JP2005020703A - Copyright protection system, recording apparatus, reproduction apparatus, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a recording apparatus and reproduction apparatus that are able to prevent illegitimate use of contents. <P>SOLUTION: The recording medium stores therein a medium inherent number in the unrewritable area. The recording apparatus writes media key data and encrypted contents onto the recording medium. The media key data includes a plurality of encrypted media keys generated by, for each of disabled reproduction apparatuses, encrypting a media key using a device key of the disabled reproduction apparatus respectively, and, for each of revoked reproduction apparatuses, encrypting detection information using a device key of the reproduction apparatus respectively. The reproduction apparatus decrypts the encrypted media key using a device key to generate a decryption media key, judges whether the decryption media key is the detection information or not, and prohibits the encrypted content recorded on the recording medium from being decrypted when having judged in the affirmative. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a technique for recording and reproducing digital data on a large-capacity recording medium, and more particularly to a technique for preventing unauthorized recording and unauthorized reproduction of content by an unauthorized device.

In recent years, with the development of multimedia-related technology and the advent of large-capacity recording media, digital content (hereinafter referred to as “content”) consisting of moving images, audio, etc. is generated, stored in a large-capacity recording medium such as an optical disc, and distributed. However, systems that distribute via a network are becoming widespread.
The distributed content is read out by a computer, a playback device, or the like, and is subject to playback or duplication.

  In general, an encryption technique is used to protect the copyright of content, that is, to prevent unauthorized use such as unauthorized reproduction or unauthorized copying of content. Specifically, the recording device encrypts the content using an encryption key, records the content on a recording medium such as an optical disc, and distributes the content. On the other hand, only a playback device having a decryption key corresponding to the encryption key can decrypt the encrypted content read from the recording medium using the decryption key, and reproduce the content. .

When content is encrypted and recorded on a recording medium, the content itself is encrypted and recorded using an encryption key corresponding to the decryption key held by the playback device, or the content is encrypted with a certain key. For example, a method may be used in which a decryption key corresponding to the key is encrypted and recorded with an encryption key corresponding to the decryption key held by the playback device.
At this time, it is necessary to strictly manage the decryption key held by the playback device so as not to be exposed to the outside, but there is a risk that the decryption key may be exposed to the outside due to unauthorized analysis inside the playback device by an unauthorized person. There is. Once the decryption key is exposed by an unauthorized person, the unauthorized person manufactures a recording device or a playback device that illegally uses the content and illegally sells it, or creates a computer program for illegally using the content However, it is conceivable to distribute such a program via the Internet or the like.

In such a case, the copyright holder wants to make it impossible to handle the content to be provided next with the decryption key once disclosed. A technique for realizing this is called a key invalidation technique, and Patent Document 1 discloses a system for realizing key invalidation.
In the conventional key revocation technique, key revocation information indicating that the key held by the apparatus has been revoked is recorded in advance in a non-rewritable area of the recording medium. The device uses the key revocation information recorded on the recording medium to determine whether or not the key held by the device is revoked. When the device holds the revoked key, the device The recording medium cannot be used. Further, when a key revocation is newly generated, the key revocation information is updated, and the updated key revocation information is recorded on a new recording medium manufactured after the revocation occurs. In this way, a new recording medium cannot be used with the revoked key.

  On the other hand, reading or writing of content recorded on a recording medium such as an optical disc is generally performed by a personal computer peripheral device called an optical disc drive. In order to achieve device compatibility, The input / output method is standardized as public information and is generally not kept secret. Therefore, the content recorded on the recording medium can be easily read by a personal computer or the like, and the read data can be easily written on another recording medium. Therefore, in a system for protecting the copyright of content, a system having an effective function for preventing an action that a normal user can perform, such as reading data on a recording medium and writing to another recording medium. Must. A technique for preventing data read from a recording medium from being written to another recording medium is called a media binding technique, and Patent Document 2 discloses a mechanism for realizing media binding.

In order to realize copyright protection using the conventional media binding technology, a medium identifier for identifying the recording medium is recorded in advance in the non-rewritable area of the recording medium, and is recorded on the recording medium. The encrypted content is encrypted based on this medium identifier. Therefore, even if only the encrypted content is copied to another recording medium, the other recording medium records another medium identifier, and correctly decrypts the encrypted content based on this other medium identifier. I can't.
JP 2002-281913 A Japanese Patent No. 3073590 JP 09-160492 A

However, in order to prevent the unauthorized use of content, the realization of various fraud prevention technologies is desired.
The present invention provides a copyright protection system, a recording apparatus, a recording method, a reproducing apparatus, a reproducing method, a computer program, and a recording medium that can prevent unauthorized use of content in order to cope with the above-described demand. Objective.

In order to achieve the above object, the present invention is a literary work comprising a recording device that encrypts and writes content on a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium. It is a protection system.
Any one or more of the plurality of playback devices are invalidated.
The recording medium includes a read-only non-rewritable area and a readable / writable rewritable area, and a medium unique number unique to the recording medium is recorded in advance in the non-rewritable area.

  The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Storage means for storing media key data composed of a plurality of encrypted media keys, reading means for reading the medium unique number from the non-rewritable area of the recording medium, read medium unique number and Generation means for generating an encryption key based on the media key, encryption means for generating encrypted content by encrypting content that is digital data based on the generated encryption key, and storage means Reading means for reading the media key data from, and the recording media key data read and the generated encrypted content And a writing means for writing to the rewritable region of the body.

  Each playback device is read using a reading means for reading an encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium, and a device key of the playback device. Decrypting means for decrypting the encrypted media key to generate a decrypted media key, and determining whether or not the generated decrypted media key is the detection information. Control means for prohibiting decryption of the encrypted content recorded on the medium and permitting decryption of the encrypted content when it is not the detection information; and when the decryption is permitted, the encrypted content from the recording medium And decryption means for decrypting the read encrypted content and generating the decrypted content based on the generated decryption media key.

  According to this configuration, the recording device encrypts the media key for each playback device that has not been invalidated and the predetermined detection information for each playback device that has been invalidated using the device key of the playback device. The media key data composed of a plurality of encrypted media keys generated by the encryption is written to the recording medium, and the generated encryption key is generated based on the media unique number and the media key. Based on the encryption key, the generated encrypted content is written to the recording medium. In addition, the playback device uses the device key to decrypt the encrypted media key to generate a decrypted media key, and when the generated decrypted media key is the detection information, the playback device is recorded on the recording medium. Prohibit decryption of encrypted content.

Since it is configured in this way, it is possible to eliminate the disabled playback device.
Here, another recording medium encrypts the media key for each playback device that has not been invalidated and the predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Another media key data composed of a plurality of other encrypted media keys generated in this manner is stored. The recording apparatus further includes comparing means for comparing the new and old of another media key data stored in the other recording medium and the media key data stored in the storage means, and the other media. When it is determined that the key data is newer, the other media key data is read from the other recording medium, and the read another media key data is stored in the storage means. Update means for overwriting, the reading means reads the other media key data from the storage means instead of reading the media key data, and the writing means writes the media key data Instead, the read another media key data is written in the rewritable area of the recording medium.

According to this configuration, the recording apparatus can update the media key data stored therein to another encrypted media key acquired from another recording medium.
Here, the storage means further stores revocation data indicating that a public key assigned to any of the recording device and the plurality of playback devices is revoked, and the recording device And a signature generating unit that generates a verification information by applying a digital signature to the invalidated data, and the writing unit further writes the generated verification information in the rewritable area of the recording medium. . Further, the recording device further stores invalidation data indicating that a public key assigned to either the recording device or the plurality of playback devices is invalidated, and the invalidation data is stored in the invalidation data. The verification information is generated by applying a digital signature to the verification information, and the generated verification information is written in the rewritable area of the recording medium, and the reading unit is further written in the rewritable area of the recording medium. Reading the verification information, the playback device further includes a verification unit that performs signature verification based on the read verification information and outputs a verification result indicating the success or failure of the verification, and the control unit further includes: The decryption of the encrypted content is prohibited when the verification result indicates a verification failure, and the decryption of the encrypted content is prohibited when the verification result indicates a successful verification. Allow.

According to this configuration, the recording device further writes the verification information generated by the digital signature to the recording medium, so that the illegal reproducing device can be eliminated by verifying the verification information in the reproducing device.
Here, the storage means further stores a public key certificate of the recording apparatus, the reading means further reads the public key certificate from the storage means, and the writing means reads The issued public key certificate is written in the rewritable area of the recording medium. The recording device further stores the public key certificate of the recording device, reads the public key certificate, writes the read public key certificate to the rewritable area of the recording medium, The playback device further includes storage means for storing first revocation data indicating that a public key assigned to either the recording device or the plurality of playback devices has been revoked, and the recording Certificate reading means for reading the public key certificate from the medium, and verifying whether or not the public key included in the read public key certificate indicates that it has been revoked by the first revocation data Public key verifying means, wherein the control means further prohibits decryption of the encrypted content when the public key is revoked, and when the public key is not revoked, Allow the decoding of serial encrypted content.

According to this configuration, the recording device writes the public key certificate to the recording medium, and the playback device reads the public key certificate from the recording medium, and decrypts the encrypted content when the public key is invalidated. Can be prohibited.
Here, another recording medium stores second revocation data indicating that a public key assigned to any of the recording device and the plurality of reproducing devices is revoked, and the reproducing device Further includes a comparing means for comparing the second invalidation data stored in the other recording medium with the first invalidation data stored in the storage means, and the second invalidation data. When it is determined that the deactivation data is newer, the second invalidation data is read from the other recording medium, and the read second invalidation data is stored in the storage means as the first invalidation data. Updating means for overwriting the digitized data.

According to this configuration, the playback device can update the invalidation data to the latest state.
Here, the storage means further stores a device identifier for identifying the recording device, and the recording device further reads the device identifier from the storage means, and uses the read device identifier as the content. Embedding means for embedding as an electronic watermark is provided, and the encryption means encrypts the content in which the device identifier is embedded. Further, the playback device further stores the device identifier for storing the device identifier for identifying the playback device, and reads the device identifier from the storage device when decoding is permitted, and reads the device identifier. Is embedded in the encrypted content as a digital watermark, and the encrypted content in which the device identifier is embedded is written in the recording medium.

Since the recording device and the playback device write the content in which the device identifier is embedded in the recording medium, when the content is illegally distributed, the content is extracted by extracting the embedded device identifier from the content. Can be specified.
Here, the media key data stored in the storage means further includes a data identifier for identifying the media key data, and the writing means associates the data identifier with the encrypted content. And writing into the rewritable area of the recording medium, and writing the media key data including the data identifier into the rewritable area. The media key data stored in the recording device further includes a data identifier for identifying the media key data, and the recording device associates the data identifier with the encrypted content, and Writing to the rewritable area of the recording medium, writing the media key data including the data identifier to the rewritable area, and the playback device further accepts designation of the encrypted content recorded on the recording medium Receiving means, reading means for reading out the data identifier associated with the encrypted content for which designation has been received from the recording medium, and reading means for reading out the media key data including the read data identifier from the recording medium And the control means, based on the read media key data, To determine the propriety of the decoding of the serial encrypted content.

The recording device associates the data identifier with the encrypted content, writes the data identifier to the recording medium, and writes the media key data including the data identifier to the recording medium. The media key data corresponding to the encrypted content can be acquired, and based on the acquired media key data, it can be determined whether or not the encrypted content can be decrypted.

1. First Embodiment A content supply system 10 as one embodiment according to the present invention will be described.
1.1 Configuration of Content Supply System 10 As shown in FIG. 1, the content supply system 10 includes a content server device 500, a recording device 100, and playback devices 200a, 200b, 200c, 200d, 200e,. Yes. The total number of recording devices 100 and reproducing devices 200a, 200b, 200c, 200d, 200e,... Is n. A device number “1” is assigned to the recording device 100, and device numbers “2”, “3”, “4” are assigned to the playback devices 200a, 200b, 200c, 200d, 200e,. , ..., "n" is assigned. Each device is identified by its assigned device number.

Of these n devices, the playback device 200b and the playback device 200c have been exposed to an unauthorized attack by an unauthorized third party, and thus a key that should be secretly stored is exposed. The 200b and the playback device 200c are disabled.
A supplier of content such as music and movies has a content server device 500 and a recording device 100, and the content server device 500 and the recording device 100 are connected via a dedicated line 30.

The content server device 500 has a content and a content key used when encrypting the content, and records the content and the corresponding content key via the dedicated line 30 in response to a request from the recording device 100. Transmit to device 100.
The recording device 100 receives the content and the corresponding content key from the content server device 500 via the dedicated line 30, encrypts the received content and the content key, and encrypts the content, the encrypted content key, and other related information. Information to be written on the recording medium 120.

The recording medium 120 on which the encrypted content, the encrypted content key, and other related information are recorded is sold at a store, and the user purchases the recording medium 120.
When the recording medium 120 is loaded, the playback device 200a of the user reads the encrypted content, the encrypted content key, and other related information from the recording medium 120, and uses the read other related information, When it is determined whether or not the content can be decrypted, and when it is determined that the content can be decrypted, a decrypted content key is generated from the encrypted content key, decrypted content is generated using the decrypted content key, and a movie or Generate and output music.

1.2 Content server device 500
The content server device 500 includes an information storage unit 501, a control unit 502, an input unit 503, a display unit 504, and a transmission / reception unit 505 (not shown).
Specifically, the content server device 500 is a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a communication unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or the hard disk unit. Each component of the content server device 500 achieves its function by the microprocessor operating according to the computer program.

The transmission / reception unit 505 is connected to the recording apparatus 100 via the dedicated line 30 and transmits / receives information between the recording apparatus 100 and the control unit 502.
The information storage unit 501 stores in advance a plurality of sets of content keys that are generated by compressing and encoding video information and audio information with high efficiency and content keys used as keys when the content is encrypted. .

  The control unit 502 receives any content acquisition request from the recording apparatus 100 via the dedicated line 30 and the transmission / reception unit 505. Upon receiving the acquisition request, the control unit 502 reads the content and content key indicated by the acquisition request from the information storage unit 501, and transmits the read content and content key via the transmission / reception unit 505 and the dedicated line 30. Transmit to the recording device 100.

The input unit 503 receives an instruction from the operator of the content server device 500 and outputs the received instruction to the control unit 502.
The display unit 504 displays various information under the control of the control unit 502.
1.3 Recording device 100
As shown in FIG. 2, the recording apparatus 100 includes a device key storage unit 101, a media key data storage unit 102, a key calculation unit 103, a key calculation unit 104, an encryption unit 105, an encryption unit 106, and a secret key storage unit 107. , A certificate storage unit 108, a CRL storage unit 109, a signature generation unit 110, a drive unit 111, a control unit 112, and a transmission / reception unit 113.

  Specifically, the recording device 100 is a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, and the like, like the content server device 500. A computer program is stored in the RAM or the hard disk unit. The recording apparatus 100 achieves its functions by the microprocessor operating according to the computer program.

(1) Device key storage unit 101
The device key storage unit 101 secretly stores the device key DK_1 so that it cannot be accessed from an external device. The device key DK_1 is a key unique to the recording apparatus 100. In this specification, the device key held by the device m is expressed as DK_m.
(2) Media key data storage unit 102
The media key data storage unit 102 stores media key data MDATA. The media key data MDATA includes n sets, and each set includes an encrypted media key and a device number. The encrypted media key and the device number included in each set correspond to each other. Here, n is the total value of the number of recording devices 100 and reproducing devices 200a, 200b,... As described above.

  Of the n sets, the first set includes a first encrypted media key and a device number “1”. The device number “1” is identification information for identifying the recording device 100. The first encrypted media key is generated by applying the encryption algorithm E1 to the media key MK using the device identified by the device number “1”, that is, the device key DK_1 assigned to the recording device 100. Is.

First encrypted media key = E1 (DK_1, MK)
Here, the encryption algorithm E1 is based on DES (Data Encryption Standard) as an example. E (A, B) indicates a ciphertext obtained by applying the encryption algorithm E to the plaintext B using the key A.
The media key MK is a key unique to the recording medium 120.

  Of the n sets, the second set includes a second encrypted media key and a device number “2”. Here, the device number “2” identifies the playback device 200a. The second encrypted media key is generated by applying the encryption algorithm E1 to the media key MK using the device key DK_2 assigned to the device number “2”, that is, the playback device 200a. It is.

Second encrypted media key = E1 (DK_2, MK)
Of the n sets, the third and fourth sets are composed of a third encrypted media key and device number “3”, a fourth encrypted media key and device number “4”, respectively. ing. Here, the device numbers “3” and “4” identify the playback devices 200b and 200c, respectively. Also, the third and fourth encrypted media keys are respectively used by the devices identified by the device numbers “3” and “4”, that is, the device keys DK_3 and DK_4 assigned to the playback devices 200b and 200c. , Instead of the media key MK, the value “0” is generated by applying the encryption algorithm E1.

Third encrypted media key = E1 (DK — 3, 0)
Fourth encrypted media key = E1 (DK — 4, 0)
Here, the value “0” is data completely unrelated to the media key (MK). The reason why the value “0” is used instead of the media key MK is because the playback devices 200b and 200c corresponding to the third and fourth encrypted media keys are invalidated, respectively. And 200c are used as detection information for knowing that they are invalidated.

For a revoked device, the device key of the revoked device is used to create an encrypted media key by encrypting data completely unrelated to the media key MK, that is, the value “0”. Only the devices other than the registered device can share the media key MK. Also, disabled devices can be excluded from this system.
Here, the value “0” is used, but the media key MK may be other data completely unrelated. For example, “0xFFFF” which is another fixed value, information indicating the date and time when the encrypted media key is generated, the device key of the invalidated device, and the like may be used.

Note that other methods may be used as the device invalidation method. For example, Patent Literature 1 discloses a nullification method using a tree structure.
Of the n sets, the fifth,..., And nth sets are the fifth encrypted media key and device number “5”,. It consists of a device number “n”. Here, the device numbers “5”,..., “N” identify the playback devices 200d, 200e,. In addition, the fifth,..., And nth encrypted media keys are assigned to devices with device numbers “5”,..., “N”, that is, playback devices 200d, 200e,. This is generated by applying the encryption algorithm E1 to the media key MK using the device keys DK_5,..., DK_n.

Fifth encrypted media key = E1 (DK_5, MK)
...
Nth encrypted media key = E1 (DK_n, MK)
(3) Key calculation unit 103
The key calculation unit 103 stores in advance the device number “1” assigned to the recording device 100.

The key calculation unit 103 searches for and reads out a set including the device number “1” stored in advance from the n sets constituting the media key data MDATA stored in the media key data storage unit 102. The encrypted media key E1 (DK_1, MK) corresponding to the device number “1” is extracted from the set.
Next, the key calculation unit 103 reads the device key DK_1 from the device key storage unit 101, applies the decryption algorithm D1 to the extracted encrypted media key E1 (DK_1, MK) using the read device key DK_1, A media key MK is generated.

Media key MK = D1 (DK_1, (E1 (DK_1, MK))
Here, the decryption algorithm D1 is an algorithm for decrypting a ciphertext generated by applying the encryption algorithm E1, and as an example, is based on DES. D (A, B) indicates a decrypted text obtained by applying the decryption algorithm D to the cipher text B using the key A.

Next, the key calculation unit 103 outputs the generated media key MK to the key calculation unit 104.
In FIG. 2, each block showing each component of the recording apparatus 100 is connected to another block by a connection line. However, some connection lines are omitted. Here, each connection line indicates a path through which signals and information are transmitted. In addition, among a plurality of connection lines connected to the block indicating the key calculation unit 103, a key mark drawn on the connection line indicates a path through which information as a key is transmitted to the key calculation unit 103. ing. The same applies to blocks indicating other components. The same applies to other drawings.

(4) Key calculation unit 104
The key calculation unit 104 receives the media key MK from the key calculation unit 103, and reads the medium unique number MID from the unique number recording area 121 of the recording medium 120 via the drive unit 111.
Next, the key calculation unit 104 combines the received media key MK and the read medium unique number MID in this order to generate a combined value (MK || MID). Here, “A || B” indicates that data A and data B are bit-coupled in this order. Next, the key calculation unit 104 performs a hash function SHA-1 on the generated combined value (MK || MID) to obtain a hash value H = SHA-1 (MK || MID), and the obtained hash value H is the key encryption key KEK, and the key encryption key KEK is output to the encryption unit 105 and the signature generation unit 110.

Here, SHA-1 (A) indicates a hash value obtained by applying the hash function SHA-1 to the information A.
The key calculation unit 104 uses the hash value obtained by applying the hash function SHA-1 as the key encryption key KEK, but is not limited to this. A part of the obtained hash value may be used as the key encryption key KEK.

Further, since the hash function SHA-1 is publicly known, description thereof is omitted. Other hash functions may be used.
(5) Encryption unit 105
The encryption unit 105 receives the content key CK from the content server device 500 via the transmission / reception unit 113 and receives the key encryption key KEK from the key calculation unit 104.

Next, the encryption unit 105 applies the encryption algorithm E2 to the received content key CK using the received key encryption key KEK to generate an encrypted content key ECK.
Encrypted content key ECK = E2 (KEK, CK)
Here, the encryption algorithm E2 is based on DES as an example.
Next, the encryption unit 105 secures the key recording area 123 on the recording medium 120 via the drive unit 111, and then uses the generated encrypted content key ECK via the drive unit 111 to the recording medium. Write to the 120 key recording area 123.

(6) Encryption unit 106
The encryption unit 106 receives the content key CK and the content CNT from the content server device 500 via the transmission / reception unit 113, and encrypts the received content CNT using the received content key CK by applying an encryption algorithm E3. Content ECNT is generated.

Encrypted content ECNT = E3 (CK, CNT)
Here, the encryption algorithm E3 is based on DES as an example.
Next, the encryption unit 106 secures the content recording area 124 on the recording medium 120 via the drive unit 111, and then generates the generated encrypted content ECNT via the drive unit 111. Are written in the content recording area 124.

(7) Private key storage unit 107
The secret key storage unit 107 stores the secret key SK_1 of the recording device 100 so that it cannot be accessed from an external device. The secret key SK_1 is based on a public key cryptosystem. Here, the public key cryptosystem is, for example, an RSA (Rivest Shamir Adleman) cryptosystem.

(8) Certificate storage unit 108
The certificate storage unit 108 stores a public key certificate PKC. The public key certificate PKC includes a certificate identifier ID_1, a public key PK_1, and signature data Sig_1.
The certificate identifier ID_1 is identification information that uniquely identifies the public key certificate PKC. The public key PK_1 is a public key corresponding to the secret key SK_1 stored in the secret key storage unit 107. The signature data Sig_1 is generated by applying a digital signature Sig to the combined value (ID_1 || PK_1) of the certificate identifier ID_1 and the public key PK_1 using a secret key SK_CA of a certificate authority CA (Certificate Authority). It is a thing.

Signature data Sig_1 = Sig (SK_CA, ID_1 || PK_1)
Here, Sig (A, B) indicates signature data obtained by applying the digital signature Sig to the data B using the key A. An example of the digital signature Sig is a digital signature that uses RSA using the hash function SHA-1.
(9) CRL storage unit 109
The CRL storage unit 109 records a public key certificate revocation list (hereinafter referred to as a revocation list CRL) indicating a revoked public key certificate at the first time point.

The revocation list CRL includes one or more certificate identifiers, signature data SigID, and a version number.
Each certificate identifier is identification information for identifying a revoked public key certificate.
The signature data SigID uses the private key SK_CA of the certificate authority CA and the combined value of all certificate identifiers included in the revocation list CRL (one certificate identifier is included in the revocation list CRL). If it is, it is generated by applying a digital signature Sig).

Signature data SigID = Sig (SK_CA, combined value of all certificate identifiers)
For example, when the public key certificate identified by the certificate identifiers ID_3 and ID_4 has been revoked, the revocation list CRL includes the certificate identifiers ID_3 and ID_4 and the signature data SigID = Sig (SK_CA, (ID_3 | | ID — 4)) and version number.
The version number is information indicating the generation of the invalidation list CRL, and indicates that the invalidation list CRL is that at the first time point. The version number takes a larger value as the generation of the public key certificate revocation list is newer.

(10) Signature generation unit 110
The signature generation unit 110 reads the secret key SK_1 from the secret key storage unit 107, reads the revocation list CRL from the CRL storage unit 109, and receives the key encryption key KEK from the key calculation unit 104.
Next, the signature generation unit 110 combines the received key encryption key KEK and the read revocation list CRL in this order to generate a combined value (KEK || CRL), and uses the read secret key SK_1. Then, the digital signature Sig is applied to the generated combined value (KEK || CRL) to generate the signature data SigCRL.

Signature data SigCRL = Sig (SK_1, (KEK || CRL))
Next, the signature generation unit 110 secures the signature recording area 125 on the recording medium 120 via the drive unit 111, and then the generated signature data SigCRL is stored in the recording medium 120 via the drive unit 111. Write to the signature recording area 125.
(11) Control unit 112
The control unit 112 transmits a content acquisition request to the content server device 500 via the transmission / reception unit 113.

Further, the control unit 112 reads the public key certificate PKC from the certificate storage unit 108, secures a certificate recording area 127 on the recording medium 120 via the drive unit 111, and then reads the read public key certificate The certificate PKC is written into the certificate recording area 127 of the recording medium 120 via the drive unit 111.
Further, the control unit 112 reads the media key data MDATA from the media key data storage unit 102, secures the media key data recording area 122 on the recording medium 120 via the drive unit 111, and then reads the read media key data Data MDATA is written to the media key data recording area 122 of the recording medium 120 via the drive unit 111.

Further, the control unit 112 reads the revocation list CRL from the CRL storage unit 109, secures the CRL recording area 126 on the recording medium 120 via the drive unit 111, and then drives the read revocation list CRL. Write to the CRL recording area 126 of the recording medium 120 via the unit 111.
The control unit 112 receives instruction information from the keyboard 180 according to an operation instruction from an operator of the recording apparatus 100, and operates according to the instruction information. In addition, it controls the operation of the other components constituting the recording apparatus 100.

(12) Transmission / reception unit 113
The transmission / reception unit 113 is connected to the content server device 500 via the dedicated line 30, and transmits / receives information between the content server device 500 and the control unit 112. Further, information is transmitted / received between the content server device 500 and the encryption unit 105 and between the content server device 500 and the encryption unit 106 under the control of the control unit 112.

(13) Drive unit 111
The drive unit 111 reads the medium unique number MID from the unique number recording area 121 of the recording medium 120 under the control of the control unit 112, and outputs the read medium unique number MID to the key calculation unit 104.
Further, the drive unit 111 receives each information from the encryption unit 105, the encryption unit 106, and the signature generation unit 110 under the control of the control unit 112, and sets each area for writing the received information on the recording medium 120. And the information is written in the reserved area.

In addition, the drive unit 111 receives information from the control unit 112, secures each area for writing the received information on the recording medium 120, and writes the information in the secured area.
(14) Keyboard 180 and monitor 190
The keyboard 180 receives an operation instruction from the operator of the recording apparatus 100 and outputs instruction information corresponding to the received operation instruction to the control unit 112.

The monitor 190 displays various information under the control of the control unit 112.
1.4 Recording medium 120
The recording medium 120 is an optical disk medium, and includes a unique number recording area 121 and a general area 129 as shown in FIG.
In the unique number recording area 121, a medium unique number MID that is a unique number for identifying the recording medium 120 is recorded in advance. The unique number recording area 121 is a non-rewritable area where other information cannot be written or the recorded medium unique number MID cannot be rewritten. As an example, the medium unique number MID is represented by eight hexadecimal digits, and is “0x00000006”. In this specification, “0x” indicates that the subsequent display is in hexadecimal.

The general area 129 is an area where other information can be written, and initially no information is written in the general area 129.
After the above-described operation of the recording apparatus 100 ends, the general area 129 includes a media key data recording area 122, a key recording area 123, a content recording area 124, a signature recording area 125, a CRL recording area as shown in FIG. 126 and certificate recording area 127 are secured.

  As described above, in the first embodiment, the total number of recording devices 100 and playback devices 200a, 200b, 200c, 200d, 200e,... It is assumed that the 200b and the playback device 200c are invalidated, and each of the n devices has only one unique device key. Based on such an assumption, various data as specific examples are recorded in each area included in the general area 129 of the recording medium 120.

(Media key data recording area 122)
Media key data MDATA is recorded in the media key data recording area 122. The media key data MDATA is composed of n sets, and each set includes an encrypted media key and a device number.
The device number is identification information for identifying the device.

The encrypted media key is generated by applying the encryption algorithm E1 to the media key MK or the value “0” using the device key DK_m assigned to the device m indicated by the corresponding device number “m”. is there. Here, if the device m is invalidated, the value “0” is used. If the device m is not invalidated, the media key MK is used.
Encrypted media key = E1 (DK_m, MK) or Encrypted media key = E1 (DK_m, 0)
(Key recording area 123)
In the key recording area 123, an encrypted content key ECK is recorded. The encrypted content key ECK is generated by applying the encryption algorithm E2 to the content key CK using the key encryption key KEK.

Encrypted content key ECK = E2 (KEK, CK)
Here, the key encryption key KEK is a key calculated using an output value of the hash function with a value obtained by combining the media key MK and the medium unique number MID as an input value.
Key encryption key KEK = SHA-1 (MK || MID)
(Content recording area 124)
In the content recording area 124, the encrypted content ECNT is recorded. The encrypted content ECNT is generated by applying the encryption algorithm E3 to the content using the content key CK.

Encrypted content ECNT = E3 (CK, CNT)
(Signature recording area 125)
In the signature recording area 125, signature data SigCRL is recorded.
The signature data SigCRL is generated by applying the digital signature Sig to the combined value (KEK || CRL) of the key encryption key KEK and the revocation list CRL using the secret key SK_1.

Signature data SigCRL = Sig (SK_1, (KEK || CRL))
(CRL recording area 126)
The revocation list CRL is recorded in the CRL recording area 126, and the revocation list CRL describes the ID of a certificate to be revoked. The revocation list CRL includes, for example, certificate identifiers ID_3, ID_4, signature data SigID, and version number.

Certificate identifiers ID_3 and ID_4 are identification information for identifying a revoked public key certificate.
The signature data SigID uses the private key SK_CA of the certificate authority CA and the combined value of all certificate identifiers included in the revocation list CRL (one certificate identifier is included in the revocation list CRL). If it is, it is generated by applying a digital signature Sig).

Signature data SigID = Sig (SK_CA, combined value of all certificate identifiers)
The signature data from the certificate authority CA is included in order to guarantee the validity of the revocation list CRL.
The version number is information indicating the generation of the invalidation list CRL.
The CRL format may be a known format or a format specialized for a certain system.

(Certificate recording area 127)
In the certificate recording area 127, the public key certificate PKC is recorded. The public key certificate PKC includes a certificate identifier ID_1, a public key PK_1, and signature data Sig_1.
The certificate identifier ID_1 is identification information for identifying the public key certificate PKC.
The public key PK_1 is based on the public key cryptosystem, and corresponds to the secret key SK_1.

The signature data Sig_1 is generated by applying a digital signature Sig to the combined value (ID_1 || PK_1) of the certificate identifier ID_1 and the public key PK_1 using the private key SK_CA of the certificate authority CA.
Signature data Sig_1 = Sig (SK_CA, ID_1 || PK_1)
The signature data from the certificate authority CA is included in order to guarantee the validity of the public key certificate.

The public key certificate format may be a publicly known format or a format specialized for a certain system.
1.5 Playback device 200
Since the playback devices 200a, 200b, 200c,... Have the same configuration, the playback device 200 will be described here.

  As shown in FIG. 4, the playback device 200 includes a device key storage unit 201, a key calculation unit 202, a key calculation unit 203, a decryption unit 204, a decryption unit 205, a CA public key storage unit 206, a certificate verification unit 207, a CRL. A storage unit 208, a CRL verification unit 209, a CRL comparison update unit 210, a certificate determination unit 211, a signature verification unit 212, a switch 213, a playback unit 214, a control unit 215, an input unit 216, a display unit 217, and a drive unit 218 Has been.

  Specifically, the playback device 200 is a computer system that includes a microprocessor, a ROM, a RAM, a hard disk unit, and the like, like the content server device 500. A computer program is stored in the RAM or the hard disk unit. The playback apparatus 200 achieves its functions by the microprocessor operating according to the computer program.

(1) Device key storage unit 201
The device key storage unit 201 secretly stores the device key DK_x so that it cannot be accessed from an external device. The device key DK_x is a key unique to the playback device 200.
The device key DK_x stored in the device key storage unit 201 differs depending on the playback devices 200a, 200b, 200c, 200d, 200e,. The device key storage units 201 of the playback devices 200a, 200b, 200c, 200d, 200e,... Store device keys DK_2, DK_3, DK_4, DK_5, DK_6,.

(2) Key calculation unit 202
The key calculation unit 202 stores in advance the device number “x” assigned to the playback device 200. The device number “x” stored in the key calculation unit 202 differs depending on the playback devices 200a, 200b, 200c, 200d, 200e,. The key calculation units 202 of the playback devices 200a, 200b, 200c, 200d, 200e,... Respectively have device numbers “2”, “3”, “4”, “5”, “6”,. I remember it.

  The key calculation unit 202 sequentially reads n sets constituting the media key data MDATA from the media key data recording area 122 of the recording medium 120 via the drive unit 218, and stores them from the read sets. Find the set containing the device number “x”. When a set including the device number “x” is found, the encrypted media key E1 (DK_x, y) corresponding to the device number “x” is extracted from the found set. Here, when the playback device 200 is the playback device 200b or 200c, y is a value “0”. When the playback device 200 is a playback device other than the playback devices 200b and 200c, y is the media key MK.

Next, the key calculation unit 202 reads the device key DK_x from the device key storage unit 201, applies the decryption algorithm D1 to the extracted encrypted media key E1 (DK_x, y) using the read device key DK_x, A decryption media key y is generated.
Decryption media key y = D1 (DK_x, (E1 (DK_x, y))
Here, the decryption media key y is either the media key MK or the value “0”.

Next, the key calculation unit 202 outputs the generated decryption media key y to the key calculation unit 203.
(3) Key calculation unit 203
The key calculation unit 203 operates in the same manner as the key calculation unit 104.
The key calculation unit 203 receives the decryption media key y from the key calculation unit 202, and reads the medium unique number MID from the unique number recording area 121 of the recording medium 120 via the drive unit 218.

  Next, the key calculation unit 203 combines the received decryption media key y and the read medium unique number MID in this order to generate a combined value (y || MID). Next, the key calculation unit 203 performs a hash function SHA-1 on the generated combined value (y || MID) to obtain a hash value H ′ = SHA-1 (y || MID), and the obtained hash The value H ′ is set as the key decryption key KDK, and the key decryption key KDK is output to the decryption unit 204 and the signature verification unit 212.

As described above, when the key calculation unit 104 uses a part of the obtained hash value as the key encryption key KEK, the key calculation unit 203 also uses the same part as the part of the obtained hash value as the key. The decryption key KDK is used.
(4) Decoding unit 204
The decryption unit 204 reads the encrypted content key ECK from the key recording area 123 of the recording medium 120 via the drive unit 218 and receives the key decryption key KDK from the key calculation unit 203.

Next, using the received key decryption key KDK, the decryption unit 204 performs a decryption algorithm D2 on the read encrypted content key ECK to generate a decrypted content key DCK.
Decrypted content key DCK = D2 (KDK, ECK)
Here, the decryption algorithm D2 is an algorithm for decrypting the ciphertext generated by applying the encryption algorithm E2, and as an example, is based on DES.

Next, the decrypting unit 204 outputs the generated decrypted content key DCK to the decrypting unit 205.
(5) Decoding unit 205
The decryption unit 205 reads the encrypted content ECNT from the content recording area 124 of the recording medium 120 via the drive unit 218 and receives the decrypted content key DCK from the decryption unit 204.

Next, using the received decrypted content key DCK, the decrypting unit 205 performs decryption algorithm D3 on the read encrypted content ECNT to generate decrypted content DCNT.
Decrypted content DCNT = D3 (DCK, ECNT)
Here, the decryption algorithm D3 is an algorithm for decrypting the ciphertext generated by applying the encryption algorithm E3, and as an example, is based on DES.

Next, the decryption unit 205 outputs the generated decrypted content DCNT to the switch 213.
(6) CA public key storage unit 206
The CA public key storage unit 206 stores in advance the public key PK_CA of the certificate authority CA.
(7) Certificate verification unit 207
The certificate verification unit 207 reads the public key PK_CA from the CA public key storage unit 206, and reads the public key certificate PKC from the certificate recording area 127 of the recording medium 120 via the drive unit 218.

Next, the certificate verification unit 207 extracts the certificate identifier ID_1, the public key PK_1, and the signature data Sig_1 from the read public key certificate PKC, and combines the extracted certificate identifier ID_1 and the public key PK_1 in this order. To generate a combined value (ID_1 || PK_1).
Next, the certificate verification unit 207 uses the read public key PK_CA to apply the signature verification algorithm Vrfy to the extracted signature data Sig_1 and the generated combined value (ID_1 || PK_1) to obtain a verification result RSL2. . The verification result RSL2 is information indicating either verification success or verification failure.

Here, the signature verification algorithm Vrfy is an algorithm for verifying signature data generated by the digital signature Sig.
Next, the certificate verification unit 207 outputs the verification result RSL2 to the switch 213.
(8) CRL storage unit 208
The CRL storage unit 208 records a public key certificate revocation list (hereinafter referred to as a storage revocation list CRL_ST) indicating a public key certificate revoked at the second time point.

The storage revocation list CRL_ST is one or more certificate identifiers, signature data SigID, version number, and revocation list CRL, which is a list indicating public key certificates revoked at the first time point. Is included.
The certificate identifier and signature data SigID are as described above.
The version number is information indicating the generation of the accumulation invalidation list CRL_ST, and indicates that the accumulation invalidation list CRL_ST is at the second time point. The version number takes a larger value as the generation of the public key certificate revocation list is newer.

(9) CRL verification unit 209
The CRL verification unit 209 reads the public key PK_CA from the CA public key storage unit 206, and reads the revocation list CRL from the CRL recording area 126 of the recording medium 120 via the drive unit 218.
Next, the CRL verification unit 209 extracts one or more certificate identifiers and signature data SigID from the read revocation list CRL. Here, when a plurality of certificate identifiers are extracted, they are combined in the order arranged in the revocation list CRL to generate a combined value. When only one certificate identifier is extracted, the extracted one certificate identifier is set as the combined value.

Next, the CRL verification unit 209 applies the signature verification algorithm Vrfy to the extracted signature data SigID and the generated combined value using the read public key PK_CA to obtain a verification result RSL3. The verification result RSL3 is either a verification success or a verification failure.
When the obtained verification result RSL3 indicates that the verification is successful, the CRL verification unit 209 outputs the read revocation list CRL to the signature verification unit 212 and the CRL comparison update unit 210.

(10) CRL comparison update unit 210
The CRL comparison / update unit 210 receives the revocation list CRL from the CRL verification unit 209.
When the invalidation list CRL is received, the CRL comparison / update unit 210 extracts the version number from the received invalidation list CRL, reads the accumulation invalidation list CRL_ST from the CRL storage unit 208, and reads the accumulated invalidation list CRL_ST. Extract the version number from. Next, it is determined whether or not the version number extracted from the invalidation list CRL is larger than the version number extracted from the storage invalidation list CRL_ST.

When it is determined that the version number extracted from the invalidation list CRL is larger than the version number extracted from the storage invalidation list CRL_ST, the CRL comparison / update unit 210 determines that the generation of the invalidation list CRL is the one in the storage invalidation list CRL_ST. The CRL storage unit 208 is overwritten with the invalidation list CRL as the accumulation invalidation list CRL_ST.
If it is determined that the version number extracted from the invalidation list CRL is smaller than or equal to the version number extracted from the accumulation invalidation list CRL_ST, is the generation of the invalidation list CRL older than the generation of the accumulation invalidation list CRL_ST? Or they are considered the same and the above overwrite is not performed.

(11) Certificate determination unit 211
The certificate determination unit 211 reads the accumulation invalidation list CRL_ST from the CRL storage unit 208. Here, the accumulation invalidation list CRL_ST stored in the CRL storage unit 208 is updated to the latest one by the CRL comparison / update unit 210. Further, the certificate determination unit 211 reads the public key certificate PKC from the certificate recording area 127 of the recording medium 120 via the drive unit 218.

  Next, the certificate determination unit 211 extracts the certificate identifier ID_1 from the read public key certificate PKC, and determines whether or not the extracted certificate identifier ID_1 is included in the storage invalidation list CRL_ST. Next, the determination result JDG is output to the switch 213. Here, the determination result JDG is information indicating whether or not the certificate identifier ID_1 is included in the storage invalidation list CRL_ST.

(12) Signature verification unit 212
The signature verification unit 212 receives the key decryption key KDK from the key calculation unit 203. Further, the signature data SigCRL is read from the signature recording area 125 of the recording medium 120 via the drive unit 218, and the public key certificate PKC is read from the certificate recording area 127 of the recording medium 120 via the drive unit 218. . Further, the revocation list CRL is received from the CRL verification unit 209.

  Next, the signature verification unit 212 extracts the public key PK_1 from the read public key certificate PKC, and combines the received key decryption key KDK and the received revocation list CRL to obtain a combined value (KDK || CRL). Using the generated and extracted public key PK_1, the signature verification algorithm Vrfy is applied to the read signature data SigCRL and the generated combined value (KDK || CRL) to obtain a verification result RSL1. The verification result RSL1 is information indicating either verification success or verification failure.

Next, the signature verification unit 212 outputs the verification result RSL1 to the switch 213.
(13) Switch 213
The switch 213 receives the decrypted content DCNT from the decryption unit 205. In addition, the determination result JDG is received from the certificate determination unit 211, the verification result RSL2 is received from the certificate verification unit 207, and the verification result RSL1 is received from the signature verification unit 212.

When the received verification result RSL1 indicates verification success, the received verification result RSL2 indicates verification success, and the received determination result JDG indicates that the certificate identifier ID_1 is not included in the storage invalidation list CRL_ST The switch 213 outputs the received decrypted content DCNT to the playback unit 214 only.
When the received verification result RSL1 indicates a verification failure, the received verification result RSL2 indicates a verification failure, or the received determination result JDG indicates that the certificate identifier ID_1 is included in the storage invalidation list CRL_ST In addition, the switch 213 does not output the received decrypted content DCNT to the playback unit 214.

(14) Playback unit 214
The playback unit 214 receives the decrypted content DCNT from the switch 213, generates video information and audio information from the received decoded content DCNT, converts the generated video information and audio information into analog video signals and audio signals, The video signal and the audio signal are output to the monitor 290.

(15) Control unit 215, input unit 216, display unit 217, drive unit 218, monitor 290, and remote control 280
The control unit 215 controls the operation of each component configuring the playback device 200.
The remote controller 280 includes various buttons, generates operation instruction information according to the operation of the button by the operator, and outputs the generated operation instruction information on infrared rays.

The input unit 216 receives the infrared light carrying the operation instruction information from the remote controller 280, extracts the operation instruction information from the received infrared light, and outputs the extracted operation instruction information to the control unit 215.
The display unit 217 displays various information based on the control of the control unit 215.
The drive unit 218 reads information from the recording medium 120.

The monitor 290 includes a CRT and a speaker, receives analog video signals and audio signals from the playback unit 214, displays video based on the video signals, and outputs audio based on the audio signals.
1.6 Operation of Content Supply System 10 Regarding the operation of the content supply system 10, in particular, the operation of writing data to the recording medium 120 by the recording device 100 and the reproduction of the data recorded on the recording medium 120 by the reproduction device 200. The operation will be described.

(1) Write Operation by Recording Device 100 An operation of writing data to the recording medium 120 by the recording device 100 will be described with reference to the flowchart shown in FIG.
The key calculation unit 103 reads the device key DK_1 and the media key data MDATA from the device key storage unit 101 and the media key data storage unit 102, respectively (step S301), and then reads the read device key DK_1 and media key data MDATA. Is used to generate a media key MK (step S302).

Next, the key calculation unit 104 reads the medium unique number MID from the unique number recording area 121 of the recording medium 120 (step S303), and uses the generated media key MID and the read medium unique number MID to perform key encryption. A key KEK is calculated (step S304).
Next, the encryption unit 105 encrypts the content key CK acquired from the content server device 500 using the calculated key encryption key KEK, and generates an encrypted content key ECK (step S305).

Next, the encryption unit 106 encrypts the content CNT acquired from the content server device 500 using the content key CK acquired from the content server device 500, and generates the encrypted content ECNT (step S306).
Next, the signature generation unit 110 reads the secret key SK_1 from the secret key storage unit 107 (step S307), and generates signature data SigCRL for the key encryption key KEK and the revocation list CRL using the read secret key SK_1. (Step S308).

Next, the recording apparatus 100 receives the media key data MDATA, the encrypted content key ECK, the encrypted content ECNT, the signature data SigCRL, the revocation list CRL, and the public key certificate PKC via the drive unit 111. (Step S309).
(2) Playback Operation by Playback Device 200 The playback operation of data recorded on the recording medium 120 by the playback device 200 will be described with reference to the flowcharts shown in FIGS.

The playback device 200 reads the media key data MDATA, the medium unique number MID, the encrypted content key ECK, the encrypted content ECNT, the signature data SigCRL, the revocation list CRL, and the public key certificate PKC from the recording medium 120 (Step S401). ).
Next, the key calculation unit 202 reads the device key DK_x from the device key storage unit 201 (step S402), and obtains a decryption media key y using the read media key data MDATA and device key DK_x (step S403).

Next, the key calculation unit 203 calculates a key decryption key KDK from the read medium unique number MID and the obtained decryption media key y (step S404).
Next, the decryption unit 204 decrypts the read encrypted content key ECK using the calculated key decryption key KDK to obtain a decrypted content key DCK (step S405).
Next, the decryption unit 205 decrypts the read encrypted content ECNT using the obtained decrypted content key DCK to obtain the decrypted content DCNT (step S406).

Next, the certificate verification unit 207 reads the public key PK_CA of the certificate authority CA from the CA public key storage unit 206 (step S407), and uses the read public key PK_CA of the certificate authority CA to read out the public key certificate. The validity of the PKC is verified (step S408).
If the verification of the validity of the public key certificate PKC has failed (step S409), the control moves to step S422. When the validity of the public key certificate PKC is successfully verified (step S409), the CRL verification unit 209 verifies the validity of the read revocation list CRL using the public key PK_CA of the certificate authority CA. (Step S410).

  If verification of the validity of the revocation list CRL fails (step S411), the control moves to step S422. When the validity of the invalidation list CRL is successfully verified (step S411), the CRL comparison / update unit 210 reads the accumulation invalidation list CRL_ST from the CRL storage unit 208 (step S412) and reads it from the recording medium 120. New and old of the invalidation list CRL and the accumulation invalidation list CRL_ST read from the CRL storage unit 208 are compared (step S413).

  When it is determined that the invalidation list CRL is newer than the accumulation invalidation list CRL_ST as a result of the above comparison (step S414), the CRL comparison / update unit 210 accumulates the invalidation list CRL that is judged as new. The CRL storage unit 208 is overwritten as the conversion list CRL_ST (step S415). If it is determined that the invalidation list CRL is older than the storage invalidation list CRL_ST (step S414), the control moves to step S416.

  Next, the certificate determination unit 211 reads the storage invalidation list CRL_ST from the CRL storage unit 208 (step S416), and the certificate identifier ID_1 extracted from the read public key certificate PKC is included in the storage invalidation list CRL_ST. By determining whether or not the public key certificate PKC is registered in the read storage invalidation list CRL_ST, it is determined (step S417).

If it is determined that it is registered (step S418), the control moves to step S422. When it is determined that it is not registered (step S418), the signature verification unit 212 verifies the validity of the signature data SigCRL using the key decryption key KDK, the public key certificate PKC, and the revocation list CRL (step S418). S419).
When verification of the signature data SigCRL fails (step S420), the switch 213 is opened, the content is not played back (step S422), and the playback operation of the playback device 200 ends.

On the other hand, when the validity of the signature data SigCRL is successfully verified (step S420), the switch 213 is closed and outputs the decrypted content DCNT to the playback unit 214, and the playback unit 214 plays back the decrypted content DCNT (step S420). S421), the playback operation of the playback device 200 ends.
1.7 Other Modifications (1) In the first embodiment, in order to realize a mechanism for propagating the invalidation list CRL through the recording medium, the recording apparatus uses the invalidation list CRL as a signature target. Although the signature data SigCRL is generated and the generated signature data SigCRL is written in the recording medium, the present invention is not limited to this configuration.

For example, the recording device may calculate a hash value of the revocation list CRL and generate signature data for the hash value.
Signature data = Sig (SK_1, HASH (CRL))
Here, HASH (A) is a hash value obtained by applying the hash function HASH to the data A.

The recording device may calculate a hash value of the revocation list CRL, perform an XOR (exclusive OR) operation on the hash value and the media key MK, and generate signature data for the calculation result. .
Signature data = Sig (SK_1, (HASH (CRL)) XOR (MK))
As described above, the recording apparatus generates signature data for the revocation list CRL and content, generates signature data for the revocation list CRL and various key data, and stores the generated signature data on the recording medium. By writing to, falsification and deletion of the invalidation list CRL on the recording medium can be prevented.

Also, in these cases, the playback device performs signature verification using the corresponding data.
(2) In the first embodiment, when comparing the old and new invalidation list CRL acquired from the outside and the invalidation list CRL stored inside, the version numbers are compared. However, the present invention is not limited to this configuration.

For example, if it can be assumed that the size of the revocation list CRL increases monotonically as the revocation list CRL is updated, the larger CRL size may be determined to be newer.
Similarly, if the number of devices to be invalidated can be assumed to increase monotonically as the invalidation list CRL is updated, the number of invalidated devices is determined to be new by comparing the number of devices to be invalidated. Also good.

As described above, any configuration may be used as long as information capable of comparing old and new can be obtained from the CRL.
(3) The latest version of the media key data may be propagated to the recording device via another recording medium.
On the other recording medium, the latest version of the media key data is recorded.

  The recording device has media key data in advance. When the other recording medium on which the media key data is recorded is loaded, the recording device compares the media key data held by itself with the media key data recorded on the recording medium. If the media key data recorded on the recording medium is newer than the media key data held by itself, the media key recorded on the recording medium is used instead of the media key data held by itself. Write data internally.

Here, each media key data is given a version number indicating its generation, and the recording apparatus compares the new and old media key data using each version number.
Further, a part of the media key calculated from the media key data may be a version number, and the remaining part may be generated using a random number. The recording apparatus extracts a part of the media key version number from each media key data, and compares the new and old media key data using each extracted version number.

  Further, the number of devices that are invalidated in the media key data, that is, the number of encrypted media keys whose value “0” is to be encrypted instead of the media key MK, is updated as the media key data is updated. Assuming that the number increases monotonically, the recording device may compare the new and old media key data using the number of invalidated devices included in the media key data.

Each media key data is given time information (year / month / day / hour / minute / second) when the media key data was generated, and the recording device uses each time information to determine whether the media key data is new or old. It may be compared.
As described above, any configuration may be used as long as the media key data can be correctly compared with each other.

Each media key data may be given a signature of the certificate authority CA for preventing falsification. The recording device verifies the validity of the media key data by verifying the signature.
(4) When another encrypted content is additionally written on a recording medium in which media key data and encrypted content are recorded in advance, the recording device adds the media key data held by itself to the recording medium. Based on the media key data recorded on the recording medium or based on the media key data, the content acquired from the outside (for example, the content server device) is encrypted to generate another encrypted content, and the generated another encryption The digitized content may be written to the recording medium.

In this case, there may be a plurality of media key data, a plurality of public key certificates, and a plurality of revocation lists CRLs on the recording medium.
Further, the recording device compares the media key data on the recording medium with the media key data held by the recording device, and if the media key data held by the recording device is newer, Decrypt the encrypted content recorded on the recording medium to generate the decrypted content, encrypt the generated decrypted content based on the new media key owned by itself, generate the re-encrypted content, and generate The re-encrypted content may be written to the recording medium. At this time, the encrypted content recorded on the recording medium may be deleted.

(5) In the first embodiment, a digital signature is applied to the key encryption key KEK to generate signature data. However, the present invention is not limited to this configuration.
For example, the signature data may be generated by applying a digital signature to the hash value of the entire content CNT.
Signature data = Sig (SK_1, (HASH (CNT))
In other words, since the purpose of the signature is to confirm the validity of the recording device that recorded the content, the data to be signed must be information related to the content or information related to the key used for encryption. Any information may be used.

  (6) In the first embodiment, as shown in FIG. 2, the recording apparatus 100 includes a device key storage unit 101, a media key data storage unit 102, a key calculation unit 103, a key calculation unit 104, and an encryption unit 105. , The encryption unit 106, the private key storage unit 107, the certificate storage unit 108, the CRL storage unit 109, the signature generation unit 110, the drive unit 111, the control unit 112, and the transmission / reception unit 113. However, the present invention is not limited to this configuration.

  For example, device key storage unit 101, media key data storage unit 102, key calculation unit 103, key calculation unit 104, encryption unit 105, encryption unit 106, secret key storage unit 107, certificate storage unit 108, CRL storage unit 109, a signature generation unit 110, a drive unit 111, and a control unit 112 are integrated into a drive device, and another part of the control unit 112 and a transmission / reception unit 113 are integrated into a processing device. It may be. In this configuration, a drive device that performs data reading / writing and encryption processing on a recording medium is separated from a processing device that performs other processing.

Further, the device key storage unit 101, the media key data storage unit 102, the secret key storage unit 107, the certificate storage unit 108, and the CRL storage unit 109 may be configured on a storage area of an external storage device. Here, an example of the external storage device is a portable secure memory card.
In the first embodiment, as shown in FIG. 4, the playback apparatus 200 includes a device key storage unit 201, a key calculation unit 202, a key calculation unit 203, a decryption unit 204, a decryption unit 205, and a CA public key storage. Unit 206, certificate verification unit 207, CRL storage unit 208, CRL verification unit 209, CRL comparison update unit 210, certificate determination unit 211, signature verification unit 212, switch 213, playback unit 214, control unit 215, input unit 216 The display unit 217 and the drive unit 218 are integrated devices, but the present invention is not limited to this configuration.

  Device key storage unit 201, key calculation unit 202, key calculation unit 203, decryption unit 204, decryption unit 205, CA public key storage unit 206, certificate verification unit 207, CRL storage unit 208, CRL verification unit 209, CRL comparison update Unit 210, certificate determination unit 211, signature verification unit 212, switch 213, and drive unit 218, and is composed of an integrated drive device. The playback unit 214, control unit 215, input unit 216, and display unit 217 It may be composed of an integrated processing apparatus. In this configuration, a drive device that performs data reading / writing and encryption processing on a recording medium is separated from a processing device that performs other processing.

The device key storage unit 201, the CA public key storage unit 206, and the CRL storage unit 208 may be configured on a storage area of an external storage device. Here, an example of the external storage device is a portable secure memory card.
As described above, the recording device and the reproduction device may be separate configurations of the data reading / writing device and the processing device, respectively, instead of an integrated device. In this case, encryption processing may be performed by the data reading / writing device, or encryption processing may be performed by the processing device.

(7) In the first embodiment, media key data MDATA, encrypted content key ECK, encrypted content ECNT, signature data SigCRL, revocation list CRL, and public key certificate PKC are all recorded on the same recording medium. However, the present invention is not limited to this configuration.
For example, the recording apparatus 100 records part of data such as the signature data SigCRL, the revocation list CRL, and the public key certificate PKC on a recording medium different from the recording medium 120, and the recording medium 120 and the other recording Media may be distributed.

Further, the recording apparatus 100 may be connected to a network represented by the Internet, and part of these data may be distributed via the network. The playback device 200 is also connected to the network, and acquires a part of these data from the recording device 100 via the network.
As described above, the media key data MDATA, the encrypted content key ECK, the encrypted content ECNT, the signature data SigCRL, the revocation list CRL, and the public key certificate PKC are recorded and distributed on one or more recording media, Alternatively, it may be recorded on one or more recording media and distributed via a network.

(8) In the first embodiment, the content is encrypted and the encrypted content is decrypted based on the device key. However, the present invention is not limited to this configuration.
For example, the recording apparatus and the playback apparatus may acquire usage conditions, and the recording and playback may be controlled based on the usage conditions. Here, the use condition is management information attached to the content, and is, for example, a date, a time, or a number of times for permitting recording and reproduction of the content.

(9) In the first embodiment, the playback device reads the revocation list CRL from the CRL storage unit, compares the old and new, stores the new revocation list CRL in the CRL storage unit, and whether or not the public key certificate is registered The revocation list CRL is read again at the time of confirmation, but the present invention is not limited to this configuration.
For example, the playback device registers the revocation list CRL in the revocation list CRL without comparing the revocation list CRL with the old one and without storing the revocation list CRL determined to be new in the CRL storage unit. After determining whether or not there is, the invalidation list CRL read from the recording medium 120 may be stored in the CRL storage unit.

Also, the order of signature verification, CRL verification, and public key certificate determination is not limited as described in the first embodiment, and the playback apparatus can perform signature verification, CRL verification, public key certificate in various orders. A determination may be made to control the reproduction of content.
(10) The recording apparatus and the playback apparatus may include a digital watermark processing unit that generates and embeds a digital watermark.

For example, the recording device may store a device ID that identifies the device, and the device ID may be embedded in the content as a digital watermark when the content is recorded on the recording medium.
At this time, when the content in which the device ID is embedded as an electronic watermark is illegally leaked, the recording device that has recorded the content can be specified by extracting the embedded device ID from the content.

Similarly, the playback device may be configured to embed its own device ID as a digital watermark in the content on the recording medium during playback. At this time, when the content in which the device ID is embedded leaks illegally, by extracting the embedded device ID from the content, it is possible to specify the playback device that has played the content.
(11) The content supply system may include a device key finding device that can identify a device key stored therein when an unauthorized device having an exposed device key is found. This fraudulent device has the same configuration as the playback device 200.

The device key discovery apparatus generates n recording media MD1, MD2, MD3,..., MDn as shown in FIG. In FIG. 8, illustration of data other than the media key data is omitted.
The recording media MD1, MD2, MD3,..., MDn record data having the same contents as those of the third recording medium 120 except for the following points.

(A) There is no revoked public key certificate registered in the revocation list CRL recorded in the recording media MD1, MD2, MD3,. That is, the revocation list CRL does not include the identifier of the public key certificate.
(B) Each media key data recorded on the recording media MD1, MD2, MD3,..., MDn is different from the media key data recorded on the recording medium 120. FIG. 8 shows an example of each media key data recorded on the recording media MD1, MD2, MD3,..., MDn.

(B-1) The media key data recorded on the recording medium MD1 is composed of n sets. Each set includes an encrypted media key and a device number. The device number is as described in the first embodiment.
The first encrypted media key is generated by applying the encryption algorithm E1 to the media key MK using the device key DK_1.

The second, third,..., Nth encryption media keys are generated by applying the encryption algorithm E1 to the value “0” using the device keys DK_2, DK_3,. It is a thing.
(B-2) The media key data recorded on the recording medium MD2 is composed of n sets. Each set includes an encrypted media key and a device number. The device number is as described in the first embodiment.

The first encrypted media key is generated by applying the encryption algorithm E1 to the value “0” using the device key DK_1.
The second encrypted media key is generated by applying the encryption algorithm E1 to the media key MK using the device key DK_2.
The third,..., And nth encrypted media keys are generated by applying the encryption algorithm E1 to the value “0” using the device keys DK_3,.

(B-3) The same applies to the recording media MD3,..., MDn.
For the integer i (1 ≦ i ≦ n), the media key data recorded on the recording medium MDi is composed of n sets. Each set includes an encrypted media key and a device number. The device number is as described in the first embodiment.
The i-th encrypted media key is generated by applying the encryption algorithm E1 to the value “0” using the device key DK_i.

Other encrypted media keys are generated by applying the encryption algorithm E1 to the media key MK using the corresponding device key.
Next, the operator attaches the recording media MD1, MD2, MD3,..., MDn one by one to the unauthorized device in order, and instructs the unauthorized device to reproduce the content.
In this way, n recording media are tried by the unauthorized device.

When the content is correctly played back by the unauthorized device, it is possible to specify the device key that the unauthorized device will contain by the attached recording medium.
For example, when the recording medium MD1 is loaded and the content is correctly reproduced by the unauthorized device, the device key incorporated in the unauthorized device is DK_1.
Generally speaking, if the content is correctly played back by the unauthorized device when the recording medium MDi is loaded, the device key built in the unauthorized device is DK_i.

Since the unauthorized device has the same configuration as the playback device 200 and operates as shown in FIGS. 6 to 7, any one of the recording media MD1, MD2, MD3,. Only when the content is played correctly.
(12) In the first embodiment, as a signature generation algorithm, an appendix-type signature that adds a signature to signature target data is used. However, the present invention is not limited to this configuration.

For example, a message recovery type signature may be used instead of a message appendix type signature. The message recovery type signature is disclosed in Patent Document 3.
In the message recovery type signature, a signer can embed secret information in a generated signature, and a verifier can obtain the secret information after signature verification. Using this feature, the recording device performs an XOR operation (exclusive OR) on the secret information and the key data (for example, the content key), and applies a message recovery type signature to the operation result to obtain the signature data. Generate. At this time, the playback device performs signature verification, and when the verification is successful, obtains the calculation result, performs XOR operation (exclusive OR) on the built-in secret information and calculation result, Obtain key data (eg, content key).

Note that the operation between the secret information and the key data need not be limited to the XOR operation, but is an addition operation or a configuration using the output value of the hash function with the combined data as input values. Also good.
Further, the information that acts on the secret information does not need to be a content key, and may be another key such as a key encryption key.

As described above, any configuration may be used as long as content cannot be reproduced unless confidential information obtained by signature verification is acquired. In this way, signature verification is indispensable for content reproduction by using a message recovery type signature.
(13) In the first embodiment, the content key and the content are acquired from the outside of the recording apparatus, but the present invention is not limited to this configuration.

For example, the content key and the content may be stored in advance in the content recording apparatus. Further, the content key may be generated inside the recording device every time it is used.
(14) In the first embodiment, the switch 213 controlled based on various verification and determination results is provided between the decryption unit 205 and the playback unit 214, and the decrypted content is provided to the playback unit 214. However, the present invention is not limited to this configuration.

For example, the switch 213 may be provided between the decryption unit 204 and the decryption unit 205, and may control whether or not to output the decrypted content key to the decryption unit 205.
The switch 213 may be provided between the key calculation unit 203 and the decryption unit 204 and may control whether or not to output the key decryption key KDK to the decryption unit 204.
As described above, any configuration may be used as long as it can control the reproduction of the final content based on the result of each verification. Furthermore, the switch 213 does not need to be a physical switch, and may be a software configuration as long as it can perform playback control.

Further, the key calculation unit 202 determines whether or not the generated decryption media key y is the value “0” that is the detection information, and determines that the decryption media key y is the value “0”. The switch 213 may be instructed not to output the decrypted content DCNT to the playback unit 214.
In addition, when the key calculation unit 202 determines that the decryption media key y has the value “0”, the key calculation unit 202 transmits the key decryption key to all or any of the key calculation unit 203, the decryption unit 204, and the decryption unit 205 It may be instructed not to generate, generate a decrypted content key, or generate decrypted content.

When the key calculation unit 202 determines that the decryption media key y has the value “0”, the key calculation unit 202 notifies the control unit 215 of a message that the decryption media key y has the value “0”. When the control unit 215 receives the message, the control unit 215 may instruct other constituent elements of the playback device 200 to stop the decryption and playback of the encrypted content.
(15) In the first embodiment, the encryption system is adopted from the three layers of the media key, the key encryption key, and the content key. However, the present invention is not limited to this configuration.

For example, the content key may be omitted, and the content may be directly encrypted with the key encryption key. Or the structure which introduces a new key and increases the hierarchy one layer may be sufficient.
(16) The recording device or the playback device may be configured to acquire the latest version of the media key data and the revocation list CRL via a network represented by the Internet and update the built-in data.

(17) In the first embodiment, the recording device records the invalidation list CRL on the recording medium, but the present invention is not limited to this configuration.
For example, the playback device may acquire the invalidation list CRL via a network, and the recording device may not be configured to record the CRL on the recording medium.
(18) In the first embodiment, the recording device generates signature data for content to be recorded on the recording medium or information related to the content, and records the generated signature data on the recording medium. The present invention is not limited to this configuration.

  For example, the recording device may not generate a signature. At this time, the recording device may encrypt the content based on the media key data and the medium unique number held by itself and record the media key data used for the encryption and the encrypted content on the recording medium. Good. At this time, the playback apparatus reads the media key data, the medium unique number, and the encrypted content from the recording medium, and decrypts the content based on the media key data and the medium unique number.

(19) In the first embodiment, the recording device realizes media binding by generating a key encryption key from a media key and a medium unique number. However, the present invention is limited to this configuration. It is not something.
For example, the recording device may realize media binding by generating an authenticator based on a media key and a medium unique number and recording the generated authenticator on a recording medium. At this time, the playback device similarly generates an authenticator from the media key and the medium unique number, determines whether the generated authenticator matches the authenticator recorded on the recording medium, and plays back the content. Control.

The method for generating the authenticator is, for example, as follows.
A hash function is applied to the value obtained by combining the media key, the medium unique number, and the encrypted content key, and the obtained hash value or a specific part of the hash value is used as an authenticator.
(20) In the first embodiment, one recording medium corresponds to only one content supply system, but the present invention is not limited to this configuration.

  There are a plurality of content supply systems. For example, one content supply system is a system for supplying movie content. Another content supply system is a system for supplying computer software. Yet another content supply system is a system for supplying music. Thus, different content supply systems are used depending on the type of content to be supplied.

  Also, for example, one content supply system is a system that supplies movie content by movie supplier A. Another content supply system is a system for supplying movie content by movie supplier B. Yet another content supply system is a system for supplying movie content by movie supplier C. Thus, different content supply systems may be used depending on the content supplier.

Here, a mechanism in which one recording medium is used in a plurality of different content supply systems will be described.
In the non-rewritable area of the recording medium, key invalidation data is recorded in advance in addition to the medium unique number unique to the recording medium. At this time, the first content supply system implements a mechanism for protecting the copyrighted work by using the key invalidation data recorded in advance in the non-rewritable area. In addition, the second content supply system implements a copyrighted work protection mechanism with the configuration shown in the first embodiment.

FIG. 9 shows an example of data recorded on the recording medium.
The recording medium 700 includes a non-rewritable area 710 and a rewritable area 720. The non-rewritable area 710 includes a key revocation data recording area 711 and a unique number recording area 712 for the first content supply system. Exists. The rewritable area 720 includes a key revocation data recording area 721 for the second content supply system, a first encrypted content key recording area 722, a second encrypted content key recording area 723, Other encrypted content recording areas (not shown) exist.

  Here, the key revocation data recording area 721 for the second content supply system corresponds to the media key data recording area 122 in the first embodiment. Further, in the first encrypted content key recording area 722, data encrypted based on the key revocation data for the first content supply system is recorded, and similarly, the second encrypted content key recording is recorded. In the area 723, data encrypted based on the key revocation data for the second content supply system is recorded.

In this way, when one recording medium supports a plurality of content supply systems, there is no need to have a plurality of medium unique numbers for each system, and it may be unique to each recording medium, and each content supply system has the same medium unique number. Alternatively, a configuration in which a part thereof is commonly used may be used.
Here, when a part of the medium unique number is used, for example, when there is a 128-bit medium unique number, the upper 32 bits are not used, and the lower 96 bits are used as the medium unique number. This means that the upper 32 bits are replaced with all 0s and used as a 128-bit medium unique number.

  As described above, by using a medium unique number recorded in advance on a recording medium in common for a plurality of content supply systems, even on a recording medium on which only a medium unique number that is already commercially available is recorded, A system capable of protecting the copyright of an object can be realized. Further, since it is not necessary to record the medium unique number for each system, the capacity of the non-rewritable area can be reduced.

As described above, the present invention is a copyright protection system that provides a copyright protection mechanism for at least the first and second content supply systems.
The recording medium includes a read-only non-rewritable area and a readable / writable rewritable area. The non-rewritable area includes a medium unique number unique to the recording medium and a first content supply system. And key revocation data are recorded in advance.

  The first content supply system includes a recording device that encrypts and writes content on the recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium. Any one or more of the plurality of playback devices are invalidated. The key revocation data recorded in the non-rewritable area of the recording medium indicates the revoked playback device key.

The recording device uses the invalidation data recorded in the non-rewritable area to encrypt the content, and writes the generated encrypted content to the rewritable area of the recording medium. A part.
The playback device includes the key revocation data recorded in the non-rewritable area of the recording medium, a reading unit that reads the encrypted content recorded on the recording medium, and the read key revocation data And a determination unit that determines whether or not the decryption of the encrypted content is permitted, and when the decryption is not permitted, the decryption of the encrypted content is prohibited and the decryption is permitted. A decrypting unit that decrypts the encrypted content and generates the decrypted content.

The second content supply system includes a recording device that encrypts and writes content on the recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium. Any one or more of the plurality of playback devices are invalidated.
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. A storage unit that stores media key data composed of a plurality of encrypted media keys, a reading unit that reads the medium unique number from the non-rewritable area of the recording medium, the read medium unique number, A generation unit that generates an encryption key based on a media key, an encryption unit that generates encrypted content by encrypting content that is digital data based on the generated encryption key, and the storage unit A reading unit for reading the media key data from the media key data and the generated encrypted content stored in the recording medium. And a writing unit that writes the region.

  Each playback device is read using a reading unit that reads out the encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium, and the device key of the playback device. A decrypting unit that decrypts the encrypted media key and generates a decrypted media key; and determines whether the generated decrypted media key is the detection information. A control unit that prohibits decryption of the encrypted content recorded on the medium and permits the decryption of the encrypted content when the detected information is not, and the encrypted content from the recording medium when the decryption is permitted And a decryption unit for decrypting the read encrypted content and generating the decrypted content based on the generated decryption media key.

1.8 Summary As described above, the present invention provides a recording device that encrypts and records content, a recording medium that records the encrypted content, and a playback device that reads and decrypts the encrypted content from the recording medium. A copyright protection system consisting of
The recording device holds invalidation data for invalidating a key held by a specific device, encrypts the content based on the invalidation data, and stores the invalidation data on the recording medium, and The encrypted content is recorded, a signature is further generated for the content or data related to the encryption of the content, and the generated signature is recorded on the recording medium.

The recording medium records an identification number that uniquely identifies the recording medium in an area that cannot be rewritten by the user, and further records the invalidation data, the encrypted content, and the signature.
The playback device reads the invalidation data, the encrypted content, and the signature from the recording medium, decrypts the content based on the invalidation data, and verifies the validity of the signature The reproduction of the decrypted content may be controlled based on the above.

Here, in the copyright protection system, the recording medium records the invalidation data and the encrypted content, and the signature is distributed via a recording medium different from the recording medium or a communication medium. It may be done.
Here, in the copyright protection system, the recording device may perform processing by a combination of two or more devices and share the processing for each device.

Here, in the copyright protection system, the playback device may perform processing by a combination of two or more devices and share the processing for each device.
Here, in the copyright protection system, the recording device may record the content based on a usage condition of the content.
Here, in the copyright protection system, the playback device may play back content based on content usage conditions.

Here, in the copyright protection system, the recording device may hold a device identification number that uniquely identifies the recording device, and may embed the device identification number as a digital watermark in the content when recording the content. Good.
Here, in the copyright protection system, the reproduction device may hold a device identification number that uniquely identifies the reproduction device, and embed the device identification number as a digital watermark in the content when reproducing the content. Good.

Here, the copyright protection system may include a key finding device that determines the type of key held by the unauthorized device when the unauthorized device is discovered.
The present invention is also a recording device that encrypts and records content. The recording device holds invalidation data for invalidating a key held by a specific device, encrypts the content based on the invalidation data, and stores the invalidation data on the recording medium, and the The encrypted content is recorded, a signature is further generated for the content or data related to the encryption of the content, and the generated signature is recorded on the recording medium.

Here, the recording device may encrypt the content based on an identification number that uniquely identifies the recording medium in addition to the invalidation data.
Here, the recording device may record a public key corresponding to the secret key used for generating the signature on the recording medium.
Here, the recording apparatus may generate a signature using a public key revocation list as a signature target.

Here, when invalidation data exists in the recording medium for recording the content, the recording device compares invalidation data held by the recording device with invalidity data of the invalidation data existing in the recording medium. New invalidation data may be held.
Here, the recording apparatus may compare old and new invalidation data by comparing the sizes of invalidation data and determine invalidation data having a large size as new.

Here, the recording apparatus may compare old and new invalidated data by comparing the number of invalidated keys, and may determine invalidated data having a large number of invalidated keys as new.
Here, the recording device compares old and new invalidation data by generation date or version number of invalidation data, and the generation date or version number is protected from tampering. Also good.

  Here, in the recording device, invalidation data and encrypted content exist on the recording medium for recording the content, and invalidation data held by the recording device is recorded on the recording medium. Similarly, the encrypted content recorded on the recording medium is once decrypted based on the invalidation data recorded on the recording medium when the data is newer than the invalidation data, and the recording apparatus holds the encrypted content. The re-encryption may be performed based on the invalidation data.

Here, the recording device generates secret information within the recording device, encrypts the content based on the secret information and the invalidation data, and generates a signature as information embedded in the signature You may do that.
The present invention is also a playback device that reads and decrypts encrypted content from a recording medium. The playback device reads invalidation data, the encrypted content, and a signature from the recording medium, decrypts the content based on the invalidation data, and verifies the validity of the signature Then, the reproduction of the decrypted content is controlled.

Here, the playback device may decrypt the encrypted content based on an identification number that uniquely identifies the recording medium in addition to the invalidation data.
Here, the playback apparatus has a public key revocation list, and the revocation list is used to register a public key used for verification of the validity of the signature in the revocation list. It may be determined whether or not the reproduction of the decrypted content is controlled based on the determination result.

Here, when the invalidation list exists in the recording medium, the reproduction device compares the invalidation list held by the reproduction device with the new and old invalidation lists existing in the recording medium, You may have an invalidation list.
Here, the playback device may compare old and new invalidation lists by comparing the sizes of invalidation lists and determine that the invalidation list having a large size is new.

Here, the playback device may compare the revocation list with the old and new by comparing the number of revoked public keys, and determine that the revocation list having a large number of revoked public keys is new. .
Here, the playback device may acquire secret information by verifying the validity of the signature, and decrypt the encrypted content based on the acquired secret information and invalidation data. .

The present invention is also a recording medium for recording encrypted content. The recording medium records an identification number that uniquely identifies the recording medium in an area that cannot be rewritten by the user, and further records invalidation data, encrypted content, and a signature.
Here, the recording medium may record the invalidated data and the content encrypted based on the identification number.

Here, the recording medium may record a public key corresponding to the secret key used for generating the signature.
Here, when the recording medium is recorded by two or more recording devices, two or more invalidation data and two or more public keys may be recorded.
As described above, in the first embodiment, the recording device encrypts the content based on the media key calculated from the media key data, and the recording device's own public key certificate and the generated signature. In addition, even if the recording medium has no key revocation information recorded in the non-rewritable area of the recording medium, the key revocation and media binding are realized and an unauthorized device is used. It is possible to prevent copyright infringement by recording or reproducing content.

  Specifically, when there is a regular recording device and an unauthorized playback device, the regular recording device encrypts the content based on the media key data indicating invalidation of the unauthorized playback device and records the content on the recording medium. . An unauthorized playback device in which the recording medium is inserted cannot decrypt the media key from the recorded media key data, so that the playback of content by the unauthorized playback device can be prevented.

  Further, when there is an unauthorized recording device and a regular playback device, the unauthorized recording device encrypts the content based on the old media key data that has not been revoked and records it on the recording medium. At this time, the recording device's own public key certificate and the generated signature data are also recorded. A legitimate playback device into which the recording medium is inserted can decrypt the media key from the recorded media key data. However, in order to determine whether the public key certificate of the recording device is registered in the revocation list CRL before the content is played back, the content recorded by the unauthorized recording device registered in the revocation list CRL is used. If so, you can stop the playback.

2. Second Embodiment A content supply system 20 as another embodiment according to the present invention will be described.
2.1 Configuration of Content Supply System 20 The content supply system 20 has a configuration similar to that of the content supply system 10, and as shown in FIG. 10, a distribution station device 1400, a content server device 1500, a recording device 1100, and The playback apparatus 1200a, 1200b, 1200c, 1200d, 1200e,...

As in the first embodiment, some of the playback devices are invalidated.
2.2 Distribution station apparatus 1400
The distribution station apparatus 1400 includes an information storage unit 1401, a control unit 1402, an input unit 1403, a display unit 1404, and a transmission / reception unit 1405 (not shown).
Specifically, the distribution station apparatus 1400 includes a microprocessor, a ROM, a RAM, a hard disk unit, a communication unit, a display unit, a keyboard, a mouse, and the like, similarly to the content server apparatus 500 of the first embodiment. It is a computer system. A computer program is stored in the RAM or the hard disk unit. Each component of the distribution station apparatus 1400 achieves its function by the microprocessor operating according to the computer program.

The transmission / reception unit 1405 is connected to the recording apparatus 1100 via the Internet 40 and transmits / receives information between the recording apparatus 1100 and the control unit 1402.
The information storage unit 1401 stores key invalidation data RDATA and version number VR in association with each other in advance.
The key revocation data RDATA is the same as the media key data MDATA of the first embodiment. Here, detailed description is omitted.

The version number VR is information indicating the generation of the key revocation data RDATA corresponding to the version number VR.
The control unit 1402 receives an acquisition request for the key revocation data RDATA from the recording device 1100 via the Internet 40 and the transmission / reception unit 1405. Upon receiving the acquisition request, the control unit 1402 reads the key revocation data RDATA and the version number VR from the information storage unit 1401, and transmits the read key revocation data RDATA and the version number VR to the transmission / reception unit 1405 and the Internet. 40 to the recording apparatus 1100.

The input unit 1403 receives an instruction from the operator of the distribution station device 1400 and outputs the received instruction to the control unit 1402.
The display unit 1404 displays various information under the control of the control unit 1402.
2.3 Content server device 1500
The content server device 1500 has the same configuration as the content server device 500 of the first embodiment. Here, the description is omitted.

2.4 Recording device 1100
As shown in FIG. 11, the recording apparatus 1100 includes a device key storage unit 1101, an invalidation data storage unit 1102, a key calculation unit 1103, an encryption unit 1105, an encryption unit 1106, an authenticator generation unit 1104, an allocation unit 1107, It comprises a comparison unit 1108, a control unit 1109, a drive unit 1110, and a transmission / reception unit 1111.

  Specifically, the recording apparatus 1100 is a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, and the like, like the recording apparatus 100. A computer program is stored in the RAM or the hard disk unit. The recording apparatus 1100 achieves its functions by the microprocessor operating according to the computer program.

(1) Device key storage unit 1101
The device key storage unit 1101 secretly stores the device key DK_1 so that it cannot be accessed from an external device. The device key DK_1 is a key unique to the recording apparatus 1100.
(2) Invalidation data storage unit 1102
The revocation data storage unit 1102 has an area for storing the key revocation data RDATA and the version number VR acquired from the distribution station device 1400.

(3) Key calculation unit 1103
The key calculation unit 1103 has the same configuration as the key calculation unit 103 according to the first embodiment.
The key calculation unit 1103 reads the key revocation data RDATA from the revocation data storage unit 1102 and reads the device key DK_1 from the device key storage unit 1101. Next, similarly to the key calculation unit 103, using the read device key DK_1, the read key revocation data RDATA is subjected to the decryption algorithm D1 to generate a media key MK, and the generated media key MK is generated as an authenticator. Output to the unit 1104 and the encryption unit 1105.

(4) Encryption unit 1105
The encryption unit 1105 receives the content key CK from the content server device 1500 via the transmission / reception unit 1111 and receives the media key MK from the key calculation unit 1103.
Next, the encryption unit 1105 applies the encryption algorithm E2 to the received content key CK using the received media key MK to generate an encrypted content key ECK.

Encrypted content key ECK = E2 (MK, CK)
Next, the encryption unit 1105 secures the key recording unit 1323 in the encrypted content file 1320 on the recording medium 1300 via the drive unit 1110, and then uses the generated encrypted content key ECK to the drive unit. Write to the key recording unit 1323 via 1110.
Also, the encryption unit 1105 outputs the generated encrypted content key ECK to the authenticator generation unit 1104.

(5) Encryption unit 1106
The encryption unit 1106 receives the content key CK and the content CNT from the content server device 1500 via the transmission / reception unit 1111, and encrypts the received content CNT using the received content key CK by applying an encryption algorithm E 3. Content ECNT is generated.

Encrypted content ECNT = E3 (CK, CNT)
Next, the encryption unit 1106 secures the content recording unit 1324 in the encrypted content file 1320 on the recording medium 1300 via the drive unit 1110, and then the generated encrypted content ECNT is stored in the drive unit 1110. To the content recording area 124.

(6) Authentication code generator 1104
The authenticator generation unit 1104 receives the media key MK from the key calculation unit 1103, receives the encrypted content key ECK from the encryption unit 1105, and reads the medium unique number MID from the unique number recording area 1301 of the recording medium 1300.
Next, the authenticator generation unit 1104 combines the received media key MK, the read medium unique number MID, and the received encrypted content key ECK in this order, generates combined data, and generates the generated combination A one-way function F is applied to the data to generate an authenticator MAC (Message Authentication Code).

MAC = F (MK || ECK || MID)
Here, F (A) represents a value obtained by applying the one-way function F to the data A. An example of the one-way function F is the hash function SHA-1.
Next, the authenticator generating unit 1104 secures the authenticator recording unit 1322 in the encrypted content file 1320 on the recording medium 1300 via the drive unit 1110, and the generated authenticator MAC is transmitted via the drive unit 1110. To the authenticator recording unit 1322.

The authenticator MAC generated in this way is used when the playback apparatus 1200 determines the validity of the content.
(7) Allocation unit 1107
For the key revocation data RDATA recorded on the recording medium 1300, the assigning unit 1107 generates a key revocation data identifier RID that uniquely identifies the key revocation data RDATA in the recording medium 1300. Next, the identifier recording unit 1321 is secured in the encrypted content file 1320 on the recording medium 1300 via the drive unit 1110, and the generated key revocation data identifier RID is transmitted to the identifier recording unit via the drive unit 1110. Write to 1321.

A specific method of assigning the key revocation data identifier RID by the assigning unit 1107 will be described later.
(8) Comparison unit 1108
The comparison unit 1108 confirms whether the key revocation data file exists in the recording medium 1300 via the drive unit 1110 according to an instruction from the control unit 1109. Next, presence / absence information indicating whether or not a key revocation data file exists is received from the drive unit 1110.

  When the received presence / absence information indicates that the key revocation data file does not exist in the recording medium 1300, the comparison unit 1108 instructs the allocation unit 1107 to generate the key revocation data identifier RID, and The key revocation data RDATA recorded in the revocation data storage unit 1102, the version number VR, and the key revocation data identifier RID generated by the assignment unit 1107 are configured for the drive unit 1110. An instruction to write the key revocation data file to the recording medium 1300 is given.

  When the presence / absence information indicates that a key revocation data file exists on the recording medium 1300, the comparison unit 1108 transmits the key revocation from each key revocation data file on the recording medium 1300 via the drive unit 1110. The version number VF included in the conversion data FDATA is read out. In this case, one or more version numbers VF are read. Also, the version number VR corresponding to the key revocation data RDATA is read from the revocation data storage unit 1102.

  Next, the comparison unit 1108 determines whether or not a version number having the same content as the read version number VR exists in the one or more read version numbers VF, and determines that it does not exist. In the same manner as described above, the allocation unit 1107 is instructed to generate the key revocation data identifier RID, and the drive unit 1110 receives the key revocation data RDATA recorded in the revocation data storage unit 1102. The key revocation data file composed of the version number VR and the key revocation data identifier RID generated by the assigning unit 1107 is instructed to be written in the recording medium 1300.

When determining that it exists, the comparison unit 1108 outputs information indicating that a version number having the same content as the read version number VR exists to the control unit 1109.
(9) Control unit 1109
The control unit 1109 transmits an acquisition request for the key revocation data RDATA to the distribution station device 1400 via the transmission / reception unit 1111 and the Internet 40. Further, the control unit 1109 transmits a content acquisition request to the content server device 1500 via the transmission / reception unit 1111.

The control unit 1109 instructs the comparison unit 1108 to check whether the key revocation data file exists in the recording medium 1300.
When information indicating that a version number having the same content as the version number VR exists from the comparison unit 1108, the version number having the same content as the version number VR on the recording medium 1300 is given to the drive unit 1110. The key revocation data identifier RID is instructed to be read from the included key revocation data file and the key revocation data identifier RID is received from the drive unit 1110.

  Next, the control unit 1109 instructs the key calculation unit 1103 to read the device key DK_1 and the key revocation data RDATA to generate the media key MK, and to the encryption unit 1105, the content key The CK is instructed to be encrypted, the authenticator generation unit 1104 is instructed to read the medium unique number MID and the authenticator MAC is generated, and the encryption unit 1106 is encrypted with the content CNT. Next, the drive unit 1110 is instructed to secure the encrypted content file on the recording medium 1300, and the authenticator generation unit 1104, the encryption unit 1105, and the encryption unit 1106 are instructed. For each of the generated authenticator MAC, the generated encrypted content key ECK, and the generated encrypted content ECNT. It instructs to write the encrypted content file on the medium 1300. Further, the drive unit 1110 is instructed to secure the identifier recording unit 1303 in the encrypted content file on the recording medium 1300, and the key invalidation generated by the allocation unit 1107 or received from the drive unit 1110 An instruction to write the data identifier RID to the identifier recording unit 1303 is given.

(10) Transmission / reception unit 1111
The transmission / reception unit 1111 is connected to the distribution station device 1400 via the Internet 40. Further, the content server apparatus 1500 is connected via the dedicated line 30.
The transmission / reception unit 1111 receives the key revocation data RDATA and the version number VR from the distribution station device 1400 via the Internet 40. When the key revocation data RDATA and the version number VR are received, the received key revocation data RDATA and the version number VR are associated and written to the revocation data storage unit 1102.

In addition, the transmission / reception unit 1111 receives the content key CK and the content CNT from the content server device 1500 via the dedicated line 30, outputs the received content key CK and the content CNT to the encryption unit 1106, and receives the received content The key CK is output to the encryption unit 1105.
(11) Drive unit 1110
The drive unit 1110 reads information from the recording medium 1300 and outputs the read information to the constituent elements in accordance with instructions from the constituent elements constituting the recording apparatus 1100.

Further, the drive unit 1110 secures each area in the recording medium 1300 according to an instruction of each component constituting the recording apparatus 1100, receives information from each component, and writes the received information in the secured area. .
(12) Keyboard 1180 and monitor 1190
The keyboard 1180 receives an operation instruction from the operator of the recording apparatus 1100 and outputs instruction information corresponding to the received operation instruction to the control unit 1109.

The monitor 1190 displays various information under the control of the control unit 1109.
2.5 Recording medium 1300
Similar to the recording medium 120, the recording medium 1300 is an optical disk medium, and includes a non-rewritable area 1308 and a rewritable area 1309 as shown in FIG.
The non-rewritable area 1308 has a unique number recording area 1301 as shown in FIG. At the time of manufacturing the recording medium 1300, a medium unique number MID unique to the recording medium 1300 is recorded in the unique number recording area 1301. At this time, nothing is recorded in the rewritable area 1309. In this figure, the medium unique number MID is expressed by eight hexadecimal digits, specifically “5”.

  Thereafter, as described above, when information is written on the recording medium 1300 by the recording apparatus 1100, the recording area 1305 and the recording area 1306 are secured by the recording apparatus 1100 in the rewritable area 1309. One or more key revocation data files are recorded, and one or more encrypted content files are recorded in the recording area 1306.

  As an example, as shown in FIG. 12, a key revocation data file 1310 is recorded in the recording area 1305, and an encrypted content file 1320 is recorded in the recording area 1306. In the recording medium 1300 shown in FIG. 12, one key revocation data file and one encrypted content file are recorded as an example, but one or more key revocation data files and 1 One or more encrypted content files may be recorded on the recording medium.

As shown in FIG. 12, the key revocation data file 1310 includes a version number recording unit 1311, an identifier recording unit 1312, and a data recording unit 1313.
The version number recording unit 1311 records a version number indicating the generation of the key revocation data RDATA, and the identifier recording unit 1312 stores the key revocation data identifier RID assigned by the assignment unit 1107 of the recording device 1100. The key revocation data RDATA is recorded in the data recording unit 1313.

Here, the version number, the key revocation data identifier RID, and the key revocation data RDATA are as described above.
In FIG. 12, the version number is represented by 4 hexadecimal digits, specifically “3”. In the second embodiment, the version number of the key revocation data is assigned from the distribution station device 1400.

In FIG. 12, the key revocation data identifier is represented by four hexadecimal digits, and specifically, the key revocation data identifier RID is “1”.
Further, as shown in FIG. 12, the encrypted content file 1320 includes an identifier recording unit 1321, an authenticator recording unit 1322, a key recording unit 1323, and a content recording unit 1324. The encrypted content file 1320 is added with a content number (not shown) for identifying the encrypted content included in the file.

In the identifier recording unit 1321, the key revocation data identifier RID is recorded. The key revocation data identifier RID is assigned by the assigning unit 1107 of the recording device 1100 to the key revocation data used in content encryption.
An authenticator MAC is recorded in the authenticator recording unit 1322. The authenticator MAC is generated by the authenticator generator 1104 of the recording device 1100.

In the key recording unit 1323, the encrypted content key ECK generated by the encryption unit 1105 of the recording device 1100 is recorded.
In the content recording unit 1324, the encrypted content ECNT generated by the encryption unit 1106 of the recording device 1100 is recorded.
2.6 Playback device 1200
Since the playback devices 1200a, 1200b, 1200c,... Have the same configuration, the playback devices 1200a, 1200b, 1200c,.

  As shown in FIG. 13, the playback device 1200 includes a device key storage unit 1201, a key calculation unit 1202, an authenticator generation unit 1203, a decryption unit 1204, a decryption unit 1205, a comparison unit 1206, a designation reception unit 1207, an acquisition unit 1208, A search unit 1209, a switch 1211, a drive unit 1213, a playback unit 1214, a control unit 1215, an input unit 1216, and a display unit 1217 are configured.

  Specifically, the playback device 1200 is a computer system that includes a microprocessor, a ROM, a RAM, a hard disk unit, and the like, like the playback device 200. A computer program is stored in the RAM or the hard disk unit. The playback apparatus 1200 achieves its functions by the microprocessor operating according to the computer program.

(1) Designation receiving unit 1207
The designation receiving unit 1207 receives designation of the content to be reproduced from the user via the remote control 1280 and the input unit 1216, and sends the content number for identifying the content for which designation is accepted to the acquisition unit 1208 and the authenticator generation unit 1203. Output.
(2) Acquisition unit 1208
The acquiring unit 1208 receives the content number from the designation receiving unit 1207, finds the encrypted content file 1320 to which the received content number is added from the recording area 1305 of the recording medium 1300 via the drive unit 1213, and finds the found encryption The key revocation data identifier RID is read from the identifier recording unit 1321 of the activated content file 1320. Next, the read key revocation data identifier RID is output to the search unit 1209.

(3) Search unit 1209
The search unit 1209 receives the key revocation data identifier RID from the acquisition unit 1208. When receiving the key revocation data identifier RID, the same content as the received key revocation data identifier RID from one or more key revocation data files recorded in the recording area 1305 of the recording medium 1300 via the drive unit 1213. The key revocation data file including the key revocation data identifier in the identifier recording unit is searched, and the key revocation data RDATA is read from the data recording unit of the searched key revocation data file.

Next, the search unit 1209 outputs the read key revocation data RDATA to the key calculation unit 1202.
(4) Device key storage unit 1201
Similar to the device key storage unit 201, the device key storage unit 1201 secretly stores the device key DK_x so that it cannot be accessed from an external device. The device key DK_x is a key unique to the playback device 1200.

(5) Key calculation unit 1202
The key calculation unit 1202 receives the key revocation data RDATA from the search unit 1209 and reads the device key DK_x from the device key storage unit 1201.
Next, in the same manner as the key calculation unit 202, the key calculation unit 1202 applies the decryption algorithm D1 to the received key revocation data RDATA using the read device key DK_x to generate a decryption media key y.

Here, the decryption media key y is either the media key MK or the value “0”.
Next, the key calculation unit 1202 outputs the generated decryption media key y to the authenticator generation unit 1203 and the switch 1211.
(6) Authentication code generator 1203
The authenticator generation unit 1203 receives the decryption media key y from the key calculation unit 1202 and reads the medium unique number MID from the unique number recording area 1301 of the recording medium 1300 via the drive unit 1213. Also, the content number is received from the designation receiving unit 1207, and the encrypted content file 1320 to which the received content number is added is identified on the recording medium 1300 via the drive unit 1213, and the identified encrypted content file is identified. The encrypted content key ECK is read from the key recording unit 1323 1320.

Next, the received decryption media key y, the read encrypted content key ECK, and the read medium unique number MID are combined in this order to generate combined data, and a one-way function is added to the generated combined data. F is applied to generate a decryption authenticator DMAC.
DMAC = F (y || ECK || MID)
Next, authenticator generation unit 1203 outputs the generated decryption authenticator DMAC to comparison unit 1206.

(7) Comparison unit 1206
The comparison unit 1206 receives the decryption authenticator DMAC from the authenticator generation unit 1203. Also, the comparison unit 1206 receives the content number from the designation receiving unit 1207, and specifies the encrypted content file 1320 to which the received content number is added on the recording medium 1300 via the drive unit 1213. The authenticator MAC recorded in the authenticator recording unit 1322 of the encrypted content file 1320 is read.

Next, the comparison unit 1206 determines whether or not the received decryption authenticator DMAC matches the read authenticator MAC. When it is determined that they match, a closing instruction is output to the switch 1211, and when it is determined that they do not match, an opening instruction is output to the switch 1211.
(8) Switch 1211
The switch 1211 is controlled to be opened and closed according to an instruction from the comparison unit 1206. The switch 1211 opens when it receives a close instruction from the comparison unit 1206, and opens when it receives an open instruction.

The switch 1211 receives the decryption media key y from the key calculation unit 1202. When the close instruction is received, the received decryption media key y is output to the decryption unit 1204. When the opening instruction is received, the decryption media key y is not output to the outside.
(9) Decoding unit 1204
The decryption unit 1204 receives the decryption media key y from the switch 1211. Also, the content number is received from the designation receiving unit 1207, and the encrypted content file 1320 to which the received content number is added is identified on the recording medium 1300 via the drive unit 1213, and the identified encrypted content file is identified. The encrypted content key ECK recorded in the key recording unit 1323 of 1320 is read, and the decrypted content key DCK is generated by applying the decryption algorithm D2 to the read encrypted content key ECK using the received decryption media key y. The generated decryption content key DCK is output to the decryption unit 1205.

(10) Decoding unit 1205
The decrypting unit 1205 receives the decrypted content key DCK from the decrypting unit 1204. Also, the content number is received from the designation receiving unit 1207, and the encrypted content file 1320 to which the received content number is added is identified on the recording medium 1300 via the drive unit 1213, and the identified encrypted content file is identified. The encrypted content ECNT recorded in the content recording unit 1324 of 1320 is read, and the decrypted content DCNT is generated by applying the decryption algorithm D3 to the read encrypted content ECNT using the received decrypted content key DCK. The decrypted content DCNT is output to the playback unit 1214.

(11) Playback unit 1214
The reproduction unit 1214 receives the decrypted content DCNT from the decryption unit 1205, generates video information and audio information from the received decoded content DCNT, converts the generated video information and audio information into analog video signals and audio signals, Are output to the monitor 1290.

(12) Control unit 1215, input unit 1216, display unit 1217, drive unit 1213, monitor 1290, and remote control 1280
The control unit 1215 controls the operation of each component constituting the playback device 1200.
The remote controller 1280 includes various buttons, generates operation instruction information according to the operation of the button by the operator, and outputs the generated operation instruction information on infrared rays.

The input unit 1216 receives the infrared ray carrying the operation instruction information from the remote controller 1280, extracts the operation instruction information from the received infrared ray, and outputs the extracted operation instruction information to the control unit 1215 or the designation receiving unit 1207.
The display unit 1217 displays various information based on the control of the control unit 1215.
The drive unit 1213 reads information from the recording medium 1300.

The monitor 1290 includes a CRT and a speaker, receives analog video signals and audio signals from the playback unit 1214, displays video based on the video signals, and outputs audio based on the audio signals.
2.7 Structure of Data Recorded on Recording Medium and Related Process (1) Version Number In FIG. 12, the version number is represented by 4 hexadecimal digits, specifically “3”. In the second embodiment, the version number of the key revocation data is assigned from the distribution station device 1400.

Specifically, “1” is assigned as the version number to the key revocation data issued first, and then the version numbers “2”, “3”, ... and so on.
When key revocation occurs, new key revocation data is issued, and a new version number is assigned at that time. The issuance of new key revocation data is not limited to the case where key revocation occurs. For example, from the viewpoint of security, new key revocation data may be issued every predetermined period.

(2) Key Revocation Data Identifier In FIG. 12, the key revocation data identifier recorded in the identifier recording unit 1312 is expressed by four hexadecimal digits, and the key revocation data identifier RID is “1”. is there.
Here, the key revocation data identifier RID is information for uniquely identifying each key revocation data recorded for each recording medium. Therefore, the key revocation data identifier can be assigned by an independent system for each recording medium.

As a specific method of assigning the key revocation data identifier RID by the assignment unit 1107 of the recording apparatus 1100, the assignment unit 1107 includes a key revocation data identifier assigned to the key revocation data already recorded on the recording medium, Assign different values.
For example, as shown in FIG. 14, the key revocation data file 1 and the key revocation data file 2 are already recorded on the recording medium 1300a, and the key revocation data identifiers are “1” and “2”, respectively. ”.

At this time, when the new key revocation data file 3 is recorded on the recording medium, the assigning unit 1107 assigns a value other than “1” and “2”, for example, “3” as the key revocation data identifier RID. .
(3) Device Key and Media Key In FIG. 12, the data recording unit 1313 encrypts the media key MK using n device keys DK_i (i = 1, 2,..., N), respectively. The encrypted media key E (DK_i, MK) obtained by doing so is recorded.

In FIG. 12, the device key held by the device n is expressed as DK_n. In the example of this figure, since the device 3 and the device 4 are invalidated, the data “0” completely unrelated to the media key MK is encrypted and recorded in the DK_3 and DK_4 held by each device. Yes.
By generating the key revocation data in this way, for example, the device 1 having the device key DK_1 decrypts the key revocation data E (DK_1, MK) with the device key DK_1, thereby obtaining the media key MK. Although it can be obtained, the device 3 having the device key DK_3 cannot obtain the media key MK even if the key revocation data E (DK_3,0) is decrypted with the device key DK_3.

As described above, in the example of FIG. 12, only all devices other than the device 3 and the device 4 can share the correct media key MK, and the device 3 and the device 4 cannot obtain the correct media key MK. In this way, the disabled devices 3 and 4 can be excluded from the system.
Note that other methods may be used as the device invalidation method. For example, Patent Literature 1 discloses a nullification method using a tree structure.

(4) Encrypted Content File In FIG. 12, the encrypted content file 1320 includes an identifier recording unit 1321, an authenticator recording unit 1322, a key recording unit 1323, and a content recording unit 1324.
In this figure, the key revocation data identifier recorded in the identifier recording unit 1321 is expressed by four hexadecimal digits, and specifically, the key revocation data identifier RID is “1”.

As will be described below, the key revocation data identifier RID is used in the playback device 1200 to acquire from the recording medium 1300 the key revocation data file 310 that is used to decrypt the encrypted content to be played back. .
That is, when the playback device 1200 decrypts and plays back the encrypted content recorded on the recording medium 1300, the key invalidation data identifier RID that is the same as the key revocation data identifier RID recorded in the identifier recording unit 1321 of the encrypted content file 1320 to be played back The key revocation data file 310 including the activation ID in the identifier recording unit 1312 is acquired from the recording medium 1300.

Here, it demonstrates more concretely using FIG. As shown in FIG. 15, the key revocation data file 1, the key revocation data file 2, the encrypted content file A, the encrypted content file B, and the encrypted content file C are recorded on the recording medium 1300b.
As shown in this figure, the key revocation data identifiers of the key revocation data file 1 and the key revocation data file are “1” and “2”, respectively. The key revocation data identifiers of the encrypted content file A, the encrypted content file B, and the encrypted content file C are “1”, “1”, and “2”, respectively.

  This is because the recording device 1100 uses the key revocation data of the key revocation data file 1 when generating and recording the encrypted content file A, and the key revocation when generating and recording the encrypted content file B. This indicates that the key revocation data of the key revocation data file 2 is used when the encrypted content file C is generated and recorded using the key revocation data of the data file 1.

  At this time, for example, when the playback apparatus 1200 decrypts and plays back the encrypted content file B in the recording medium 1300b shown in FIG. 15, the key revocation data identifier of the encrypted content file B is “1”. The key revocation data file 1 having the key revocation data identifier “1” is obtained from the encrypted content file B using the key revocation data included in the earned key revocation data file 1. Decrypt encrypted content stored in.

2.8 Operation of Content Supply System 20 Regarding the operation of the content supply system 20, in particular, the operation of writing data to the recording medium 1300 by the recording device 1100 and the reproduction of data recorded on the recording medium 1300 by the reproducing device 1200. The operation will be described.
(1) Write Operation by Recording Device 1100 An operation of writing data to the recording medium 1300 by the recording device 1100 will be described with reference to flowcharts shown in FIGS.

The transmission / reception unit 1111 of the recording device 1100 receives the key revocation data RDATA and the version number VR from the distribution station device 1400 via the Internet 40, and associates the received key revocation data RDATA and version number VR with each other. And stored in the invalidation data storage unit 1102 (step S1501).
Note that the reception of the key revocation data RDATA and the version number VR in step S1501 is performed when new key revocation data RDATA is issued by the distribution station device 1400. As described above, the version number VR indicating the issuing order is added to the key revocation data RDATA. The recording device 1100 confirms whether or not the received key revocation data RDATA is new based on the version number VR.

  For example, when the revocation data storage unit 1102 of the recording device 1100 holds key revocation data with the version number “1” added, the key revocation with the version number “2” added from the distribution station device 1400 When it is assumed that the activation data has been received, the control unit 1109 of the recording apparatus 1100 displays the version number “2” added to the received key invalidation data and the key invalidation held in the invalidation data storage unit 1102. The version number “1” added to the data is compared. Since the version number “2” added to the received key revocation data is newer, the control unit 1109 determines that the received key revocation data is new and the received key revocation data and the version number “ 2 ”is instructed to store in the invalidation data storage unit 1102. Here, it is assumed that the version number indicates newer as the value is larger.

  Here, the case where the version number is used for comparing the old and new key revocation data has been described, but the present invention is not limited to this method. For example, the issuance date / time is added to the key revocation data instead of the version number, and the new and old key revocation data may be compared using the issuance date / time of the key revocation data. Here, the key revocation data is obtained from the distribution station device 1400, but the method of obtaining the key revocation data is not limited to this configuration. For example, a recording medium in which key revocation data and a version number are recorded may be distributed, and the recording apparatus 1100 may read the key revocation data and the version number from this recording medium.

Next, the comparison unit 1108 of the recording apparatus 1100 confirms whether or not a key revocation data file exists in the recording area 1305 of the recording medium 1300 via the drive unit 1110. If it is confirmed that the key revocation data file does not exist (step S1502), the process proceeds to step S1505a described later.
When it is confirmed that the key revocation data file 310 exists (step S1502), the comparison unit 1108 performs step S1501 on the version numbers recorded in the version number recording units of all the existing key revocation data files. It is checked whether or not there is the same content as the version number added to the obtained key revocation data (step S1503).

In step S1503, when there is no version number that satisfies the above conditions (step S1504), the process proceeds to step S1505a described later.
If there is a version number that satisfies the above condition in step S1504 (step S1504), the control unit 1109 transmits an identifier recording unit of the key revocation data file 1310 including the version number that satisfies the above condition via the drive unit 1110. The key revocation data identifier RID is read from 1312 (step S1505).

The key calculation unit 1103 reads the device key from the device key storage unit 101, reads the key revocation data from the revocation data storage unit 1102 (step S1506), and decrypts the read key revocation data with the read device key. Thus, the media key MK is calculated (step S1507).
Next, the encryption unit 1105 encrypts the content key CK received from the content server device 1500 using the calculated media key, and generates an encrypted content key ECK (step S1508).

  The authenticator generation unit 1104 reads the medium unique number MID from the unique number recording area 1301 of the recording medium 1300 (step S1509), the media key MK calculated by the key calculation unit 1103, and the encryption generated by the encryption unit 1105. The authenticator MAC is generated as an output value when the value obtained by combining the encrypted content key ECK and the read medium unique number MID is used as the input value of the hash function (step S1510). The hash function used here can be realized by a known technique. For example, SHA-1 may be used as a hash function. In addition, it is not limited to SHA-1.

Next, the encryption unit 1106 encrypts the received content CNT using the content key CK received from the content server device 1500 (step S1511).
The recording device 1100 acquires the key revocation data identifier RID acquired in step S1505 or assigned in step S1505a, the authenticator MAC generated in step S1510, the encrypted content key generated in step S1508, and in step S1511. The encrypted content file including the generated encrypted content is recorded in the recording area 1305 of the recording medium 1300 (step S1512), and the process ends.

  If it is confirmed that the key revocation data file 1310 does not exist in the recording medium 1300 (step S1502), and if there is no version number that satisfies the condition in step S1503 (step S1504), the assignment unit 1107 For the key revocation data obtained in S1501, a value different from the key revocation data identifier RID already assigned to all the key revocation data files recorded in the recording area 1305 of the recording medium 1300 is set. It assigns as a digitized data identifier (step S1505a).

  For example, when there is no key revocation data file on the recording medium 1300, the assigning unit 1107 assigns an arbitrary value, for example, “1”. Further, as in the example illustrated in FIG. 14, when the key revocation data files 1 and 2 having the key revocation data identifiers RID “1” and “2” exist on the recording medium 1300 a, the allocation unit 1107 , “1” and “2” are assigned different values, for example, “3”.

  Next, the drive unit 1110 of the recording apparatus 1100 has the key revocation data having the key revocation data obtained in step S1501, the version number of the key revocation data, and the key revocation data identifier assigned in step S1505a. The data file is recorded in the key revocation data file 1302 of the recording medium 1300 (step S1505b). At this time, the key revocation data, version number, and key revocation data identifier RID are recorded in the data recording unit 1313, the version number recording unit 1311, and the identifier recording unit 1312 of the key revocation data file 310, respectively. Next, control is passed to step S1506, and thereafter, steps S1506 to S1512 described above are executed.

(2) Playback Operation by Playback Device 1200 The playback operation of data recorded on the recording medium 1300 by the playback device 1200 will be described with reference to the flowcharts shown in FIGS.
The designation receiving unit 1207 of the playback device 1200 receives a designation of content to be played back (step S1601).

The acquisition unit 1208 finds the encrypted content file corresponding to the content specified in step S1601 from the recording area 1305 of the recording medium 1300 (step S1602).
As a method for specifying the content to be reproduced in the designation receiving unit 1207 and the method for finding the encrypted content file corresponding to the designated content, for example, the playback device 1200 records in the recording area 1305 of the recording medium 1300. Information indicating attributes of all encrypted content files (for example, file name of encrypted content, content title name, content recording date, content summary information, content thumbnail image, content icon, etc.) Is displayed on the display unit 1217 of the playback device 1200, and the user selects the content to be played back from the list, thereby accepting the designation of the content to be played back. Also, the playback device 1200 knows the file name of the encrypted content file storing the specified content from the attribute information of the specified content, and encrypts the corresponding file name from the recording area 1305 of the recording medium 1300. Find content files.

Note that the method for finding the encrypted content file is not limited to the above-described method, and other methods may be used.
The acquisition unit 1208 reads the key revocation data identifier from the identifier recording unit 1321 of the encrypted content file 1320 found in step S1602 (step S1603).
The search unit 1209 finds the key revocation data file 310 in which the same value as the key revocation data identifier RID read in step S1603 is recorded in the identifier recording unit 1312 from the recording area 1305 of the recording medium 1300 (step S1604). ). Next, the search unit 1209 acquires the key revocation data file 1310 found in step S1604 (step S1605).

The key calculation unit 1202 reads the device key from the device key storage unit 1201 and receives key revocation data from the search unit 1209 (step S1606).
The key calculation unit 1202 calculates the decryption media key y by decrypting the key revocation data received in step S1606 using the device key (step S1607).
The authenticator generation unit 1203 reads the medium unique number MID from the unique number recording area 1301 of the recording medium 1300 (step S1608), and obtains the encrypted content key ECK from the key recording unit 1323 of the encrypted content file 1320 found in step S1602. Read (step S1609), a value obtained by combining the decryption media key y acquired in step S1607, the encrypted content key ECK read in step S1609, and the medium unique number MID acquired in step S1608, and the input value of the hash function A decryption authenticator DMAC is generated as an output value at the time (step S1610). The hash function used here is the same hash function SHA-1 as that used in the recording apparatus 1100.

The comparison unit 1206 reads the authenticator MAC from the authenticator recording unit 322 of the encrypted content file 1320 found in step S1602 (step S1611), and the decryption authenticator DMAC calculated in step S1610 and the authentication read in step S1611. It is confirmed whether or not the child MACs match (step S1612).
If the decryption authenticator DMAC and the authenticator MAC do not match (step S1613), the reproduction operation ends.

If the decryption authenticator DMAC and the authenticator MAC match (step S1613), the decryption unit 1204 decrypts the encrypted content key with the decryption media key y calculated in step S1607 to obtain the decrypted content key DCK ( Step S1614).
The decryption unit 1205 reads the encrypted content from the content recording unit 1324 of the encrypted content file 1320 found in step S1602 (step S1615), and decrypts the encrypted content read in step S1615 in step S1614. Using DCK, the content is decrypted and decrypted, and the playback unit 1214 plays back the decrypted content (step S1616).

2.9 Other Modifications The following modifications may be made.
(1) In the second embodiment, the version number indicating the generation of the key revocation data and the key revocation data identifier for identifying the key revocation data are respectively represented by the version number recording unit in the key revocation data file and Although recorded in the identifier recording unit, the present invention is not limited to this method.

  For example, a part of the file name for identifying the key revocation data file may include both the version number of the key revocation data and the key revocation data identifier, or at least one. Specifically, the file name of the key revocation data file may be “KRD_n_m”. Here, n is a version number and m is a key revocation data identifier. In this case, for example, the version number of the key revocation data file identified by the file name “KRD — 0001 — 0002” is “1”, and the key revocation data identifier RID is “2”.

In this way, by including both or at least one of the version number and the key revocation data identifier in the file name, the playback device can check the version number of the key revocation data file and the key revocation data identifier RID by looking at the file name. There is an advantage that processing at the time of searching for a file in the playback apparatus can be reduced.
(2) In the second embodiment, the key revocation data identifier is recorded in the identifier recording unit in the encrypted content file. However, the present invention is not limited to this method.

  For example, the key revocation data identifier may be included in a part of the file name for identifying the encrypted content file. Specifically, the file name for identifying the encrypted content may be “ECNT_m”. Here, m is a key revocation data identifier. For example, the key revocation data identifier RID of the encrypted content file having the file name “ECNT_0002” is “2”.

By including the key revocation data identifier in the file name in this way, the playback device can know the key revocation data identifier by looking at the file name, and can obtain the key revocation data identifier in the playback device. There is an advantage that processing can be reduced.
(3) In the second embodiment, in order to associate the key revocation data with the key revocation data identifier and to associate the encrypted content with the key revocation data identifier RID, the key revocation data file 1310 The version number recording unit 1311 and the identifier recording unit 1312 are provided to record the version number and the key invalidation data identifier, respectively, and the identifier recording unit 1321 is provided to the encrypted content file 1320 to record the key invalidation data identifier. However, the present invention is not limited to this configuration.

  For example, the recording apparatus may record one or more key revocation data files, one or more encrypted content files, and one key revocation data management file on the recording medium 1300. In this key revocation data management file, for each key revocation data file, the version number of the key revocation data, the key revocation data identifier, and the key revocation data file are uniquely specified on the recording medium. Information (for example, a directory name or a file name in which the key revocation data file is recorded) and an encrypted content file encrypted using the key revocation data file are uniquely specified on the recording medium Information (for example, a directory name or a file name in which an encrypted content file is recorded). Based on the information recorded in the key revocation data management file, the playback device acquires a key revocation data file related to the encrypted content designated for playback.

The configuration of the present embodiment may be combined with the configuration in which the key revocation data management file is provided.
(4) In the second embodiment, both the version number of the key revocation data and the key revocation data identifier exist. However, the present invention is not limited to this configuration, and only the key revocation data identifier is included. An existing configuration may be used.

  (5) In the second embodiment, as a key revocation technique, a media key is encrypted using a key revocation data recorded in a rewritable area of a recording medium and a device key held by a device that has not been revoked. And the encrypted content to be recorded in the rewritable area of the recording medium, with a value (for example, “0”) unrelated to the media key encrypted using the device key held by the revoked device. In the above description, the content is encrypted based on the media key. However, the present invention is not limited to this configuration.

For example, in a device that is not revoked as key revocation data and encrypted content to be recorded in a rewritable area of a recording medium, the revoked device can decrypt and reproduce the encrypted content based on the key revocation data. However, any configuration may be used as long as the encrypted content cannot be decrypted and reproduced based on the key revocation data.
(6) In the second embodiment, as a media binding technique, an authenticator MAC is generated using the medium unique number MID in the recording device 1100 and the authenticator MAC is compared in the playback device 1200. It is not limited to this configuration.

For example, the recording device 1100 may encrypt the content using the medium unique number MID and record it on the recording medium, and the playback device 1200 may decrypt the encrypted content using the medium unique number MID.
(7) In the second embodiment, when assigning a key revocation data identifier, a value that is not assigned to key revocation data already recorded in the recording apparatus 1100 is assigned as a key revocation ID. However, it is not limited to this configuration.

For example, the recording apparatus 1100 may store the key revocation data identifier that has already been assigned together with the medium unique number MID and assign the key revocation data identifier based on the information stored in the recording apparatus 1100. good.
2.10 Summary As is apparent from the above description, the recording apparatus according to the present invention includes a key revocation data storage unit that stores key revocation data for revoking a key held by a specific apparatus, and the key. Content encryption means for encrypting the content based on the revocation data, and key revocation data identification information for uniquely identifying the key revocation data in the recording medium for the key revocation data A key revocation data identification information allocating unit for allocating, a key revocation data recording unit for recording the key revocation data in association with the key revocation data identification information on the recording medium, and the encrypted content for the key revocation. Encrypted content recording means for recording in association with the encrypted data identification information.

Further, the key revocation data identification information assigning means in the recording apparatus of the present invention assigns a key invalid value different from the key revocation data identification information already assigned to the key revocation data recorded on the recording medium. Assigned as generalized data identification information information.
Further, the key revocation data identification information allocating means in the recording apparatus of the present invention includes key revocation data recorded on the recording medium and key revocation data stored in the key revocation data storage means. The new and old are compared, and only when the key revocation data stored in the key revocation data storage means is new, the key revocation data identification information is assigned.

Further, the key revocation data identification information allocating means in the recording apparatus of the present invention includes key revocation data recorded on the recording medium and key revocation data stored in the key revocation data storage means. The comparison between old and new is performed based on information related to the date and time when each key revocation data is generated or information related to the order in which each key revocation data is generated.
In addition, the playback device according to the present invention includes, from the recording medium, encrypted content, an encrypted content reading unit that reads out the key revocation data identification information recorded in association with the encrypted content, and the recording medium. Key revocation data reading means for reading the key revocation data recorded in association with the same key revocation data identification information as the key revocation data identification information read by the encrypted content reading means, and the key revocation data Content decrypting means for decrypting the encrypted content read by the encrypted content reading means based on the key revocation data read by the reading means.

Further, the recording medium in the present invention includes key revocation data storage means for recording key revocation data in association with key revocation data identification information for uniquely identifying the key revocation data in the recording medium, Encrypted content storage means for recording encrypted content encrypted based on the key revocation data in association with the revocation data identification information.
The recording medium according to the present invention further records information indicating whether the key revocation data is new or old in association with the key revocation data.

  The copyright protection system according to the present invention includes a recording device, a recording medium, and a playback device, and the recording device stores key invalidation data for invalidating a key held by a specific device. For uniquely identifying the key revocation data in the recording medium with respect to the key revocation data, content encryption means for encrypting the content based on the key revocation data, and the key revocation data Key revocation data identification information assigning means for assigning the key revocation data identification information, and key revocation data recording means for recording the key revocation data in association with the key revocation data identification information on the recording medium, Encrypted content recording means for recording the encrypted content in association with the key revocation data identification information, and the recording medium stores the key revocation data. Key revocation data storage means for recording in association with the key revocation data identification information; and encrypted content storage means for recording the encrypted content in association with the revocation data identification information. Encrypted content, encrypted content reading means for reading out the key revocation data identification information recorded in association with the encrypted content from the recording medium, and key revocation data identification read out by the encrypted content reading means Key revocation data reading means for reading the key revocation data recorded in association with the same key revocation data identification information as the information, and the encryption based on the key revocation data read by the key revocation data read means Content decrypting means for decrypting the encrypted content read by the encrypted content reading means.

  As described above, in the recording device, the recording medium, the reproducing device, and the copyright protection system according to the second embodiment, the key revocation for the key revocation data recorded on the recording medium is performed on the recording medium. A key revocation data ID for uniquely identifying data is assigned, and this key revocation data ID is recorded as a key revocation data file in association with the key revocation data to be recorded on the recording medium. By associating the data ID with the content encrypted using the key revocation data and recording it as an encrypted content file, when reproducing the encrypted content on the playback device, Even when a plurality of encrypted content files and a plurality of key revocation data files are recorded, the encrypted content files The key revocation data file including the same key revocation data ID as the key revocation data ID included in the search can be retrieved and reproduced using the key revocation data file obtained from the encrypted content file. Is possible.

3. Other Modifications Although the present invention has been described based on the above-described embodiments, it is needless to say that the present invention is not limited to the above-described embodiments. The following cases are also included in the present invention.
(1) In each embodiment, the content is data in which video data and audio data are compression-encoded with high efficiency. However, the present invention is not limited to this. For example, the content may be computer data in which novels, still images, sounds, and the like are digitized.

Further, for example, the content may be a computer program composed of a plurality of instructions for controlling the operation of a microprocessor constituting the computer. Further, it may be table data generated by spreadsheet software or a database generated by database software.
(2) Each of the above devices is specifically a computer system including a microprocessor, ROM, RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or the hard disk unit. Each device achieves its function by the microprocessor operating according to the computer program.

(3) The present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal composed of the computer program.
The present invention also provides a computer-readable recording medium such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc). ), Recorded in a semiconductor memory or the like. Further, the present invention may be the computer program or the digital signal recorded on these recording media.

Further, the present invention may transmit the computer program or the digital signal via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like.
The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.

In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, and is executed by another independent computer system. It is good.
(4) The above embodiments and the above modifications may be combined.

Each device and recording medium constituting the present invention can be used in the content distribution industry for producing and distributing content in a business manner, continuously and repeatedly. Further, each device and recording medium constituting the present invention can be manufactured and sold in the electric appliance manufacturing industry in a management manner, continuously and repeatedly.

FIG. 1 is a configuration diagram showing the configuration of the content supply system 10. FIG. 2 is a block diagram illustrating a configuration of the recording apparatus 100. FIG. 3 is a data structure diagram showing the structure of data recorded on the recording medium 120. FIG. 4 is a block diagram showing the configuration of the playback apparatus 200. FIG. 5 is a flowchart showing an operation of writing data to the recording medium 120 by the recording apparatus 100. FIG. 6 is a flowchart showing an operation of reproducing data recorded on the recording medium 120 by the reproducing apparatus 200. Continue to FIG. FIG. 7 is a flowchart showing an operation of reproducing data recorded on the recording medium 120 by the reproducing apparatus 200. Continue from FIG. FIG. 8 is a data structure diagram showing the structure of data recorded on n recording media in a modification of the first embodiment. FIG. 9 is a data structure diagram showing the structure of data recorded on the recording medium in the modification of the first embodiment. FIG. 10 is a configuration diagram showing the configuration of the content supply system 20. FIG. 11 is a block diagram illustrating a configuration of the recording apparatus 1100. FIG. 12 is a data structure diagram showing the structure of data recorded on the recording medium 1300. FIG. 13 is a block diagram showing the configuration of the playback apparatus 1200. FIG. 14 is a data structure diagram showing the structure of data recorded on the recording medium 1300a. FIG. 15 is a data structure diagram showing the structure of data recorded on the recording medium 1300b. FIG. 16 is a flowchart showing an operation of writing data to the recording medium 1300 by the recording apparatus 1100. Continued to FIG. FIG. 17 is a flowchart showing an operation of writing data to the recording medium 1300 by the recording apparatus 1100. Continue to FIG. FIG. 18 is a flowchart showing an operation of writing data to the recording medium 1300 by the recording apparatus 1100. It continues from FIG. FIG. 19 is a flowchart showing an operation of reproducing data recorded on the recording medium 1300 by the reproducing apparatus 1200. Continued to FIG. FIG. 20 is a flowchart showing an operation of reproducing data recorded on the recording medium 1300 by the reproducing apparatus 1200. It continues from FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Content supply system 100 Recording apparatus 200a-200e Playback apparatus 500 Content server apparatus 20 Content supply system 1100 Recording apparatus 1200a-1200e Playback apparatus 1400 Distribution station apparatus 1500 Content server apparatus The recording medium characterized by the above-mentioned.

Claims (42)

A copyright protection system comprising: a recording device that encrypts and writes content to a recording medium; and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium,
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device comprises:
A plurality of encryptions generated by encrypting the media key for each non-invalidated playback device and the predetermined detection information for each disabled playback device using the device key of the playback device. Storage means for storing media key data composed of media keys;
Reading means for reading the medium unique number from the non-rewritable area of the recording medium;
Generating means for generating an encryption key based on the read medium unique number and the media key;
Encryption means for encrypting content that is digital data based on the generated encryption key to generate encrypted content;
Reading means for reading the media key data from the storage means;
Writing means for writing the read media key data and the generated encrypted content into the rewritable area of the recording medium,
Each playback device
Reading means for reading out the encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium;
Decryption means for decrypting the read encrypted media key using the device key of the playback apparatus to generate a decrypted media key;
When it is determined whether the generated decryption media key is the detection information and the detection information is the detection information, the decryption of the encrypted content recorded on the recording medium is prohibited and the detection information is not the detection information Control means for permitting decryption of the encrypted content;
Decryption means for reading the encrypted content from the recording medium and decrypting the read encrypted content to generate the decrypted content based on the generated decryption media key when decryption is permitted. A copyright protection system. The recording device in a copyright protection system comprising a recording device that encrypts and writes content to a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium,
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device comprises:
A plurality of encryptions generated by encrypting the media key for each playback device that has not been invalidated and the predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Storage means for storing media key data composed of media keys;
Reading means for reading the medium unique number from the non-rewritable area of the recording medium;
Generating means for generating an encryption key based on the read medium unique number and the media key;
Encryption means for encrypting content that is digital data based on the generated encryption key to generate encrypted content;
Reading means for reading the media key data from the storage means;
A recording apparatus comprising: writing means for writing the read media key data and the generated encrypted content in the rewritable area of the recording medium. Another recording medium is generated by encrypting the media key for each playback device that has not been invalidated and the predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Storing another media key data composed of a plurality of different encrypted media keys,
The recording device further includes:
Comparison means for comparing the new and old of another media key data stored in the other recording medium and the media key data stored in the storage means;
When it is determined that the other media key data is newer, the other media key data is read from the other recording medium, and the read another media key data is stored in the storage means. Updating means for overwriting the media key data;
The reading means reads the other media key data from the storage means instead of reading the media key data,
The recording apparatus according to claim 2, wherein the writing unit writes the read another media key data in the rewritable area of the recording medium instead of writing the media key data. . The media key data stored in the storage means includes first version information indicating a generation of the media key data,
The another media key data stored in the another recording medium includes second version information indicating a generation of the other media key data,
The said comparison means compares the new and old of said another media key data and said media key data by comparing said 1st version information and said 2nd version information. Recording device. The media key data stored in the storage means includes first date and time information indicating the date and time when the media key data was generated,
The other media key data stored in the other recording medium includes second date and time information indicating the date and time when the other media key data was generated,
The comparison means compares the new and old media key data with the media key data by comparing the first date and time information with the second date and time information. Recording device. The storage means further stores revocation data indicating that a public key assigned to either the recording device or the plurality of playback devices has been revoked,
The recording apparatus further includes signature generation means for generating verification information by applying a digital signature to the invalidated data,
The recording apparatus according to claim 2, wherein the writing unit further writes the generated verification information in the rewritable area of the recording medium. The signature generation means generates the signature data by applying the digital signature of the appendix type to the invalidation data, and generates the verification information composed of the generated signature data and the invalidation data ,
The recording apparatus according to claim 6, wherein the writing unit writes the verification information including the signature data and the invalidation data. The recording apparatus according to claim 6, wherein the signature generation unit generates the verification information by applying the recovery digital signature to the invalidation data. The storage means further stores a secret key and a public key certificate of the recording device,
The signature generation means performs the digital signature using the secret key stored in the storage means,
The reading means further reads the public key certificate from the storage means,
The recording apparatus according to claim 6, wherein the writing unit writes the read public key certificate in the rewritable area of the recording medium. The storage means further stores a public key certificate of the recording device,
The reading means further reads the public key certificate from the storage means,
The recording apparatus according to claim 2, wherein the writing unit writes the read public key certificate in the rewritable area of the recording medium. The storage means further stores revocation data indicating that a public key assigned to either the recording device or the plurality of playback devices has been revoked,
The recording apparatus further includes signature generation means for generating verification information by applying a digital signature to the invalidated data,
The recording apparatus according to claim 2, wherein the writing unit further writes the generated verification information to another recording medium. The storage means further stores revocation data indicating that a public key assigned to either the recording device or the plurality of playback devices has been revoked,
The reading means further reads the invalidation data from the storage means,
The recording apparatus according to claim 2, wherein the writing unit writes the read invalidation data to another recording medium. The storage means further stores a public key certificate of the recording device,
The reading means further reads the public key certificate from the storage means,
The recording apparatus according to claim 2, wherein the writing unit writes the read public key certificate to another recording medium. The storage means further stores a device identifier for identifying the recording device,
The recording device further includes:
An embedding unit that reads the device identifier from the storage unit and embeds the read device identifier as a digital watermark in the content;
The recording apparatus according to claim 2, wherein the encryption unit encrypts the content in which the apparatus identifier is embedded. The media key data stored in the storage means further includes a data identifier for identifying the media key data,
The writing means associates the data identifier with the encrypted content, writes the data identifier in the rewritable area of the recording medium, and writes the media key data including the data identifier in the rewritable area. The recording apparatus according to claim 2. In the recording medium, the media key is further encrypted for each playback device that has not been invalidated, and the predetermined detection information for each playback device that has been invalidated is encrypted using the device key of the playback device. Storing another media key data composed of a plurality of other encrypted media keys generated, the another media key data including another data identifier for identifying the media key data;
The recording device further includes:
The other data identifier for identifying another media key data recorded on the recording medium includes an assigning unit that allocates the data identifier different from the data key stored in the storage unit. The recording apparatus according to claim 15. The recording medium further includes:
A comparison unit that compares the media key data stored in the storage unit with the new and old media key data recorded on the recording medium;
The recording apparatus according to claim 15, wherein the allocating unit allocates the data identifier when it is determined that the media key data stored in the storage unit is newer. The media key data stored in the storage means includes first date and time information indicating the date and time when the media key data was generated,
The other media key data stored in the recording medium includes second date and time information indicating the date and time when the other media key data was generated,
The comparison means compares the new and old media key data with the media key data by comparing the first date and time information with the second date and time information. Recording device. The playback device in a copyright protection system comprising a recording device that encrypts and writes content to a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium,
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Media key data that can be composed of a plurality of encrypted media keys, read the medium unique number from the non-rewritable area of the recording medium, and based on the read medium unique number and the media key, Generate an encryption key, based on the generated encryption key, encrypt content that is digital data to generate encrypted content, read the media key data from the storage means, and read the read Write media key data and the generated encrypted content to the rewritable area of the recording medium,
The playback device
Reading means for reading out the encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium;
Decryption means for decrypting the read encrypted media key using the device key of the playback apparatus to generate a decrypted media key;
When it is determined whether the generated decryption media key is the detection information and the detection information is the detection information, the decryption of the encrypted content recorded on the recording medium is prohibited and the detection information is not the detection information Control means for permitting decryption of the encrypted content;
Decrypting means for reading the encrypted content from the recording medium and decrypting the read encrypted content to generate the decrypted content based on the generated decryption media key when decryption is permitted. A reproducing apparatus characterized by the above. The recording device further stores invalidation data indicating that a public key assigned to any of the recording device and the plurality of playback devices has been invalidated. Applying a digital signature to generate verification information, writing the generated verification information in the rewritable area of the recording medium,
The reading means further reads the verification information written in the rewritable area of the recording medium,
The playback device further includes:
Based on the verification information that has been read, it is provided with verification means for performing signature verification and outputting a verification result indicating the success or failure of verification,
The control means further prohibits the decryption of the encrypted content when the verification result indicates a verification failure, and permits the decryption of the encrypted content when the verification result indicates a successful verification. The playback apparatus according to claim 19. The recording device generates the signature data by applying the appendix type digital signature to the invalidation data, and generates the verification information including the generated signature data and the invalidation data, Write the verification information composed of the signature data and the invalidation data,
The playback apparatus according to claim 20, wherein the verification unit performs the signature verification based on the signature data included in the verification information. The recording device generates the verification information by applying the recovery digital signature to the invalidation data,
The playback device according to claim 20, wherein the verification unit generates the invalidation data from the verification information when a verification result is successful. The recording device further stores a secret key and a public key certificate of the recording device, uses the stored secret key, performs the digital signature, reads the public key certificate, Write the read public key certificate to the rewritable area of the recording medium,
The verification means reads the public key certificate from the recording medium, extracts a public key from the read public key certificate, and performs the signature verification using the extracted public key. Item 21. The playback device according to Item 20. The recording device further stores invalidation data indicating that a public key assigned to any of the recording device and the plurality of playback devices has been invalidated. Applying a digital signature to generate verification information, writing the generated verification information on another recording medium,
The reading means reads the verification information from the other recording medium instead of reading the verification information from the recording medium,
The playback apparatus according to claim 20, wherein the verification unit performs signature verification based on the verification information read from the another recording medium. The recording device further stores the public key certificate of the recording device, reads the public key certificate, writes the read public key certificate to the rewritable area of the recording medium,
The playback device further includes:
Storage means for storing first revocation data indicating that a public key assigned to any of the recording device and the plurality of playback devices has been revoked;
Certificate reading means for reading the public key certificate from the recording medium;
Public key verification means for verifying whether or not the public key included in the read public key certificate indicates that it is revoked by the first revocation data,
The control means further prohibits the decryption of the encrypted content when the public key is invalidated, and permits the decryption of the encrypted content when the public key is not invalidated. The playback apparatus according to claim 19. Another recording medium stores second revocation data indicating that a public key assigned to any of the recording device and the plurality of playback devices has been revoked,
The playback device further includes:
Comparing means for comparing the second invalidation data stored in the other recording medium and the first invalidation data stored in the storage means;
When it is determined that the second invalidation data is newer, the second invalidation data is read from the other recording medium, and the read second invalidation data is stored in the storage means. 26. The playback apparatus according to claim 25, further comprising update means for overwriting the first invalidation data. The comparing means compares the size of the first invalidation data with the size of the second invalidation data to compare the old and new of the first invalidation data and the second invalidation data. The playback device according to claim 26, characterized in that: The comparing means compares the number of revoked public keys indicated by the first revoked data with the number of revoked public keys indicated by the second revoked data. 27. The reproducing apparatus according to claim 26, wherein the invalidation data and the second invalidation data are compared with each other. The second invalidation data stored in the storage means includes second version information indicating a generation of the second invalidation data,
The first invalidation data stored in the another recording medium includes first version information indicating a generation of the first invalidation data,
The comparison means compares the first invalidation data with the second invalidation data by comparing the first version information and the second version information with each other. The reproducing apparatus as described. The second invalidation data stored in the storage means includes second date and time information indicating the date and time when the second invalidation data was generated,
The first invalidation data stored in the another recording medium includes first date and time information indicating the date and time when the first invalidation data was generated,
The comparison means compares the first and second invalidation data with new and old data by comparing the first date and time information with the second date and time information. The reproducing apparatus as described. The recording device further stores second invalidation data indicating that a public key assigned to any of the recording device and the plurality of reproducing devices is invalidated, and the second invalidation Read data, write the read second invalidation data to another recording medium,
The public key verification unit reads the second invalidation data from the other recording medium instead of the first invalidation data, and the public key is invalidated by the read second invalidation data. 26. The reproducing apparatus according to claim 25, wherein it is verified whether or not it is indicated. The recording device further stores the public key certificate of the recording device, reads the public key certificate, writes the read public key certificate to another recording medium,
26. The reproducing apparatus according to claim 25, wherein the certificate reading unit reads the public key certificate from the another recording medium instead of the recording medium. The playback device further includes:
The storage means for storing a device identifier for identifying the playback device;
An embedding unit that reads the device identifier from the storage unit when decryption is permitted, and embeds the read device identifier as an electronic watermark in the encrypted content;
The playback device according to claim 19, wherein the encrypted content in which the device identifier is embedded is written to the recording medium. The media key data stored in the recording device further includes a data identifier for identifying the media key data, and the recording device associates the data identifier with the encrypted content, and The media key data including the data identifier is written to the rewritable area,
The playback device further includes:
Accepting means for accepting designation of the encrypted content recorded in the recording medium;
Reading means for reading from the recording medium the data identifier associated with the encrypted content that has been designated;
Reading means for reading the media key data including the read data identifier from the recording medium,
The playback apparatus according to claim 19, wherein the control unit determines whether or not the encrypted content can be decrypted based on the read media key data. Recording method used by the recording apparatus in a copyright protection system comprising: a recording apparatus that encrypts and writes content on a recording medium; and a plurality of playback apparatuses that attempt to decrypt the encrypted content recorded on the recording medium Because
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Storage means for storing media key data composed of a plurality of encrypted media keys,
The recording method is:
A step of reading the medium unique number from the non-rewritable area of the recording medium;
A generation step of generating an encryption key based on the read medium unique number and the media key;
An encryption step of encrypting content that is digital data based on the generated encryption key to generate encrypted content;
A reading step of reading the media key data from the storage means;
A writing method comprising: writing the read media key data and the generated encrypted content into the rewritable area of the recording medium. For recording used in the recording device in a copyright protection system comprising a recording device that encrypts and writes content to a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium Computer program,
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Storage means for storing media key data composed of a plurality of encrypted media keys,
The computer program for recording is
A step of reading the medium unique number from the non-rewritable area of the recording medium;
A generation step of generating an encryption key based on the read medium unique number and the media key;
An encryption step of encrypting content that is digital data based on the generated encryption key to generate encrypted content;
A reading step of reading the media key data from the storage means;
A computer program comprising: writing the read media key data and the generated encrypted content into the rewritable area of the recording medium. The computer program according to claim 37, wherein the computer program is recorded on a computer-readable recording medium. A playback method used in the playback device in a copyright protection system comprising a recording device that encrypts and writes content to a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium Because
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Media key data that can be composed of a plurality of encrypted media keys, read the medium unique number from the non-rewritable area of the recording medium, and based on the read medium unique number and the media key, Generate an encryption key, based on the generated encryption key, encrypt content that is digital data to generate encrypted content, read the media key data from the storage means, and read the read Write media key data and the generated encrypted content to the rewritable area of the recording medium,
The playback method is:
A reading step of reading out the encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium;
A decryption step of decrypting the read encrypted media key using the device key of the playback apparatus to generate a decrypted media key;
When it is determined whether the generated decryption media key is the detection information and the detection information is the detection information, the decryption of the encrypted content recorded on the recording medium is prohibited and the detection information is not the detection information A control step for permitting decryption of the encrypted content;
A decrypting step of reading the encrypted content from the recording medium and decrypting the read encrypted content based on the generated decryption media key when decryption is permitted. A reproduction method characterized by the above. For playback used in the playback device in a copyright protection system comprising a recording device that encrypts and writes content to a recording medium, and a plurality of playback devices that attempt to decrypt the encrypted content recorded on the recording medium Computer program,
Any one or more of the plurality of playback devices are disabled,
The recording medium includes a read-only non-rewritable area and a rewritable area that can be read and written, and the medium-unique number unique to the recording medium is pre-recorded in the non-rewritable area,
The recording device generates a media key for each playback device that has not been invalidated and predetermined detection information for each playback device that has been invalidated using the device key of the playback device. Media key data that can be composed of a plurality of encrypted media keys, read the medium unique number from the non-rewritable area of the recording medium, and based on the read medium unique number and the media key, Generate an encryption key, based on the generated encryption key, encrypt content that is digital data to generate encrypted content, read the media key data from the storage means, and read the read Write media key data and the generated encrypted content to the rewritable area of the recording medium,
The computer program for reproduction is
A reading step of reading out the encrypted media key corresponding to the playback device from the media key data written in the rewritable area of the recording medium;
A decryption step of decrypting the read encrypted media key using the device key of the playback apparatus to generate a decrypted media key;
When it is determined whether the generated decryption media key is the detection information and the detection information is the detection information, the decryption of the encrypted content recorded on the recording medium is prohibited and the detection information is not the detection information A control step for permitting decryption of the encrypted content;
A decrypting step of reading the encrypted content from the recording medium and decrypting the read encrypted content based on the generated decryption media key when decryption is permitted. A computer program characterized by the above. The computer program according to claim 39, wherein the computer program is recorded on a computer-readable recording medium. A computer-readable recording medium,
It has a read-only non-rewritable area and a rewritable area that can be read and written,
In the non-rewritable area, a medium unique number unique to the recording medium is recorded in advance,
In the rewritable area, media key data and encrypted content are recorded,
The media key data is generated by encrypting the media key for each playback device that has not been invalidated and the predetermined detection information for each playback device that has been invalidated using the device key of the playback device. A plurality of encrypted media keys,
The encrypted content is generated by encrypting content that is digital data based on an encryption key,
The recording medium, wherein the encryption key is generated based on the medium unique number and the media key recorded in the non-rewritable area of the recording medium. A computer-readable recording medium,
It has a read-only non-rewritable area and a rewritable area that can be read and written,
In the non-rewritable area, a medium unique number unique to the recording medium is recorded in advance,
In the rewritable area, media key data and encrypted content are recorded,
The media key data is generated by encrypting the media key for each non-invalidated playback device and the predetermined detection information for each disabled playback device using the device key of the playback device. A plurality of encrypted media keys, including a data identifier for identifying the media key data,
The encrypted content is generated by encrypting content that is digital data based on an encryption key, and includes the data identifier,
The encryption key is generated based on the medium unique number and the media key recorded in the non-rewritable area of the recording medium.

Images