In recent years, studies have been conducted on a variety of digital television broadcasting standards. One example of such standards is MHP (Multimedia Home Platform), which is employed in many countries. According to MHP, a broadcast device multiplexes an application program (hereafter simply referred to as an “application”) in a broadcast wave and transmits it using an object carousel, and a digital television reception device receives and executes the application.
By executing such an application, the digital television reception device can achieve various functions which are unavailable to conventional television reception devices. As one example, an interactive television system can be realized whereby the digital television reception device transmits information which is collected by an application in conjunction with a broadcast program received from a broadcast wave, to a broadcast station via a network such as the Internet.
However, if the application is granted unrestricted access to resources, such as use of a file system in the digital television reception device and connection to the network, the user may suffer damage or a control system in the digital television reception device may be adversely affected when the application contains malicious code. For instance, executing an application containing malicious code may cause a channel switch to occur during viewing, or may cause information stored in the digital television reception device to be leaked or destroyed. To avoid this, Section 12 “Security” of the MHP specification defines how to execute applications securely.
According to this section, there are two types of applications: an unsigned application, which need not be authenticated; and a signed application, which must be authenticated.
The unsigned application is executed without being authenticated but, in order to protect the system, is prohibited from any access to resources that may adversely affect the system.
The signed application is permitted to access more resources than the unsigned application. Before activation, however, the signed application is authenticated: the transmitter of the application is identified using an X.509 certificate, and hash values are used to check whether the application has been tampered with. The signed application is activated only when the authentication is successful. Thus, the system is protected by executing only signed applications that are authenticated as valid applications sent from trusted transmitters.
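The activation rule described above, as an added sketch that is not taken from the original text or from the MHP specification. It assumes a shared HMAC key as a stand-in for the transmitter's X.509 certificate signature so that it runs offline; the permission names and the application record layout are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed trust anchor. MHP identifies the transmitter with an X.509
# certificate; an HMAC key is substituted here (assumption) to stay offline.
TRUSTED_TRANSMITTERS = {"broadcaster-a": b"constructed-demo-key"}

# Hypothetical permission names: signed applications may use more resources.
UNSIGNED_PERMS = frozenset({"display"})
SIGNED_PERMS = frozenset({"display", "file_system", "network"})


def file_hashes(files):
    """Map each file name to the SHA-256 hex digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def sign(key, hashes):
    """Sign the canonical encoding of the hash list (stand-in signature)."""
    manifest = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, manifest, hashlib.sha256).digest()


def make_signed_app(transmitter, key, files):
    """Build a constructed signed application as the transmitter would."""
    hashes = file_hashes(files)
    return {"signed": True, "transmitter": transmitter, "files": dict(files),
            "hashes": hashes, "signature": sign(key, hashes)}


def activate(app):
    """Return the permission set the app runs with, or None if it must not start."""
    if not app.get("signed"):
        return UNSIGNED_PERMS            # not authenticated, restricted resources
    key = TRUSTED_TRANSMITTERS.get(app["transmitter"])
    if key is None:
        return None                      # transmitter is not trusted
    if not hmac.compare_digest(sign(key, app["hashes"]), app["signature"]):
        return None                      # hash list was not signed by that transmitter
    if file_hashes(app["files"]) != app["hashes"]:
        return None                      # a file changed after signing
    return SIGNED_PERMS                  # authenticated: activate with wider access
```

Every file of a signed application has to be received and hashed before `activate` can return, which is the activation delay the following paragraph refers to.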
This technique, however, has the following problem. Though the signed application delivers higher functions than the unsigned application, it cannot be activated promptly because it must be authenticated first. This creates a demand for a technique of activating high-function applications more speedily.