CAS program P.
On the other hand, if the hash values match (Yes in step S47), the digital broadcast receiving device 3 reads the designated CAS program P from the storage unit 35 by the program activation unit 37 and activates it as the program execution unit 31. (Step S48).

  Through the above operation, the digital broadcast receiving device 3 can activate the CAS program P designated by the digital broadcast transmitting device 1. At this time, the digital broadcast receiving device 3 uses the identifier (CAS-ID), version (CAS-Ver), and hash value (CAS-H) of the CAS program P notified by ECM-RMP (common information). It is possible to start only a regular CAS program that is in the specified correct version and has not been tampered with.

As described above, according to the present invention, the CAS program P can be distributed from the digital broadcast transmitting apparatus 1 to the digital broadcast receiving apparatus 3 at high speed by data carousel transmission. As a result, even if the security of the function related to access control in the CAS program P is broken, the CAS program P with the changed security function can be distributed, so that the influence when the security is broken is minimized. Can be suppressed.
Further, according to the present invention, even when the distribution of the CAS program P by broadcasting is completed, the CAS program P can be distributed through the communication line, and the use of the broadcast band can be completed in a short period of time. Can do.

  Further, according to the present invention, when the CAS program P is distributed in the data carousel, the CAS program P can be prevented from being falsified by the verification. Further, according to the present invention, when the digital broadcast transmitting apparatus 1 designates the CAS program P to be activated, the digital broadcast receiving apparatus 3 can check the consistency of the version, etc. Since the validity of the program P can be checked by the hash value, fraud with respect to the CAS program P to be started can be prevented.

  Further, according to the present invention, even when the device key Kd and the program encryption key Kpe are leaked, after updating the transmission path protection key Kp and the program encryption key Kpe, the CAS program is updated and broadcast or By distributing by communication, the use of the digital broadcast receiving apparatus 3 that is the source of leakage of the device key Kd can be stopped (revoked). As a result, leakage of a new CAS program can be prevented.

  Further, according to the present invention, the CAS program P to be activated can be switched from the digital broadcast transmitting apparatus 1 by PSI / SI, and the broadcaster can select the CAS program P according to the service provided. It becomes possible.

S Digital Broadcasting System 1 Digital Broadcasting Transmitter 10 Content Scrambling Unit 11 ECM-CAS Generation Unit 12 EMM-CAS Generation Unit 13 Distribution Data Generation Unit 13a Signature Value Calculation Unit 13b Division Unit 13c Encryption Unit 13d Data Carousel Data Generation Unit 14 Distribution data scramble means 15 ECM-RMP generation means (common information generation means)
16 Device key list storage means 17 Invalid setting means 18 Device key selection means 19 EMM-RMP generation means (individual information generation means)
20 download table generation means 21 start program designation means 22 multiplexing means 3 digital broadcast receiver 30 separation means 21 program execution means 31a EMM-CAS decoding means 31b ECM-CAS decoding means 31c content descrambling means 31d EMM-RMP decoding means ( Individual information decoding means)
31e ECM-RMP decoding means (common information decoding means)
31f Distribution data descrambling means 31g Device key generation / update means 32 Download table analysis means 33 Distribution data separation means 34 Program decryption means 34a Encryption decryption means 34b Signature verification means 34c Write means 35 Storage means (program storage means)
36 starting program specifying means 37 program starting means 38 communication downloading means 5 CAS server

Claims (13)

A digital broadcast transmitting apparatus that transmits an access control program for controlling access to content transmitted via a broadcast wave to a digital broadcast receiving apparatus,
A device key list storage means for storing a device key unique to the digital broadcast receiving apparatus and information indicating whether the device key is valid or invalid;
An invalid setting means for setting a corresponding device key stored in the device key list storage means as an invalid key by being instructed from the outside to invalidate a specific device key;
The digital broadcast receiver encrypts the access control program for distribution with a common program encryption key and adds identification information for identifying the access control program to generate distribution data in a data carousel data format Distribution data generation means for
A distribution data scramble means for encrypting the distribution data generated by the distribution data generation means with a scramble key and generating encrypted distribution data;
Common information generating means for encrypting the scramble key with a transmission path protection key to be transmitted to the digital broadcast receiver, and generating common information common to the digital broadcast receiver;
Device key selection means for selecting a device key set as a valid key from the device key list storage means for each digital broadcast receiving device;
Individual information generating means for encrypting the transmission path protection key and the program encryption key with the device key selected by the device key selecting means, and generating individual information for each digital broadcast receiving device;
A download table generating means for adding an identifier indicating that the access control program for distribution is transmitted by the data carousel, and generating a download table including the identification information;
Activation program specifying means for arranging second identification information for specifying an access control program for activation in an information table of PSI / SI as program arrangement information;
Multiplexing that multiplexes the encrypted delivery data, the common information, the individual information, the download table, and the information table of the program arrangement information to generate a multiplexed signal to be transmitted to the digital broadcast receiving device And
A digital broadcast transmitting apparatus comprising: The delivery data generating means
Signature value calculation means for calculating a signature value of a digital signature using a secret key for the distribution access control program,
Dividing means for dividing the access control program for distribution into block sizes of the data carousel;
Encryption means for encrypting the divided data divided by the dividing means with the program encryption key to generate encrypted divided data;
A data carousel for generating the distribution data by generating a DII message including the signature value and the identification information and generating a DDB message including the encrypted divided data for each encrypted divided data Data generating means,
2. The digital broadcast transmission apparatus according to claim 1, wherein the individual information generating unit generates the individual information by further adding a root public key certificate including a verification key corresponding to the secret key.   3. The individual information generation unit generates the individual information by further adding a seed that is a parameter for updating a device key held by the digital broadcast receiving apparatus. The digital broadcast transmission device described.   2. The common information generating means further generates the common information by adding a hash value obtained by calculating the distribution access control program using a hash function common to the digital broadcast receiving apparatus. The digital broadcast transmission apparatus according to claim 3.   5. The digital broadcast transmission apparatus according to claim 1, wherein the common information generation unit generates the common information by further adding the second identification information. 6.   The download table generating means replaces the distribution access control program via a communication line instead of an identifier indicating that the distribution access control program is transmitted by the data carousel according to an instruction from the outside. The digital broadcast transmitting apparatus according to claim 1, wherein the download table including an identifier indicating acquisition from a designated server is generated. In a digital broadcast receiving apparatus that performs access control to content transmitted via broadcast waves by an access control program,
After the access control program is divided and encrypted with a program encryption key, the encrypted distribution data obtained by further encrypting the distribution data in the data carousel data format with the scramble key, and the scramble key with the transmission path protection key Common information generated by encryption, individual information generated by encrypting the transmission path protection key and the program encryption key with a device key, an identifier indicating that the access control program is transmitted by the data carousel, and the access control Each information is separated from the multiplexed signal including the download table including the identification information for identifying the program and the information table of the program arrangement information including the second identification information for identifying the access control program for activation. Separating means;
Download table analysis means for determining that the access control program is transmitted in the data carousel by the identifier described in the download table;
Individual information decrypting means for decrypting the individual information with a device key common to the digital broadcast transmitting apparatus and obtaining the transmission path protection key and the program encryption key;
Common information decryption means for decrypting the common information with the transmission path protection key obtained by the individual information decryption means and obtaining the scramble key;
Distribution data descrambling means for decrypting data of the data carousel with the scramble key after detecting that the access control program is transmitted by the data carousel in the download table analysis means;
Distribution data separating means for separating the encrypted access control program and identification information for identifying the access control program from the distribution data in the data format of the data carousel decrypted by the distribution data descrambling means;
Program decryption means for decrypting the encrypted access control program with a program encryption key acquired by the individual information decryption means;
Program storage means for storing the access control program decoded by the program decoding means in association with the identification information;
An activation program specifying means for extracting the second identification information from the information table;
An access control program corresponding to the second identification information extracted by the activation program specifying means, read from the program storage means and activated, and program activation means;
A digital broadcast receiving apparatus comprising: The distribution data is appended with a signature value of a digital signature generated using a private key of the digital broadcast transmitting apparatus, and the individual information includes a root public key certificate including a verification key corresponding to the private key Is added,
The individual information decryption means extracts the root public key certificate from the individual information,
8. The digital broadcast receiving apparatus according to claim 7, wherein the program decrypting unit includes a signature verifying unit that verifies the signature value by using a verification key included in the root public key certificate. apparatus. A device key generating / updating unit for generating and updating the device key;
The device key generation / update means generates a device key based on the seed when the individual information includes a seed that is a parameter for updating the device key, and the digital broadcast receiving apparatus The digital broadcast receiving apparatus according to claim 7, wherein the device key used in the update is updated. In the common information, a hash value obtained by calculating the access control program with a hash function common to the digital broadcast receiving device is further added,
The common information decoding means extracts the hash value from the common information,
The program starting means calculates a hash value of an access control program stored in the program storage means corresponding to the second identification information extracted by the starting program specifying means, and a hash value extracted from the common information The digital broadcast receiving apparatus according to any one of claims 7 to 9, wherein the access control program is started when the two coincide with each other. The common information includes the second identification information for identifying an access control program for activation,
The common information decoding means extracts the second identification information from the common information;
When the second identification information extracted from the common information matches the second identification information extracted by the activation program specifying means, the program activation unit corresponds to the second identification information. The digital broadcast receiving apparatus according to any one of claims 7 to 10, wherein an access control program stored in the storage unit is activated. In the download table, one of an identifier indicating that the access control program is transmitted by the data carousel and an identifier indicating that the access control program is acquired from a server designated via a communication line Is described,
When the download table describes an identifier indicating that the access control program is acquired from the server, the download table further includes communication download means for acquiring the access control program encrypted from the server. The digital broadcast receiver according to any one of claims 7 to 11. An access control program for controlling access to the content is configured from the digital broadcast transmission device, which comprises a digital broadcast transmission device for transmitting content via a broadcast wave and a digital broadcast reception device for receiving the content. A digital broadcast system for transmitting to the digital broadcast receiver,
The digital broadcast transmission device includes:
A device key list storage means for storing a device key unique to the digital broadcast receiving apparatus and information indicating whether the device key is valid or invalid;
An invalid setting means for setting a corresponding device key stored in the device key list storage means as an invalid key by being instructed from the outside to invalidate a specific device key;
The digital broadcast receiver encrypts the access control program for distribution with a common program encryption key and adds identification information for identifying the access control program to generate distribution data in a data carousel data format Distribution data generation means for
A distribution data scramble means for encrypting the distribution data generated by the distribution data generation means with a scramble key and generating encrypted distribution data;
Common information generating means for encrypting the scramble key with a transmission path protection key to be transmitted to the digital broadcast receiver, and generating common information common to the digital broadcast receiver;
Device key selection means for selecting a device key set as a valid key from the device key list storage means for each digital broadcast receiving device;
Individual information generating means for encrypting the transmission path protection key and the program encryption key with the device key selected by the device key selecting means, and generating individual information for each digital broadcast receiving device;
A download table generating means for adding an identifier indicating that the access control program for distribution is transmitted by the data carousel, and generating a download table including the identification information;
Activation program specifying means for arranging second identification information for specifying an access control program for activation in an information table of PSI / SI as program arrangement information;
Multiplexing that multiplexes the encrypted delivery data, the common information, the individual information, the download table, and the information table of the program arrangement information to generate a multiplexed signal to be transmitted to the digital broadcast receiving device And means for
The digital broadcast receiving apparatus includes:
Separating means for separating the encrypted distribution data, the common information, the individual information, the download table, and the information table of the program arrangement information from the multiplexed signal generated by the digital broadcast transmission device When,
Download table analysis means for determining that the access control program is transmitted in the data carousel by the identifier described in the download table;
Individual information decrypting means for decrypting the individual information with a device key common to the digital broadcast transmitting apparatus and obtaining the transmission path protection key and the program encryption key;
Common information decryption means for decrypting the common information with the transmission path protection key obtained by the individual information decryption means and obtaining the scramble key;
Distribution data descrambling means for decrypting data of the data carousel with the scramble key after detecting that the access control program is transmitted by the data carousel in the download table analysis means;
Distribution data separating means for separating the encrypted access control program and identification information for identifying the access control program from the distribution data in the data format of the data carousel decrypted by the distribution data descrambling means;
Program decryption means for decrypting the encrypted access control program with a program encryption key acquired by the individual information decryption means;
Program storage means for storing the access control program decoded by the program decoding means in association with the identification information;
An activation program specifying means for extracting the second identification information from the information table;
An access control program corresponding to the second identification information extracted by the activation program specifying means, read from the program storage means and activated, and program activation means;
A digital broadcasting system comprising:

Images