JP2007249999A - Information processor and method, program storage medium, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To distribute rights of use for every detailed content without imposing a large burden on a client. <P>SOLUTION: The right of use of a content holder server 6 is provided to a license server 4. The right of use provided from the content holder server 6 is divided into a right of use only for reproduction and a right of use including reproduction and checkout. The client 1 acquires the right of use for reproduction by paying ¥10. The client 1 acquires the right of use including reproduction and checkout by further paying ¥30. That is, the right of use only for reproduction is upgraded to the right of use including reproduction and checkout. This constitution is applicable to a server for providing contents through a network. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an information processing apparatus and method, a program storage medium, and a program, and in particular, information that can provide a user with a right to use more finely divided content without imposing a burden on the user. The present invention relates to a processing apparatus and method, a program storage medium, and a program.

  Recently, networks typified by the Internet have become widespread, and contents such as audio or video have been distributed through various networks. A user (client) accesses a server via a network and downloads content.

  Also, it has been proposed that the content and the right to use the content are independent. In such a case, the user needs to acquire the usage right separately from the content. Usually, the content is encrypted and provided to the user, and the key for decrypting the content is usually included in the usage right. Alternatively, the content may include a decryption key, and the content may be decrypted by tamper resistant software or the like without knowing the algorithm.

  By doing so, it becomes possible to distribute the content more easily.

  By the way, the usage rights may change depending on the payment status. For example, if you pay 200 yen at the time of registration, you can use up to 10 songs for a month, but if you pay 50 yen for each additional song, you can own that song (there is no time limit) ) If you pay an additional 100 yen, you may be able to check out the song on a portable device.

  When the content of the usage right is complicated as described above, the client that has acquired the usage right needs to manage by itself which state the usage right is in. In other words, if the current state of the usage right is a state in which only 200 yen has been paid, or if 50 yen has been paid for each song after that, It is necessary for the client itself to manage whether he / she has paid, or whether he / she has paid an additional 100 yen and is ready to check out the portable device. Allowing the client to perform such management is a heavy load on the client.

  In addition, if the client performs such management, a malicious user may tamper with the usage right, which is not preferable from the viewpoint of safety.

  The present invention has been made in view of such a situation, and makes it possible to manage usage rights safely without placing a burden on the client.

  An information processing apparatus according to an aspect of the present invention is an information processing apparatus that transmits a usage right that defines usage conditions of content, a receiving unit that receives a usage right transmission request from a client that uses the content, and the client The usage status storage means for storing the usage status corresponding to the usage right for each time, and when the usage right transmission request received by the receiving means is a transmission request for the usage right of the subscription service, is stored in the usage status storage means. Control means for adding the usage state to the requested usage right, and transmission means for transmitting the usage right to which the usage state is added by the control means to the client.

  The control means may request the client to make an AKE (Authentication Key Exchange) process when the subscription service usage right is requested.

  The receiving means can receive a usage state corresponding to a usage right used by the client, identification information of the client, and content information from the client, and the control means receives the received content Information, the usage status stored in the usage status storage means based on the usage status corresponding to the usage right based on the identification information of the client, and the usage status storage means can be updated. The used state of use can be stored.

  The receiving unit may receive a usage state each time processing for using the content is executed by the client from the client.

  The transmission unit may cause the client to transmit the usage state updated by the control unit.

  An information processing method according to an aspect of the present invention is an information processing method for transmitting a usage right that defines usage conditions of content, a reception step of receiving a usage right transmission request from a client that uses the content, and the client A usage state storage step for storing a usage state corresponding to the usage right for each time, and when the usage right transmission request received by the processing in the reception step is a transmission request for a usage right for a subscription service, the usage state storage step A control step of adding the usage state stored in the process to the requested usage right; and a transmission step of transmitting the usage right to which the usage state has been added by the process of the control step to the client.

  A reception step of receiving a usage right transmission request from a client that uses the content to a computer that controls an information processing apparatus that transmits a usage right that defines usage conditions of the content according to one aspect of the present invention; A usage state storage step for storing a usage state corresponding to the right, and when the usage right transmission request received by the processing of the reception step is a transmission request for the usage right of the subscription service, the processing is stored by the processing of the usage state storage step. A control step of adding the used state to the requested usage right, and a transmission step of transmitting the usage right to which the usage state has been added by the processing of the control step to the client.

  The program of the program storage medium according to one aspect of the present invention is a program of an information processing apparatus that distributes a usage right that defines a usage condition of content, and receives a usage right transmission request from a client that uses the content. A usage state storage step for storing a usage state corresponding to a usage right for each client; and when the usage right transmission request received by the processing of the reception step is a transmission request for a usage right for a subscription service, A control step of adding the usage state stored in the processing of the state storage step to the requested usage right; and a transmission step of transmitting the usage right to which the usage state has been added by the processing of the control step to the client. It is characterized by.

  In the information processing apparatus and method, the program storage medium, and the program according to one aspect of the present invention, a usage right transmission request is received from a client that uses content, and a usage state corresponding to the usage right is stored for each client. When the received usage right transmission request is a subscription service usage right transmission request, the stored usage state is added to the requested usage right, and the usage right with the usage state added is transmitted to the client. .

  According to the present invention, it is possible to distribute a usage right without imposing a burden more than necessary on a user who does not want to distribute the usage right in a more secure state. In addition, it is possible to distribute the usage right more safely to a user who wishes to obtain the usage right in a secure environment. As a result, it is possible to prevent the usage right from being stolen by a third party.

  FIG. 1 shows a configuration of a content providing system to which the present invention is applied. Connected to the Internet 2 are clients 1-1 and 1-2 (hereinafter simply referred to as client 1 when these clients do not need to be individually distinguished). Although only two clients are shown in this example, an arbitrary number of clients are connected to the Internet 2.

  The Internet 2 includes a content server 3 that provides content to the client 1, a license server 4 that grants a usage right necessary for using the content provided by the content server 3, and the client When 1 receives a usage right, a charging server 5 is connected to perform charging processing for the client 1.

  A content holder server 6 is further connected to the content server 3 and the license server 4. The content holder server 6 provides content to the content server 3 and provides product information related to the content to the license server 4.

  Any number of these content servers 3, license servers 4, billing servers 5, and content holders 6 are provided and connected to the Internet 2 as necessary.

  FIG. 2 shows the configuration of the license server 4.

  In FIG. 2, a CPU (Central Processing Unit) 21 executes various processes according to a program stored in a ROM (Read Only Memory) 22 or a program loaded from a storage unit 28 to a RAM (Random Access Memory) 23. To do. The timer 20 performs a time measuring operation and supplies time information to the CPU 21. The RAM 23 also appropriately stores data necessary for the CPU 21 to execute various processes.

  The encryption / decryption unit 24 performs a process of encrypting the content data and decrypting the already encrypted content data. The codec unit 25 encodes content data by, for example, ATRAC (Adaptive Transform Acoustic Coding) 3 method, and supplies the encoded data to the semiconductor memory 44 connected to the drive 30 via the input / output interface 32 for recording. Alternatively, the codec unit 25 decodes the encoded data read from the semiconductor memory 44 via the drive 30.

  The semiconductor memory 44 is configured by, for example, a Memory Stick (trademark).

  The CPU 21, ROM 22, RAM 23, encryption / decryption unit 24, and codec unit 25 are connected to each other via a bus 31. An input / output interface 32 is also connected to the bus 31.

  The input / output interface 32 includes an input unit 26 including a keyboard and a mouse, a display including a CRT and an LCD, an output unit 27 including a speaker, a storage unit 28 including a hard disk, a modem, a terminal adapter, and the like. A communicator 29 is connected. The communication unit 29 performs communication processing via the Internet 2. The communication unit 29 also performs communication processing of analog signals or digital signals with other clients.

  A drive 30 is connected to the input / output interface 32 as necessary, and a magnetic disk 41, an optical disk 42, a magneto-optical disk 43, a semiconductor memory 44, or the like is appropriately mounted, and a computer program read from these is loaded. Installed in the storage unit 28 as necessary.

  Although illustration is omitted, the client 1, the content server 3, and the accounting server 5 are also configured by computers having basically the same configuration as the license server 4 shown in FIG. Therefore, in the following description, the configuration of FIG. 2 is also referred to as the configuration of the client 1, the content server 3, the billing server 5, and the like.

  Although illustration is omitted, a PD (Portable Device) is also configured by a computer having basically the same configuration as the license server 4 shown in FIG.

  Next, a process in which the client 1 receives content from the content server 3 will be described with reference to the flowchart of FIG.

  When the user commands access to the content server 3 by operating the input unit 26, the CPU 21 controls the communication unit 29 to access the content server 3 via the Internet 2 in step S 1. In step S2, when the user operates the input unit 26 and designates the content to be provided, the CPU 21 receives this designation information and is designated from the communication unit 29 to the content server 3 via the Internet 2. Notify the content ID of the content. As will be described later with reference to the flowchart of FIG. 4, the content server 3 that has received this notification transmits the content including the encrypted content data. When the content data is received, the encrypted content data is supplied to and stored in the hard disk constituting the storage unit 28 in step S4.

  Next, content providing processing of the content server 3 corresponding to the above processing of the client 1 will be described with reference to the flowchart of FIG. In the following description, the configuration of the license server 4 in FIG. 2 is also referred to as the configuration of the content server 3.

  In step S21, the CPU 21 of the content server 3 stands by until it receives access from the client 2 from the Internet 2 via the communication unit 29. When it is determined that access has been received, the CPU 21 proceeds to step S22 and has been transmitted from the client 1. Capture content ID. This content ID is information that the client 1 has notified in step S2 of FIG.

  In step S23, the CPU 21 of the content server 3 reads out the content data specified by the content ID fetched in step S22 from the content stored in the storage unit 28. In step S24, the CPU 21 supplies the content data read from the storage unit 28 to the encryption / decryption unit 24 and encrypts it using the content key Kc.

  Since the content data stored in the storage unit 28 has already been encoded by the codec unit 25 by the ATRAC3 method, the encoded content data is encrypted.

  Of course, the content data can be stored in the storage unit 28 in a pre-encrypted state. In this case, the process of step S24 can be omitted.

Next, in step S25, the CPU 21 of the content server 3 uses the key information necessary for decrypting the encrypted content in the header constituting the format for transmitting the encrypted content data (see FIG. 5). EKB and K _EKBC (Kc)) to be described later are added. Then, in step S26, the CPU 21 of the content server 3 sends the data obtained by formatting the content encrypted in the process of step S24 and the header added with the key information in the process of step S25 from the communication unit 29 to the Internet 2 To the client 1 that has accessed.

  FIG. 5 shows a format configuration when content is supplied from the content server 3 to the client 1 in this way. As shown in the figure, this format is composed of a header and data.

The header is encrypted using the content information, URL (Uniform Resource Locator), enabling key block (Enabling Key Block) (EKB (Enabling Key Block)), and key K _EKBC generated from EKB. Data K _EKBC (Kc) as content key Kc, content attributes (Attributes), and signatures (Signatures) are arranged. The EKB will be described later with reference to FIGS. 13 and 14.

  The content information includes content ID (CID) as identification information for identifying content data formatted as data, information such as the codec method of the content.

  The URL is address information that is accessed when a usage right necessary to use the content is acquired. In the case of the system of FIG. 1, specifically, the address of the license server 4 required to receive the usage right. It is.

  The content attribute is information related to the content. The content attribute includes a content ID, a record company ID as identification information for identifying the content provider, and an artist ID as identification information for identifying the artist. Etc. are included. In the present embodiment, the attribute is used to specify the content that is the target of the usage right.

  The signature is an electronic signature corresponding to the content attribute.

The data is composed of an arbitrary number of encryption blocks. Each encrypted block includes an initial vector (IV (Initial Vector)), a seed (Seed), and data E _K′c (data) obtained by encrypting content data with a key K′c.

  As shown by the following equation, the key K′c includes a content key Kc and a value calculated by applying a value Seed set by a random number to a hash function.

  K'c ＝ Hash (Kc, Seed)

  The initial vector IV and the seed Seed are set to different values for each encrypted block.

  This encryption is performed every 8 bytes by dividing the content data in units of 8 bytes. The subsequent 8-byte encryption is performed in a CBC (Cipher Block Chaining) mode that is performed using the result of the previous 8-byte encryption.

  In the CBC mode, when encrypting the first 8-byte content data, there is no previous 8-byte encryption result. Therefore, when encrypting the first 8-byte content data, the initial vector IV is set to Encryption is performed as an initial value.

  By performing encryption in the CBC mode, even if one encrypted block is decrypted, the influence is suppressed from affecting other encrypted blocks.

  Further, the encryption method is not limited to this.

  As described above, the client 1 can freely acquire content from the content server 3 free of charge. Accordingly, the content itself can be distributed in large quantities.

  However, each client 1 needs to have a usage right indicating that the use of the acquired content is permitted when the acquired content is used. Therefore, with reference to FIG. 6, processing when the client 1 reproduces content will be described.

  In step S <b> 41, the CPU 21 of the client 1 acquires content identification information (CID) instructed by the user operating the input unit 26. This identification information includes, for example, a content title, a number assigned to each stored content, and the like.

  Then, when the content is instructed, the CPU 21 reads the attribute of the content. This attribute is described in the header of the content as shown in FIG.

  Next, proceeding to step S42, the CPU 21 has already acquired a usage right such that the attributes read in step S41 satisfy the content condition included in each usage right, and the storage unit 28 It is determined whether or not it is stored. If the usage right has not yet been acquired, the process proceeds to step S43, and the CPU 21 executes the usage right acquisition process. Details of this usage right acquisition processing will be described later with reference to the flowchart of FIG.

  If it is determined in step S42 that the usage right has already been acquired, or if the usage right is acquired as a result of executing the usage right acquisition process in step S43, the process proceeds to step S44, and the CPU 21 It is determined whether the acquired usage right is within the expiration date. Whether or not the usage right is within the expiration date is determined by comparing the time limit defined as the content of the usage right (see FIG. 8 described later) with the current date and time counted by the timer 20. The When it is determined that the expiration date of the usage right has already expired, the CPU 21 proceeds to step S45 and executes the usage right update process.

  If it is determined in step S44 that the usage right is still within the expiration date, or if the usage right is updated in step S45, the process proceeds to step S46, and the CPU 21 stores the usage right stored in the storage unit 28. The usage conditions and usage status (described later) included in the right are read, and it is determined whether or not the playback conditions are satisfied.

  If it is determined in step S46 that reproduction is permitted based on the usage conditions and usage status included in the usage right, the process proceeds to step S47, and the CPU 21 stores the encrypted content data in the storage unit 28. Is stored in the RAM 23. In step S48, the CPU 21 supplies the encrypted content data stored in the RAM 23 to the encryption / decryption unit 24 in units of encrypted blocks arranged in the data of FIG. 5, and uses the content key Kc. Decrypt.

A specific example of the method for obtaining the content key Kc will be described later with reference to FIG. 13 and FIG. 14, but the key K _EKBC included in the EKB (FIG. 5) can be obtained using the device node key (DNK). The content key Kc can be obtained from the data K _EKBC (Kc) (FIG. 5) using the key K _EKBC .

  Further, in step S49, the CPU 21 supplies the content data decrypted by the encryption / decryption unit 24 to the codec unit 25 for decoding. Then, the CPU 21 supplies the data decoded by the codec unit 25 to the output unit 27 from the input / output interface 32, performs D / A conversion, and outputs the data from the speaker.

  If it is determined in step S46 that reproduction is not permitted based on the usage conditions and usage status included in the usage right, the processing ends without outputting the content.

  Next, details of the usage right acquisition process performed in step S43 of FIG. 6 will be described with reference to the flowchart of FIG.

  By registering with the license server in advance, the client 1 includes a leaf ID, a DNK (Device Node Key), a private key / public key pair of the client 1, a public key of the license server, and a certificate for each public key. Obtain service data.

  The leaf ID represents identification information assigned to each client, and the DNK is a device node key necessary for decrypting the content key Kc encrypted by the EKB (validation key block) included in the content. (It will be described later with reference to FIG. 10).

  First, in step S61, the CPU 21 acquires a URL described in the content header. As described above, this URL is an address to be accessed when acquiring a usage right necessary for using the content. Therefore, in step S62, the CPU 21 accesses the URL acquired in step S61. Specifically, the license server 4 is accessed via the Internet 2 by the communication unit 29. At this time, the license server 4 transmits a list of usage rights to the client 1, usage right designation information for designating usage rights (usage rights necessary for using the content), and user ID And a password are requested (step S102 in FIG. 9 described later). The CPU 21 displays this request on the display unit of the output unit 27. Based on this display, the user operates the input unit 26 to input usage right designation information, a user ID, and a password. The user ID and password are obtained in advance by the user of the client 1 accessing the license server 4 via the Internet 2.

  In steps S63 and S64, the CPU 21 captures the usage right designation information input from the input unit 26 and also captures the user ID and password. In step S65, the CPU 21 controls the communication unit 29 to send a usage right request including the input user ID and password, including the usage ID specifying information and a leaf ID included in service data (described later) via the Internet 2. The license server 4 is made to transmit.

  As will be described later with reference to FIG. 9, the license server 4 transmits a usage right based on the user ID and password and the usage right designation information (step S109), or when the condition is not satisfied. Does not transmit the usage right (step S112).

  In step S66, the CPU 21 determines whether or not the usage right has been transmitted from the license server 4. If the usage right has been transmitted, the CPU 21 proceeds to step S67 and supplies the usage right to the storage unit 28. , Remember.

  If it is determined in step S66 that the usage right has not been transmitted, the CPU 21 proceeds to step S68 and executes error processing. Specifically, the CPU 21 prohibits the content reproduction process because the right to use the content cannot be obtained.

  As described above, each client 1 can use the content only after acquiring the usage right necessary for using the content.

  Note that the usage right acquisition process in FIG. 7 may be performed in advance before each user acquires content.

  The usage right provided to the client 1 includes, for example, a use condition, a leaf ID, and an electronic signature as shown in FIG.

  The version is information describing the version of the usage right by separating the major version and the minor version with dots.

  The profile is described from a decimal integer value, and is information that defines restrictions on the usage right description method.

  The usage right ID is identification information described by a hexadecimal constant for identifying the usage right.

  The creation date / time indicates the date / time when the usage right was created.

  The expiration date indicates the expiration date of the usage right. An expiration date of 23:59:59 of 9999 indicates that there is no limit on the expiration date.

  The usage conditions include an expiration date for using the content based on the usage rights, a playback expiration date for reproducing the content based on the usage rights, a maximum number of times the content can be played, and the usage rights. Based on the number of times the content can be copied (allowed number of copies), the maximum number of checkouts, and whether or not the content can be recorded on a CD-R based on its usage rights, PD (Portable Device) includes information indicating the number of times that copying can be performed, whether usage rights can be transferred, whether or not there is an obligation to take a usage log, and the like.

  The electronic signature of the use condition is an electronic signature corresponding to the use condition.

  The constant is a constant referred to in the use condition or use state.

  The leaf ID is identification information for identifying the client.

  The electronic signature is an electronic signature corresponding to the entire usage right.

  The certificate is a certificate including the public key of the license server.

  In addition, the storage unit 28 of the client 1 stores a usage state that is information indicating the state of the content and the usage right together with the usage condition of the usage right. The usage status includes the number of times the content has been played based on the corresponding usage rights, the number of times the content has been copied, the number of times the content has been checked out, the date and time the content was first played, the number of times the content has been recorded on the CD-R, and other content Or the information which shows the historical information etc. regarding a use right is contained.

  The determination of the reproduction condition in step S46 in FIG. 6 is performed based on the usage conditions included in the usage right and the usage state stored in the storage unit 28 together with the usage right. For example, when the number of times content stored in the usage state is reproduced is less than the maximum content reproduction number included in the usage condition, it is determined that the reproduction condition is satisfied.

  Next, the usage right providing process of the license server 4 executed in correspondence with the usage right acquisition process of the client 1 of FIG. 7 will be described with reference to the flowchart of FIG.

  In step S101, the CPU 21 of the license server 4 stands by until access is received from the client 1. When access is received, the process proceeds to step S102, and the access right including information on each use right is given to the accessing client 1. And a request for transmission of user ID, password, and usage right designation information. As described above, when a user ID, password, leaf ID, and usage right designation information (which may be a usage right ID) are transmitted from the client 1 in the process of step S65 in FIG. The CPU 21 of No. 4 receives this via the communication unit 29 and executes a process for capturing.

  Then, in step S103, the CPU 21 of the license server 4 accesses the accounting server 5 from the communication unit 29 and requests user credit processing corresponding to the user ID and password. When the billing server 5 receives a request for credit processing from the license server 4 via the Internet 2, the billing server 5 investigates the past payment history of the user corresponding to the user ID and the password, and the user has received the usage right in the past. Check whether or not there is a record of non-payment of the consideration, and if there is no such record, send a credit result that allows the granting of usage rights. If there is a record of non-payment, grant usage rights Send unauthorized credit result of.

  In step S104, the CPU 21 of the license server 4 determines whether or not the credit result from the accounting server 5 is a credit result that allows the usage right to be granted, and when the usage right is allowed to be granted. In step S105, the usage right corresponding to the usage right designation information acquired in step S102 is extracted from the usage rights stored in the storage unit 28. The usage rights stored in the storage unit 28 are preliminarily described with information such as usage rights ID, version, creation date and time, and expiration date. In step S106, the CPU 21 adds the received leaf ID to the usage right. Furthermore, in step S107, the CPU 21 selects a use condition associated with the usage right selected in step S105. Alternatively, when the use condition is designated by the user in the process of step S102, the use condition is added to the use condition prepared in advance as necessary. The CPU 21 adds the selected use condition to the usage right. The use conditions may be added in advance to the usage rights.

  In step S108, the CPU 21 signs the usage right with the private key of the license server and attaches the certificate including the public key of the license server to the usage right, thereby generating the usage right having the configuration shown in FIG. Is done.

  In step S109, the CPU 21 of the license server 4 transmits the usage right (having the configuration shown in FIG. 8) from the communication unit 29 to the client 1 via the Internet 2.

  In step S110, the CPU 21 of the license server 4 stores the usage right (including usage conditions and leaf ID) transmitted in step S109 in correspondence with the user ID and password captured in step S102. The data is stored in the unit 28. Further, in step S111, the CPU 21 executes billing processing. Specifically, the CPU 21 requests the accounting server 5 from the communication unit 29 to perform accounting processing for the user corresponding to the user ID and password. The billing server 5 executes billing processing for the user based on the billing request. As described above, if the user does not pay for this billing process, the user will not be able to receive the usage right even if the user requests to grant the usage right. become.

  That is, in this case, the charging server 5 transmits a credit result that denies the grant of the usage right, so that the process proceeds from step S104 to step S112, and the CPU 21 executes error processing. Specifically, the CPU 21 of the license server 4 transmits a message indicating that the usage right cannot be granted to the client 1 that has accessed by controlling the communication unit 29, and ends the processing.

  In this case, as described above, since the client 1 cannot receive the usage right, the content cannot be used (the encrypted content data can be decrypted and reproduced).

  In the present invention, as shown in FIG. 10, devices and keys are managed based on the principle of the broadcast encryption method. The keys have a hierarchical tree structure, and the bottom leaf corresponds to a key unique to each device. Hierarchical tree structure key management used in the system of the present invention is described in Japanese Patent Publication No. 2001-352321. In the case of the example of FIG. 10, keys corresponding to 16 devices from number 0 to number 15 are generated.

  Each key is defined corresponding to each node of the tree structure indicated by a circle in the figure. In this example, the root key KR corresponds to the root node at the top level, the keys K0 and K1 correspond to the second level node, the keys K00 to K11 correspond to the fourth level node, and the fourth key. Corresponding to the nodes in the tier, keys K000 to K111 are respectively associated. Keys K0000 to K1111 correspond to leaves (device nodes) as the lowermost nodes.

  Because of the hierarchical structure, for example, the upper key of the key K0010 and the key 0011 is K001, and the upper key of the key K000 and the key K001 is K00. Similarly, the upper key of the keys K00 and K01 is K0, and the upper key of the keys K0 and K1 is KR.

  Keys that use content are managed by keys corresponding to the nodes of one path from the lowest device node (leaf) to the highest root node. For example, in the device corresponding to the leaf of number 3, the key for using the content is managed by each key of the path including the keys K0011, K001, K00, K0, and KR.

  In the system of the present invention, as shown in FIG. 11, the key of the device and the key of the content are managed by the key system configured based on the principle of FIG. In the example of FIG. 11, nodes of 8 + 24 + 32 levels have a tree structure, and categories correspond to the nodes from the root node to the lower 8 levels. The category here means a category such as a category of a device that uses a semiconductor memory such as a memory stick and a category of a device that receives a digital broadcast. This system (referred to as a T system) corresponds to one of the category nodes as a system for managing licenses.

  That is, a service provider or a service provided by a service provider is associated with a key corresponding to a node of 24 levels in a lower hierarchy than the node of the T system. In this example, this would define 224 (about 16 mega) service providers or services. Furthermore, 232 (about 4 giga) users (or clients 1) can be defined by the lowest 32 levels. The key corresponding to each node on the path from the lowest 32 nodes to the T system node constitutes a DNK (Device Node Key), and the ID corresponding to the lowest leaf is the leaf ID.

  The content key obtained by encrypting the content is encrypted by the updated root key KR ′, and the update node key of the upper hierarchy is encrypted using the update node key of the immediately lower hierarchy, and EKB (FIG. 13 and FIG. 14 will be described later with reference to FIG. The update node key one level above the end in the EKB is encrypted by the node key or leaf key at the end of the EKB, and placed in the EKB. Using one of the DNK keys described in the service data, the client 1 uses the update node key of the latest higher hierarchy described in the EKB (FIGS. 13 and 14) distributed with the content data. Using the decrypted key, the decrypted node key is further decrypted using the decrypted key. By sequentially performing the above processing, the client 1 can obtain the updated root key KR ′.

  FIG. 12 shows a specific example of category classification of a hierarchical tree structure. In FIG. 12, a root key KR2301 is set at the top level of the hierarchical tree structure, a node key 2302 is set at the intermediate level below, and a leaf key 2303 is set at the bottom level. Each device has an individual leaf key, a series of node keys from the leaf key to the root key, and a device node key (DNK) consisting of the root key.

  A predetermined node from the top level to the M-th level (M = 8 in the example of FIG. 11) is set as the category node 2304. That is, each of the M-th level nodes is a device setting node of a specific category. Nodes and leaves of the M + 1th stage and below with one node of the Mth stage as a vertex are nodes and leaves related to devices included in the category.

  For example, the category [Memory Stick (trademark)] is set in one node 2305 in the M-th stage in FIG. 12, and nodes and leaves connected to this node are nodes dedicated to the category including various devices using the memory stick. Or set as a leaf. That is, nodes 2305 and below are defined as a set of related nodes and leaves of devices defined in the category of the memory stick.

  Furthermore, a stage that is several stages lower than the M stage can be set as the subcategory node 2306. In the example of FIG. 12, a node 2306 of “reproduction-only device” is set as a subcategory node included in the category of the device using the memory stick in a node two steps below the category [memory stick] node 2305. Further, a node 2307 of a telephone with a music playback function included in the category of the playback-only device is set below the node 2306 of the playback-only device that is a subcategory node, and further below that is included in the category of the telephone with a music playback function. A [PHS] node 2308 and a [mobile phone] node 2309 are set.

  Furthermore, categories and subcategories are not limited to device types, for example, nodes managed independently by a certain manufacturer, content provider, payment institution, etc., that is, arbitrary units such as processing units, jurisdiction units, or service units provided (these are (Hereinafter collectively referred to as an entity). For example, if one category node is set as a vertex node dedicated to the game device XYZ sold by the game device manufacturer, the lower node key and leaf key below the vertex node are stored and sold in the game device XYZ sold by the manufacturer. After that, the distribution of encrypted contents or the distribution and update processing of various keys is performed by generating and distributing an enabling key block (EKB) composed of node keys and leaf keys below the vertex node key, and the vertex node Data that can be used only for the following devices can be distributed.

  In this way, by setting one node as a vertex and setting the following nodes as related nodes in the category or subcategory defined in the vertex node, one vertex node in the category stage or subcategory stage is set. It becomes possible for the manufacturer, content provider, etc. to manage to create an enabling key block (EKB) with the node as a vertex and distribute it to devices belonging to the vertex node or lower, and other categories that do not belong to the vertex node The key update can be executed without affecting the devices belonging to this node.

  Further, at a certain point in time t, when it is discovered that the keys K0011, K001, K00, K0, KR owned by the device 3 have been analyzed and exposed by an attacker (hacker), thereafter, the system (devices 0, 1, In order to protect the data transmitted and received in (a few groups), it is necessary to disconnect the device 3 from the system. For this purpose, the node keys K001, K00, K0, KR are updated to new keys K (t) 001, K (t) 00, K (t) 0, K (t) R, respectively, and the devices 0, 1, 2 must be notified of the update key. Here, K (t) aaa represents an update key of the generation (generation) t of the key Kaaa.

  The update key distribution process will be described. The key update is performed by, for example, storing a table composed of block data called an enabling key block (EKB) shown in FIG. 2 is executed. The enabling key block (EKB) is an encryption for distributing a newly updated key to devices corresponding to each leaf (bottom node) constituting the tree structure as shown in FIG. Consists of keys. The enabling key block (EKB) is sometimes called a key renewal block (KRB).

  The enabling key block (EKB) shown in FIG. 13 is configured as block data having a data configuration that can be updated only by a device that needs to update the node key. The example of FIG. 13 is block data formed for the purpose of distributing generation t update node keys in the devices 0, 1, and 2 in the tree structure shown in FIG. As is clear from FIG. 10, device 0 and device 1 require K (t) 00, K (t) 0, and K (t) R as update node keys, and device 2 uses K (t) as an update node key. ) 001, K (t) 00, K (t) 0, K (t) R are required.

  As shown in the EKB of FIG. 13, the EKB includes a plurality of encryption keys. The lowermost encryption key in FIG. 13 is Enc (K0010, K (t) 001). This is an update node key K (t) 001 encrypted with the leaf key K0010 of the device 2, and the device 2 decrypts this encryption key with the leaf key K0010 of the device 2 to obtain an update node key K (t) 001. be able to. Also, using the update node key K (t) 001 obtained by decryption, the encryption key Enc (K (t) 001, K (t) 00) in the second stage from the bottom of FIG. 13 can be decrypted, and the update node key K (t) 00 can be obtained.

  Subsequently, the update node key K (t) 0 is obtained by sequentially decrypting the encryption key Enc (K (t) 00, K (t) 0) in the second stage from the top in FIG. The updated root key K (t) R is obtained by decrypting the encryption key Enc (K (t) 0, K (t) R) in the first stage from the top in FIG.

  On the other hand, the node key K000 is not included in the update target, and the nodes 0 and 1 require K (t) 00, K (t) 0, and K (t) R as update node keys. The nodes 0 and 1 use the device keys K0000 and K0001 to decrypt the encryption key Enc (K000, K (t) 00) in the third row from the top of FIG. 13 to obtain the updated node key K (t) 00. The update node key K (t) 0 is obtained by decrypting the encryption key Enc (K (t) 00, K (t) 0) in the second row from the top in FIG. The updated root key K (t) R is obtained by decrypting the encryption key Enc (K (t) 0, K (t) R) in the first stage from the top. In this way, the devices 0, 1, and 2 can obtain the updated key K (t) R.

  The index in FIG. 13 indicates the absolute address of the node key and leaf key used as the decryption key for decrypting the encryption key on the right side of the diagram.

  When it is not necessary to update the node keys K (t) 0 and K (t) R in the upper level of the tree structure shown in FIG. 10 and only the node key K00 needs to be updated, the activation key block shown in FIG. By using (EKB), the updated node key K (t) 00 can be distributed to the devices 0, 1, and 2.

  The EKB shown in FIG. 14 can be used, for example, when a new content key shared in a specific group is distributed. As a specific example, it is assumed that a recording medium having devices 0, 1, 2, and 3 in a group indicated by a dotted line in FIG. 10 is used and a new common content key K (t) con is required. At this time, data Enc (K (t) obtained by encrypting a new common updated content key K (t) con using K (t) 00 obtained by updating the common node key K00 of the devices 0, 1, 2, 3 00, K (t) con) is distributed together with the EKB shown in FIG. This distribution enables distribution as data that cannot be decrypted by other groups of devices such as the device 4.

  That is, if the devices 0, 1, and 2 decrypt the ciphertext using the key K (t) 00 obtained by processing the EKB, it becomes possible to obtain the content key K (t) con at time t. .

  In FIG. 15, as an example of processing for obtaining the content key K (t) con at time t, data Enc (K (t (t)) is obtained by encrypting a new common content key K (t) con using K (t) 00. ) 00, K (t) con) and EKB shown in FIG. 14 through the recording medium. That is, this example is an example in which the encrypted message data by EKB is the content key K (t) con.

  As shown in FIG. 15, the device 0 uses the EKB at the generation t stored in the recording medium and the node key K000 stored in advance by itself to perform the node key K ( t) 00 is generated. Further, the device 0 decrypts the updated content key K (t) con using the decrypted updated node key K (t) 00, and encrypts and stores the decrypted content key K (t) con using the leaf key K0000 that only the device itself has for later use. To do.

  FIG. 16 shows a format example of the enabling key block (EKB). The version 601 is an identifier indicating the version of the enabling key block (EKB). Note that the version has a function for identifying the latest EKB and a function for indicating a correspondence relationship with the content. The depth indicates the number of hierarchies of the hierarchical tree for the device to which the enabling key block (EKB) is distributed. The data pointer 603 is a pointer indicating the position of the data part 606 in the enabling key block (EKB), the tag pointer 604 is the position of the tag part 607, and the signature pointer 605 is a pointer indicating the position of the signature 608.

  The data unit 606 stores, for example, data obtained by encrypting the node key to be updated. For example, each encryption key related to the updated node key as shown in FIG. 15 is stored.

  A tag unit 607 is a tag indicating the positional relationship between the encrypted node key and leaf key stored in the data unit 606. The tag assignment rule will be described with reference to FIG.

  FIG. 17 shows an example in which the enabling key block (EKB) described above with reference to FIG. 13 is sent as data. The data at this time is as shown in the table indicated by B in FIG. The top node address included in the encryption key at this time is set as the top node address. In this example, since the root key update key K (t) R is included, the top node address is KR. At this time, for example, the uppermost data Enc (K (t) 0, K (t) R) corresponds to the position P0 indicated in the hierarchical tree indicated by A in FIG. The next stage data is Enc (K (t) 00, K (t) 0), and corresponds to the lower left position P00 of the previous data on the tree. When there is data below the predetermined position of the tree structure, the tag is set to 0, and when there is no data, the tag is set to 1. The tags are set as {left (L) tag, right (R) tag}. Since there is data at the lower left position POO of the position PO corresponding to the uppermost data Enc (K (t) 0, K (t) R) in Table B, L tag = 0, there is no data on the right. R tag = 1. Hereinafter, tags are set for all data, and a data string and a tag string indicated by C in FIG. 17 are configured.

The tag is set to indicate where in the tree structure the corresponding data Enc (Kxxx, Kyyy) is located. The key data Enc (Kxxx, Kyyy)... Stored in the data portion 606 is merely enumerated data of encrypted keys, but on the encryption key tree stored as data by the tag described above. The position of can be discriminated. Without using the tag described above, using the node index corresponding to the encrypted data as in the configuration described in FIG. 15, for example,
0: Enc (K (t) 0, K (t) R)
00: Enc (K (t) 00, K (t) 0)
000: Enc (K ((t) 000, K (t) 00)
However, if such an index is used, redundant data is generated and the amount of data increases, which is not preferable in distribution via a network. On the other hand, by using the above-described tag as index data indicating the key position, the key position can be determined with a small amount of data.

  Returning to FIG. 16, the EKB format will be further described. The signature (Signature) 608 is an electronic signature executed by, for example, the key management center (license server 4), content provider (content server 3), settlement organization (billing server 5), etc., which issued the enabling key block (EKB). . The device that has received the EKB confirms that it is an activation key block (EKB) issued by a valid issuer of an activation key block (EKB) by signature verification.

  As described above, the process of using the content supplied from the content server 3 based on the usage right supplied from the license server 4 is summarized as shown in FIG.

That is, content is provided from the content server 3 to the client 1 and a license is given from the license server 4 to the client 1. A combination of service data supplied when the client 1 is registered in the license server 4 and a usage right that is information permitting use of specific content is called a license. The content is encrypted by the content key Kc (Enc (Kc, Content)), and the content key Kc is a key obtained from the update root key KR ′ (EKB and corresponds to the key K _EKBC in FIG. ) Is encrypted (Enc (KR ′, Kc)), and is added to the encrypted content together with EKB and provided to the client 1.

  For example, as shown in FIG. 21, the EKB in the example of FIG. 18 includes an update root key KR ′ that can be decrypted by DNK (Enc (DNK, KR ′)). Therefore, the client 1 can obtain the updated route key KR ′ from the EKB using the DNK included in the service data. Further, the content key Kc can be decrypted from the Enc (KR ′, Kc) using the update root key KR ′, and the content can be decrypted from the Enc (Kc, Content) using the content key Kc. .

  Thus, by assigning the DNK to each device to the client 1, the individual clients 1 can be revoked according to the principle described with reference to FIGS.

  Further, by distributing the license leaf ID with the license leaf ID, the service data and the usage right are associated with each other in the client 1, and unauthorized copying of the usage right can be prevented.

  Also, by distributing the client certificate and private key as service data, the end user can also create content that can prevent unauthorized copying using these.

  In the present invention, as described with reference to FIG. 11, the T system that manages licenses is associated with category nodes and the categories of devices that use various contents, so that a plurality of DNKs can be assigned to the same device. You can have it. As a result, different categories of content can be managed by one device.

  FIG. 22 shows an example of this relationship. That is, DNK1 is allocated to the device D1 based on the T system, and the content 1 including EKB can be reproduced. Similarly, for example, DNK2 is assigned to the device D1, and the content 2 ripped from the CD can be recorded on the memory stick. In this case, the device D1 can simultaneously handle the contents 1 and 2 distributed by different systems (T system and device management system). When assigning a new DNK, such a case cannot be performed when only one DNK is made to correspond to the device by deleting the already assigned DNK.

  Thus, in the present invention, independent key management is possible for each category.

  In addition, a system that allows the user to purchase a key by downloading the DNK to each device or medium when the registration process is performed by the license server 4 instead of embedding in the device or the medium in advance. Can be realized.

  In a system that distributes content and usage rights separately, the content can be used for all purposes, regardless of how it is used, regardless of how it is used after it is created. It is desirable that For example, it is desirable that the same content can be used even when different content distribution services or uses are different. Therefore, in the present invention, as described above, the private key and the corresponding public key certificate are distributed to each user (client 1) from the license server 4 as the certificate authority. Each user can create a signature using the secret key, add it to the content, guarantee the integrity of the content, and prevent falsification of the content.

  Before using the content, the client 1 needs to access the license server 4 and acquire the usage right. When the license server 4 receives access from the client 1, the license server 4 provides a usage right, but before that, it is necessary to obtain product information related to the content from the content holder server 6. Next, processing in this case will be described with reference to the flowcharts of FIGS. 21 and 22.

  In step S201, the CPU 21 of the content holder server 6 creates content product information. In step S 202, the CPU 21 transmits the product information created in step S 201 to the license server 4 via the communication unit 29.

  Corresponding to the processing of the content holder server 6 described above, the license server 4 executes the processing shown in the flowchart of FIG.

  That is, in step S301, the CPU 21 of the license server 4 receives the product information transmitted from the content holder server 6 (transmitted in the process of step S202 in FIG. 21). In step S302, the CPU 21 supplies the product information received in the process of step S301 to the storage unit 28 for storage. Thereafter, in step S303, the CPU 21 executes a process of dividing the product information (use conditions) registered in the process of step S302.

  For example, assume that the product information transmitted from the content holder server 6 has the contents as shown in FIG. In the example of FIG. 23, when the user pays a value of 350 yen, the corresponding content can be played back without limitation on the number of times and the period.

  On the other hand, when the user pays a value of 100 yen, the number of times is not limited, but the period is only one month, and during that time, the user is allowed to reproduce the content.

  If the user pays an additional 50 yen, checkout is allowed only three times. In addition, if a consideration of 50 yen is paid, copying is allowed only once for 10 days. The reproduction at the copy destination in this case does not require payment of the consideration (the consideration is 0 yen), but the number of times is limited to 10 times and the period is limited to 1 day.

  When the license server 4 receives product information as shown in FIG. 23 from the content holder server 6, the license server 4 divides the product information as shown in FIG. 24, for example.

  In the example of FIG. 24, the product information is divided into three. The first product information is for the case where the user pays a value of 350 yen, and the content is the number of reproductions and the reproduction period are infinite.

  The second product information is for the case where the user pays a value of 150 yen, and the number of playbacks is infinite, but the playback period is up to the MM month DD day of YY, and the number of checkouts is 3 The content is allowed up to once.

  The third product information has a consideration of 0 yen, its contents define the use conditions of the copy destination, the number of reproductions is 10, and the reproduction period is 1 day.

  Since the third product information is 0 yen, it is distributed along with the second product information.

  In this way, the license server 4 divides the use condition into a plurality of use conditions within the range of use conditions described in the product information permitted from the content holder server 6, and includes the divided use conditions. The usage right can be provided to the client 1.

  Next, a specific example of the product information (use condition) dividing process in step S303 in FIG. 22 will be described with reference to the flowchart in FIG.

  Note that the processing in FIG. 25 is performed when the usage conditions included in the product information provided from the content holder server 6 and stored in the storage unit 28 of the license server 4 are as shown in FIG. 26, for example. FIG. 4 shows an example of processing for dividing the usage conditions as usage conditions that allow only reproduction.

  In the example of FIG. 26, the number of reproductions is three and the number of checkouts is also three. The reproduction start date is December 1, 2001, and the end date is February 28, 2002.

  In step S <b> 321, the CPU 21 retrieves the “playback” element from the Rule part described in XML (Extensible Markup Language) of the product information received from the content holder server 6 and stored in the storage unit 28.

  Next, in step S322, the CPU 21 determines whether or not “playback” exists. If “playback” exists, the process proceeds to step S323, and the CPU 21 extracts a period from the period restriction option (timespan_id). In the example of FIG. 26, the period from December 1, 2001 to February 28, 2002 is extracted.

  Next, in step S324, the CPU 21 sets date_start (start date) and date_end (end date) of the period extracted in the process of step S323, respectively, a variable resp indicating a reproducible start date and a reep indicating a reproducible end date. Assign to.

  In step S325, the CPU 21 creates divided use conditions based on the data generated based on the processing in step S324. Thereby, for example, a use condition as shown in FIG. 27 is created.

  In the example of FIG. 27, the content can be used during the period from December 1, 2001 to February 28, 2002.

  In step S326, the CPU 21 combines the use condition created in the process of step S325 with the content condition included in the product information, the use right ID, etc., and generates a use right with an added version, expiration date, etc. The usage right is registered in the storage unit 28.

  If it is determined in step S322 that the text “playback” does not exist, the processing in steps S323 to S326 is skipped.

  Next, another example of the use condition dividing process in step S303 in FIG. 22 will be described with reference to the flowchart in FIG.

  In this example, when the usage conditions as shown in FIG. 26 are provided from the content holder server 6 to the license server 4, the usage conditions for reproduction and the usage conditions for checkout are divided into a total of two usage conditions. The example of a process in the case of producing | generating is shown.

  In steps S341 to S345, the same processing as in steps S321 to S325 of FIG. 25 is executed. Thereby, as described above, the usage right including the use condition for reproduction is divided and generated.

  If it is determined in step S342 that the element “PLAYBACK” has not been searched, the processes in steps S343 to S345 are skipped, and the process proceeds to step S346.

  Next, in step S346, the CPU 21 searches for the element “checkout” from the Rule part (FIG. 26) described in XML. In step S347, the CPU 21 determines whether or not “checkout” exists, and if it exists, the process proceeds to step S348 and reads the number of times from the Rule part of the XML. In the case of the example of FIG. 26, 3 times are read as the number of times.

  In step S349, the CPU 21 substitutes the number of times read in step S348 for a variable recc representing the maximum number of checkouts. In step S350, the CPU 21 creates divided use conditions based on the data generated in step S349. In step S <b> 351, the CPU 21 generates a usage right including the use condition created in step S <b> 345 or step S <b> 350 and executes processing for registering it in the storage unit 28.

  If it is determined in step S347 that “checkout” does not exist, the processing in steps S348 to S350 is skipped.

  In this way, the usage right including the usage condition for reproduction as shown in FIG. 29 and the usage right including the usage condition for which the number of checkouts is three are generated.

  As described above, the usage conditions provided by the license server 4 from the content holder server 6 are divided and managed, so that the client 1 can use without being burdened with handling the large usage conditions. Rights can be managed easily.

  In addition, the usage conditions included in the usage right can be upgraded. Processing in this case will be described with reference to FIG.

  That is, in the example of FIG. 30, as the usage right for the content generated by the content holder server 6, one usage right that regulates playback, checkout, and purchase of the content is generated and provided to the license server 4. To do.

  The license server 4 divides this one usage right into two usage rights: a usage right that allows only reproduction and a usage right that allows playback and checkout.

  For example, the client 1 can acquire a usage right only for reproduction by paying 10 yen. After that, the client 1 can acquire a usage right to which not only reproduction but also a check-out right is added by paying an additional 30 yen. That is, the client 1 can upgrade the usage right from the usage right only for reproduction to the usage right including reproduction and check-out.

  In this case, it is not necessary for the client 1 to manage that the usage rights are paid 10 yen and paid 30 yen. The client 1 simply needs to purchase a new usage right. In other words, from the viewpoint of the client 1, the usage right for reproduction and the usage right for reproduction and checkout may be handled as completely separate usage rights.

  The processing in this case will be further described with reference to FIGS. FIG. 31 shows an outline of the usage conditions of the product information provided by the license server 4 from the content holder server 6. In this example, when the Usage Rule ID is set to 1 and a payment of 10 yen is made, a rule that allows playback is allowed, and when payment of 20 yen is made, a rule that allows playback and checkout is allowed. Is described.

  In such a case, the license server 4 divides one usage condition shown in FIG. 31 into two usage conditions, that is, a reproduction-only usage condition and a usage condition that allows reproduction and check-out. Is generated.

  In this case, as shown in FIG. 32, when the client 1 pays 10 yen to the license server 4 in step S371 (note that detailed description is omitted, the specific charging process is This is performed by the server 5. The same applies hereinafter. In step S372, the license server 4 grants the right to use (Usage Right) for reproduction to the client 1. The process in this case is the same as the purchase process.

  Thereafter, in step S373, the client 1 transmits information for permitting further payment of 20 yen to the license server 4, and in step S374, the leaf ID of the client 1 and the ID of the usage right acquired in step S372 are obtained. When the license is transmitted to the license server 4, the license server 4 distributes the usage right including the contents of reproduction and checkout to the client 1 in step S 375. This process is an upgrade process.

  Note that the usage right ID given to the client 1 in step S372 and the usage right ID given to the client 1 in step S375 are the same. That is, this usage right ID corresponds to the usage right ID provided by the license server 4 shown in FIG.

  In other words, although divided, the two usage rights are derived from the usage conditions included in the same product information.

  FIG. 33 shows a display example when the client 1 acquires the usage right from the license server 4. In step S391, the client 1 transmits the leaf ID to the license server 4, and if the usage right has already been acquired, transmits the ID to the license server 4.

  The license server 4 transmits to the client 1 a document describing a list of rights that can be purchased and a price corresponding to the list of rights that can be purchased. When receiving this via the communication unit 29, the CPU 21 of the client 1 outputs it to the monitor of the output unit 27 and displays it.

  In the example of FIG. 33, as a right that can be purchased, a usage right of 100 yen that enables three checkouts, a usage right of 150 yen that makes an already acquired content own, and an already acquired right Three types of usage rights are displayed, a 10-yen usage right that copies the usage right to others.

  The usage right held by the client 1 changes according to the price paid by the client 1, but which state of the usage right the client 1 accessing the license server 4 has acquired now. Is managed by the license server 4. Therefore, based on the leaf ID of the client 1 and the ID of the usage right held by the client 1, the CPU 21 of the license server 4 displays a menu (contents of rights that can be purchased) corresponding to the accessed client 1. be able to.

  In the display example of FIG. 33, the message “Mr. Sato, welcome” is also displayed. Who is the user of the client 1 who has accessed is because the user name is registered when the process of registering the user is performed, so by searching the name of the user corresponding to the leaf ID from the database, It is possible to display.

  Alternatively, the name can be displayed using a cookie.

  In step S392, when the client 1 performs the procedure for purchasing the usage right according to the menu display and processes the payment of the consideration for the usage right, in step S393, the license server 4 sends the usage right corresponding to the consideration ( Usage Right) is distributed.

  Next, with reference to FIG. 34, purchase history management performed in the license server 4 will be described.

  In the example of FIG. 34, the content holder server 6 supplies one product information to the license server 4. This product information includes Usage Rules 1 that can be acquired for a price of 200 yen, Usage Rules 2 that can be acquired by paying 100 yen, Usage Rules 3 that can be acquired by paying 50 yen, and Usage Rules 2 Usage Rules 4 that can be acquired by paying 30 yen for a user who has

  When the license server 4 acquires the product information from the content holder server 6, the license server 4 divides Usage Rules 1 to Usage Rules 4. Then, the license server 4 generates and manages a record of the usage right purchase status corresponding to the Usage Rules 1 to Usage Rules 4 for each LeafID and usage right as the status table.

  That is, in this table, states having Usage Rules 1 to Usage Rules 4 are referred to as states 1 to 4, respectively, and states not having any of these are referred to as state 0.

  In this way, since the license right 4 is managed by the license server 4, the client 1 does not need to manage it. Therefore, the load on the client 1 is reduced.

  In other words, the client 1 only needs to purchase one of the Usage Rules 1 to Usage Rules 4 as appropriate.

  For example, the user of the client 1 can acquire the usage right including Usage Rules 1 by paying 200 yen, and can acquire the usage right including Usage Rules 2 by additionally paying 100 yen. it can.

  The same protocol can be used when the client 1 acquires any usage right, but the protocol to be used can be changed according to the content of the usage right. Next, an example of changing the protocol according to the usage right will be described.

  In this embodiment, as shown in FIG. 35, two types of protocols, a simple purchase protocol and a right update protocol, are prepared as a protocol for distributing usage rights from the license server 4 to the client 1. The simple purchase protocol is a protocol that does not require special authentication, and the right update protocol is a protocol that requires special authentication. That is, the right update protocol is used for communication in a more secure environment compared to the simple purchase protocol.

  In the simple purchase protocol, the usage right is simply downloaded from the license server 4 to the client 1. On the other hand, in the right update protocol, an authentication process is performed in order for the license server 4 to execute a process for updating the usage right of the client 1.

  Next, with reference to the flowchart of FIG. 36, processing in which the client 1 acquires the usage right from the license server 4 using a different protocol according to the content of the usage right will be described.

  In step S461, the CPU 21 of the client 1 accesses the license server 4. In step S <b> 412, the CPU 21 transmits information on the usage right desired by the user to the license server 4 via the communication unit 29 based on a command from the user.

  As will be described later with reference to the flowchart of FIG. 37, when the client 1 desires the right to use the subscription service, the license server 4 requests an AKE (Authentication Key Exchange) process ( Step S448 in FIG. 37). On the other hand, when the usage right to be acquired is not the usage right for the subscription service (when it is for purchase or for listening), the AKE process is not requested. Accordingly, in step S413, the CPU 21 determines whether or not the AKE process is requested from the license server 4. If the AKE process is not requested, the CPU 21 proceeds to step S414, and the leaf stored in the storage unit 28 is determined. The ID is read out and transmitted to the license server 4 via the communication unit 29.

  At this time, the license server 4 adds the digital signature corresponding to the usage right desired by the client 1 and transmits it to the client 1 (step S447 in FIG. 37). Therefore, in step S415, the CPU 21 of the client 1 receives the usage right and the digital signature transmitted from the client server 4. In step S416, the CPU 21 decrypts the digital signature received in step S415 with the public key SP of the license server 4. The public key SP of this license server is acquired in the registration process together with the leaf ID and stored in the storage unit 28 (step S53 in FIG. 6).

  In step S417, the CPU 21 determines whether or not the usage right received in step S415 matches the usage right obtained by decrypting the digital signature in step S416. If the two match, the usage right is appropriate (not tampered), and the CPU 21 stores the usage right in the storage unit 28 in step S418.

  On the other hand, if the two usage rights do not match, the right usage rights are not correct, so the process proceeds to step S426, and the CPU 21 executes error processing.

  On the other hand, if it is determined in step S413 that the AKE process has been requested, the process proceeds to step S419, and the CPU 21 executes the AKE process with the license server 4. That is, as a result, processing for securing a more secure communication path is executed, and the session key is shared.

  In step S420, the CPU 21 determines whether or not a SAC (Secure Authentication Channel) has been formed by the AKE process (whether or not a secure communication channel has been secured). If it is determined that the SAC has been formed, in step S421, the CPU 21 encrypts the leaf ID stored in the storage unit 28 with the session key secured by the AKE process, and transmits the communication ID from the communication unit 29 to the Internet 2 To the license server 4.

  In this case, the use key and the digital signature encrypted with the session key are transmitted from the license server 4 to the client 1 (step S454 in FIG. 37 described later). Therefore, in step S422, the CPU 21 of the client 1 receives the usage right and the digital signature encrypted with the session key. In step S423, the encrypted usage right is acquired by the AKE process in step S419. Decrypt with key.

  In step S424, the CPU 21 decrypts the digital signature received in the process of step S422 with the public key SP of the license server 4. In step S425, the CPU 21 determines whether or not the usage right obtained by decrypting in the process of step S423 matches the usage right obtained by decrypting in the process of step S424. If the two match, it is confirmed that the right of use is correct, and thus the process proceeds to step S418, and the CPU 21 stores the obtained right of use in the storage unit 28.

  If it is determined in step S425 that the two usage rights do not match, the obtained usage rights may not be correct (for example, they have been tampered with). Similarly to the case where it is determined that the image could not be formed, the process proceeds to step S426, and error processing is executed.

  The usage right distribution process of the license server 4 executed in response to the usage right acquisition process of the client 1 will be described with reference to the flowchart of FIG.

  In step S441, the CPU 21 of the license server 4 accepts access from the client 1. In step S442, the CPU 21 receives information regarding the usage right from the client 1. The information on the usage right is transmitted from the client 1 by the process of step S412 in FIG.

  In step S <b> 434, the CPU 21 of the license server 4 acquires the usage right information corresponding to the service desired by the client 1 from the storage unit 28.

  In step S444, the CPU 21 determines whether or not the usage right desired by the client 1 belongs to the usage right for the subscription service. If the right to use is not the right to use the subscription service (if it is for purchase or trial listening), it is not particularly necessary to communicate in a secure environment. At this time, a leaf ID is transmitted from the client 1 (step S414 in FIG. 36). Therefore, in step S445, the CPU 21 of the license server 4 receives the leaf ID transmitted from the client 1, and inserts the leaf ID into the usage right desired by the client 1.

  In step S446, the CPU 21 uses the private key of the license server 4 to create a digital signature of the usage right in which the leaf ID is inserted in the process of step S445.

  Next, in step S447, the CPU 21 transmits to the client 1 the usage right into which the leaf ID has been inserted in the process of step S445 and the digital signature created in the process of step S446.

  In this way, the transmitted usage right and digital signature are received by the client 1 in step S415 of FIG.

  On the other hand, if it is determined in step S444 that the usage right desired by the client 1 is the usage right for the subscription service (not for purchase or trial listening), it is necessary to perform communication in a more secure environment. is there. In step S448, the CPU 21 requests the client 1 to perform an AKE process, and executes the AKE process.

  In step S449, the CPU 21 determines whether or not a SAC has been formed. If the SAC has been formed, the process proceeds to step S451, and the CPU 21 adds a usage status to the usage right desired by the client 1. In step S452, the CPU 21 inserts the leaf ID into the usage right desired by the client 1, and encrypts it with the session key obtained by the AKE process in step S448.

  In step S453, the CPU 21 creates a digital signature of the usage right in which the leaf ID is inserted in the process of step S452 and encrypted with the session key, using its own private key.

  In step S454, the CPU 21 sends the usage right encrypted with the session key in the process of step S452 and the digital signature created in the process of step S453 to the client 1.

  In this way, the sent usage right and digital signature are received by the client 1 in step S422 as described above.

  If it is determined in step S449 that the SAC could not be formed, a secure communication path could not be secured, so the process proceeds to step S450 and error processing is executed.

  That is, in this case, the usage right is not distributed to the client 1.

  A user who does not want to distribute the usage right in a more secure state does not need to be provided with a function for that purpose, and thus the usage right can be distributed without imposing a burden on the user more than necessary. In addition, it is possible to distribute the usage right more safely to a user who wishes to obtain the usage right in a secure environment. As a result, the usage right is prevented from being stolen by a third party.

  As described above, the client 1 that has obtained the content and the usage right executes a process of using (for example, reproducing) the content based on the usage right.

  Next, the processing in this case will be described with reference to the flowchart of FIG.

  In step S471, the CPU 21 of the client 1 accesses the license server 4. In step S472, the CPU 21 executes AKE processing with the license server 4.

  In step S473, the CPU 21 determines whether or not a SAC has been formed. When the SAC can be formed, the license server 4 requests the use state, the leaf ID, and the content information to be transmitted (step S495 in FIG. 39 described later).

  Therefore, in step S475, the CPU 21 of the client 1 receives this request from the license server 4. This request is encrypted with the session key obtained by the AKE process in step S472. Therefore, the CPU 21 decrypts this request using the session key obtained by the AKE process in step S472.

  In step S476, based on this request, the CPU 21 encrypts the usage state, the leaf ID, and the content information corresponding to the usage right to be used from now on with the session key, and transmits it to the license server 4.

  In response to this transmission, the usage state updated from the license server 4 is encrypted with the session key and transmitted (step S498 in FIG. 39).

  Therefore, in step S477, the CPU 21 of the client 1 receives the updated usage state transmitted from the license server 4, decrypts it with the session key, and stores it in the storage unit 28. For example, if the usage right includes a usage count condition, the client 1 will play the content from now on, so the usage count is updated to a value incremented once. In step S478, the CPU 21 executes a process for reproducing the content.

  As described above, since the usage state is managed by the license server 4 instead of the client 1, the usage right is prevented from being tampered with by the client 1 and the content being prevented from being illegally used.

  Further, the license server 4 can appropriately rewrite the usage state as necessary, thereby appropriately prohibiting the use of the content to a predetermined user or providing a flexible service.

  In addition, since the usage state of the usage rights held by the client 1 can be controlled from the license server 4, the license server 4 appropriately determines the increase / decrease of the number of times of use, invalidation for each content, stop of the service itself, etc. Can be done.

  If it is determined in step S473 that the SAC could not be formed, the process proceeds to step S474 and error processing is executed.

  The processing of the license server 4 executed in response to the usage right usage processing of the client 1 will be described with reference to the flowchart of FIG.

  In step S491, the CPU 21 of the license server 4 accepts access from the client 1. In step S492, the CPU 21 executes AKE processing with the client 1. In step S493, the CPU 21 determines whether or not a SAC has been formed as a result of the AKE process.

  If the SAC can be formed, the process proceeds to step S495, and the CPU 21 requests the client 1 to transmit the usage status, the leaf ID, and the content information. This request is encrypted with the session key obtained by the AKE process in step S492 and transmitted to the client 1. As described above, this request is received by the client 1 in the process of step S475, and information corresponding to the request is transmitted from the client 1 in the process of step S476.

  Therefore, in step S496, the CPU 21 of the license server 4 receives the usage state, the leaf ID, and the content information transmitted from the client 1. Since these pieces of information are encrypted with the session key, the CPU 21 decrypts these pieces of information using the session key obtained by the AKE process in step S492.

  In step S497, the CPU 21 updates the usage state transmitted from the client 1 based on the content information. For example, when content is used from now on, the number of uses is changed to a value incremented only once. Alternatively, when the use of the content is prohibited thereafter, the CPU 21 changes the number of uses to a number that can no longer be used.

  In step S498, the CPU 21 encrypts the use state updated in the process of step S497 with the session key, and transmits it to the client 1.

  As described above, this usage state is received by the client 1 in step S477.

  If it is determined in step S493 that the SAC cannot be formed, the process proceeds to step S494, and error processing is executed.

  When describing the use conditions, if only the flags and values are described, it is necessary for the client 1 to know all the meanings of the values. This makes it difficult for the license server 4 to add the condition item.

  Conversely, if it is allowed to flexibly describe the usage conditions, it becomes difficult for the client 1 to express the usage conditions to the user.

  Therefore, by describing the content usage conditions with conditional expressions consisting only of relational expressions and logical expressions, it is not necessary for the client 1 to predetermine the format of each item, and various usage conditions can be described. Can be able to. For this reason, it is possible to describe the use conditions regardless of the implementation in the client 1.

  Further, by limiting the description of Usage Rules depending on the processing capability of the client 1, the client 1 can easily interpret the meaning of the rules. This example will be described below.

  Usage Rules prescribes usage conditions for content, and is included in the usage right (Usage Right) purchased by the user (client 1) as described above. The following can be specified by Usage Rules.

Content playback count Content expiration date Content checkout count Others

  These conditions are described in a dedicated description language, compiled into byte code, and stored in Usage Right.

  The basic description method has a format as shown in FIG. In other words, Usage Rules are described for each domain, that is, the category of content usage.

  One Usage Rule is described in a format as shown in FIG.

  One Usage Rule is a domain_id described at the top and defines a domain to which it is applied. Furthermore, various rules are defined in the following '{'... '}', Which is divided into three sections: a rule section, an invariables section, and an overhead part.

  In the rule section, a plurality of domain_rules can be described at the head of “{”... The invariables section follows the rule section and begins with the keyword 'invariables:'. The overhead part is the part following the invariables section and starts with 'over_head_part:'.

  domain_id is a name indicating a domain, and is one of the following character strings.

drm
renderer
ripper
burner
lcm_1
lcm_2
lcm_3

  The renderer domain is the usage category for content playback and display, the ripper domain is the usage category for reading CD content, the burner domain is the usage category for recording content on CD-R, and the drm domain is all Each category of usage form is represented.

domain_rule is
It is described in the form of '{'<conditionalexpression>'}'.

  Before each rule, a rule number can be specified in the following format.

  '[' <Rule number> ']' {'<conditional expression>'} '

  When specifying a rule number, it is possible to specify a plurality of numbers as follows.

[1] '{'<conditional expression # 1>'}'
[2] '{'<conditional expression # 2>'}'

  The conditional expression is obtained by performing a comparison operation on Chars Code (CC) for referring to the state variables and constants of each domain. An example of the description is as follows.

! 'ee' and! 'pp'
! 'ee' and ('cid>' pp ')

  Available operators are as shown in FIG.

  The operation priorities of the binary operators in FIG. 42 are or, and, and other operators in ascending order. All operators are left associative.

  The invariables section is a part that describes various constants, and defines values in Chars Code in the following format.

  <Chars Code> '=' <value> ';'

  When multiple invariables are defined, they are described by separating them with ',' as shown below.

  <Chars Code> '=' <value> ',' <Chars Code> '=' <value> ... ';'

  <Chars Code> has a predetermined name and meaning.

  The overhead part is a part describing a unique rule for each domain.

  In addition to being defined in the invariables section of Usage Rules, Char Code may be defined in usage rights, content, usage status, and the like.

  An example described in the above rule description language is shown in FIG.

  Note that any two or more of the above-described content server 3, license server 4, billing server 5, and content holder server 6 can be substantially integrated into one server as necessary.

  Further, in this embodiment, the key information for decrypting the encrypted content is included in the content, but the usage right includes the key information or is included in the key information and the usage right included in the content. Decryption may be possible by combining with key information.

  Clients to which the present invention is applied can be PDAs (Personal Digital Assistants), mobile phones, game terminals, etc., in addition to so-called personal computers.

  When a series of processing is executed by software, a program constituting the software executes various functions by installing a computer incorporated in dedicated hardware or various programs. For example, a general-purpose personal computer is installed from a network or a recording medium.

  As shown in FIG. 2, the recording medium is distributed to provide a program to the user separately from the main body of the apparatus, and includes a magnetic disk 41 (including a flexible disk) on which the program is recorded, an optical disk 42 ( CD-ROM (compact disk-including read-only memory), DVD (digital versatile disk)), magneto-optical disk 43 (including MD (mini-disk) (trademark)), or package media including semiconductor memory 44 In addition to being configured, it is configured by a ROM 22 on which a program is recorded and a hard disk included in the storage unit 28 provided to the user in a state of being incorporated in the apparatus main body in advance.

  In the present specification, the step of describing the program recorded on the recording medium is not limited to the processing performed in chronological order according to the described order, but is not necessarily performed in chronological order. It also includes processes that are executed individually.

  In addition, it is desirable that a program for executing a process related to security is encrypted in order to prevent the process from being analyzed. For example, for processing that performs cryptographic processing or the like, the program can be configured as a tamper resistant module.

  In the above embodiment, the content attribute and the content condition of the usage right are used to specify the usage right necessary for using the content. However, the present invention is not limited to this. For example, the content may include a usage right ID of a usage right necessary to use the content. In this case, if the content is specified, the usage right necessary to use the content is uniquely determined. There is no need to perform a process for determining the matching between the two.

It is a figure which shows the structure of the content provision system to which this invention is applied. It is a block diagram which shows the structure of the license server of FIG. 3 is a flowchart for explaining content download processing of the client in FIG. 1. It is a flowchart explaining the content provision process of the content server of FIG. It is a figure which shows the example of the format in step S26 of FIG. 2 is a flowchart for explaining content reproduction processing of the client in FIG. 1. It is a flowchart explaining the detail of the utilization right acquisition process of FIG.6 S43. It is a figure which shows the structure of a usage right. It is a flowchart explaining the use right provision process of the license server of FIG. It is a figure explaining the structure of a key. It is a figure explaining a category node. It is a figure which shows the specific example of a response | compatibility of a node and a device. It is a figure explaining the structure of an enabling key block. It is a figure explaining the structure of an enabling key block. It is a figure explaining utilization of an enabling key block. It is a figure which shows the example of a format of an enabling key block. It is a figure explaining the structure of the tag of an enabling key block. It is a figure explaining the decoding process of the content using DNK. It is a figure which shows the example of an enabling key block. It is a figure explaining assignment with respect to one device of a plurality of contents. It is a figure explaining the category of a license. It is a flowchart explaining the use right provision process of the content holder server of FIG. It is a flowchart explaining the usage right acquisition process of the license server of FIG. It is a figure which shows the example of the usage right which the content holder server of FIG. 1 provides. It is a figure which shows the example which divided | segmented the usage right of FIG. It is a flowchart which shows the example of the usage right division | segmentation process of step S303 of FIG. It is a figure which shows the example of the usage right registered in step S302 of FIG. It is a figure which shows the example of the usage right divided | segmented from the usage right of FIG. It is a flowchart which shows the other example of the usage right division | segmentation process of step S303 of FIG. It is a figure which shows the example of the usage right registered by the process of step S351 of FIG. It is a figure explaining the division | segmentation of a usage right. It is a figure which shows the example of the usage right provided to the license server from the content holder server of FIG. It is a flowchart explaining the purchase and upgrade processing of a usage right. It is a figure which shows the example of a display in the process of a usage right division | segmentation. It is a figure explaining the management of the use condition in the license server of FIG. It is a figure explaining a some protocol. It is a flowchart explaining the usage right acquisition process of the client of FIG. It is a flowchart explaining the usage right distribution process of the license server of FIG. It is a flowchart explaining the use right usage process of the client of FIG. It is a flowchart explaining the use status update process of the license server of FIG. It is a figure explaining the basic description method of Usage Rules. It is a figure which shows the example of the description format of UsageRule. It is a figure which shows the example of an operator. It is a figure which shows the example of the use conditions described in the rule description language.

Explanation of symbols

  1-1, 1-2 client, 2 Internet, 3 content server, 4 license server, 5 charging server, 6 content holder server, 20 timer, 21 CPU, 24 encryption / decryption unit, 25 codec unit, 26 input unit, 27 Output unit, 28 storage unit, 29 communication unit

Claims (8)

In an information processing apparatus that transmits a usage right that defines the usage conditions of content,
Receiving means for receiving a usage right transmission request from a client using the content;
Usage state storage means for storing a usage state corresponding to a usage right for each client;
When the usage right transmission request received by the receiving means is a subscription service usage right transmission request, control means for adding the usage state stored in the usage state storage means to the requested usage right;
An information processing apparatus comprising: a transmission unit that transmits a usage right to which the usage state is added by the control unit to the client. 2. The information processing apparatus according to claim 1, wherein the control unit requests an AKE (Authentication Key Exchange) process from the client when the right to use a subscription service is requested. The receiving means receives a usage state corresponding to a usage right used by the client, identification information of the client, and content information from the client,
The control means updates the use state stored in the use state storage means based on the use state corresponding to the use right based on the received content information and identification information of the client,
The information processing apparatus according to claim 1, wherein the usage state storage unit stores the updated usage state. The information processing apparatus according to claim 3, wherein the reception unit receives a usage state every time processing for using the content is executed by the client from the client. The information processing apparatus according to claim 3, wherein the transmission unit transmits the usage state updated by the control unit to the client. In an information processing method for transmitting a usage right that stipulates the usage conditions of content,
A receiving step of receiving a usage right transmission request from a client using the content;
A use state storage step for storing a use state corresponding to a usage right for each client;
A control step of adding the usage state stored in the processing of the usage state storage step to the requested usage right when the usage right transmission request received by the processing of the reception step is a transmission request for the usage right of the subscription service When,
A transmission step of transmitting a usage right to which the usage state is added by the processing of the control step to the client. To a computer that controls an information processing device that transmits a usage right that defines the usage conditions of content,
A receiving step of receiving a usage right transmission request from a client using the content;
A use state storage step for storing a use state corresponding to a usage right for each client;
A control step of adding the usage state stored in the processing of the usage state storage step to the requested usage right when the usage right transmission request received by the processing of the reception step is a transmission request for the usage right of the subscription service When,
And a transmission step of transmitting a usage right to which the usage state is added by the processing of the control step to the client. A program for an information processing apparatus that distributes usage rights that define usage conditions of content,
A receiving step of receiving a usage right transmission request from a client using the content;
A use state storage step for storing a use state corresponding to a usage right for each client;
A control step of adding the usage state stored in the processing of the usage state storage step to the requested usage right when the usage right transmission request received by the processing of the reception step is a transmission request for the usage right of the subscription service When,
A program storage medium storing a computer-readable program, comprising: a transmission step of transmitting, to the client, a usage right to which a usage state is added by the process of the control step.

Images