Advanced Conditional Access System for Digital Broadcasting Using Metadata

Transcription

1 Advanced Conditional Access System for Digital Broadcasting Using Digital broadcasting based on home servers is a term describing new broadcasting services offered by utilizing a receiver with storage. The services include program viewing that does not depend on normal broadcasting hours and highlight viewing that uses program-related information called metadata. Preventing unauthorized use of stored programs is a critical issue in these services. It is extremely easy to edit programs that the broadcaster requires by using a program usage control mechanism. We propose an advanced Conditional Access System (CAS) for the new digital broadcasting using metadata. It achieves a secure environment for content and metadata by preventing tampering and ensuring that only metadata certificated by the broadcaster can be utilized. We also developed a prototype receiver on a PC and an advanced CAS card on a Java Card to evaluate the system. We confirmed through on the implementation experiment that the advanced CAS could be utilized in broadcasting services.. Introduction In utilizing large-capacity program-storage devices fitted with receivers and metadata containing information related to programs and scenes, broadcasting based on home servers realizes a new broadcasting service for replaying stored content. This service not only enables program viewing unfettered by broadcasting times but also provides viewers with a variety of broadcasting services like "digest viewing" of key scenes only and "content retrieval" of blocks of scenes. By utilizing metadata, content can be easily edited and reconstructed, and once viewing in this way has become familiar, these services will become beneficial to viewers. On the other hand, it is feared that the content might be used in ways unintended by the broadcaster. For example, it could be the case that stories stringing together several scenes cut-out from certain parts of news broadcasts are created and replayed as fundamentally different information. It is therefore essential to provide an access-control system that covers all content and enables broadcasters to control content utilization by means of metadata. As copyright-protection technology, Content Protection for Recordable Media (CPRM) adopted in "removable media" for storage and Digital Transmission Content Protection (DTCP) adopted in IEEE394 are available. Although these methods are "copy control technologies" for controlling multiple copying and preventing duplication of content, they cannot provide a function to control access to content. Furthermore, as access-control methods for digital broadcasting, an access-control system for use with satellite digital audio broadcasting systems and the Conditional Access System (CAS) are being provided. These methods can restrict the reception of broadcast content. Moreover, with CAS, the playback of entire stored content can be controlled. These methods, however, cannot handle complicated viewing patterns, such as only viewing certain scenes within content, made possible by introducing metadata. In this paper, first, we clarify requirements that must be satisfied by a CAS for broadcasting using metadata. Next, aimed at solving these problems, an access-control method that extends the functions of conventional CAS is proposed. Furthermore, the results of investigations utilizing a prototype test system and verifying the feasibility and security of this method are presented. 2. Requirements on CAS for Broadcasting Using -which takes into consideration utilization of content after being broadcast to the receiver and extensibility of services in the future--is defined in XML (extensible markup language). Moreover, the description scheme for metadata, which defines semantics (the aspects of meaning) and syntax (the hierarchical relations between component parts), is prescribed in broadcasting standard ARIB (Association of Radio Industries and Businesses) STD-B38 can be classified as the following four kinds: () Content description metadata Defines general content information (like title and genre) (2) Instance description metadata Defines information on transmitting process for content (like channel name) (3) Segmentation metadata Defines segment information within program scenes, etc. and segment-group information for organizing that segment information (4) Viewer metadata Defines metadata configured by viewers (such as bookmarks) in categories (3) and (4) are editing data of content. Utilizing such metadata enables viewing of segment blocks and "digest viewing" of grouped content 2 Broadcast Technology no.30, Spring 2007 C NHK STRL

2 Feature of such segment blocks. Allowing content to be edited and viewed easily, however, leads to the concern that content will be used in illicit ways not supposed by the broadcaster. As a result, to realize services utilizing this metadata, access control of content utilization with metadata is necessary. Moreover, in the case of digital broadcasting based on home servers, it is assumed that functions will be added to existing broadcasting services and other services will be extended; it is thus necessary to ensure compatibility with CAS utilized by existing broadcasting services. In consideration of the above points, the following requirements regarding an access-control system must be satisfied. (a) Access to stored data must be controlled in terms of content blocks. (b) Tampering with metadata must be prevented, and the user of the metadata must be certified. (c) Broadcasters must be able to control content utilization via segmentation metadata. (d) Broadcasters must be able to control content utilization via viewer metadata. (e) Compatibility with current CAS must be ensured. As a fundamental distribution pattern of metadata, the case where metadata is created and delivered by metadata producers (like broadcasters) and then used by receivers is often cited. At that time, in the case of providing the metadata of interest as a charged service, access control of metadata for accounting is needed. Access control of metadata is accomplished by licensing an encryption key for encrypting metadata and then decrypting the encrypted data and by controlling usage propriety of that metadata. Moreover, in the case of executing scene retrieval and program retrieval, metadata is provided in the form of non-encrypted text. Circulation of not only metadata created by broadcasters but also metadata created by viewers and third parties receiving a commission from broadcasters is supposed in this work. Up until now, broadcasters have organized and delivered all the required information for programs. For example, in the case of data broadcasting, video and sound content and data are created and delivered at the same time. In the case of existing services using metadata, however, it is assumed that video and sound data are created and delivered by the broadcaster, and the creation and delivery of metadata is done independently by commissioned businesses. Furthermore, it is supposed that not only will broadcasters perform metadata delivery by creating, broadcasting, and transmitting all metadata of types () to (3) but also multiple producers will cooperate in producing metadata. For example, a content author produces content-description metadata and segmentation data, a broadcaster and communications carrier produces "instance metadata", and a viewer produces "viewer metadata", and it is considered that an operation pattern creates a single metadata. On this other front, it is feared that legitimate metadata from metadata-producing enterprises might be falsified to malicious metadata during the distribution process or that dishonest persons might make malicious metadata themselves and distribute it. As a result, it is necessary to create a distribution environment for secure metadata that can prevent viewers from becoming perplexed by malicious metadata and to ensure reusability according to the intent of broadcasters of content accumulated on the broadcasting route. In the present work, to guarantee compatibility with CAS (adopted as a broadcasting standard), we propose a method for realizing "access control" of content usage by using metadata to extend the functions of CAS. 3. Proposed CAS for Broadcasting Using In this section, developed to solve the issues cited in section 2, a CAS for content usage is presented. This system has an access-control method that combines (i) metadata-use digital-signature technology for producer authentication and preventing metadata tampering and (ii) access-control technology for prevention of content use with unauthorized metadata. 3. Digital-signature technology for metadata As regards a method that can prevent tampering with XML documents certify the author of documents, there are two possibilities available: (i) encrypting metadata in conjunction with a producer identifier and tamperingdetection code or (ii) attaching a digital signature to the metadata of documents. As a single method for applying both encryption metadata assumed to be used in digital broadcasting based on home servers and document metadata, and as an approach for meeting requirement (b) mentioned in section 2, the latter method--digitalsignature technology--was investigated and is described in the following. First, the digital signature is described in general terms as follows. By adding a digital signature, it is possible to secure the integrity of data and authenticate the author of data. From the viewpoint of a digital signature, a "digest value" (with a short data row at a fixed length) is generated form original data by using message-digest function. The digest value is encrypted with a secret key, and the signature value resulting from that encryption is affixed to the data. It is also possible to attach a certificate that contains the public key that is paired with the secret key. At data-utilization time, the public-key certificate is verified, and a decrypted value (the affixed signature value decrypted by the public key of the publickey certificate) and the digest value of the data are compared, and the digital signature is verified. At that time, if the compared values are in accordance, the data can be judged integrity, and the producer of the data can be identified from the public-key certificate. As public information, the appropriate signature value, the Broadcast Technology no.30, Spring 2007 C NHK STRL 3

3 identifier of the public-key certificate, and the identifier of the digest function are attached to the data defined in the signature document. Moreover, to protect the integrity of the data, the data-producer side must keep a secret key on a pair of public-key certificates secure as secret information. In the following, the digital signature used for the investigated metadata is described. A digital signature used for metadata can be arranged in two ways: (i) making a digital signature with XML metadata as binary data or (ii) making a digital signature by analyzing the construction of XML documents. Furthermore, in the case of method (ii) either a digital signature is dispensed to the entire XML document or to certain elements of the XML document. In the following, generally used digitalsignature technology is classified as three types: binarytype digital signature, XML signature, and partial signature. And the three methods are compared when applied as signature technology for metadata. () Binary-format digital signature As for the binary-format digital signature, signature documents are defined in terms of binary data such as PKCS #7 (Public-Key Cryptography Standards, No. 7). is treated as binary data, and a signature is Data parameters Content Info Content Type Signed Data Version Digest Algorithm Content Info Content Type Content Certificate Signer Info Version Issuer, Serial Number Digest Algorithm Encrypted Digest Contents example PKCS#7 data Type of signature text data value Format version Message digest function Target signature data Type of target signature data Target signature data (metadata) Certificate of signer and certificate of CA Signer's information Format version Name of certificate publisher and certificate of CA Hash function used by signature value Figure : Example of PKCS #7 format appended to the entire body of metadata. An example format of PKCS #7 is given in Figure. with a signature value and public-key certificate and/or signature subject data can be defined in the format of PKCS #7. In the present study, to make handling of metadata with XML format easy, a configuration that circulates a signature document with PKCS #7 format and a metadata document in several is assumed. By this method, although file management becomes complicated because it is necessary to distribute and manage two documents simultaneously, the existing description scheme for metadata can be used without alteration. (2) XML signature As for the XML signature, the signature document is described in XML format, the construction of the XML document with metadata is analyzed, and a digital signature is created. Here, by defining the signature document as one element of metadata and arranging the signature document and the metadata in one document, management of metadata files is made simple. Moreover, by such treatment as one XML document, a delivery method for conventional metadata without a digital signature can be applied, so secondary distribution of received metadata becomes simple. (3) Partial signature Using the XML signature can not only create a signature for the entire body of metadata but can also create partial signatures for tags of parts of metadata. As shown in Figure 2, under the assumption that metadata production involves cooperation between multiple producers, it is assumed that the content creator produces content-description metadata and segmentation metadata and then attaches a signature. The broadcaster or communications carrier then adds instance-description metadata and, after that, their signature. In addition, the viewer can add viewer metadata and their own signature. At that time, if the XML signature method for creating a signature for the Content description production -delivery side Instance description addition -receiving side Viewer-metadata addition DATA Digital signature DATA Added metadata DATA Added metadata 2 2 Content author Delivery Broadcaster/communications carrier Delivery Viewer 3 Figure 2: Example of distribution state of metadata in case of digital broadcasting based on home servers 4 Broadcast Technology no.30, Spring 2007 C NHK STRL

4 Feature Table : Filtering method for handling multiple signers with XML signatures Categories of metadata producers Producers of content-describing metadata and segmentation metadata Producers of instance-description metadata Producers of viewer metadata Target signature Whole set of metadata Partial metadata - ProtgamLocation Table - ServicInformation Table Partial metadata - SegmentInformation - SegmentGroupInformation Filtering method Other than next tag is target - ProtgamLocation Table - ServicInformation Table - Created somewhere else - SegmentInformation - SegmentGroupInformation Next tag is target - ProtgamLocation Table - ServicInformation Table Additional tag is target - SegmentInformation - SegmentGroupInformation Assignment procedure Xpath Xpath Xpath entire XML document is applied, the point that the broadcaster or communications carrier adds instance-description metadata and adds their signature is considered as an alteration. As a consequence, each producer should consider the metadata affixed after each signature. With that in mind, here we propose a method of filtering signature targets with XPath (XML Path Language) and adding one's signature. Kinds of metadata produced by each producer and the related filtering method for handling them are listed in Table. A metadata instance produced by using the partial-signature method is shown in Figure 3. The filter defined in Table is specified in "reference" elements of the XML signature. It is assumed that the signature value of each producer is listed at the end of the metadata document. Since signature values only are added, alteration of the already standardized description scheme of metadata is minor. In the case it is supposed that a service for providing metadata-production is provided through cooperation between multiple produces, method (3)-partial signature-is ideal. However, in the case that cooperation does not exist between multiple produces, methods () or (2) should be chosen. 3.2 Access-control technology for content CAS adopted as a broadcasting standard is provided as an access-control technology for content. It is generally categorized as two types: access control at either <?xml version = ".0" encoding = "UTF-="?> <TVAMain xmlns = xmlns:mpeg7="urn:mpeg:mpeg7:schema:200" xmlns:ds=" <Program Description> <ProgramInformationTable>... </ProgramInformationTable> <ProgramLocationTable>... </ProgramLocationTable> <ServiceInformationTable>... </ServiceInformationTable> <SegmentInformationTable>... </SegmentInformationTable> </Program Description> <issuer> <ds: id="content provider"> <signedinfo> <Method Algorithm=.../> <Reference URI=""> <Transform Algorithm=...> <XPath>... </XPath> </Transform> </Reference>... </signedinfo> < Value> XXXXXXXXXXXXXXXX </ Value> <KeyInfo> <X509Data> </X509Data> </KeyInfo> </ds:> <ds: id="network provider">... </ds:> <ds: id="user">... </ds:> <ds: id="user2">... </ds:> </issuer> <TVAMain> instance of description scheme specified in ARIB -Signer ID -Filtering - value -Public-key certificate of signer Expanded part (-signature part) Multiple signers are listed Figure 3: Instance of metadata attached with partial signature broadcast-reception time or at content-playback time. As for the latter type, content-reuse technology, encrypted content and a license required for viewing it are sent. On the reception side, by processing the license on a CAS card and deciphering the encrypted content in accordance with the license, access control at playback time is realized. In this way, requirement (a) stated in section 2 is satisfied. Access control for playback of the entire content is handled; however, recycling by means of metadata (such as segment utilization of content) is not Broadcast Technology no.30, Spring 2007 C NHK STRL 5

5 Broadcaster Receiver Transmit value () Public-key certificate is verified, and producer ID is identified. Content License Content key Producer ID Producer group ID Transmit CAS card Certificate Producer ID Producer group ID Content key Producer ID Producer group ID (2) Digital signature of metadata is verified (3) Producer IDs are compared In agreement: Utilization permission No agreement: Invalid (4) Content-key acquirement (5) is used and content is presented Figure 4: Developed content-access control method Descriptor name -accesscontrol descriptor Descriptor name -accesscontrol descriptor2 ECM section header Not-encrypted ECM-fixed part ECM section ECM main body Encryption part ECM-variable part Tampering detection Section CRC 6byte 26byte 4byte 4byte Content key, metadataaccess-control descriptor, etc Figure 5: License format of content Item mane Byte length Remarks Descriptor tag Descriptor length -producer ID 0 In the case that metadata-producer ID is listed in N units, value equals N x 0. Up to a maximum of 0 units described. Item mane Byte length Remarks Descriptor tag Descriptor length -producer group ID 0 In the case that metadata-producer group ID is listed in N units, value equals N x 0. Up to a maximum of 0 units described. Figure 6: -access-control descriptor in licenses considered. In this study, by extending the functions of accesscontrol technology used at playback time, we have developed a content-access control method that allows broadcasters to control metadata usage. This developed access-control technology is shown schematically in Figure 4. The license needed for viewing content and the metadata annotated with the digital signature (described in section 3.) are delivered by the broadcaster. The format of the license is given in Figure 5. Under the assumption of an ECM (Entitlement Control Message) format (common information on receivers), a content key with a decryption key for content in ECM variable parts and an ID of a metadata producer (giving permission to access content) in a metadata-access control descriptor (for indicating the kind of producer) (Figure 6) are introduced. As the type of producer, groups of users (like third parties and end users) are formed, and IDs assigned to each group are Relative Distinguished Name C (Country) O (Organization) OU (Organizational Unit) CN (Common Name) Content Country name (Japan, etc.) Certificate-control company -producer group ID (ContentProvider, NetworkProvider, EndUser, ThirdPirty etc.) -producer ID (NHK, User etc.) Figure 7: Structure of items in certificates shown. The description method for a "subject", which differentiates between holders of public-key certificates, is given in Figure 7. By verifying the public-key certificates included in the signature document with metadata, the producer of the metadata can be identified. 3.3 Procedure for access control By means of the following steps, access control for content utilization by metadata is realized for each set of 6 Broadcast Technology no.30, Spring 2007 C NHK STRL

6 Feature content (see Figure 4). When the ECM is received, the ECM is deciphered by a common key shared between the sender side and the CAS card, and a content key deciphered in the CAS card and a metadata-access control descriptor are stored.. The public-key certificate including metadata is verified, and the producer's ID (or the type of producer) is identified. 2. The digital signature of the metadata is verified, and if the producer is truthful, it is confirmed that the metadata has not been tampered with (i.e., authentication and integrity). 3. The producer ID (or type of producer) in the metadataaccess control descriptor is compared. 4. In the case that the metadata producer is specified by the broadcaster, a content key is acquired from the CAS card. In the case that the producer is not specified, a content key can not be acquired. 5. By means of the acquired content key, the content is deciphered and presented. The above procedure is a way of indicating access control of content and showing that access control has not been not performed on metadata. That is to say, the characteristic of this method is that by performing access control on content when metadata is utilized and content is played back, it controls the use of metadata. Moreover, since the producer of the approved metadata is defined in the content license, an enterprise can assign a metadata producer that wants to license certain content. In this way, major problems such as content usage by means of tampered-with metadata or false metadata can be prevented, and the user can use metadata with the approval of the content producer. And under the management of the broadcaster, it is possible to distribute metadata produced by third parties and viewers on one's own initiative. 4. Experimental Evaluation The experimental verification system set up to test the feasibility of the proposed access-control method is shown in Figure 8. The content author produces metadata and Content author generation generation - Public-key certificate - Secret key - Certificate-authority public-key certificate Certificate authority Broadcaster/ communications carrier addition generation - Public-key certificate - Secret key - Certificate-authority public-key certificate verification Access control - Public-key certificate - Secret key - Certificate-authority public-key certificate assigns it a digital signature. The broadcaster and/or communication carrier then adds more metadata and assigns it another digital signature. The receiver executes verification of the Figure 9: CAS card for handling digital signature of access-control method for content utilization by metadata the received metadata and performs access control. The certificate authority also issues a public-key certificate and secret key to the content author, broadcaster and/or communication carrier, and receiver. In the case of digital broadcasting based on home servers, it is assumed that as well as built-in devices like set-top boxes (STBs), PCs fitted with receivers will be used. In the present verification system, a PC receiver (whose strong point is retrieval and detailed presentation utilizing metadata) is supposed, and a prototype composed of a Pentium GHz, 52MB memory PC was made up. An RSA digital signature was also assumed. Invalidation verification used a "certificate revocation list" stored beforehand in the receiver via the broadcaster. The CAS card loaded with the developed content-access-control technology is shown in Figure 9. In consideration of extendibility of security functions, a JavaCARD2.. was utilized for the CAS card. 5. Implementation Evaluation 5. Processing time for verification of digital signature As regards the developed access-control method, digital-signature verification by read processing of metadata is necessary. This processing is assigned to the receiver. In the following, the read-processing times for the respective metadata affixed with digital signatures (described in section 3) are evaluated. In this evaluation, metadata supposed to be provided by a digital broadcasting based on home servers service was used. The specification of the Receiver Content playback Figure 8: Experimental system for prototype verification addition generation Presentation Encrypted content evaluated metadata is given in Table 2. The metadata of the content author is defined in a program information table and segment information table prescribed in ARIBSTD-B38. The metadata of the broadcaster and communications carrier is composed of added parameters in a program location table and service information table corresponding with the metadata of the content author. These digital-signature-attached metadata were prepared, and the Broadcast Technology no.30, Spring 2007 C NHK STRL 7

7 Main parameters for description size Table 2: Specification of evaluated metadata Content author Broadcaster/ communications carrier Content author Broadcaster/ communications carrier PKCS#7 format XML signature Content author only XML signature Content author plus broadcaster/ communication carrier Partial signature Content author only Partial signature Content author plus broadcaster/ communication carrier processing time for verification of these digital signatures was evaluated. The results of the experimental evaluation are plotted in Figure 0. The XML reading time is the time required for analyzing the data construction by a document object model and reading the metadata. The signatureverification time is the time required for filtering processing of XML and verification of the digital signature. As regards standard PKCS #7, since it cannot address a partial signature for metadata connecting both the content author and broadcaster/communications carrier, only the signature verification time for the metadata of the content author was evaluated. The time required for verifying the XML signature of the content author, 3635ms, which is about nine times longer than that required for the PKCS #7 format. The main reason for this big difference is the XML filtering processing (such as normalization processing of XML documents). As for partial signature, XML filtering time for applying XPATH (XML path language) is further increased. In the case that only content author have a partial signature, signature verification takes 7206 ms. And in the case of two partial signatures (namely, those of the content author and broadcaster/communications carrier), it takes,482 ms. In other words, as the segment number included in the metadata gets bigger, filtering processing for XPATH increases and signatureverification processing time gets longer. Furthermore, as regards XML signature and partial signature, since total XML read time and signature-verification time are several to several tens of seconds, to lighten the load during metadata-utilization time, a method that previously verifies a signature and stores it at metadata reception time and only handles metadata that has been signature verified is assumed. In this way, metadata utilization time becomes only the XML read time, and a partial signature (broadcaster and/or communications carrier) can be processed in 206 ms. That is to say, processing within the same time as that for processing conventional metadata without a digital signature is possible. At that time, it is necessary to securely store only signature-verified metadata. In the present study, feasibility of the access-control method with a PCmounted receiver was shown. And in built-in devices of any STBs, though a balance between receiver cost and receiver performance exists, the method shows enough feasibility when utilized with any system LSIs. - ProgramInformation Table - SegmentInformation Table Segment number=8 Segment group number=2 - ProgramLocation Table - SegmentLocation Table 7982 bytes 8760 bytes Description in conjunction with content author Processing time [ms] -verification time (contents author) XML-read time -verification time (broadcaster/communication carrier) Figure 0: Processing time for digital signature of metadata 5.2 Access-processing time for CAS card License processing executed after the digital signature is verified was investigated next. In accordance with the CAS card, the processing time for setting the ID of the author of the license and metadata from the receiver and for obtaining the content key from the license were evaluated. CAS switches the "scramble key" containing the encryption key of the content in about two seconds. This scramble key is encrypted, so the CAS card must decipher it in two seconds. Accordingly, if the time required for deciphering the scramble key is maximized to 800 ms, the CAS card must execute processing of the license within 200 ms. The prototype CAS card can process one license in 360 ms, which is sufficiently within 200 ms for actual services. 6. Security Evaluation The proposed CAS is premised on the correct processing of metadata producer information on receivers so that only the metadata created by parties authorized by the broadcaster will be judged as valid. A schematic of security evaluation is shown in Figure. We considered the three ways of using unauthorized metadata listed below. () Unauthorized generation of the metadata producer's digital signature (Figure (a)). 8 Broadcast Technology no.30, Spring 2007 C NHK STRL

8 Feature Method (a) : Falsification of signature of metadata Measures: Secret key is distributed by CAS card affixed with digital signature License Receiver Verification of metadata Access control License processing CAS card Method (b) : Tampering with metadata-access-control descriptor Measures: Tampering-detection code is input into license Method (c) : Comparison of falseness of producer IDs Measures: Compliance rules and robustness rules for receiver are set Figure : Security evaluation (2) Tampering with the metadata-producer ID in the license (Figure (b)). (3) Illegal comparison of the metadata producer IDs (Figure (c). First, the fraudulent generation of the digital signature of the metadata in step () is explained as follows. In this step, in the case that a business or enterprise is a metadata producer, a digital signature is generated by a secret key held on the metadata-producer side. In the case a viewer produces the metadata, a signature is generated by a secret key managed by a tamper-proof module such as a CAS card. As a result, acquiring the secret key fraudulently is difficult, and falsification of a digital signature is also difficult. Next, the tampering of the license, step (2), is explained below. In this step, an encrypted ECM (containing a content key, metadata-access-control descriptor, and tampering-detection code) is sent as a license. As a result, even if the metadata-access-control descriptor is tampered with, the CAS card can use the tamperingdetection code to judge whether a license is invalid or not. The comparison processing in step 3 for comparing metadata-producer information is explained next. Since the size of the metadata is large, the signatureverification processing of metadata cannot be performed on the CAS card. Consequently, in this step, the metadata-producer ID acquired by executing the signature-verification processing on the receiver side is declared to the CAS card. Moreover, content presentation using metadata and conventional content presentation not using metadata cannot be distinguished from the CAS-card side; therefore, the discrimination of metadata utilization must be performed from the receiver side. Accordingly, to address this requirement, in regards to the above-mentioned comparison processing of metadataproducer information, we propose to define an implementation policy for the receiver-equipment side. By establishing a "compliance rule" for setting the implementation method of the receiver and a "robustness rule" and issuing terms for the CAS card, the developed access-control method guarantees security. In regards to handling of plain-text metadata not given a digital signature, adequate caution must be taken. Plain-text metadata can be created on any kind of PC and easily distributed via notice boards and s on the Internet. Since plain text is handled in a state without a digital signature, the producer certificate of the metadata or possible tampering cannot be detected. In the case that metadata of the plain text is input into a receiver, and a digital signature is attached as viewer metadata on the receiver, the desired access control for that content (plain text) becomes impossible. As a consequence, an implementation policy for preventing input of metadata without a digital signature into a receiver becomes necessary. In that case, the receiver discriminates metadata without a digital signature as improper metadata. Moreover, the viewer can create viewer metadata only on a receiver that can generate a valid digital signature. 7. Summary This paper described challenges regarding metadata services conceivable for digital broadcasting based on home servers and proposed an access-control method for addressing those challenges when content are utilized. Moreover, the feasibility of the proposed method was confirmed by means of an implementation evaluation and security evaluation using a prototype system used for experimental verification. By means of this method, metadata produced by various metadata producers under the control of a broadcaster can be distributed and a variety of metadata services can be provided. (Yusei NISHIMOTO and Akitsugu BABA) Broadcast Technology no.30, Spring 2007 C NHK STRL 9