JP4658814B2 - Digital broadcast receiver, content providing apparatus, and authentication management apparatus - Google Patents

Description

  The present invention relates to a digital broadcast receiver, a content providing apparatus, and an authentication management apparatus that enable cooperation between network communication and digital broadcasting.

  2. Description of the Related Art Conventionally, a digital broadcast receiver has a network communication function, and a viewer participation type broadcast program using this function and services such as shopping are provided. In the future server-type broadcasting, the provision of various new services that combine metadata, stored content, and communication content using digital broadcast reception, storage, and communication functions is being considered. As one of them, a service for linking a service for a member (shopping site, movie distribution site, etc.) provided by a service provider (hereinafter referred to as SP) on a communication network and broadcasting has been proposed. In order for a digital broadcast viewer (a user of a digital broadcast receiver) to use such a limited service for members, for example, a user ID such as a member number and A combination of passwords (authentication data) will be presented (authentication procedure). When the user is authenticated, the user can use a desired service.

  In addition, using a normal personal computer (PC), etc., only presenting the authentication data once on the communication network allows only the user who presented the authentication data beyond the boundaries of the application or company. Single Sign-On is known as a technology that can use all the services that are provided (see, for example, Patent Document 1).

In the single sign-on system disclosed in Patent Document 1, when a content providing apparatus (web server) authenticates authentication data acquired from a user's PC as a result of verification, an individual possessed corresponding to the authentication data The customer code is given an expiration date, a cookie including these is generated, and transmitted along with the web page requested from the PC. Then, the PC stores the received cookie. Subsequently, when the user accesses the web server from the PC, the web server determines that the user has been authenticated and distributes the requested web page. Furthermore, if the user subsequently accesses another web server, the other web server requests a cookie stored in the PC, and if the expiration date of the personal customer code included in the acquired cookie is valid. Assuming that the user has been authenticated, the requested web page is distributed to the PC without performing an authentication procedure with the user.
JP 2003-323409 A (paragraphs 0018 to 0029, FIG. 3)

  Since an ordinary PC is equipped with input means such as a mouse and a keyboard as standard, an authentication ID such as a user ID and a password can be input relatively easily. However, since the digital broadcast receiver mainly has a function as a television, a user usually operates an attached remote controller in order to realize various functions of the digital broadcast receiver. This remote control is required to have a large operation button so that it can be easily seen by the elderly and the like, and a small number of operation buttons so that it can be easily handled. And, there is a problem that it takes a lot of time to input characters and numbers indicating the user ID and password with the operation buttons of the remote control.

  The digital broadcast receiver is limited to functions specialized in broadcasting, and the browser function is also targeted for BML (Broadcast Markup Language), which is a page description language for data broadcasting. For this reason, mounting a cookie as disclosed in Patent Document 1 is not assumed. However, there is a demand for a digital broadcast receiver that can realize processing similar to single sign-on in a PC.

  The present invention has been made in view of the above problems, and provides a digital broadcast receiver, a content providing apparatus, and an authentication management apparatus capable of reducing the number of operations required for an authentication procedure. Objective.

  The present invention was devised to achieve the above object. First, a digital broadcast receiver according to claim 1 is provided for a broadcast receiving means for receiving a digital broadcast and a device connected to a network. In a digital broadcast receiver having network communication means for communicating with each other, content request generation means, limited reception information extraction means, identification information storage means, authentication data generation means, authentication data output means, and content acquisition Means.

  According to such a configuration, the digital broadcast receiver generates a content request for requesting content that requires user authentication from the content providing apparatus, which is the device connected to the network, by the content request generating unit. To do. Here, the content providing device provides content including various services. For example, there are a plurality of service providing devices such as a web server that operates a website. The digital broadcast receiver may directly transmit the generated content request to the content providing apparatus, or may indirectly transmit the content request via, for example, a proxy server. Then, the digital broadcast receiver extracts the limited reception information multiplexed in advance on the digital broadcast broadcast data by the limited reception information extraction means, and identifies the user of the digital broadcast receiver in the identification information storage means Store information. Here, the limited reception information is information for limited reception of digital broadcasting, and is key information such as a work key Kw, a scramble key Ks, and a content key Kc, for example. The identification information may be information for identifying the digital broadcast receiver main body, and in this case, is information stored in the CAS card. That is, the identification information storage means may be detachable from the digital broadcast receiver. If there are a plurality of users of the digital broadcast receiver, identification information of each user is stored in the identification information storage means.

  Then, the digital broadcast receiver uses the authentication data generation means to set the identification information stored in the identification information storage means as authentication data for authenticating the user, or the limited reception information extraction means. The authentication data is generated based on the extracted limited reception information and the identification information stored in the identification information storage means. Here, the authentication data is generated at a timing when the user of the digital broadcast receiver performs an operation indicating an instruction to generate the authentication data. For example, when the digital broadcast receiver acquires a request message for authentication data from the content providing apparatus, the user who sees it performs an operation. Further, the authentication data is one or a plurality of data, and in the case of a plurality of data, the data may include fixed data. For example, the authentication data includes a user ID and a password. The method for generating authentication data is arbitrary, and information other than limited reception information and identification information may be combined.

  The digital broadcast receiver outputs the authentication data generated by the authentication data generation means by the authentication data output means. Here, the authentication data output means may output the authentication data when acquiring a message requesting the authentication data, or may output the authentication data at the same timing as the content request. Then, the digital broadcast receiver acquires content corresponding to the content request by the content acquisition means.

  According to a second aspect of the present invention, there is provided a digital broadcast receiver comprising: a broadcast receiving means for receiving a digital broadcast; and a network communication means for communicating with a device connected to a network. Means, content request generation means, conditional access information extraction means, identification information storage means, authentication data generation means, authentication data output means, authentication message acquisition means, content acquisition means, and authentication result transmission Means.

  According to such a configuration, when the digital broadcast receiver is connected to the network for the first time by the SSO request generation unit, the digital broadcast receiver performs single sign-on to the content providing apparatus that is the device connected to the network. Generate an SSO request. Then, the digital broadcast receiver generates a content request for requesting content that requires user authentication from the content providing device by using the content request generating means. Here, the digital broadcast receiver generates an SSO request and a content request for the content providing apparatus connected for the first time, and only a content request for the content providing apparatus connected for the second time or later by single sign-on. Is generated. This is because the content providing device connected for the first time performs authentication by the verification process of the authentication data, whereas the content providing device connected for the second time or later by single sign-on is the result of inquiring to a third party. This is for authentication. In addition, in the case of “connecting for the second time or later by single sign-on”, the content connected for the first time while maintaining the network connection, not after turning off the power of the digital broadcasting receiver or releasing the network connection The providing device means communication connection to another content providing device.

  Then, the digital broadcast receiver extracts the limited reception information multiplexed in advance on the digital broadcast broadcast data by the limited reception information extraction means, and identifies the user of the digital broadcast receiver in the identification information storage means Store information. Then, the digital broadcast receiver uses the authentication data generation means to set the identification information stored in the identification information storage means as authentication data for authenticating the user, or the limited reception information extraction means. The authentication data is generated based on the extracted limited reception information and the identification information stored in the identification information storage means. Here, when the digital broadcast receiver acquires the authentication data request message from the content providing apparatus connected for the first time, the user who sees it performs an operation indicating an instruction to generate the authentication data. Further, since the content providing apparatus connected for the second time or later by single sign-on makes an inquiry to a third party for authentication, it does not request authentication data from the digital broadcast receiver. There is no need to generate authentication data at the receiver.

  Then, the digital broadcast receiver outputs the authentication data generated by the authentication data generation means to the content providing apparatus by the authentication data output means. Specifically, the digital broadcast receiver outputs authentication data to the content providing apparatus connected for the first time. Here, the authentication data output means may output the authentication data when acquiring a message requesting the authentication data, or may output the authentication data at the same timing as the content request. Then, the digital broadcast receiver acquires an authentication message corresponding to the authentication data from the content providing apparatus by an authentication message acquisition unit. Then, the digital broadcast receiver acquires content corresponding to the content request by the content acquisition means.

  Then, the digital broadcast receiver uses an authentication result transmitting unit to connect an authentication result based on the authentication message acquired by the authentication message acquiring unit to a third party for realizing single sign-on connected to the network. To the authentication management device. Here, the digital broadcast receiver transmits the authentication result both when authenticated by the content providing apparatus connected for the first time and when authenticated by the content providing apparatus connected for the second time and thereafter by single sign-on. Thereby, the authentication management apparatus can respond to an inquiry from the content providing apparatus connected for the second time or later by single sign-on.

  A content providing device according to claim 3 is a content providing device that is connected to the digital broadcast receiver according to claim 1 via a network and provides content that requires user authentication. An acquisition unit, an authentication data acquisition unit, a registration information storage unit, a determination unit, an authentication message generation unit, and a content distribution unit are provided.

  According to this configuration, the content providing apparatus acquires the content request from the digital broadcast receiver by the content request acquisition unit, and acquires the authentication data from the digital broadcast receiver by the authentication data acquisition unit. . Then, the content providing apparatus has registered information in which authentication data generated by the digital broadcast receiver is stored in advance as user registration information based on the authentication data acquired by the authentication data acquisition unit by the determination unit. It is determined whether or not to authenticate the user with reference to the storage means. The content providing device generates an authentication message when the authentication message generation unit determines that the user is authenticated by the determination unit, and when the authentication message is generated, the content distribution unit generates the authentication message. Content based on the content request acquired by the request acquisition means is distributed to the digital broadcast receiver. Note that authentication request generation means for generating a request message for authentication data for authenticating the user may be provided.

  According to a fourth aspect of the present invention, there is provided a content providing apparatus that is connected to the digital broadcast receiver according to the first aspect via a network and provides content that requires user authentication. An acquisition unit, a connection instruction unit, a certification request generation unit, a certificate acquisition unit, and a content distribution unit are provided.

  According to this configuration, the content providing apparatus acquires the content request from the digital broadcast receiver by the content request acquisition unit. Then, when the content request is acquired by the connection instruction unit, the content providing device instructs the digital broadcast receiver to switch the connection to the authentication management device by redirection. Then, the content providing apparatus uses the certification request generation means to provide a certificate for authenticating the user of the digital broadcast receiver as an authentication management apparatus that is connected to the network and becomes a third party for realizing single sign-on A certificate request for requesting the certificate is generated, and the certificate is acquired from the authentication management apparatus by a certificate acquisition unit. In other words, the content providing apparatus authenticates with the certificate issued by the authentication management apparatus without executing the collation process regarding the authentication data of the digital broadcast receiver. When the content distribution unit acquires the certificate by the content distribution unit, the content distribution unit distributes the content based on the content request acquired by the content request acquisition unit to the digital broadcast receiver.

  A content providing apparatus according to claim 5 is a content providing apparatus that is connected to the digital broadcast receiver according to claim 2 via a network and provides content that requires user authentication. An acquisition unit, a content request acquisition unit, an authentication request generation unit, an authentication data acquisition unit, an authentication inquiry generation unit, a registration information storage unit, a determination unit, an authentication message generation unit, and a content distribution unit I decided to prepare.

  According to this configuration, the content providing apparatus acquires the SSO request from the digital broadcast receiver by using an SSO request acquiring unit, and acquires the content request from the digital broadcast receiver using the content request acquiring unit. Here, the content providing device connected for the first time from the digital broadcast receiver acquires the SSO request and the content request, and the content providing device connected for the second time or later by single sign-on acquires only the content request. . This is because the content providing device connected for the first time performs authentication by the verification process of the authentication data, whereas the content providing device connected for the second time or later by single sign-on is the result of inquiring to a third party. This is for authentication.

  The content providing device generates an authentication request for requesting the authentication data when the SSO request and the content request are acquired by the authentication request generating unit, and the digital data is acquired by the authentication data acquiring unit. The authentication data is acquired from a broadcast receiver. Here, the SSO request and the content request are acquired by the content providing apparatus connected for the first time from the digital broadcast receiver. Then, the content providing device obtains the content request by the authentication query generation means and, when not obtaining the SSO request, an authentication query for referring the user of the digital broadcast receiver to the authentication management device. Is generated. Here, the content requesting apparatus that acquires the content request and does not acquire the SSO request is the content providing apparatus connected after the second time by single sign-on.

  Then, the content providing apparatus has registered information in which authentication data generated by the digital broadcast receiver is stored in advance as user registration information based on the authentication data acquired by the authentication data acquisition unit by the determination unit. It is determined whether or not to authenticate the user with reference to the storage means. Here, the registered information storage means refers to the content providing apparatus connected for the first time from the digital broadcast receiver. When the content providing device determines that the user is authenticated by the determining device by the authentication message generating device, or when receiving an authentication notification indicating that the user is authenticated from the authentication management device, Generate an authentication message. Here, it is the content providing apparatus that is connected for the first time from the digital broadcast receiver, and the authentication notification is received by the content providing apparatus that is connected for the second time or later by single sign-on. is there. Then, when the authentication message is generated by the content distribution unit, the content providing device distributes the content based on the content request acquired by the content request acquisition unit to the digital broadcast receiver.

  Further, an authentication management apparatus according to claim 6 is an authentication management apparatus that is connected to the digital broadcast receiver according to claim 1 via the network and serves as a third-party certification body that realizes single sign-on. The registration information storage unit, the authentication data acquisition unit, the determination unit, the authentication response output unit, the certification request acquisition unit, the certificate generation unit, and the certificate output unit are provided.

  According to this configuration, the authentication management apparatus acquires the authentication data from the digital broadcast receiver by the authentication data acquisition unit. Then, the authentication management device stores, in advance, authentication data generated by the digital broadcast receiver as user registration information when the authentication data is acquired by the authentication data acquisition unit by the determination unit. Based on the user registration information stored in the storage means, it is determined whether or not to authenticate the user. 5. The authentication management apparatus according to claim 4, wherein when the authentication response output unit determines that the user is authenticated by the authentication response output unit, the authentication management device displays an authentication response indicating that the user is authenticated. Output to the providing device. Thereby, the content providing apparatus recognizes that the digital broadcast receiver that has transmitted the content request is authenticated by the authentication management apparatus, and returns a certification request for a certificate to the authentication management apparatus. Then, the authentication management device acquires the certification request according to the authentication response from the content providing device by the certification request acquisition unit, and the user of the digital broadcast receiver has been authenticated by the certificate generation unit. A certificate that proves this is generated, and the certificate output unit outputs the certificate generated by the certificate generation unit. As a result, the content providing apparatus that has received the certificate distributes the content to the digital broadcast receiver.

  An authentication management apparatus according to claim 7 is an authentication management apparatus that is connected to the digital broadcast receiver according to claim 2 via the network and serves as a third party for realizing single sign-on. Thus, an authentication result acquisition unit, an authentication result storage unit, a determination unit, and an authentication notification output unit are provided.

  According to this configuration, the authentication management apparatus acquires the authentication result from the digital broadcast receiver by the authentication result acquisition unit. And an authentication result storage means for storing the authentication result acquired by the authentication result acquisition means for each user when the authentication inquiry is received from the content providing apparatus according to claim 5 by the determination means. Whether or not to authenticate the user is determined on the basis of the authentication result stored in. Here, the determination unit authenticates, for example, when the authentication result is registered in the authentication result storage unit or within a predetermined time (for example, 24 hours) after registration. Note that an authentication result that has passed a predetermined time (for example, 24 hours) after registration may be deleted from the authentication result registration unit. Then, when the authentication notification output means determines that the user is to be authenticated by the authentication notification output means, the authentication management apparatus outputs an authentication notification indicating that the user is authenticated to the content providing apparatus.

  According to the first or second aspect of the present invention, the authentication data is automatically generated by the operation indicating the authentication data generation instruction by the user, so that the user of the digital broadcast receiver receives the authentication data. There is no need to input characters or symbols to be shown. As a result, the number of operations required for the authentication procedure can be reduced and the usability is improved.

According to the invention described in claim 3 or claim 5 or claim 6, since the authentication data generated by the digital broadcast receiver is registered in advance, it is checked against the authentication data received from the digital broadcast receiver. can do. As a result, content limited to members can be protected from unauthorized accessers other than members.
According to the fourth aspect of the present invention, it is not necessary to previously register the authentication data generated by the digital broadcast receiver, so that the storage capacity can be reduced.

  According to the seventh aspect of the present invention, since the authentication result based on the authentication message is managed instead of the authentication data itself generated by the digital broadcast receiver, leakage of the authentication data can be prevented.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(First embodiment)
[Content reception system configuration]
FIG. 1 is a configuration diagram showing a configuration of a content receiving system including a digital broadcast receiver according to the first embodiment of the present invention. This content receiving system includes a digital broadcast receiver 1 and a content providing apparatus 100 connected to each other via a network N.

  The digital broadcast receiver 1 receives a digital broadcast program transmitted (transmitted) through a broadcast wave or a network N from a broadcaster (information provider, broadcast station) on the transmission side, and via a network N such as the Internet. To acquire various information. The digital broadcast receiver 1 is installed under a viewer who has signed a reception contract with a broadcaster. The digital broadcast program is scrambled so that it can be distributed only to users who have signed a reception contract, and the digital broadcast receiver 1 can release the scramble of the digital broadcast program (descrambling). it can).

  In addition to the tuner, the digital broadcast receiver 1 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), a HDD (Hard Disk Drive), and a communication interface. The CPU implements various functions to be described later by expanding a program stored in the HDD or the like in the RAM. The type of digital broadcasting may be any of BS (Broadcasting Satellite), CS (Communication Satellite), and terrestrial.

  The content providing apparatus 100 is connected to the digital broadcast receiver 1 via the network N, provides content that requires user authentication, and executes a verification process for authenticating the accessing user. The content providing apparatus 100 is, for example, a web server that operates a website (site), and includes a CPU, a ROM, a RAM, an HDD, and a communication interface. The CPU stores a program stored in the HDD or the like. Various functions to be described later are realized by developing in the RAM. This content providing apparatus 100 provides content that can be used only by a user registered (member) on the site. The content providing apparatus 100 is installed under a content distributor who operates a member-limited site that is a paid or free membership system.

  Here, the content refers to, for example, video (moving image, still image, CG image, character, etc.), audio (including synthesized audio), and the like, and hereinafter, the content includes a digital broadcast program. Specifically, the content includes video / audio content that is video and / or audio data, and data broadcast content that defines the configuration of the display screen. Here, the data broadcasting content is data described in BML (Broadcast Markup Language) which is a page description language for data broadcasting. The video / audio content is video and / or audio data (stream data) and is encoded by an encoding method such as MPEG2.

  The content distributor concludes a license agreement for becoming a member with respect to a person who intends to use the content of the member-only site. Specifically, the user of the digital broadcast receiver 1 performs user registration with the content distributor. That is, the user of the digital broadcast receiver 1 registers, for example, a user ID, password, name, address, telephone number, credit number, etc., which are authentication data. As a user registration method, for example, an existing method such as an application by mail such as a postcard or an application by online processing using an information processing terminal (personal computer, mobile phone, etc.) connectable to a network can be used. The digital broadcast receiver 1 may be used for user registration. Although only one content providing apparatus 100 is illustrated in FIG. 1, the content receiving system includes a plurality of content providing apparatuses 100 and a plurality of content distributors.

[Configuration of digital broadcast receiver]
FIG. 2 is a functional block diagram showing the configuration of the digital broadcast receiver shown in FIG.
As shown in FIG. 2, the digital broadcast receiver 1 includes a network communication unit 2, an authentication management unit 3, a reception data management unit 4, a broadcast reception unit 5, a key information extraction unit 6, and a key information storage. Means 7, identification information storage means 8, operation control means 9, storage means 10, switching means 11, content reproduction means 12, and display control means 13 are provided.

The network communication unit 2 transmits / receives various information to / from the content providing apparatus 100 (see FIG. 1) via the network N such as the Internet. Data acquired by the network communication unit 2 is output to the switching unit 11.
As shown in FIG. 2, the network communication unit 2 includes a content request transmission unit 21, an authentication request reception unit 22, an authentication data transmission unit 23, an authentication message reception unit 24, and a content reception unit 25. Yes.

The content request transmission unit (content request output unit) 21 transmits the content request generated by the content request generation unit 31 to the content providing apparatus 100.
The authentication request receiving unit 22 receives an authentication request for requesting user authentication.
The authentication data transmission unit (authentication data output unit) 23 transmits the authentication data generated by the authentication data generation unit 32 to the content providing apparatus 100.
The authentication message receiving means (authentication message obtaining means) 24 receives an authentication message indicating that authentication has been performed and a reject message indicating that authentication has not been performed.
The content receiving unit (content acquisition unit) 25 acquires content from the content providing apparatus 100.

  The broadcast receiving means 5 receives digital broadcast data (program data) transmitted via broadcast waves, and is a general digital broadcast tuner. The broadcast receiving unit 5 receives and demodulates broadcast data, performs error correction and TMCC (Transmission and Multiplexing Configuration Control) decoding, and outputs the result to the switching unit 11. In the program data broadcast by this digital broadcast, content and metadata are associated with each other.

The key information extraction means (limited reception information extraction means) 6 extracts key information from the broadcast data received by the broadcast reception means 5 and stores the extracted key information in the key information storage means 7. Here, the key information (limited reception information) is pre-multiplexed with the broadcast data of the digital broadcast. For example, a work key for encrypting the content key Kc or the scramble key Ks in contract units, group units, or the like. Kw.
The key information storage unit 7 stores the key information output by the key information extraction unit 6 and is a general recording medium such as a RAM or an HDD.

  The identification information storage means 8 stores identification information for identifying a user of the digital broadcast receiver 1 and is configured to be detachable from the digital broadcast receiver 1 to identify the main body of the digital broadcast receiver 1. An IC card such as a CAS (Conditional Access System) card.

The authentication management unit 3 executes processing necessary for authentication for acquiring member-limited content from the content providing apparatus 100, and includes a content request generation unit 31 and an authentication data generation unit 32.
The content request generation means 31 generates a content request that is a message for requesting content from the content providing apparatus 100 in response to an operation of the remote controller R.

  The authentication data generating unit 32 converts the key information stored in the key information storage unit 7 and the identification information stored in the identification information storage unit 8 via the operation control unit 9 according to the operation of the remote controller R. Based on this, authentication data for authenticating the user is generated. The authentication data includes, for example, a user ID and a password. In this case, the user ID is a fixed one stored in the identification information storage means 8 and a password is generated from the key information and the identification information. Here, the operation of the remote controller R does not mean that the user inputs a specific password using the remote controller R but, for example, selects a “display button for generating a password” displayed on the display device D. The operation buttons on the remote controller R are operated as described above. The method for generating a password by the authentication data generating means 32 is arbitrary, and a plurality of characters and numbers indicating the key information and a plurality of characters and numbers indicating the identification information are appropriately converted or multiplied. Can be generated. Further, the authentication data generated by the authentication data generation means 32 is stored in the content providing apparatus 100 in advance by user registration.

  The received data management unit 4 manages the content stored in the storage unit 10. Specifically, the reception data management unit 4 acquires the content output from the switching unit 11 and stores it in the storage unit 10. The received data management means 4 reads out the content requested from the content reproduction means 12 from the storage means 10 and outputs it to the content reproduction means 12. If the content is not accumulated in the accumulation means 10, the received data management means 4 switches the contents. The content is acquired from the content providing apparatus 100 via the network N by switching the means 11.

Further, the received data management means 4 includes an analysis means 41, a writing means 42, and a reading means 43 as shown in FIG.
The analyzing unit 41 analyzes data received by the broadcast receiving unit 5 or the network communication unit 2 and generates an instruction according to the contents of the data. For example, when the received data is an authentication message, an instruction for receiving, playing back or storing the distributed content is generated and output to each means.
The writing unit 42 stores the content received via the broadcast wave or the network N in the storage unit 10.
The reading unit 43 reads the content stored in the storage unit 10 and outputs it to the content reproduction unit 12.

  The operation control means 9 notifies the operation instruction (press signal (key code) corresponding to the operation key) input via the input means such as the remote controller R to the authentication management means 3, the reception data management means 4 and the like. is there. For example, the operation control unit 9 notifies the authentication management unit 3 of a key code corresponding to an arrow key or a determination key of the remote controller R, so that the content request generation unit 31 of the authentication management unit 3 generates a content request. . Here, the remote controller R is used as the input means, but this input means may be an operation button in the digital broadcast receiver 1 or a keyboard connected with a connection cord.

The storage unit 10 stores the content acquired by the received data management unit 4 and is a general recording medium such as an HDD. The storage means 10 stores content acquired via broadcast waves or the network N.
Based on an instruction from the received data management unit 4, the switching unit 11 switches whether the content is acquired from the broadcast station via the broadcast wave or from the content providing apparatus 100 via the network N. . The switching unit 11 outputs the acquired content to the received data management unit 4. When the viewer views the content during the broadcast time (Live), the acquired content is directly output to the content reproduction means 12.

  The content reproduction unit 12 reproduces the content stored in the storage unit 10 or the content that is viewed (live) during the broadcast time zone output from the switching unit 11. The content reproduced here is output (displayed) to the display device D via the display control means 13. This content reproduction means 12 analyzes the BML of the data broadcast content and converts it into viewable data, and reproduces video / audio content encoded by an encoding method such as MPEG2 (for example, Decoding).

  The display control unit 13 outputs drawing data, video data, audio data, and the like generated by the content reproduction unit 12 to the display device D. The display device D may be anything as long as it can display an image, such as a liquid crystal display or a CRT (Cathode Ray Tube). Here, it is assumed that the display device D includes a speaker or the like that outputs sound.

[Configuration of content providing device]
FIG. 3 is a functional block diagram showing the configuration of the content providing apparatus shown in FIG.
As shown in FIG. 3, the content providing apparatus 100 includes network communication means 120, storage means 140, and received data management means 160.

The network communication unit 120 transmits / receives various information to / from the digital broadcast receiver 1 (see FIG. 1) via the network N. Data acquired by the network communication unit 120 is output to the reception data management unit 160.
The network communication unit 120 includes a content request acquisition unit 121, an authentication request transmission unit 122, an authentication data acquisition unit 123, an authentication message transmission unit 124, and a content distribution unit 125.

The content request acquisition unit 121 acquires a content request from the digital broadcast receiver 1.
The authentication request transmission unit 122 transmits the authentication request generated by the authentication request generation unit 162 to the digital broadcast receiver 1.
The authentication data acquisition unit 123 acquires authentication data from the digital broadcast receiver 1.
The authentication message transmission unit 124 transmits the authentication message or the reject message generated by the authentication message generation unit 164 to the digital broadcast receiver 1.
The content distribution unit 125 transmits the content read by the content management unit 165 to the digital broadcast receiver 1.

The storage unit 140 includes, for example, a memory and an HDD, and includes a registration information storage unit 141 and a content storage unit 142. The registration information storage unit 141 stores authentication data generated by the digital broadcast receiver 1 as user registration information in advance, and is a general recording medium such as an HDD.
The content storage unit 142 stores video / audio content, which is video and / or audio data, and is a general recording medium such as an HDD.

  The received data management means 160 executes an authentication process based on the received data and distributes the content when the authentication is performed. As shown in FIG. 3, the received data analysis means 161 and the authentication request generation means 162, a determination unit 163, an authentication message generation unit 164, and a content management unit 165.

  The received data analysis unit 161 analyzes data received by the network communication unit 120 and gives instructions to the authentication request generation unit 162 and the determination unit 163 according to the contents of the data. When it is determined that the content request has been received as a result of the analysis, the received data analysis unit 161 gives an instruction to generate an authentication request to the authentication request generation unit 162 and sends the requested content to the content management unit 165. Notice. Further, when it is determined that the authentication data has been received as a result of the analysis, the reception data analysis unit 161 gives an instruction to the determination unit 163 to execute the determination process based on the received authentication data.

The authentication request generation unit 162 generates an authentication request that is a message for requesting the digital broadcast receiver 1 for authentication data based on an instruction from the reception data analysis unit 161.
The discriminating unit 163 discriminates whether or not the acquired authentication data is registered (authenticated) in the registration information storage unit 141 based on an instruction from the received data analyzing unit 161, and the discrimination result is generated as an authentication message. It outputs to the means 164.

  When it is determined by the determination unit 163 that the authentication message generation unit 164 has registered (authenticates), the authentication message generation unit 164 generates an authentication message indicating the fact. Further, the authentication message generation unit 164 generates a reject message indicating that it is not registered (not authenticated) by the determination unit 163. The authentication message generation unit 164 instructs the content management unit 165 to distribute / cancel the requested content.

  The content management unit 165 manages the content stored in the content storage unit 142. The content management unit 165 reads the content specified by the content request acquired from the received data analysis unit 161 from the content storage unit 142 based on an instruction from the authentication message generation unit 164 and outputs the content to the content distribution unit 125.

[Operation of content receiving system]
Next, the operation of the content receiving system will be described with reference to FIG. 4 (see FIGS. 2 and 3 as appropriate). FIG. 4 is a flowchart showing the operation of the content receiving system shown in FIG.

  As a precondition, the digital broadcast receiver 1 previously receives broadcast data of the digital broadcast by the broadcast receiving means 5 (broadcast reception step), and the received broadcast data (data broadcast content, video / audio content and metadata). ), Drawing data, video data, audio data, etc. are output to the display device D. In the digital broadcast receiver 1, the key information extraction unit 6 extracts key information from the broadcast data received by the broadcast reception unit 5, and stores the extracted key information in the key information storage unit 7. Note that the digital broadcast receiver 1 may appropriately store the received broadcast data in the storage unit 10 by the writing unit 42.

  The digital broadcast receiver 1 generates a content request by the content request generation unit 31 via the operation control unit 9 according to the operation of the remote controller R by the user, and the content request transmission unit 21 sends the content request to the network N Is transmitted to the content providing apparatus 100 (step S401).

  When the content request is received by the content request acquisition unit 121 (step S431), the content providing apparatus 100 generates an authentication request by the authentication request generation unit 162, and the authentication request transmission unit 122 sends the authentication request via the network N. To the digital broadcast receiver 1 (step S433).

  Subsequent to step S433, the digital broadcast receiver 1 receives an authentication request by the authentication request receiving unit 22 (step S403). In accordance with the authentication request displayed on the display device D, the user of the digital broadcast receiver 1 performs an operation for authentication with the remote controller R. The digital broadcast receiver 1 receives the key information stored in the key information storage unit 7 and the identification information storage unit 8 by the authentication data generation unit 32 via the operation control unit 9 according to the operation of the remote controller R. The authentication data is generated based on the identification information stored in. Then, the digital broadcast receiver 1 transmits the authentication data to the content providing apparatus 100 by the authentication data transmitting unit 23 (step S405).

  When the content providing apparatus 100 receives the authentication data by the authentication data acquisition unit 123 (step S435), the determination unit 163 determines whether the received authentication data is registered in the registration information storage unit 141. (Step S436). If it is determined that it is registered (step S436: Yes), the content providing apparatus 100 generates an authentication message by the authentication message generation unit 164, and transmits the authentication message to the digital broadcast receiver 1 by the authentication message transmission unit 124. Transmit (step S437). Following step S437, the content providing apparatus 100 reads content from the content storage unit 142 by the content management unit 165, and transmits the read content to the digital broadcast receiver 1 by the content distribution unit 125 (step S439). On the other hand, when it is determined that it is not registered (step S436: No), the content providing apparatus 100 generates a reject message by the authentication message generating unit 164, and the reject message is generated by the authentication message transmitting unit 124. 1 is transmitted (step S438).

  Further, following step S437, the digital broadcast receiver 1 uses the analysis unit 41 to determine whether the received data is an authentication message (step S407). Then, when the authentication message receiving unit 24 receives the authentication message (step S407: Yes), the digital broadcast receiver 1 receives the content distributed in step S439 from the content providing apparatus 100 by the content receiving unit 25. (Step S409). On the other hand, when the digital broadcast receiver 1 receives the reject message (step S407: No), the digital broadcast receiver 1 ends the process on the assumption that it has not been authenticated.

  According to the first embodiment, the digital broadcast receiver 1 can automatically generate authentication data for authenticating the user by the authentication data generation means 32. This eliminates the need for the user to input authentication data and improves usability. In addition, since the content providing apparatus 100 acquires and registers the authentication data generated by the digital broadcast receiver 1 in advance by user registration, the content that is limited to members can be protected from unauthorized accessers other than members. it can.

(Second Embodiment)
[Content reception system configuration]
FIG. 5 is a configuration diagram showing a configuration of a content receiving system including a digital broadcast receiver according to the second embodiment of the present invention. This content receiving system includes a digital broadcast receiver 1A, a content providing apparatus 101 (101a, 101b), and an authentication management apparatus 200 that are connected to each other via a network N.

The digital broadcast receiver 1A and the content providing apparatus 101 are the same as the digital broadcast receiver 1 and the content providing apparatus 100 of the first embodiment, respectively.
The authentication management device 200 manages the authentication status (authentication result) of the user of the digital broadcast receiver 1A for which the verification processing for authentication has been executed in the content providing device 101. The CPU, ROM, RAM And a HDD and a communication interface, and the CPU develops a program stored in the HDD or the like in the RAM, thereby realizing various functions to be described later and becoming a third party organization for realizing single sign-on. It is. Note that the authentication management apparatus 200 does not perform verification processing of authentication data itself such as a user ID and a password, but determines whether the verification processing has been completed.

[Configuration of digital broadcast receiver]
FIG. 6 is a functional block diagram showing a configuration of the digital broadcast receiver shown in FIG.
As shown in FIG. 6, this digital broadcast receiver 1A has the same configuration as the digital broadcast receiver 1 shown in FIG. 2 except that the functions of the network communication means 2A and the authentication management means 3A are different. The same code | symbol is attached | subjected to the same structure and description is abbreviate | omitted.

The network communication unit 2A includes an SSO request transmission unit 51, an SSO approval reception unit 52, and an authentication status transmission unit 53 in addition to the functions shown in FIG.
The SSO request transmission unit 51 transmits an SSO (Single Sign On) request generated by the SSO request generation unit 54 to the content providing apparatus 101.
The SSO approval receiving means 52 receives an SSO approval that is a response to the SSO request.
The authentication status transmission unit (authentication result transmission unit) 53 transmits the authentication status (authentication result) generated by the authentication status generation unit 55 to the authentication management apparatus 200.

The authentication management unit 3A includes an SSO request generation unit 54 and an authentication status generation unit 55 in addition to the functions shown in FIG.
The SSO request generation means 54 generates an SSO request that is a message for performing SSO to the content providing apparatus 101 (see FIG. 5) when connecting to the network N for the first time in response to an operation of the remote controller R. .
The authentication status generating unit 55 generates an authentication status (authentication result) based on the authentication message acquired by the authentication message receiving unit 24. Here, the authentication status (authentication result) includes, for example, information on the date and time of authentication, information for specifying the authenticated content providing apparatus 101, and the like.

[Configuration of content providing device]
FIG. 7 is a functional block diagram showing the configuration of the content providing apparatus shown in FIG.
The content providing apparatus 101 has the same configuration as the content providing apparatus 100 shown in FIG. 3 except that the functions of the network communication unit 120A and the received data management unit 160A are different, as shown in FIG. The same reference numerals are given to the configurations of and the description is omitted.

The network communication unit 120A includes an SSO request acquisition unit 131, an SSO approval transmission unit 132, an authentication inquiry transmission unit 133, and an authentication notification acquisition unit 134 in addition to the functions shown in FIG.
The SSO request acquisition unit 131 acquires an SSO request from the digital broadcast receiver 1A (see FIG. 5).
The SSO approval transmission unit 132 transmits SSO approval, which is a response to the SSO request, to the digital broadcast receiver 1A.
The authentication inquiry transmission unit 133 transmits the authentication inquiry generated by the authentication inquiry generation unit 171 to the authentication management apparatus 200.
The authentication notification acquisition unit 134 acquires an authentication notification from the authentication management apparatus 200.

In addition to the functions shown in FIG. 3, the received data management means 160A includes an authentication query generating means 171 and the functions of the received data analyzing means 161A and the authentication message generating means 164A are different.
When it is determined that the SSO request has been received as a result of the analysis, the reception data analysis unit 161A sets a flag indicating that (for example, F1 = 1) and determines that the content request has been received. A flag indicating that this is set (for example, F2 = 1). The reception data analysis unit 161A gives an instruction to generate an authentication request to the authentication request generation unit 162 when both flags are set, that is, when “F1 = 1 and F2 = 1”. . The reception data analysis unit 161A sends an authentication inquiry to the authentication inquiry generation unit 171 when only the flag indicating that the content request has been received, that is, when “F1 = 0 and F2 = 1”. An instruction is given to generate the content, and the requested content is notified to the content management means 165. Furthermore, if the reception data analysis unit 161A determines that the authentication notification has been received as a result of the analysis, the reception data analysis unit 161A instructs the authentication message generation unit 164A to generate an authentication message.

When the content request is acquired by the content request acquisition unit 121, the authentication reference generation unit 171 generates an authentication reference for inquiring the user of the digital broadcast receiver 1A that has transmitted the content request to the authentication management apparatus 200. It is.
The authentication message generation unit 164A generates an authentication message when the determination unit 163 determines to authenticate the user or when the authentication notification acquisition unit 134 receives the authentication notification.

[Configuration of authentication management device]
FIG. 8 is a functional block diagram showing the configuration of the authentication management apparatus shown in FIG.
As shown in FIG. 8, the authentication management apparatus 200 includes network communication means 220, storage means 240, and authentication status management means 260.

The network communication means 220 transmits / receives various information via the network N between the digital broadcast receiver 1A (see FIG. 5) and the content providing apparatus 101 (see FIG. 5). Data acquired by the network communication unit 220 is output to the authentication status management unit 260.
The network communication unit 220 includes an authentication status acquisition unit 221, an authentication inquiry acquisition unit 222, and an authentication notification output unit 223.

The authentication status acquisition means 221 acquires the authentication status (authentication result) from the digital broadcast receiver 1A.
The authentication inquiry acquisition unit 222 acquires an authentication inquiry from the content providing apparatus 101.
The authentication notification output unit 223 outputs an authentication notification indicating that the user is authenticated to the content providing apparatus 101 when the determination unit 264 determines to authenticate the user.

  The storage unit 240 includes, for example, a memory or an HDD, and includes an authentication status storage unit 241. The authentication status storage unit 241 stores the authentication status (authentication result) acquired by the authentication status acquisition unit 221 for each user, and is a general recording medium such as an HDD.

  The authentication status management means 260 manages the authentication status (authentication result) acquired from the digital broadcast receiver 1A. As shown in FIG. 8, the received data analysis means 261, the authentication status registration means 262, An authentication status search unit 263, a determination unit 264, and an authentication notification generation unit 265 are provided.

  The received data analysis unit 261 analyzes the data received by the network communication unit 220 and gives instructions to the authentication status registration unit 262 and the authentication status search unit 263 according to the contents of the data. When it is determined that the authentication status has been received as a result of the analysis, the received data analysis unit 261 instructs the authentication status registration unit 262 to register. In addition, if the reception data analysis unit 261 determines that the authentication notification is received as a result of the analysis, the reception data analysis unit 261 instructs the authentication status search unit 263 to perform a search.

The authentication status registration unit 262 registers the authentication status acquired from the digital broadcast receiver 1A in the authentication status storage unit 241 based on an instruction from the received data analysis unit 261. Note that an authentication status after a predetermined time (for example, 24 hours) after registration may be deleted from the authentication status registration means 262.
The authentication status search unit 263 searches the authentication status storage unit 241 for the authentication status of the user specified by the authentication query acquired from the content providing apparatus 101 based on the instruction of the received data analysis unit 261, and outputs it to the determination unit 264. Is.

The determination unit 264 determines whether to authenticate the user specified by the authentication inquiry acquired from the content providing apparatus 101 based on the search result of the authentication status search unit 263. For example, authentication is performed when the authentication status is registered in the authentication status storage unit 241 or within a predetermined time (for example, 24 hours) after registration.
If the determination unit 264 determines that authentication is to be performed, the authentication notification generation unit 265 generates an authentication notification indicating that fact. Further, when the determination unit 264 determines that authentication is not performed, the authentication notification generation unit 265 generates a reject message indicating that fact.

[Operation of content receiving system]
Next, the operation of the content receiving system will be described with reference to FIGS. 9 and 10 (refer to FIGS. 5 to 8 as appropriate). 9 is a flowchart showing the first content reception operation in the content reception system shown in FIG. 5, and FIG. 10 is a flowchart showing the second and subsequent content reception operations in the content reception system shown in FIG. It is.

  The precondition is the same as that of the first embodiment described with reference to the flowchart of FIG. The first content reception operation is as follows. That is, the digital broadcast receiver 1A performs the first connection to the network N according to the operation of the remote controller R by the user, generates an SSO request by the SSO request generation unit 54 via the operation control unit 9, The SSO request transmission unit 51 transmits the SSO request to the content providing apparatus 101a (101) via the network N (step S901).

  When the SSO request acquisition unit 131 receives the SSO request (step S931), the content providing apparatus 101a recognizes that the received data is an SSO request and sets a flag (F1 = 1). ), The SSO approval transmission means 132 transmits an SSO approval as a response to the SSO request to the digital broadcast receiver 1A via the network N (step S933).

  Subsequent to step S933, the digital broadcast receiver 1A receives the SSO approval by the SSO approval receiving means 52 (step S903). Then, the digital broadcast receiver 1A sequentially processes steps S905 to S911. Steps S905 to S911 are the same as steps S401 to S407 shown in FIG.

  On the other hand, following step S933, the content providing apparatus 101a sequentially processes steps S935 to S943 and ends the process. Steps S935-S943 are the same as steps S431-S439 shown in FIG. However, when the content providing apparatus 101a receives the content request in step S935, the received data analyzing unit 161A sets a flag (F2 = 1). As a result, since both flags indicating that both the SSO request and the content request have been acquired (F1 = 1 and F2 = 1), the received data analysis unit 161A sends an authentication request to the authentication request generation unit 162. Instructions are given to generate. As a result, an authentication request is generated, and the authentication request is transmitted in step S937.

  When the authentication message receiving unit 24 receives the authentication message (step S911: Yes), the digital broadcast receiver 1A receives time information authenticated by the content providing apparatus 101a based on the authentication message by the authentication status generation unit 55. Generate an authentication status including etc. Then, the digital broadcast receiver 1A transmits the generated authentication status to the authentication management apparatus 200 via the network N by the authentication status transmission unit 53 (step S912). Following step S912, the authentication management apparatus 200 receives the authentication status from the digital broadcast receiver 1A by the authentication status acquisition unit 221 (step S982), and stores the received authentication status by the authentication status registration unit 262. Register in the means 241. On the other hand, following step S912, the digital broadcast receiver 1A receives the content distributed in step S943 from the content providing apparatus 101a by the content receiving unit 25 (step S913). If a reject message has been received (step S911: No), the process ends as a result of not being authenticated.

  In the second content reception operation, the digital broadcast receiver 1A requests content from the content providing apparatus 101b different from the content providing apparatus 101a while maintaining the connection to the network N. Note that the content providing apparatus 101a and the content providing apparatus 101b only have to provide contents limited to members, and the content distributors may be the same or different. In this case, following step S913, the digital broadcast receiver 1A transmits a content request to the content providing apparatus 101b via the network N in the same manner as in step S905 (step S915).

  The content providing apparatus 101b receives the content request by the content request acquisition unit 121 (step S955). Since the content providing apparatus 101b sets only the flag indicating that the content request has been received by the received data analyzing unit 161A (F1 = 0 and F2 = 1), the content providing device 101b generates an authentication query in the authentication query generating unit 171. The content management means 165 is notified of the requested content. Then, the content providing apparatus 101b generates an authentication query for querying the user of the digital broadcast receiver 1A that has transmitted the content request by the authentication query generating unit 171 and the generated authentication query is transmitted by the authentication query transmitting unit 133. And transmitted to the authentication management apparatus 200 (step S957).

  Subsequently, the authentication management apparatus 200 that has already received the authentication status from the digital broadcast receiver 1A in step S982 receives the authentication query by the authentication query acquisition unit 222 (step S987), and by the authentication status search unit 263, The authentication status storage unit 241 is searched for the authentication status of the user specified by the received authentication query. Then, the authentication management apparatus 200 determines whether or not the authentication status of the user specified by the received authentication query is registered in the authentication status storage unit 241 by the determination unit 264 based on the search result of the authentication status search unit 263. Is discriminated (step S989).

  If registered (step S989: Yes), the authentication management apparatus 200 generates an authentication notification indicating that by the authentication notification generation means 265, and transmits it to the content providing apparatus 101b by the authentication notification output means 223 ( Step S991). On the other hand, when not registered (step S989: No), the authentication management apparatus 200 generates a reject message indicating that by the authentication notification generation unit 265, and transmits it to the content providing apparatus 101b by the authentication notification output unit 223. (Step S992).

  On the other hand, following step S957, the content providing apparatus 101b determines whether or not an authentication notification is received from the authentication management apparatus 200 by the received data analysis unit 161A (step S961). When the authentication notification is received (step S961: Yes), the content providing apparatus 101b generates an authentication message by the authentication message generation unit 164A, and transmits the authentication message to the digital broadcast receiver 1A by the authentication message transmission unit 124. (Step S963). Then, the content is distributed (step S965). On the other hand, when a reject message is received (step S961: No), the content providing apparatus 101b similarly generates a reject message and transmits it to the digital broadcast receiver 1A (step S964).

The digital broadcast receiver 1A sequentially processes steps S923 to S925 following step S915. Steps S923 to S925 are the same as steps S911 to 913 shown in FIG. In step S924, the authentication status generated based on the authentication message created by the content providing apparatus 101b is transmitted. That is, the authentication status includes time information when the authentication is confirmed by the content providing apparatus 101b. This authentication status is received by the authentication management apparatus 200 (step S994), and is stored in the authentication status storage unit 241 as a history or updated. Note that the authentication management apparatus 200 returns to step S987 following step S994. In addition, when the digital broadcast receiver 1A receives a user operation for instructing the end of the content receiving operation (step S927: Yes), the digital broadcast receiver 1A ends the process, and performs the user operation for instructing the third and subsequent content receiving operations. If accepted (step S927: No), the process returns to step S915.

  According to the second embodiment, the digital broadcast receiver 1A transmits authentication data only to the content providing apparatus 101a (101) that is connected for communication for the first time, and the content providing apparatus 101b (101) that is connected for the second time or later. A content request is transmitted without transmitting authentication data. Therefore, the user of the digital broadcast receiver 1 </ b> A can obtain desired content from different member-limited sites by performing authentication input with the content providing apparatus 101 only once.

(Third embodiment)
Another content reception system including the digital broadcast receiver 1 having the configuration of the first embodiment will be described as a third embodiment. Since this content receiving system is configured to include an authentication management device as in the second embodiment shown in FIG. This content receiving system includes a digital broadcast receiver 1 (see FIG. 2), a content providing apparatus 102 (see FIG. 11), and an authentication management apparatus 200A (see FIG. 12) connected to each other via a network N. I have.

[Configuration of content providing device]
FIG. 11 is a functional block diagram illustrating a configuration of a content providing apparatus that configures the content receiving system according to the third embodiment.
As shown in FIG. 11, the content providing apparatus 102 has different functions between the network communication unit 120B and the reception data management unit 160B, and the storage unit 140B does not include the registration information storage unit 141. Since it is the same structure as the content provision apparatus 100 shown in FIG. 3, the same code | symbol is attached | subjected to the same structure and description is abbreviate | omitted.

The network communication unit 120B includes an authentication response acquisition unit 135, a certification request transmission unit 136, and a certificate acquisition unit 137.
The authentication response acquisition unit 135 acquires an authentication response from the authentication management apparatus 200A (see FIG. 12).
The certification request transmission unit 136 transmits the certification request generated by the certification request generation unit 173 to the authentication management apparatus 200A.
The certificate acquisition unit 137 acquires an authentication certificate (certificate) from the authentication management apparatus 200A.

The reception data management unit 160B includes a connection instruction unit 172 and a proof request generation unit 173.
When the content request acquisition unit 121 acquires a content request, the connection instruction unit 172 switches connection to the authentication management apparatus 200A by redirection with respect to the digital broadcast receiver 1 (see FIG. 2) that transmitted the content request. Is to instruct. Note that the content providing apparatus 102 recognizes that the authentication has failed when there is no authentication response even after a predetermined time has elapsed after switching the connection.
The certification request generation means 173 generates a certification request for requesting the authentication management apparatus 200A for an authentication certificate for authenticating the user of the digital broadcast receiver 1 that has transmitted the content request.

[Configuration of authentication management device]
FIG. 12 is a functional block diagram showing the configuration of the authentication management apparatus that constitutes the content receiving system of the third embodiment.
As shown in FIG. 12, the authentication management apparatus (IDP server: Identity Provider) 200A includes network communication means 220A, storage means 240A, and authentication status management means 260A. In addition, the same code | symbol is attached | subjected to the structure same as the authentication management apparatus 200 shown in FIG. 8, and description is abbreviate | omitted.

The network communication unit 220A includes an authentication request transmission unit 224, an authentication data acquisition unit 225, an authentication response output unit 226, an authentication message output unit 227, a certification request acquisition unit 228, and a certificate output unit 229. ing.
The authentication request transmission unit 224 transmits the authentication request generated by the authentication request generation unit 267 to the digital broadcast receiver 1.
The authentication data acquisition means 225 acquires authentication data from the digital broadcast receiver 1 (see FIG. 2).
The authentication response output unit 226 transmits the authentication response generated by the authentication response generation unit 269 to the content providing apparatus 102 (see FIG. 11).
The authentication message output unit 227 transmits the authentication message generated by the authentication message generation unit 270 to the digital broadcast receiver 1.
The certification request acquisition unit 228 acquires a certification request from the content providing apparatus 102.
The certificate output unit 229 transmits the authentication certificate generated by the certificate generation unit 271 to the content providing apparatus 102.

The storage unit 240A includes, for example, a memory and an HDD, and includes an authentication user storage unit 242 and a registration information storage unit 243.
The authentication user storage unit 242 stores the authentication status acquired by the authentication status acquisition unit 221 for each user, and is a general recording medium such as an HDD.
The registration information storage unit 243 stores authentication data generated by the digital broadcast receiver 1 in advance as user registration information, and is a general recording medium such as an HDD.

The authentication status management unit 260A includes a determination unit 264A, an authentication user management unit 266, an authentication request generation unit 267, a registration information search unit 268, an authentication response generation unit 269, an authentication message generation unit 270, and a certificate generation. Means 271.
Based on the search result of the registration information search unit 268, the determination unit 264A determines whether or not the user registration information specified by the authentication data acquired from the digital broadcast receiver 1 is registered (authenticates the user). It is to be determined. The determination unit 264A instructs the authentication response generation unit 269 and the authentication message generation unit 270 to generate a message according to the determination result.

  The authentication user management unit 266 refers to the authentication user storage unit 242 to determine whether or not the user of the digital broadcast receiver 1 connected for communication has been authenticated. If it is determined that the user has been authenticated, the authentication user management unit 266 instructs the authentication response generation unit 269 and the authentication message generation unit 270 to generate a message. If it is determined that the user has not been authenticated, the authentication request generation unit 266 The generation unit 267 is instructed to generate a message.

The authentication request generation unit 267 is an authentication request that is a message for requesting the digital broadcast receiver 1 for authentication data when the authentication user management unit 266 determines that the user of the digital broadcast receiver 1 has not been authenticated. Is generated.
The registration information search unit 268 searches the registration information storage unit 243 for user registration information (authentication data) specified by the authentication data acquired by the authentication data acquisition unit 225, and outputs it to the determination unit 264A. is there.
The authentication response generation unit 269 determines that the registration information of the user specified by the acquired authentication data is registered by the determination unit 264A, or the authentication user management unit 266 uses the user of the digital broadcast receiver 1 Is determined to be authenticated, an authentication response that is a response message is generated in the content providing apparatus 102.

The authentication message generation unit 270 determines that the registration information of the user specified by the acquired authentication data is registered by the determination unit 264A, or the authentication user management unit 266 uses the user of the digital broadcast receiver 1 Is determined to be authenticated, an authentication message that is a response message is generated in the digital broadcast receiver 1. The authentication message generation unit 270 generates a reject message to the digital broadcast receiver 1 when the determination unit 264A determines that the registration information of the user specified by the acquired authentication data is not registered.
The certificate generation unit 271 generates (issues) an authentication certificate that proves that the user of the digital broadcast receiver 1 has been authenticated when the certification request acquisition unit 228 receives a certification request from the content providing apparatus 102. )

[Operation of content receiving system]
Next, the operation of the content receiving system will be described with reference to FIG. 13 (refer to FIGS. 2, 11 and 12 as appropriate). FIG. 13 is a flowchart showing a content receiving operation in the content receiving system of the third embodiment.
The precondition is the same as that of the first embodiment described with reference to the flowchart of FIG. The digital broadcast receiver 1 generates a content request by the content request generation unit 31, and transmits the content request to the content providing apparatus 102 via the network N by the content request transmission unit 21 (step S1301).

  When the content request is received by the content request acquisition unit 121 (step S1331), the content providing apparatus 102 redirects the digital broadcast receiver 1 that has transmitted the content request by the connection instruction unit 172 to the authentication management apparatus 200A. To switch the connection (step S1333). Thereby, the digital broadcast receiver 1 that has transmitted the content request is connected to the authentication management apparatus 200A via the network N.

  Subsequent to step S 1333, the authentication management apparatus 200 A uses the authentication user management unit 266 to refer to the authentication user storage unit 242 to determine whether or not the user of the digital broadcast receiver 1 connected for communication has been authenticated. (Step S1353). When it is determined that the user has been authenticated (step S1353: Yes), the authentication management apparatus 200A executes a process of step S1361 described later. On the other hand, when it is determined that the user has not been authenticated (step S1353: No), the authentication management apparatus 200A generates an authentication request by the authentication request generation unit 267 and transmits the authentication request to the digital broadcast receiver 1 (step). S1355).

  Subsequent to step S1355, the digital broadcast receiver 1 sequentially processes steps S1305 to S1317. Steps S1305 to S1317 are the same as steps S403 to S409 shown in FIG. However, when the content receiving operation is repeated from another content providing apparatus 102 after receiving the content in step S1317, the process returns to step S1301.

  Further, in response to the authentication data transmission processing in step S1307, which is not described, the authentication management apparatus 200A receives authentication data by the authentication data acquisition unit 225 (step S1357). Then, the authentication management apparatus 200A searches the registration information storage unit 243 for registration information of the user specified by the authentication data using the registration information search unit 268, and determines whether the registration is performed using the determination unit 264A. (Step S1359). When the registration information of the user is registered (step S1359: Yes), the authentication response generation unit 269 generates an authentication response, the authentication response output unit 226 transmits the authentication response to the content providing apparatus 102, and authentication is performed. The message generation unit 270 generates an authentication message, and the authentication message output unit 227 transmits the authentication message to the digital broadcast receiver 1 (step S 1361). Further, as described above, the authentication management apparatus 200A performs the same process even when the authenticated user management unit 266 determines that the user has been authenticated (step S1353: Yes). On the other hand, when the registration information of the user is not registered (step S1359: No), a rejection message is generated by the authentication message generation unit 270, and is transmitted to the digital broadcast receiver 1 by the authentication message output unit 227 (step S1362). ).

  In response to step S 1361 or S 1362, the digital broadcast receiver 1 executes the determination process of step S 1311 that is not described, and the content providing apparatus 102 executes the determination process of step S 1341. When the content providing apparatus 102 does not receive the authentication response (step S1341: No), the content providing apparatus 102 ends the process. On the other hand, when an authentication response is acquired by the authentication response acquisition unit 135 (step S1341: Yes), a certification request is generated by the certification request generation unit 173, and the certification request is transmitted to the authentication management apparatus 200A by the certification request transmission unit 136. (Step S1343).

  Subsequent to step S1343, the authentication management apparatus 200A receives the certification request by the certification request acquisition unit 228 (step S1363). Then, the authentication management apparatus 200A generates an authentication certificate by the certificate generation unit 271 and transmits the authentication certificate to the content providing apparatus 102 by the certificate output unit 229 (step S1365), and returns to step S1353. Subsequent to step S1365, the content providing apparatus 102 receives the authentication certificate by the certificate acquisition unit 137 (step S1345), and distributes the content to the digital broadcast receiver 1 by the content distribution unit 125 (step S1347). .

Next, a user operation when the digital broadcast receiver 1 sequentially receives content from different content providing apparatuses 102a and 102b by single sign-on will be described with reference to FIG. FIG. 14 is an explanatory diagram of user operations in the digital broadcast receiver.
First, the user of the digital broadcast receiver 1 makes a content request to the content providing apparatus 102a (1401). Specifically, this user operates the remote controller R to access a site that has already been registered as a member.

  The content providing apparatus 102a sets a URL (Uniform Resource Locator) 200A of the authentication management apparatus (hereinafter referred to as IDP) 200A in the digital broadcast receiver 1 by redirection (1402). The IDP 200A is inquired about authentication (1403). Then, the user executes an authentication process with the IDP 200A (1404). Specifically, when the message “Please enter password” is displayed on the display device D of the digital broadcast receiver 1, the user selects, for example, a display button displayed as “Password generation”. . As a result, when the IDP 200A authenticates the generated password, the IDP 200A sends a response to the authentication inquiry to the content providing apparatus 102a via the digital broadcast receiver 1 (1405). When the content providing apparatus 102a requests an authentication certificate (assertion), the IDP 200A issues an authentication certificate (1406) and returns it. Then, the content providing apparatus 102a provides the content to the digital broadcast receiver 1 (1407).

  Subsequently, the user makes a content request to the content providing apparatus 102b (1408). Specifically, this user operates the remote controller R to access another site that has already been registered as a member. The content providing apparatus 102b sets the URL of the IDP 200A by redirection (1409), and inquires of the IDP 200A for authentication via the digital broadcast receiver 1 (1410). The IDP 200A determines that the user has been authenticated, and sends a response to the authentication inquiry to the content providing apparatus 102b without repeating the authentication process with the user (1411). Similarly, when IDP 200A issues an authentication certificate (1412), content providing apparatus 102b provides content to digital broadcast receiver 1 (1413).

  According to the third embodiment, when the digital broadcast receiver 1 transmits a content request to the content providing apparatus 102 (for example, 102a) that is connected for communication for the first time, the communication connection is switched to the authentication management apparatus 200A, and the user operation is performed. Accordingly, the authentication data is transmitted to the authentication management apparatus 200A. Further, when a content request is transmitted to the content providing apparatus 102 (for example, 102b) that is connected for communication after the second time, the user does not need an operation of transmitting authentication data anywhere. Therefore, the user of the digital broadcast receiver 1 can acquire desired content from different member-limited sites by inputting for authentication only once with the authentication management apparatus 200A.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to each embodiment. For example, in each embodiment, the digital broadcast receiver 1 (1A) extracts the work key Kw as the key information from the broadcast data of the digital broadcast. However, the present invention is not limited to this. May be a scramble key Ks for scrambling content, a content key Kc for encrypting the scramble key Ks in units of content, or a combination thereof.

  In each embodiment, the identification information storage unit 8 of the digital broadcast receiver 1 (1A) has been described as an IC card such as a CAS card. However, the present invention is not limited to this, and the identification information storage unit 8 is not limited thereto. May be a general recording medium such as a ROM or HDD. When a plurality of users use the digital broadcast receiver 1 (1A), identification information may be given to each user.

  The authentication data generation means 32 of the digital broadcast receiver 1 (1A) generates a password by fixing the user ID in the authentication data, but conversely fixes the user ID and fixes the user ID. You may produce | generate and you may produce | generate both. Further, the user ID and the password are examples, and the authentication data may be other than them, not limited to two types, and may be one type or three or more types. Further, the authentication data generating means 32 is not limited to generating authentication data only with the key information and the identification information, and other information may be used when generating the authentication data. For example, information such as the URL of the content providing apparatus 100 (101, 102) that transmitted the content request, the name of the site where the content is provided, the name of the content, and the like, or information generated by appropriately combining or converting them. The authentication data is generated by multiplying the key information and the identification information by a predetermined method. In this case, different authentication data (user ID, password) is generated depending on the access destination. Therefore, different authentication data (user) for each content providing apparatus 100 (101, 102) (or for each member-limited site). ID, password) can be generated. Further, the authentication data generation means 32 may generate the identification information stored in the identification information storage means 8 as authentication data without using the key information.

  Further, when communication is performed among the digital broadcast receiver 1 (1A), the content providing apparatus 100 (101, 102), and the authentication management apparatus 200 (200A), encryption is performed using a predetermined encryption method. Data (such as authentication data) may be transmitted and received.

  In the content receiving systems of the first and second embodiments, the digital broadcast receiver 1 (1A) is output by the authentication data output from the authentication data transmitting unit 23 and the content request transmitting unit 21. The content request may be output to the content providing apparatus 100 (101) at the same timing. In this case, the processing of steps S401 to S405 shown in FIG. 4 or steps S905 to S909 shown in FIG. 9 is a batch transmission process of content request and authentication data. As a result, the session time can be shortened. In this case, the content providing apparatus 100 (101) can simplify the function because the authentication request generation unit 162 and the authentication request transmission unit 122 can be omitted.

It is a block diagram which shows the structure of the content reception system containing the digital broadcast receiver which concerns on the 1st Embodiment of this invention. It is a functional block diagram which shows the structure of the digital broadcast receiver shown in FIG. It is a functional block diagram which shows the structure of the content provision apparatus shown in FIG. It is a flowchart which shows operation | movement of the content reception system shown in FIG. It is a block diagram which shows the structure of the content reception system containing the digital broadcast receiver which concerns on the 2nd Embodiment of this invention. It is a functional block diagram which shows the structure of the digital broadcast receiver shown in FIG. It is a functional block diagram which shows the structure of the content provision apparatus shown in FIG. It is a functional block diagram which shows the structure of the authentication management apparatus shown in FIG. 6 is a flowchart illustrating a first content reception operation in the content reception system illustrated in FIG. 5. 6 is a flowchart showing a content receiving operation for the second time and thereafter in the content receiving system shown in FIG. 5. It is a functional block diagram which shows the structure of the content provision apparatus which comprises the content reception system of 3rd Embodiment. It is a functional block diagram which shows the structure of the authentication management apparatus which comprises the content reception system of 3rd Embodiment. It is a flowchart which shows the content reception operation | movement in the content reception system of 3rd Embodiment. It is explanatory drawing of user operation in a digital broadcast receiver.

Explanation of symbols

1, 1A Digital broadcast receiver 100, 101 (101a, 101b), 102 Content providing device 200, 200A Authentication management device N Network 2 Network communication means 21 Content request transmitting means 22 Authentication request receiving means 23 Authentication data transmitting means (authentication) Data output means)
24 Authentication message receiving means (authentication message obtaining means)
25 Content receiving means (content obtaining means)
3 Authentication management means 31 Content request generation means 32 Authentication data generation means 4 Received data management means 41 Analysis means 42 Write means 43 Read means 5 Broadcast reception means 6 Key information extraction means (limited reception information extraction means)
7 Key information storage means 8 Identification information storage means 9 Operation control means 10 Storage means 11 Switching means 12 Content playback means 13 Display control means R Remote control D Display device

Claims (7)

In a digital broadcast receiver having broadcast receiving means for receiving a digital broadcast and network communication means for communicating with a device connected to a network,
Content request generating means for generating a content request for requesting a content that requires user authentication to a content providing apparatus that is the device connected to the network;
Conditional access information extraction means for extracting conditional access information multiplexed in advance on the broadcast data of the digital broadcast;
Identification information storage means for storing identification information for identifying a user of the digital broadcast receiver;
The identification information stored in the identification information storage means is used as authentication data for authenticating the user, or the limited reception information extracted by the limited reception information extraction means and stored in the identification information storage means. Authentication data generating means for generating the authentication data based on the identification information,
Authentication data output means for outputting the authentication data generated by the authentication data generation means;
Content acquisition means for acquiring content in response to the content request;
A digital broadcast receiver comprising: In a digital broadcast receiver having broadcast receiving means for receiving a digital broadcast and network communication means for communicating with a device connected to a network,
SSO request generation means for generating an SSO request for performing single sign-on to the content providing apparatus that is the device connected to the network when connecting to the network for the first time;
Content request generation means for generating a content request for requesting content that requires user authentication to the content providing device;
Conditional access information extraction means for extracting conditional access information multiplexed in advance on the broadcast data of the digital broadcast;
Identification information storage means for storing identification information for identifying a user of the digital broadcast receiver;
The identification information stored in the identification information storage means is used as authentication data for authenticating the user, or the limited reception information extracted by the limited reception information extraction means and stored in the identification information storage means. Authentication data generating means for generating the authentication data based on the identification information,
Authentication data output means for outputting the authentication data generated by the authentication data generation means to the content providing device;
Authentication message acquisition means for acquiring an authentication message corresponding to the authentication data from the content providing device;
Content acquisition means for acquiring content in response to the content request;
An authentication result transmitting means for transmitting an authentication result based on the authentication message acquired by the authentication message acquiring means to an authentication management apparatus which is connected to the network and is a third party for realizing single sign-on;
A digital broadcast receiver comprising: A content providing apparatus that is connected to the digital broadcast receiver according to claim 1 via a network and provides content that requires user authentication,
Content request acquisition means for acquiring the content request from the digital broadcast receiver;
Authentication data acquisition means for acquiring the authentication data from the digital broadcast receiver;
Registration information storage means for storing authentication data generated by the digital broadcast receiver in advance as user registration information;
Based on the authentication data acquired by the authentication data acquisition unit, a determination unit that determines whether to authenticate the user with reference to the registration information storage unit;
Content distribution means for distributing content based on the content request acquired by the content request acquisition means to the digital broadcast receiver when it is determined that the user is authenticated by the determination means;
A content providing apparatus comprising: A content providing apparatus that is connected to the digital broadcast receiver according to claim 1 via a network and provides content that requires user authentication,
Content request acquisition means for acquiring the content request from the digital broadcast receiver;
Connection instruction means for instructing the digital broadcast receiver to switch connection by redirection when the content request is acquired;
A certificate request for generating a certificate request for requesting a certificate for authentication of a user of the digital broadcast receiver to a certificate management apparatus which is connected to the network and realizes single sign-on and which is a third-party certificate authority Generating means;
Certificate acquisition means for acquiring the certificate from the authentication management device;
Content distribution means for distributing content based on the content request acquired by the content request acquisition means to the digital broadcast receiver when the certificate is acquired;
A content providing apparatus comprising: A content providing apparatus that is connected to the digital broadcast receiver according to claim 2 via a network and provides content that requires user authentication,
SSO request acquisition means for acquiring the SSO request from the digital broadcast receiver;
Content request acquisition means for acquiring the content request from the digital broadcast receiver;
Authentication request generating means for generating an authentication request for requesting the authentication data when the SSO request and the content request are acquired;
Authentication data acquisition means for acquiring the authentication data from the digital broadcast receiver;
An authentication query generating means for generating an authentication query for querying a user of the digital broadcast receiver to the authentication management device when acquiring the content request and not acquiring the SSO request;
Registration information storage means for storing authentication data generated by the digital broadcast receiver in advance as user registration information;
Based on the authentication data acquired by the authentication data acquisition unit, a determination unit that determines whether to authenticate the user with reference to the registration information storage unit;
An authentication message generating means for generating an authentication message when it is determined that the user is authenticated by the determining means, or when an authentication notification indicating that the user is authenticated is received from the authentication management device;
Content delivery means for delivering content based on the content request acquired by the content request acquisition means to the digital broadcast receiver when the authentication message is generated;
A content providing apparatus comprising: An authentication management apparatus that is connected to the digital broadcast receiver according to claim 1 via the network and serves as a third-party certification body that realizes single sign-on,
Registration information storage means for storing authentication data generated by the digital broadcast receiver in advance as user registration information;
Authentication data acquisition means for acquiring the authentication data from the digital broadcast receiver;
Determining means for determining whether or not to authenticate the user based on the user registration information stored in the registration information storage means when the authentication data acquisition means acquires the authentication data;
An authentication response output means for outputting an authentication response to the content providing apparatus according to claim 4, when the determination means determines that the user is to be authenticated,
Certification request acquisition means for acquiring the certification request according to the authentication response from the content providing device;
Certificate generating means for generating a certificate that proves that the user of the digital broadcast receiver has been authenticated;
Certificate output means for outputting the certificate generated by the certificate generation means;
An authentication management apparatus comprising: An authentication management device connected to the digital broadcast receiver according to claim 2 via the network and serving as a third party for realizing single sign-on,
Authentication result acquisition means for acquiring the authentication result from the digital broadcast receiver;
Authentication result storage means for storing the authentication result acquired by the authentication result acquisition means for each user;
A determination unit configured to determine whether to authenticate the user based on an authentication result stored in the authentication result storage unit when the authentication inquiry is received from the content providing apparatus according to claim 5;
An authentication notification output means for outputting an authentication notification indicating that the user is authenticated to the content providing apparatus when the determination means determines that the user is authenticated;
An authentication management apparatus comprising:

Images