1. Field of the Invention
The present invention relates to a broadcast receiving apparatus and a control method thereof, and particularly relates to a technique related to the protection of content.
2. Description of the Related Art
In digital terrestrial broadcasting, content is sent in a scrambled state. The content is scrambled using a Conditional Access System (CAS). At present, a B-CAS system, which uses a smartcard, is employed as such a Conditional Access System.
This system of protecting content (and the copyright of the content in particular) in a broadcast receiving apparatus is called RMP (Rights Management and Protection). One form of RMP encrypts content using an encryption key. For example, in the current B-CAS system, three types of encryption keys, namely a scrambling key, a work key, and a master key, are used hierarchically.
Meanwhile, a new content protection system (called a “new RMP system” hereinafter) has recently been proposed. In the new RMP system, three types of encryption keys, namely a scrambling key, a work key, and a device key, are used hierarchically.
The scrambling key is changed every few seconds in order to improve the reliability of the content protection. The scrambling key is sent in a state in which it has been encrypted using the work key. The encrypted scrambling key is contained in data called an ECM (Entitlement Control Message).
The work key is also sent in an encrypted state. The key for encrypting the work key is the master key in the conventional RMP system and the device key in the new RMP system. The encrypted work key is contained in data called an EMM (Entitlement Management Message).
The master key is stored in the B-CAS card and is provided on a card-by-card basis. The device key, on the other hand, is provided on a maker-by-maker or model-by-model basis. Thus, broadcast receiving apparatuses from the same maker, or of the same model, have identical device keys. Broadcast receiving apparatuses also have device IDs corresponding to their device keys. Broadcast receiving apparatuses hold, as firmware, a program that generates a device key from device key information corresponding to a device ID, and the device ID.
The new RMP system has a scheme for revoking broadcast receiving apparatuses that improperly avoid the content protection (called “unauthorized receivers”). Revoking an unauthorized receiver is realized by updating the encryption key used in the encryption of the content and the encryption key held by an authorized receiver (that is, a broadcast receiving apparatus aside from the unauthorized receiver). At that time, the unauthorized receiver cannot update the encryption key, and as a result cannot decrypt the content (see Japanese Patent Laid-Open No. 2006-74209).
The process for revoking an unauthorized receiver is called “revocation”. The device key is designed so as to be updatable so that this revocation can be executed. For example, when a device key has been tampered with, the old device key is revoked. In such a case, it is necessary to update both the device key used by the broadcasting station to encrypt the work key and the device key used by the broadcast receiving apparatus to new keys.
However, the following problems arise when executing revocation according to the stated conventional techniques.
First, consider the case where a broadcast receiving apparatus with a certain device ID has been identified as an unauthorized receiver. In this case, the broadcaster performs revocation with respect to the broadcast receiving apparatus that has that device ID. However, the broadcast receiving apparatuses that have that device ID include both unauthorized receivers and authorized receivers.
As a result, when the revocation is executed, the authorized receivers that have that device ID are also revoked in spite of the fact that they are not being used improperly. For this reason, users of authorized receivers suffer in that they cannot view broadcasted content.
To prevent users of authorized receivers from actually suffering in such a manner, the maker of the broadcast receiving apparatuses distributes, to authorized receivers, new device IDs, and programs for generating new device keys corresponding thereto. This information is, as described earlier, contained within the firmware, and thus this distribution is realized through a firmware update performed by the broadcast receiving apparatus. Therefore, users of authorized receivers are required to execute this firmware update.
However, if a broadcast receiving apparatus executes the firmware update before the device key used by the broadcasting station is updated, that broadcast receiving apparatus cannot decrypt content, and thus the user thereof cannot view that content.
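The following is an added example, not taken from the patent, that models the hierarchy described above (device key unwraps the work key from the EMM, work key unwraps the scrambling key from the ECM) and the update-ordering problem. The HMAC-based key derivation, the toy `wrap`/`unwrap` construction, and all IDs and key information values are assumptions made for illustration; they are not the ciphers or formats used by the new RMP system.

```python
import hashlib
import hmac
import os

def derive_device_key(device_id: bytes, key_info: bytes) -> bytes:
    # Stand-in for the firmware program that generates a device key from the
    # device key information for a device ID (using HMAC is an assumption).
    return hmac.new(key_info, device_id, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, payload: bytes) -> bytes:
    # Toy authenticated wrap (nonce | ciphertext | tag); not the broadcast cipher.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _stream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: the message cannot be decrypted
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def receive(device_key: bytes, emm: bytes, ecm: bytes):
    # Receiver side: EMM -> work key, then ECM -> scrambling key.
    work_key = unwrap(device_key, emm)
    return None if work_key is None else unwrap(work_key, ecm)

def broadcast(station_device_key: bytes):
    # Station side: fresh work and scrambling keys, returned with the EMM and ECM.
    work_key, scrambling_key = os.urandom(32), os.urandom(16)
    return scrambling_key, wrap(station_device_key, work_key), wrap(work_key, scrambling_key)

# Constructed sample values: the same model before and after a firmware update.
OLD = derive_device_key(b"MODEL-A/id-1", b"constructed-key-info-v1")
NEW = derive_device_key(b"MODEL-A/id-2", b"constructed-key-info-v2")

def scenario(station_key: bytes) -> dict:
    ks, emm, ecm = broadcast(station_key)
    return {"not_updated": receive(OLD, emm, ecm) == ks,
            "updated": receive(NEW, emm, ecm) == ks}
```

`scenario(OLD)` is the window in which the station has not yet switched keys: the receiver that already took the firmware update fails to recover the scrambling key. `scenario(NEW)` is the state after revocation, where only the updated receiver succeeds.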