JP2008092432A - Digital content transmitting method and receiving apparatus - Google Patents

Abstract

Provided is a system capable of encrypting and distributing content by a higher-strength encryption method based on an encryption key inserted by a broadcaster into the digital broadcast content when distributing the digital broadcast content through the IP network.
Encryption of input digital broadcast content is released using a scramble key Ks reproduced from EMC. The encrypted digital broadcast content is re-encrypted with a 128-bit encryption key that is a combination of the 64-bit or longer extended encryption key Kx and the 64-bit scramble key Ks given by the license server 326. The encrypted content is multiplexed with the ECM and distributed to the receiving side through the IP network. In addition, the extended encryption key Kx is transmitted to the receiving side through a different route from the content distribution.
[Selection] Figure 2

Description

  The present invention relates to a transmission method and a receiving apparatus used in a system for distributing digital contents such as video and audio over an IP network.

  In recent years, services for distributing digital contents such as video and audio using an IP (Internet Protocol) network have been started. The distribution using the IP network is typically a so-called IP broadcast service using an IP multicast distribution technique and a VoD (Video On Demand) service for distributing desired contents by unicast.

  In particular, in IP broadcasting, it is assumed that digital terrestrial broadcasting is retransmitted. However, in order to distribute digital content safely, it is important to protect the content. For example, in BS digital broadcasting, pay billing is performed by a CAS (Conditional Access System) system defined in ARIB-STD B25, and in terrestrial digital broadcasting, copyright protection using the system is performed. Even when digital terrestrial broadcasting is distributed using an IP network, it is naturally desirable to use these copyright protection methods.

  However, unlike digital broadcasting transmitted by broadcast waves, there is a risk of server impersonation, eavesdropping, and tampering in IP network distribution, and information security issues are more serious than digital content transmission by broadcast waves. is there.

  Currently, digital broadcasting uses a scheme having an encryption strength equivalent to 64 bits, and no countermeasures such as impersonation of a server are taken. Therefore, when the above problems are taken into consideration, using the copyright protection method used in the current digital broadcasting has a security problem in the distribution over the IP network. However, regarding copyright protection and chargeable billing provided by the broadcaster's intention, conversion to a completely different system when distributed over the IP network causes a problem because it does not conform to the broadcaster's intention. To solve this problem, for example, it is conceivable to encrypt only the communication path on the IP network and transmit the digital broadcast signal as it is. In this case, the encryption of the communication path and the encryption of the digital broadcast signal are considered. Double encryption. On the receiving device side, it is necessary to process the double encryption at a high speed, which increases the load for verification.

By the way, Patent Document 1 discloses a technique in which a root key is acquired from a content server, a subkey is acquired from a license server, and a content key is generated by exclusive OR operation of both.
JP2003-309545A (FIG. 26)

  As described above, it is necessary to respect the intentions of broadcasters while using the copyright protection and billing methods used in current digital broadcasting as they are for IP distribution has security problems. It is necessary to solve both of these. In addition, DRM is also essential for services that are conventionally performed using an IP network, such as a VoD service, and it is not desirable from the viewpoint of receiver implementation to adopt different systems for IP broadcasting and VoD.

  In view of such circumstances, when distributing digital content over an IP network, it is possible to encrypt and distribute the content using a stronger encryption method based on the encryption key inserted into the content by the broadcaster. An object of the present invention is to provide a digital content transmission method and reception device that can be used.

  In order to achieve the above object, a digital content transmission method of the present invention includes a step of generating a first encryption key and a second encryption key, and the generated first encryption key and second encryption key. Generating a third encryption key having a bit length equal to or greater than that of the first encryption key, encrypting the digital content using the third encryption key, and converting the encrypted digital content into And a step of multiplexing the information obtained by encrypting the first encryption key or the second encryption key and distributing the information to a receiving apparatus which is a content request source through an IP network.

  In the digital content transmission method of the present invention, the content requesting source is different from the distribution of the digital content over the IP network by using one of the first encryption key and the second encryption key that is not multiplexed with the digital content. The method may further comprise a step of transmitting to.

  The digital content transmission method according to the present invention includes a step of receiving encrypted digital broadcast wave content, a first step of extracting encrypted encryption key information from the received digital broadcast wave content. Playing back the encryption key; decrypting the received digital broadcast wave content with the first encryption key; generating the second encryption key; the first encryption key and the second encryption key; Generating a third encryption key having a bit length equal to or greater than the first encryption key from the encryption key, and re-encrypting the decrypted content using the third encryption key A step of multiplexing information obtained by encrypting the first encryption key or the second encryption key on the re-encrypted content and distributing the multiplexed information to a receiving device that is a content request source through the IP network; Characterized by comprising the step of transmitting the encryption key of the person who is not multiplexed in the digital content of the encryption key or the second cryptographic key to the content requesting a different path from the distribution of digital content through the IP network.

  A digital content receiving apparatus according to another aspect of the present invention generates a first encryption key and a second encryption key, and generates a first encryption key and a second encryption key from the generated first encryption key and second encryption key. A third encryption key having a bit length equal to or greater than that of the encryption key, encrypting the digital content using the third encryption key, and adding the first encryption key or the second encryption key to the encrypted digital content. Information obtained by encrypting the encryption key of 2 is distributed to the IP network, and the first encryption key or the second encryption key that is not multiplexed with the digital content is distributed through the IP network as digital content distribution. The content receiving unit that receives the content multiplexed by the encrypted encryption key information transmitted from the transmitting device that transmits by another route through the IP network, and the content received by the content receiving unit The encryption key reproducing unit that extracts the overlapped encrypted encryption key information and reproduces the first encryption key or the second encryption key and the encryption key distribution unit of the transmission device communicates with each other through the IP network. The third encryption key is obtained from the encryption key receiving unit that receives the first encryption key or the second encryption key, the encryption key reproduced by the encryption key reproducing unit, and the encryption key received by the encryption key receiving unit. And a decrypting unit that generates and decrypts the content with the third encryption key.

  According to the present invention, when digital content is distributed through the IP network, the content can be encrypted and distributed by a stronger encryption method based on the encryption key inserted into the content by the broadcaster.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram illustrating a configuration of a distribution system according to the first embodiment. As shown in the figure, the distribution system includes a transmission device 30 that receives a digital broadcast wave from the digital broadcast wave transmission device 10 and transmits digital broadcast content with enhanced encryption strength to the IP network 20, and an IP network 20. The receiving apparatus 40 is configured to receive and reproduce digital broadcast content. This embodiment employs the transmission method of claim 5 and the reception apparatus of claim 6 of the present invention.

  FIG. 2 is a block diagram showing a detailed configuration of the transmission device 30 in the distribution system of FIG. The transmission device 30 includes a broadcast receiving unit 31, a distribution processing unit 32, and an IP distribution unit 33.

  The broadcast receiving unit 31 is means for receiving a digital broadcast wave transmitted from the digital broadcast wave transmitting apparatus 10 and converting it into a TS (Transport Stream).

  The distribution processing unit 32 includes a reception extraction unit 321, a security module 322, a decryption unit 323, a re-encryption unit 324, a multiplex transmission unit 325, and a license server 326.

  The reception extraction unit 321 extracts an ECM (Entitle Control Message) inserted by the broadcaster from the TS obtained from the digital broadcast wave by the broadcast reception unit 31, and sends it to the security module 322 and the multiplex transmission unit 325. At the same time, the digital broadcast content is output to the decoding unit 323. The ECM contains a scramble key Ks necessary for releasing the encryption of the digital broadcast content.

  The security module 322 reproduces the scramble key Ks from the ECM input from the reception extraction unit 321 and inputs it to the decryption unit 323 and the re-encryption unit 324.

  The decryption unit 323 uses the scramble key Ks input from the security module 322 to decrypt the digital broadcast content input from the reception extraction unit 321.

  The re-encryption unit 324 uses the combination of the extended encryption key Kx given from the license server 326 and the scramble key Ks inputted from the security module 322 for the digital broadcast content decrypted by the decryption unit 323. Re-encrypt. Here, an encryption method of 128 bits or more is used for re-encryption. For example, in the case of 128-bit encryption (L = 128), the length of the scramble key Ks is set to 64 bits (M = 64), and the length of the extended encryption key Kx is set to 64 bits (N = 64). It is a 128-bit encryption key. More specifically, 128-bit encryption is performed with the scramble key Ks as the lower 64 bits and the extended encryption key Kx as the upper 64 bits. Of course, the scramble key Ks may be the upper 64 bits and the extended encryption key Kx may be the lower 64 bits. The digital broadcast signal encrypted by the re-encryption unit 324 is input to the multiplex transmission unit 325.

  The present invention is not limited to N = 64 and M = 64. The values of N and M can be arbitrarily selected. For example, it is possible to perform encryption using a 256 (= L) -bit encryption key with M = 64 and N = 192. However, since the encryption method used in digital broadcasting is 64 bits, it is desirable that M = 64. The scramble key Ks corresponds to the first encryption key of the present invention, and the extended encryption key Kx corresponds to the second encryption key of the present invention.

The multiplex transmission unit 325 multiplexes the digital broadcast content re-encrypted by the re-encryption unit 324 and the ECM input from the reception extraction unit 321, converts it into a TS, and outputs the TS to the IP distribution unit 33. The stream at this time may be not only TS but also PS (Program Stream) or other multiple formats.

  The license server 326 is a unit that generates an extended encryption key Kx, gives it to the re-encryption unit 324, and transmits it to the receiving device 40 through the IP network 20. Transmission of the extended encryption key Kx via the IP network 20 is performed by a secure communication method such as SSL (Secure Sockets Layer).

  The IP distribution unit 33 generates an IP packet from the TS input from the multiplex transmission unit 325 and sends it to the IP network 20.

  The scramble key Ks is multiplexed on the broadcast wave by the broadcaster and changes with time. Similarly, the extended encryption key Kx may be changed with time.

  Next, a detailed configuration of the receiving device 40 will be described.

  FIG. 3 is a block diagram showing a detailed configuration of the receiving device 40 in the distribution system of FIG. As shown in the figure, the reception device 40 includes an IP reception unit 41 and a reception processing unit 42.

  The IP reception unit 41 corresponds to the content reception unit of the present invention, receives an IP packet of digital broadcast content from the IP network 20, extracts a TS from the IP packet, and inputs the TS to the reception processing unit. The reception processing unit 42 includes a reception extraction unit 421, a security module 422, a reception module 423, a decoding unit 424, and a decoding unit 425.

  The reception extraction unit 421 extracts the ECM from the digital broadcast content TS input from the IP reception unit 41 and outputs the ECM to the security module 422, and also outputs the digital broadcast content to the decryption unit 424. The security module 422 corresponds to the encryption key reproduction unit of the present invention, reproduces the scramble key Ks from the ECM input from the reception extraction unit 421, and sends the lower 64 bits of the 128-bit encryption key to the decryption unit 424. Give as.

  The receiving module 423 corresponds to the encryption key receiving unit of the present invention. The receiving module 423 acquires the extended encryption key Kx from the license server 326 through the IP network 20 by secure communication, and sends the upper 64 bits of the 128-bit encryption key to the decryption unit 424. Give as. The decryption unit 424 generates a 128-bit encryption key by synthesizing the scramble key Ks given from the security module 422 and the extended encryption key Kx given from the reception module 423, and receives and extracts the 128-bit encryption key. The digital broadcast content input from the unit 421 is decrypted.

  The decoding unit 425 decodes video and audio reproduction signals from the digital broadcast content decrypted by the decoding unit 424.

  Next, the operation of the distribution system of this embodiment will be described.

  FIG. 4 is a diagram showing a communication sequence of the distribution system of FIG. When the program is selected by the viewer, the selection information of the program is input to the receiving module 423 of the receiving device 40 (S1). The reception module 423 transmits a request message to the license server 326 of the transmission device 30 through the IP network 20 (S2). The license server 326 performs license processing (S3), and transmits the extended encryption key Kx stored therein to the reception module 423 of the reception device 40 through the IP network 20 (S4). The above communication is performed using a secure communication method such as SSL.

  The license processing is, for example, processing such as terminal authentication, personal authentication, contract information verification, credit for content purchase, and settlement. In the case of free content, a part of it is performed.

  The reception module 423 sets the acquired extended encryption key Kx in the decryption unit 424 as the upper 64 bits of the 128-bit encryption key (S5). Thereafter, the reception module 423 transmits a request message to the IP distribution unit 33 of the transmission device 30 through the IP network 20 (S6). Upon receiving the request message, the IP distribution unit 33 starts transmission of the digital broadcast content multiplexed with the ECM (S7).

  The reception extraction unit 421 of the reception device 40 extracts the ECM from the TS of the digital broadcast content received through the IP reception unit 41 and inputs it to the security module 423 (S8). The security module 423 reproduces the scramble key Ks from the input ECM, and sets it in the decryption unit 424 as the lower 64 bits of the 128-bit encryption key (S9). During this time, the digital broadcast content is input to the decryption unit 424. The decryption unit 424 creates a 128-bit encryption key by combining the acquired extended encryption key Kx (upper 64 bits) and the scramble key Ks (lower 64 bits), and encrypts the digital broadcast content with the 128-bit encryption key. Is released and output to the decoding unit 425.

  According to the present embodiment, when distributing digital content through the IP network 20, the content can be encrypted and distributed by a stronger encryption method based on the encryption key inserted into the content by the broadcaster. it can.

(Second Embodiment)
Next, a distribution system according to the second embodiment of the present invention will be described.

  For example, in pay broadcasting such as BS digital broadcasting, control is performed with a pair of EMM (Entitle Management Message) and ECM. In EMM, reservation information related to a program is transmitted, and a process for charging is performed by comparison with program attribute information listed in the ECM.

  FIG. 5 is a block diagram illustrating a configuration of the transmission device 30A of the distribution system according to the second embodiment.

The reception extraction unit 321A of the distribution processing unit 32A extracts the ECM and EMM inserted by the broadcaster from the digital broadcast TS input from the broadcast reception unit 31, and sends them to the security module 322A and the multiplex transmission unit 325A. In addition to outputting, the digital broadcast content is output to the decoding unit 323.

  The security module 322A reproduces the scramble key Ks from the ECM and EMM input from the reception extraction unit 321A, and inputs the scramble key Ks to the decryption unit 323 and the re-encryption unit 324.

  The multiplex transmission unit 325 </ b> A multiplexes the digital broadcast content re-encrypted by the re-encryption unit 324 and the ECM and EMM given from the reception extraction unit 321 </ b> A, converts them into TS, and outputs them to the IP distribution unit 33. Other configurations and operations of the transmission device 30 are the same as those in the first embodiment.

  FIG. 6 is a block diagram illustrating a configuration of the receiving device 40A of the distribution system according to the second embodiment.

  Here, the reception extraction unit 421A extracts the ECM and EMM from the TS input from the IP reception unit 41, outputs the ECM and EMM to the security module 422A, and outputs the digital broadcast content to the decryption unit 424.

  The security module 422A reproduces the scramble key Ks from the ECM and EMM input from the reception extraction unit 421A, and gives the decryption unit 424 as the lower 64 bits of the 128-bit encryption key. Other configurations and operations of the receiving device 40A are the same as those in the first embodiment.

  Here, the mechanism for extracting the scramble key Ks from the ECM and EMM is in accordance with a general encryption method employed in the CAS method.

  FIG. 7 is a block diagram relating to a general encryption method employed in the CAS method. The encryption method shown here is a method of encrypting content by a triple key method of a work key Kw for encrypting the scramble key Ks and a master key Km unique to the security module of the receiving apparatus.

  The encoding unit 501 inputs the result of encoding the broadcast content to the encryption unit 502 on the transmission side. The encryption unit 502 encrypts the digital broadcast content input from the encoding unit 501 with the scramble key Ks. The digital broadcast content encrypted by the encryption unit 502 is transmitted to the receiving side through the IP network 20. The decryption unit 511 on the receiving side releases the encryption of the digital broadcast content input through the IP network 20 with the scramble key Ks and inputs the decrypted content to the decoding unit 512. The decoding unit 512 decodes the encrypted digital broadcast content and outputs a reproduction signal.

  The transmission-side encryption key generation unit 500 includes two encryption units 503 and 504. The encryption unit 503 receives the scramble key Ks and the program attribute information, and is encrypted with the encryption key Kw supplied separately. This encrypted information is assumed to be Ekw (program attribute + scramble key Ks). This means that the information in parentheses is encrypted with the encryption key Kw. This Ekw (program attribute + scramble key Ks) is output as an ECM from the encryption unit 503 and transmitted to the receiving side through the IP network 20.

  On the other hand, the contract information and the encryption key Kw are input to the encryption unit 504. The encryption unit 504 encrypts the contract information and the encryption key Kw with the encryption key Km prepared in advance. This encrypted information is assumed to be Ekm (contract information + encryption key Kw). This Ekm (reservation information + Kw) is output from the encryption unit 504 as EMM and transmitted to the receiving side through the IP network 20.

  The receiving-side security module 510 has two decrypting units 513 and 514. The decryption unit 514 decrypts the EMM cipher input through the IP network 20 by using the encryption key Km that is held in advance, and extracts the contract information and the encryption key Kw. The contract information is input to the determination unit 515, and the encryption key Kw is input to the decryption unit 513.

  The decryption unit 513 reproduces the program attribute information and the scramble key Ks from the ECM by resolving the encryption of the ECM input through the IP network 20 using the encryption key Kw input from the decryption unit 514, and determines the program attribute determination unit 515. To enter. The determination unit 515 compares the contract information input from the decryption unit 514 with the program attribute information input from the decryption unit 513 to determine whether or not a predetermined condition is satisfied. If the switch 516 is not established, the switch 516 is switched off. The switch 516 is means for switching whether to supply the scramble key Ks extracted by the decryption unit 513 to the decryption unit 511 for decrypting the broadcast content.

  When the switch 516 is turned on, the scramble key Ks extracted by the decryption unit 513 is supplied to the decryption unit 511. As a result, the decryption unit 512 releases the encryption of the broadcast content input through the IP network 20 using the scramble key Ks.

  The generation of the scramble key Ks from the ECM and EMM by the security module 322A in FIG. 5 and the security module 422A in FIG. 6 is performed by decryption in the two decryption units 513 and 514 of the security module 510 in FIG.

(Third embodiment)
Next, a third embodiment of the present invention will be described. This embodiment corresponds to claim 7 of the present invention.

  FIG. 8 is a diagram showing the configuration of the receiving device 40B in the distribution system of this embodiment. The receiving apparatus 40B according to the present embodiment can receive both the digital broadcast content distributed through the IP network 20 and the digital broadcast content transmitted through broadcast waves, in the first embodiment shown in FIG. A tuner 43, a switch 44, a broadcast wave 64-bit decoding unit 427, and a switch 428 are added to the configuration of the receiver 40.

  The tuner 43 receives digital broadcast content by broadcast waves. The switch 44 is means for switching between the digital broadcast content obtained from the IP receiver 41 and the broadcast digital broadcast content obtained from the tuner 43. The 64-bit decryption unit 427 corresponds to the broadcast wave content decryption unit of the present invention, and decrypts the digital broadcast content by the broadcast wave with the 64-bit scramble key Ks given from the security module 422. . That is, the security module 422 extracts the ECM that is the encryption key information encrypted from the broadcast wave content received by the tuner 43 and reproduces the 64-bit scramble key Ks that is the broadcast wave encryption key. And a broadcast wave encryption key reproducing unit. The switch 428 selects the digital broadcast content based on the broadcast wave decrypted by the 64-bit decryption unit 427 and the digital broadcast content of the IP network 20 decrypted by the decryption unit 424 using the 128-bit encryption key. The data is switched and output to the decoding unit 425. Other configurations and operations of the receiving device 40B are the same as those of the receiving device 40 of the first embodiment shown in FIG.

  Next, the operation of the receiving device 40B will be described.

  When digital broadcast content by broadcast waves is received by the receiving device 40B, the digital broadcast content by broadcast waves is first received by the tuner 43 and input to the switch 44. When the broadcast wave is received, the output of the tuner 43 is selected by the switch 44, and the digital broadcast content by the broadcast wave is input to the reception extraction unit 421. The reception extraction unit 421 extracts the ECM from the digital broadcast content by the broadcast wave and outputs it to the security module 422. The security module 422 generates a scramble key Ks from the ECM input from the reception extraction unit 421 and inputs it to the 64-bit decryption unit 427. Since the broadcast wave digital broadcast content is encrypted with a 64-bit length encryption key, the 64-bit decryption unit 427 can decrypt the broadcast wave digital broadcast content with the 64-bit length scramble key Ks. . Further, when a broadcast wave is received, the output of the 64-bit decryption unit 427 is selected by the switch 428, and the digital broadcast content decrypted by the 64-bit decryption unit 427 is input to the decoding unit 425 through the switch 428. Then, the digital broadcast is played back.

  When selecting the digital broadcast content of the IP network 20, the output of the IP receiver 41 is selected by the switch 44, and the output of the decoder 424 is further selected by the switch 428. The operation in this case is the same as that of the receiving device 40 of the first embodiment.

  According to this embodiment, both reception from the IP network and reception by broadcast waves can be performed without changing the security module.

(Fourth embodiment)
Next, a delivery system according to a fourth embodiment of this invention will be described.

  FIG. 9 is a diagram illustrating a configuration of a transmission device 30C in the distribution system of the fourth embodiment. This transmission device 30C is characterized in that a calculation unit 327 is provided in the configuration of the transmission device 30 of the first embodiment shown in FIG. The calculation unit 327 corresponds to the third encryption key generation unit of the present invention. In the transmission apparatus 30 of the first embodiment, the license server 326C generates a 64-bit extended encryption key Kx, whereas in this embodiment, the license server 326C generates a 128-bit extended encryption key Kx. . Further, the 128-bit extended encryption key Kx output from the license server 326 is input to the calculation unit 327. In addition, a 64-bit scramble key Ks obtained by the security module 322 is also input to the calculation unit 327 at the same time.

  Here, the operation unit 327 performs an operation using the 64-bit scramble key Ks and the 128-bit extended encryption key Kx to generate a new 128-bit encryption key. For example, two scramble keys Ks are combined as upper 64 bits and lower 64 bits to form a 128-bit bit string, and then exclusive ORed with a 128-bit extended encryption key Kx to obtain a new 128-bit length There is a method of generating a bit string as an encryption key. Other configurations and operations are the same as those of the transmission device 30 of the first embodiment.

  FIG. 10 is a diagram illustrating a configuration of the receiving device 40C in the distribution system according to the fourth embodiment.

  This receiving device 40C is characterized in that a calculation unit 426 is provided in the configuration of the receiving device 40 of the first embodiment shown in FIG. In the receiving device 40 of the first embodiment, the receiving module 423 generates a 64-bit extended encryption key Kx, whereas the receiving module 423C of the present embodiment has a 128-bit extended encryption key. Generate Kx. Further, the 128-bit extended encryption key Kx obtained by the reception module 423C is input to the calculation unit 426. A 64-bit scramble key Ks obtained by the security module 422 is also input to the calculation unit 426 at the same time.

  Here, the operation unit 426 performs an operation using the 64-bit scramble key Ks and the 128-bit extended encryption key Kx to generate a new 128-bit encryption key. As in the case of the transmitting apparatus 30C, for example, the two scramble keys Ks are combined as the upper 64 bits and the lower 64 bits to form a 128-bit bit string, and then the 128-bit extended encryption key Kx A method of taking an exclusive OR with can be adopted. Other configurations and operations are the same as those of the receiving device 40 of the first embodiment.

  Other calculation methods by the calculation unit 327C and the calculation unit 426C include the following.

(1) The scramble key Ks is set to the upper 64 bits, the lower 64 bits are all set to 1 and set to 128 bits, and then exclusive ORed with the 128-bit extended encryption key Kx to obtain a new 128-bit encryption key. Generate.

(2) The scramble key Ks is set to the lower 64 bits, the upper 64 bits are all set to 1 and set to 128 bits, and then exclusive ORed with the 128-bit extended encryption key Kx to generate a new 128-bit encryption key. To do.

  If it is possible to finally generate a 128-bit encryption key, other calculation methods may be adopted. Further, a plurality of calculation methods may be prepared in advance, and the calculation method to be adopted may be notified from the transmission device 30C to the reception device 40C. In this case, for example, the calculation method is notified by communication from the license server 326 to the reception module 423.

  Further, the length of the encryption key obtained by the calculation does not necessarily need to be 128 bits, and may be 128 bits or more.

(Fifth embodiment)
Next, an embodiment in which the present invention is applied to a VoD distribution system will be described. This embodiment particularly corresponds to claim 1 of the present invention.

  FIG. 11 is a block diagram illustrating a configuration of a transmission device in the VoD distribution system according to the present embodiment. As shown in the figure, the transmission device 60 includes a content holding unit 61, an encoding unit 62, an encryption unit 63, a multiplex transmission unit 64, an IP distribution unit 65, a portal server 66, a license server 67, and an ECM generation unit 68. Have.

  The content holding unit 61 is a storage unit that holds digital content for distribution. The encoding unit 62 encodes the digital content read from the content holding unit 61. The encryption unit 63 generates a 128-bit encryption key using the upper 64 bits key and the lower 64 bits key acquired from the license server 67, and is output from the encoding unit 62 using the 128 bit encryption key. Encrypt digital content. The multiplex transmission unit 64 multiplexes the encrypted digital content and the ECM acquired from the ECM generation unit 68 to generate a TS, and outputs the TS to the IP distribution unit 65. The IP distribution unit 65 generates an IP packet from the TS input from the multiplex transmission unit 64 and sends it to the IP network 20.

  The portal server 66 receives a content distribution request from the receiving device sent via the IP network 20 and sends a content distribution request message to the license server 67.

  Upon receiving the content distribution request message from the portal server 66, the license server 67 controls to read out the requested digital content from the content holding unit 61, and the 64-bit extended encryption key Kx stored in itself. Is transmitted to the content distribution request source receiving apparatus through the IP network 20 and output to the encryption unit 63. Further, the license server 67 outputs the 64-bit scramble key Ks stored therein to the encryption unit 63 and the ECM generation unit 68. The ECM generation unit 68 generates an ECM based on the scramble key Ks acquired from the license server 67 and outputs it to the multiplex transmission unit 64.

  The operation of the transmission device 60 is as follows. First, the portal server 66 transmits a list of digital contents that can be distributed stored in the content holding unit 61 to the receiving device through the IP network 20. When the portal server 66 receives a content distribution request from the receiving device through the IP network 20, the portal server 66 sends a content distribution request message to the license server 67. Upon receiving the content distribution request message from the portal server 66, the license server 67 performs control so that the requested digital content data is output from the content holding unit 61 to the encoding unit 62. Further, the license server 67 transmits the 64-bit extended encryption key Kx to the content distribution request receiving device via the IP network 20 and outputs the same to the encryption unit 63, and further converts the 64-bit scramble key Ks to the encryption unit. 63 and the ECM generator 68.

  On the other hand, the encoding unit 62 encodes the digital content acquired from the content holding unit 61 and outputs the result to the encryption unit 63. The encryption unit 63 generates a 128-bit encryption key from the extended encryption key Kx and the scramble key Ks acquired from the license server 67, and the digital content output from the encoding unit 62 with this 128-bit encryption key. Encryption is performed, and the result is supplied to the multiplex transmission unit 64. In the multiplex transmission unit 64, the encrypted digital content and the ECM acquired from the ECM generation unit 68 are multiplexed to generate a TS, which is output to the IP distribution unit 65. In the IP distribution unit 65, an IP packet is generated from the TS input from the multiplex transmission unit 64 and transmitted through the IP network 20 to the content distribution request source receiving device.

  FIG. 12 is a block diagram showing a configuration of a receiving device in the VoD distribution system according to the present embodiment. As shown in the figure, the receiving device 70 includes an IP receiving unit 71 that receives digital content through the IP network 20, and a reception processing unit 72 that decrypts and reproduces the received digital content. .

  The IP receiving unit 71 receives an IP packet of digital content distributed from the IP network 20, extracts a TS from the IP packet, and inputs the TS to the reception processing unit 72. The reception processing unit 72 includes a reception extraction unit 721, a security module 722, a reception module 723, a decryption unit 724, a decode unit 725, and a browser 726.

  The reception extraction unit 721 extracts the ECM from the TS input from the IP reception unit 71, outputs the ECM to the security module 722, and outputs the digital content to the decryption unit 724. The security module 722 reproduces the scramble key Ks from the ECM input from the reception extraction unit 721, and sets it as the lower 64 bits of the 128-bit encryption key in the decryption unit 724.

  The receiving module 723 acquires the extended encryption key Kx from the license server 67 through the IP network 20 by secure communication, and sets it in the decryption unit 724 as the upper 64 bits of the 128-bit encryption key. The decryption unit 724 generates a 128-bit encryption key by synthesizing the scramble key Ks given from the security module 722 and the extended encryption key Kx given from the reception module 723. With this 128-bit encryption key, The digital content input from the reception extraction unit 721 is decrypted.

  The decoding unit 725 decodes video and audio reproduction signals from the digital content decrypted by the decoding unit 724. The browser 726 communicates with the portal server 66 through the IP network 20 to acquire and display a list of digital contents that can be distributed. Further, the browser 726 generates a message requesting distribution of the digital content selected by the viewer from the displayed digital content list, and communicates with the portal server 66 through the IP network 20. Further, the browser 726 outputs a message to the effect that a digital content distribution request has been made to the reception module 723. Upon receiving this message, the receiving module 723 communicates with the license server 67 through the IP network 20 and acquires the 64-bit extended encryption key Kx from the license server 67. Further, if the digital content requested to be distributed is charged, the receiving module 723 simultaneously performs a charging process necessary for the charge.

  The operation of the receiving device 70 is as follows. First, the browser 726 receives a list of digital contents that can be distributed from the portal server 66 through the IP network 20, and displays this list. When the viewer selects a digital content to be viewed from the list of digital contents, the browser 726 generates a message requesting distribution of the selected digital content and transmits the message to the portal server 66 through the IP network 20. To do. At the same time, a message is sent from the browser 726 to the receiving module 723 indicating that a digital content distribution request has been made. Upon receiving this message, the receiving module 723 communicates with the license server 67 through the IP network 20, acquires the 64-bit extended encryption key Kx from the license server 67, and sets it in the decryption unit 724.

  On the other hand, the IP packet of the digital content is received by the IP receiving unit 71 of the receiving device 70 from the transmitting device 60 through the IP network 20. The IP packet is converted into a TS by the IP reception unit 71 and input to the reception extraction unit 721. In the reception extraction unit 721, the ECM is extracted from the TS and output to the security module 722, and the digital content is output to the decryption unit 724. The security module 722 reproduces the scramble key Ks from the ECM and sets it in the decryption unit 724 as the lower 64 bits of the 128-bit encryption key.

  The decryption unit 724 generates a 128-bit encryption key by synthesizing the scramble key Ks given from the security module 722 and the extended encryption key Kx given from the reception module 723, and uses this 128-bit encryption key to generate digital content. Unencrypt the. The decrypted digital content is input to the decoding unit 725, and video and audio playback signals are decoded.

(Sixth embodiment)
Next, a sixth embodiment of the present invention will be described.

  In terrestrial digital broadcasting, unlike BS broadcasting and CS broadcasting, the range (broadcasting area) where radio waves can be transmitted is limited. Each broadcaster broadcasts within a limited range (broadcast area). Therefore, when terrestrial digital broadcasting is distributed over an IP network, it is necessary to provide a restriction so that broadcast content can be distributed only to receiving devices within a range (broadcast area) determined by a broadcast license. In the present embodiment, such regional distribution restrictions on broadcast contents are realized by using an extended encryption key Kx.

  FIG. 13 is a block diagram showing a method for realizing regional distribution restrictions on broadcast content using the extended encryption key Kx.

  Each receiving device 40-1, 40-2, 40-3, 40-4 is connected to the IP network 20-1, 20-2 via the edge routers 50-1, 50-2, 50-3, 50-4. 20-3. The IP networks 20-1, 20-2, and 20-3 correspond to broadcasting areas defined by terrestrial digital broadcasting, and each IP network 20-1, 20-2, and 20-3 has a broadcasting business. The local distribution servers 51-1, 51-2, and 51-3 of the user are connected.

  The receiving devices 40-1, 40-2, 40-3, 40-4 are grouped by broadcasting area from the edge routers 50-1, 50-2, 50-3, 50-4 connected thereto. One IP address is assigned from the IP address group.

  Each local distribution server 51-1, 51-2, 51-3 stores unique extended encryption keys Kx1, Kx2, Kx3, respectively. When the local distribution servers 51-1, 51-2, 51-3 receive a broadcast content distribution request from the receiving devices 40-1, 40-2, 40-3, 40-4 in the same broadcast area, The broadcast contents are encrypted using the stored extended encryption keys Kx1, Kx2, Kx3 and the scramble key, and information obtained by encrypting the scramble key is multiplexed on the receiver 40-1, 40-2, 40- 3, Respond to 40-4.

  A global management server 52 is connected to each IP network 20-1, 20-2, 20-3. The global management server 52 stores and manages the following information in a database.

Correspondence relationship between broadcast area, edge router, and local distribution server URL of local distribution server and extended encryption key Correspondence relationship between IP address and broadcast area The global management server 52 is accessed from the receiving device 40-1, for example. In response, the IP address of the receiving device added to the access information is acquired, and the broadcast area of the receiving device 40-1 is specified by referring to the database based on the IP address. Next, the global management server 52 specifies the local distribution server 51-1 corresponding to the specified broadcast area with reference to the database. Furthermore, the global management server 52 reads the specified URL of the local distribution server 51-1 and the extended encryption key Kx1 from the database, and transmits them to the receiving device 40-1 through the IP network 20-1 by secure communication such as SSL. The same applies when the global management server 52 receives access from other receiving apparatuses 40-2, 40-3, and 40-4. In the example of FIG. 13, since the receiving device 40-3 and the receiving device 40-4 belong to the same broadcast area, the global management server 52 can access from these receiving devices 40-3 and 40-4. In response, the URL of the same local distribution server 51-3 and the extended encryption key Kx3 are returned.

  Next, the operation for limiting the broadcast area using the extended encryption key will be described.

  FIG. 14 is a sequence diagram of an operation for performing regional distribution restrictions on broadcast content using the extended encryption key.

  Consider a case where the power of the receiving device 40-4 is turned on. When the power of the receiving device 40-4 is turned on (S1), the receiving device 40-4 transmits a request message to the edge router 50-4 (S2). Upon receiving the request message from the receiving device 40-4, the edge router 50-4 pays out one of the IP address groups that can be assigned by itself to the receiving device 40-4 (S3). An IP address is obtained.

  When receiving the IP address, the receiving device 40-4 transmits a request message to the global management server 52 (S4). When the global management server 52 receives the request message from the receiving device 40-4, the global management server 52 extracts the IP address of the transmission source added to the request message, refers to the database, and broadcast area corresponding to the IP address. Is determined (S5). After determining the broadcasting area, the global management server 52 reads the URL of the local distribution server 51-3 and the extended encryption key Kx3 corresponding to the broadcasting area from the database, and transmits them to the receiving device 40-4 by secure communication (S6). , S7).

  The receiving device 40-4 accesses the local distribution server 51-3 based on the acquired URL (S8), and acquires an initial setting value (S9). Here, the obtained initial setting value is a correspondence table between a multicast address and channel selection information so that channel selection of digital terrestrial broadcasting is possible.

  After the above exchange, when the viewer selects a channel in the receiving device 40-4, the content of the terrestrial digital broadcast is distributed from the local distribution server 51-3. The local distribution server 51-3 is set with an extended encryption key Kx3 corresponding to the broadcasting region, and the local distribution server 51-3 encrypts the content of digital terrestrial broadcasting using the extended encryption key Kx3 and the scramble key. And scramble key is multiplexed on this content to generate an IP packet, and this IP packet is distributed to the receiving device 40-4 through the IP network 20-3.

  When receiving the content of the terrestrial digital broadcast signal, the receiving device 40-4 encrypts the content of the terrestrial digital broadcast signal using the scramble key multiplexed on the content and the extended encryption key Kx3 acquired from the global management server 52. Cancel the conversion. As a result, regional distribution restrictions can be made when digital terrestrial broadcasting is distributed over an IP network.

  Further, the extended encryption key Kx can be used not only for regional distribution restrictions when distributing terrestrial digital broadcasting through the IP network, but also for use of pay broadcasting service and VoD service.

  A mechanism for switching the extended encryption key Kx according to the service to be used may be incorporated in the receiving apparatus.

  FIG. 15 is a flowchart showing the operation of the mechanism for switching the extended encryption key Kx according to the service used.

  When the power is turned on in the receiving device (S1501), the receiving device receives the IP address allocation from the edge router by the above procedure (S1502). Thereafter, a service desired to be used is selected by the viewer. When viewing of the terrestrial digital broadcast is selected (S1503), the receiving apparatus accesses the global management server (S1504), and acquires the extended encryption key Kx for broadcasting area limitation (S1505). Thereafter, the receiving apparatus receives the terrestrial digital broadcast from the local distribution server by multicast (S1506).

  When the use of the VoD service or the pay broadcast service is selected (S1503), the receiving apparatus accesses the license server (S1507). The receiving apparatus determines the service to be used based on the response from the license server (S1508). If the service is VoD, the receiving apparatus acquires the extended encryption key Kx for using the VoD service from the license server (S1509). Digital content is received by unicast from the transmission device of the VoD distribution system (S1510). If the service to be used is a pay broadcast, an extended encryption key Kx for pay broadcast is acquired from the license server (S1511), and the pay broadcast is received by multicast (S1512).

(Seventh embodiment)
Next, a distribution system according to a seventh embodiment of the present invention will be described.

  FIG. 16 is a block diagram illustrating a configuration of a transmission device 30D in the distribution system according to the seventh embodiment. The transmission device 30D includes a broadcast receiving unit 31, a distribution processing unit 32D, and an IP distribution unit 33.

  The broadcast receiving unit 31 receives a digital broadcast wave, converts it into a TS (Transport Stream), and inputs it to the distribution processing unit 32D.

  The distribution processing unit 32D includes a reception extraction unit 321, a first security module 322D, a decryption unit 323, a re-encryption unit 324D, a multiplex transmission unit 325D, and a license server 326.

  The reception extraction unit 321 extracts an ECM (Entitle Control Message) inserted by the broadcaster from the TS obtained from the digital broadcast wave in the broadcast reception unit 31, and outputs the extracted ECM to the security module 322D and the license server 326D. At the same time, the digital broadcast content is output to the decryption unit 323. The ECM includes information obtained by encrypting the scramble key Ks necessary for decrypting the digital broadcast content.

  The first security module 322D corresponds to the first encryption key reproduction unit of the present invention. The first security module 322D reproduces the scramble key Ks from the ECM input from the reception extraction unit 321 and inputs it to the decryption unit 323. . The decryption unit 323 decrypts the digital broadcast content input from the reception extraction unit 321 using the 64-bit scramble key Ks input from the security module 322D.

  The license server 326D generates a 128-bit encryption key from the scramble key Ks given by the security module 322D and the 128-bit extended encryption key Kx generated inside the license server 326D, and re-encrypts the unit 324D. To enter. Further, the license server 326D transmits the original ECM extracted by the reception extraction unit 321 to the receiving device 40 through the IP network 20 by a secure communication method such as SSL (Secure Sockets Layer). Further, the license server 326D inputs a new ECM obtained by encrypting the 128-bit extended encryption key Kx to the multiplex transmission unit 325D.

  The re-encrypting unit 324D re-encrypts the digital broadcast content decrypted by the decrypting unit 323 using the 128-bit encryption key given from the license server 326D. The digital broadcast content encrypted by the re-encryption unit 324D is input to the multiplex transmission unit 325D.

  Here, the re-encryption uses an encryption method of 128 bits or more. For example, in the case of 128-bit encryption (L = 128), the length of the scramble key Ks is set to 64 bits (M = 64), and the length of the extended encryption key Kx is set to 128 bits (N = 128). A 128-bit encryption key is generated by exclusive OR. For example, two scramble keys Ks (odd / even) included in the original ECM are combined as upper 64 bits and lower 64 bits to form a 128-bit bit string, and two extended encryption keys Kx are converted into upper 64 bits and lower bits. There is a method in which a 128-bit encryption key is generated by combining the 64 bits into a 128-bit bit string and taking the exclusive OR of these.

  Note that the present invention is not limited to N = 128 and M = 64. The values of N and M can be arbitrarily selected. For example, it is possible to perform encryption using a 128 (= L) -bit encryption key, where N = 128 and M = 128. Further, the operation is not limited to exclusive OR. For example, it is possible to combine the scramble key Ks with the upper 64 bits and the extended encryption key Kx with the lower 128 bits to form a 128-bit encryption key. A 128-bit encryption key may be generated by other calculation methods.

  The multiplex transmission unit 325 </ b> D multiplexes the digital broadcast content encrypted by the re-encryption unit 324 </ b> D and the new ECM given from the license server 326 </ b> D, converts it into a TS, and outputs it to the IP distribution unit 33. Here, the new ECM is obtained by encrypting the 128-bit extended encryption key Kx. Note that the stream may be not only TS but also PS (Program Stream) or other multiplexed formats.

  The IP distribution unit 33 generates an IP packet from the TS input from the multiplex transmission unit 325D and sends it to the IP network 20.

  The scramble key Ks is multiplexed on the broadcast wave by the broadcaster and changes with time. Similarly, the extended encryption key Kx may be changed with time.

  Next, a detailed configuration of the receiving device will be described.

  FIG. 17 is a block diagram illustrating a configuration of a receiving device 40D according to the seventh embodiment. The receiving device 40D includes an IP receiving unit 41 and a reception processing unit 42D.

  The IP reception unit 41 receives an IP packet of digital broadcast content from the IP network 20, extracts a TS from the IP packet, and inputs the TS to the reception processing unit 42D. The reception processing unit 42D includes a reception extraction unit 421, a second security module 422D, a security module 423D, a decoding unit 424D, and a decoding unit 425.

  The reception extraction unit 421 extracts the ECM from the digital broadcast content TS input from the IP reception unit 41 and outputs the ECM to the second security module 422D, and outputs the digital broadcast wave content to the decoding unit 424D. The second security module 422D extracts the extended encryption key Kx from the new ECM input from the reception extraction unit 421, and provides it to the decryption unit 424D as a 128-bit encryption key. The security module 423D acquires the original ECM by secure communication from the license server 326D through the IP network 20, and provides two 64-bit scramble keys Ks (odd / even) to the decryption unit 424D.

  The decryption unit 424D arranges the extended encryption key Kx given from the second security module 422D and the two 64-bit scramble keys Ks (odd / even) given from the security module 423D in the upper / lower order, respectively. A 128-bit encryption key is created by combining the 128-bit bit string, and the digital broadcast wave content input from the reception extraction unit 421 is decrypted with this 128-bit encryption key. The decoding unit 425 decodes video and audio reproduction signals from the digital broadcast content decrypted by the decoding unit 424.

  Next, the operation of the distribution system of this embodiment will be described.

  FIG. 18 is a diagram showing a communication sequence of the distribution system of this embodiment. When the program is selected by the viewer, the selection information of the program is input to the security module 423D of the receiving device 40D (S1). The security module 423D transmits a request message to the license server 326D of the transmission device 30D through the IP network 20 (S2). The license server 326D performs license processing (S3), and transmits the original ECM to the security module 423D of the receiving device 40D through the IP network 20 (S4). The above communication is performed using a secure communication method such as SSL.

  The license processing is, for example, processing such as terminal authentication, personal authentication, contract information verification, credit for content purchase, and settlement. In the case of free content, a part of it is performed. The security module 423D sets the two scramble keys Ks (odd / even) extracted from the acquired original ECM in the decryption unit 424D (S5). Thereafter, the security module 423D transmits a request message to the IP distribution unit 33 of the transmission device 30D through the IP network 20 (S6). Upon receiving the request message, the IP distribution unit 33 starts transmission of digital broadcast content (IP packet) on which a new ECM is multiplexed (S7).

  The reception extraction unit 421D of the reception device 40D extracts a new ECM from the digital broadcast content TS received through the IP reception unit 41, and inputs the new ECM to the second security module 423D (S8). The second security module 423D takes out the extended encryption key Kx from the input new ECM and sets it as a 128-bit encryption key in the decryption unit 424D (S9). During this time, the digital broadcast content is input to the decryption unit 424D. The decryption unit 424D creates a 128-bit encryption key by combining the obtained two scramble keys Ks (arranged at the upper / lower order of 128 bits) and the extended encryption key Kx (128 bits), and digitally uses the 128-bit encryption key. The broadcast content is decrypted and output to the decoding unit 425.

(Eighth embodiment)
Next, a distribution system according to an eighth embodiment of the present invention will be described.

  In digital broadcasting, a revoke operation is performed to eliminate a receiver that performs an illegal operation. In EMM (Entitle Management Message), information related to revocation is sent from the transmission side to the reception side, and an operation in accordance with the revocation function is performed by the reception device. The eighth embodiment supports the revoke operation by this EMM.

  FIG. 19 is a block diagram showing the configuration of the transmission device 30E in the distribution system of this embodiment.

  The reception extraction unit 321E of the distribution processing unit 32E extracts the ECM and EMM inserted by the broadcaster from the digital broadcast TS input from the broadcast reception unit 31, and each of them extracts the first security module 322D. In addition, the ECM is output to the license server 326D, and the EMM is output to the multiplexing transmission unit 325E. The multiplex transmission unit 325E multiplexes the digital broadcast content encrypted by the re-encryption unit 324D and the new ECM and EMM given from the license server 326D, converts them into TS, and outputs the TS to the IP distribution unit 33. Other configurations and operations of the transmission device 30E are the same as those of the transmission device 30D of the seventh embodiment.

  FIG. 20 is a block diagram showing the configuration of the receiving device 40E of this embodiment.

  The reception extraction unit 421E extracts the ECM and EMM from the digital broadcast content TS input from the IP reception unit 41, outputs the ECM to the second security module 422D, and outputs the EMM to the security module 423E. The security module 423E performs based on the EMM that has acquired the revoke operation according to the CAS method. As the revoking operation of the receiving device 40E, it is conceivable to stop or limit the operation or renewability. Other configurations and operations of the receiving device 40E of the present embodiment are the same as those of the receiving device 40D of the seventh embodiment.

  As a result, the revoke operation performed between transmission and reception of digital terrestrial broadcasting can be performed between transmission and reception of digital broadcast content via the IP network 20.

  Although not particularly illustrated, a new EMM may be provided from the license server 326D in FIG. 19 and the new EMM may be acquired together with the new ECM in the second security module in FIG. In this case, access control such as a new revoke operation can be performed in addition to the above.

  It should be noted that the present invention is not limited to the above-described embodiment, and it is needless to say that various updates can be added without departing from the gist of the present invention.

  For example, in the transmission apparatus of each embodiment, a transcoding unit is provided between the decoding unit and the multiplexing unit, for example, MPEG-2 → H. H.264 video encoding system conversion may be performed to multiplex and output IP. In this case, the decoding unit of the receiving apparatus is not a broadcast type MPEG-2 decoding process but an H.264. It may be H.264 decoding processing.

It is a block diagram which shows the structure of the delivery system of the 1st Embodiment of this invention. It is a block diagram which shows the detailed structure of the transmitter of 1st Embodiment. It is a block diagram which shows the detailed structure of the receiver of 1st Embodiment. It is a figure which shows the communication sequence of the delivery system of 1st Embodiment. It is a block diagram which shows the structure of the transmitter of 2nd Embodiment. It is a block diagram which shows the structure of the receiver of 2nd Embodiment. It is a block diagram regarding the general encryption system employ | adopted by the CAS system. It is a figure which shows the structure of the receiver of 3rd Embodiment. It is a figure which shows the structure of the transmitter of 4th Embodiment. It is a figure which shows the structure of the receiver of 4th Embodiment. It is a block diagram which shows the structure of the transmitter in the VoD system delivery system of 5th Embodiment. It is a block diagram which shows the structure of the receiver in the VoD system delivery system of 5th Embodiment. It is a block diagram which shows the system which implement | achieves the regional distribution restrictions of broadcast content using an extended encryption key. It is a sequence diagram of the system of FIG. It is a flowchart which shows operation | movement of the mechanism which switches an extended encryption key according to a utilization service. It is a block diagram which shows the structure of the transmitter of 7th Embodiment. It is a block diagram which shows the structure of the receiver of 7th Embodiment. It is a figure which shows the communication sequence of the delivery system of 7th Embodiment. It is a block diagram which shows the structure of the transmitter of 8th Embodiment. It is a block diagram which shows the structure of the receiver of 8th Embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Digital broadcast wave transmission apparatus, 20 ... IP network, 30 ... Transmission apparatus, 31 ... Broadcast reception part, 32 ... Distribution processing part, 33 ... IP distribution part, 40 ... Reception apparatus, 41 ... IP reception part, 42 ... Reception Processing unit, 43 ... tuner, 44 ... switch, 50-1, 50-2, 50-3, 50-4 ... edge router, 51-1, 51-2, 51-3 ... local distribution server, 52 ... global management Server: 60 ... Transmission device 61 ... Content holding unit 62 ... Encoding unit 63 ... Encryption unit 64 ... Multi-transmission unit 65 ... IP distribution unit 66 ... Portal server 67 ... License server 68 ... ECM generation 70: Receiving device, 71 ... IP receiving unit, 72 ... Reception processing unit, 321 ... Reception extracting unit, 322 ... Security module, 323 ... Decrypting unit 324: Re-encryption unit, 325 ... Multiple transmission unit, 326 ... License server, 327 ... Operation unit, 421 ... Reception extraction unit, 422 ... Security module, 423 ... Reception module, 424 ... Decryption unit, 425 ... Decoding unit, 426 ... arithmetic unit, 427 ... 64-bit decoding unit, 428 ... switch.

Claims (7)

Generating a first encryption key and a second encryption key;
Generating a third encryption key having a bit length equal to or greater than the first encryption key from the generated first encryption key and the second encryption key;
Encrypting digital content using the third encryption key;
Multiplexes information obtained by encrypting the first encryption key or the second encryption key on the encrypted digital content and distributes the information to a receiving device which is a content request source through an IP network. A digital content transmission method as a feature.   The method further comprises the step of transmitting the encryption key that is not multiplexed with the digital content out of the first encryption key or the second encryption key to a content requester through a route different from the distribution of the digital content through the IP network. The digital content transmission method according to claim 1, wherein:   From the first encryption key and the second encryption key, the bit length of the first encryption key is N, the bit length of the second encryption key is M, and the bit length of (N + M) 3. The digital content transmission method according to claim 1, wherein the encryption key of 3 is generated.   The first encryption key and the second encryption key are concatenated, the bit length of the first encryption key is N, the bit length of the second encryption key is M, and the bit length is (N + M) The digital content transmission method according to claim 1, wherein the third encryption key is generated. Receiving encrypted digital broadcast wave content;
Extracting encrypted encryption key information from the received digital broadcast wave content and reproducing the first encryption key;
Decrypting the received digital broadcast wave content with the first encryption key;
Generating a second encryption key;
Generating a third encryption key having a bit length equal to or greater than the first encryption key from the first encryption key and the second encryption key;
Re-encrypting the decrypted content using the third encryption key;
Multiplexes the information obtained by encrypting the first encryption key or the second encryption key on the re-encrypted content, and distributes the information to a receiving device which is a content request source through an IP network;
Transmitting the encryption key which is not multiplexed with the digital content out of the first encryption key or the second encryption key to the content requester through a route different from the distribution of the digital content through the IP network. A digital content transmission method characterized by: A first encryption key and a second encryption key are generated, and a third bit having a bit length equal to or greater than the first encryption key is generated from the generated first encryption key and the second encryption key. An encryption key is generated, the digital content is encrypted using the third encryption key, and the information obtained by encrypting the first encryption key or the second encryption key is multiplexed on the encrypted digital content. And transmitting the first encryption key or the second encryption key, which is not multiplexed with the digital content, through a route different from the distribution of the digital content through the IP network. A device, a receiving device capable of receiving distribution of content,
A content receiving unit that receives the content transmitted from the transmission device and multiplexed with encrypted encryption key information through the IP network;
An encryption key reproducing unit for extracting the encrypted encryption key information multiplexed on the content received by the content receiving unit and reproducing the first encryption key or the second encryption key;
An encryption key receiving unit that receives the first encryption key or the second encryption key through an IP network by communication with the encryption key distribution unit of the transmission device;
The third encryption key is generated from the encryption key reproduced by the encryption key reproducing unit and the encryption key received by the encryption key receiving unit, and the content is encrypted with the third encryption key. And a decrypting unit for canceling the digital content receiving apparatus. A broadcast receiver for receiving content by means of encrypted broadcast waves;
A switch unit that switches between the content received by the content receiving unit and the content received by the broadcast receiving unit;
A broadcast wave encryption key reproduction unit that extracts encrypted key information encrypted from the content received by the broadcast reception unit and reproduces the broadcast wave encryption key;
The digital content receiving apparatus according to claim 6, further comprising: a broadcast wave content decrypting unit configured to decrypt the content received by the broadcast receiving unit using the broadcast wave encryption key. .

Images