JP4417287B2 - Key management server - Google Patents

Description

  The present invention relates to a key management server that manages a shared key for encrypting content using a tree structure.

  In recent years, high-speed Internet environments and large-capacity media are rapidly spreading. Accordingly, services for distributing digital contents such as movies, music, and software via the Internet are spreading.

  By the way, copyright protection becomes a big problem in these services. Copying digital content is easy and does not cause degradation. For this reason, illegal contents can be widely distributed by illegal copying. For this reason, in order to prevent unauthorized copying and to promote proper use by users, there is a method for encrypting contents at the time of distribution so that only authorized users can use the contents.

With regard to such technology, specifically, many methods for sharing and managing a shared key for encrypting content using a key having a tree structure have been conventionally proposed (for example, Patent Document 1, Non-Patent Document). References 1, 2, 3, 4).
JP 2001-186119 A Mike Burmester and Yvo Desmedt. Assured and effective conference key distribution system (extended abstract). In EUROCRYPT, pages 275-286, 1994. Daisuke Inoue and Masahiro Kuroda. Fdlkh: Fully decentralized key managment scheme on logical key hierarchy. In Proc. of 2nd International Conference on Applied Cryptography and Network Security (LNCS 3089), pages pp. 339-354, 2004. Hyungkyu Yang Junghyun Nam, Seungjoo Kim and Dongho Won. Secure group communica-ions over combined wires / wired / wireless networks. Cryptology ePrint Archive, Report 2004/260, 2004. http: // eprint. iacr. org /. Chung Kei Wong, Mohamed G. Gooda S, Lam. Secure group communications using key graphs. In Proc. of the ACM SIGCOMM '98 conference on Applications, tech-logologies, architectures, and protocols for computer communication, pages 68-79, 1998.

Conventionally, in accordance with the techniques disclosed in Patent Document 1 and Non-Patent Documents 1 to 4 above, devised a shared key design method having a tree structure, a shared key generation method, or a load sharing method between users, The key update has been made more efficient.
However, in these methods, it is necessary to update the shared key every time a user newly joins or unsubscribes. This means that in a service with many users, users who want to join or leave frequently occur, so it is not practical to apply these methods to a service with a large scale.

  To deal with these problems, a method of managing a plurality of users as a group and updating the key is conceivable. However, in the key management method for grouping a plurality of users, the order of the key management tree or the group If the number of people, the group dismantling threshold value, etc. are not appropriately determined, there is a problem that the load on the server increases.

  Therefore, the present invention has been made in view of the above circumstances, and a user who has joined a service wants to immediately obtain a shared key, and a shared key held by a user who has unsubscribed from the service will eventually be unusable. Keys that can reduce the burden on the user, increase convenience, and reduce the load on the server by appropriately determining the order of the key management tree, the number of groups, the threshold for group dismantling, etc. An object is to provide a management server.

In order to solve the above-described problems, the present invention is a shared key that is connected to a content distribution server that distributes content via a network and a user terminal that uses the content, and that encrypts the content using a tree structure. A key management server that manages N users by grouping log N users by log ₄ and assigning the remaining users to groups independent of the respective groups; Generating a group key shared by all users belonging to the group and a shared key having a quaternary tree structure shared among all the groups having the group key, and using the same for each user terminal Encrypted with the personal key of the user and distributed based on the user's request for membership or unsubscription received via the user terminal. Collectively each group to update the shared key, characterized in that the shared key that is the update and a key update processor for providing to the content distribution server.

  In addition, the present invention provides the next time when the key update processing unit receives a withdrawal request via the user terminal and the number of members of the group to which the user to be removed belongs is equal to or less than m−1. Flag information indicating that the group is to be dismantled is enabled when the shared key is updated.

  According to the present invention, by appropriately determining the degree of the key management tree, the number of groups, the threshold for group dismantling, etc., it is possible to reduce the burden on the user, improve convenience, and reduce the load on the server. effective.

FIG. 1 is a diagram cited for explaining a network connection form of a key distribution system in which a key management server according to an embodiment of the present invention is used.
In FIG. 1, a key distribution server 1, a content distribution server 2, and a user terminal 3 are all connected to a network 4 such as an IP network.

As will be described later, the key distribution server 1 groups N users in groups of m, and groups N / m groups and the remaining N mod m users in groups independent of the respective groups. To belong to. Further, for each group, a group key shared by all users belonging to the group and a shared key having the tree structure shared between all groups having the group key are generated, and the user terminal 3 is Encrypt and distribute with each user's personal key, and update the shared key in batches for each group based on the user's new enrollment or withdrawal request received via the user terminal 3 And has the role of providing the updated shared key to the content distribution server 2.
In addition, the content distribution server 2 encrypts content using a shared key shared by users belonging to all groups and a group key of a group to which newly joined users belong, and belongs to each group. It has a role of delivering to the user terminal 3 of the user.

FIG. 2 is a block diagram showing the internal configuration of the key management server according to the embodiment of the present invention.
The key management server 1 according to the embodiment of the present invention includes a key update processing unit 10 and a group configuration unit 11. The group configuration unit 11 groups N users by m, and assigns N / m groups and the remaining N mod m users to groups independent of the respective groups. In addition, the key update processing unit 10 includes the group key shared by all the users having the group key and the group key shared by all the users belonging to the group for each group configured by the group configuration unit 11. A shared key is generated and distributed to the user terminal 3 with each user's personal key encrypted, and based on a user's new membership or unsubscription request received via the user terminal 3, The shared key is updated collectively for each group, and the updated shared key is provided to the content distribution server 2

  The key update processing unit 10 further includes a group key creation unit 12, an encryption processing unit 13, a key management tree configuration unit 14, a shared key distribution unit 15, a user request reception unit 16, and a group key update unit. 17, a group disassembly flag 18, a group management unit 19, a group disassembly processing unit 20, and a group reconfiguration unit 21.

Here, when the user request receiving unit 16 receives the user's membership request via the user terminal 3, the user request receiving unit 16 causes the user to belong to an independent new group, and activates the group key updating unit 17, The group key update unit 17 updates the corresponding group key and supplies it to the group key creation unit 12.
At this time, the encryption processing unit 13 encrypts and distributes the updated group key to the user terminals 3 of all users belonging to the independent group, and also distributes the updated group key to the user terminals 3 of the existing users. Then, the shared key encrypted with the pre-update group key is distributed, and the shared key encrypted with the user's personal key is distributed to the user terminal 3 of the newly joined user.

The user request receiving unit 16 also receives the withdrawal request via the user terminal 3, and when the number of members of the group to which the user to be withdrawn falls below a threshold, the next shared key update The flag information (group disassembly flag 18) that means dismantling the group is validated.
The group disassembly processing unit 20 refers to the group disassembly flag 18 when the group management unit 19 is notified that the number of users belonging to the new group has become m, and the group disassembly flag 18 becomes effective. It has the function of dismantling the group that is present and discarding the group key of the dismantled group.

The group reconfiguration unit 21 controls the group configuration unit 12 to reconfigure the group of m users from the users who belonged to the group dismantled by the group disassembly processing unit 20, and add the remaining users to new groups. It belongs to a group, and the group key creation unit 12 is controlled to generate a new group key for the group, and is encrypted with each user's personal key via the encryption processing unit 13. Distributed to the user terminal 3.
Note that the key management tree construction unit 14 places a new group key preferentially at the node where the group key disassembled by the group disassembly processing unit 20 is arranged, and if there is no such dismantled group, the key management tree construction unit 14 A new node is added to the management tree, and a new group key is placed at the contact point. The shared key distribution unit 15 updates all the shared keys positioned above the newly arranged group key, encrypts all the updated shared keys via the encryption processing unit 13, and Distribute to user terminals 3 of users belonging to the group.

  Next, in the key management method for grouping users as described above, from the viewpoint of reducing the processing load on the key management server and the load on the user, the optimum number of groups m, key management for user N A method for optimizing the tree order d and the threshold t of group members in the case of dismantling the group will be described.

  In order to optimize the above parameters, the server load and the user load are first formulated and evaluated. Here, assuming that an average of one user per unit time participates and an average of one user leaves, the server load S is the average number of messages issued by the server per unit time, the user load. Is evaluated as the maximum number of messages a user will receive per unit time. However, a message is an encrypted key that the server distributes to users.

In the evaluation, first, an interval of the key update process is obtained. The key update process is executed when there are m participants who belong to the group G _new of new participants. Immediately after the key update process is performed, the average number of users belonging to G _new is m / 2, and hence the average interval of the key update process is m / 2 unit time.

  Next, the server sends a message to the user during 1) user participation processing, 2) user withdrawal processing, 3) group reconstruction, and 4) shared key redistribution. Therefore, these processes are evaluated.

<User participation process>
In this case, the server distributes the new key encrypted to the existing user with the old key, and distributes the new key encrypted to the new participant with the private key of the new participant. That is, regarding this processing, the server issues an average of two types of messages per unit time. Further, a user belonging to G _new receives one message per unit time.

<User withdrawal processing>
When the user withdraws from the group G _new to which the new participant belongs, the server updates the secret key, and encrypts and distributes it with the individual key of each remaining user. Here, since the probability that the user leaves the group _Gnew per unit time is m / N, the server issues m ² / N types of messages per unit time. Further, a user belonging to G _new receives one message per unit time.

<Rebuilding the group>
The number of groups disassembled per unit time is 1 / (mlog (m / t)). This can be proved by the following. That is, if the distribution probability of a group of i users in the steady state is p _i , the probability that the number of users in the unit time decreases is i / N. However, t + 1 ≦ i ≦ m.

When the number of groups becomes t or less, the group is dismantled and a new group of m people is generated. For this reason, the distribution probability p _i of a group of i users in a steady state is expressed as follows. In addition, with respect to p _i , since the relationship of Equation 2 is established, p _i can be obtained as shown in Equation 3.

Here, the total number of groups is N / m, and the probability that a group is dismantled per unit time is p _{t + 1} · (t + 1) / N. Therefore, the number of groups disassembled per unit time is It becomes like number 4.

  A new group key is encrypted with each personal key and distributed to users of the dismantled group. For this reason, the server issues 1 / log (m / t) messages per unit time. In addition, since the user of the dismantled group receives one key for the new group, the user receives 2 / m messages per unit time.

<Redistribution of shared key>
When this method is used, the height of the key management tree is as follows. In this process, the server encrypts the updated shared key with the shared key or group key at the position of the key child and distributes it to the user. Here, since the number of newly arranged groups is m / 2, the server needs to distribute the message of the type shown in Equation 6. Also, since the key update process is performed every m / 2 unit time, the server issues a message of the type shown in Equation 7 on average per unit time for this process. Furthermore, since the user receives the message shown in Formula 5 at the maximum, when this is converted into unit time, the number of received messages is as shown in Formula 8. From these, the load on the server is the sum of the number of messages issued by the server in each process, and therefore, the following equation 9 is obtained.

Next, the user's load is obtained. Here, the group G _new of the new participant is not disassembled in the next key update process. Therefore, the larger of the sum of the number of messages received in the user participation process and the withdrawal process of the user and the sum of the number of messages received in the group reconstruction and the shared key redistribution is larger per user time. The maximum number of messages received by. That is, the maximum number of messages received by the user per unit time is as shown in Expression 10.

  Next, a method for optimizing the three parameters of the number m of groups, the degree d of the key management tree, and the threshold t of group members when dismantling the group will be described based on the above contents.

<Optimization of threshold t of group members when dismantling a group>
Load S _N threshold t and server group configuration personnel when dismantling the group _(m, d, t) and the load S _N servers The smaller the t _(m, d, t) have the relationship to decrease . On the other hand, when t is reduced, the period Δ during which the user who withdrew from the service can obtain the shared key is expressed by Equation 11.

In other words, the group of i people, when the period until the i-1 person and _{X i} unit time, since _{X i} is according to the geometric distribution Ge (i / N), E [X i] is, E _{[X i} ] = N / i. Further, since the group is dismantled when the number of group members becomes t, X is expressed as Equation 12 when the group update interval is set to X unit time. From these, E [X] is as shown in Equation 13.

  Next, considering the period in which the user who withdrew from the group first can obtain the shared key, the user who withdrew from the group can obtain the shared key updated by the key renewal process until the group wants to buy it. Since the time at which the user withdraws from N / m to Nlog (m / m−1), the period Δ during which the user who withdrew from the service can obtain the shared key is expressed by the following equation (14).

  When the threshold value t is m−1, Δ = 0. However, when the threshold value t is t <m−1, the relationship is expressed by Equation 15. When N is large, Δ is extremely large. For this reason, the threshold t is most optimally set to t = m-1.

<Optimization of group size>
As shown in Equation 9, the load on the server increases with m. On the other hand, as shown in Equation 10, the user's load decreases as m increases, but does not become smaller than 2. That is, if the minimum m at which the load on the user is 2 is selected, the load on the user is minimized and the burden on the server is not increased. Here, in order for the user's load to be 2, it is necessary to have a relationship as shown in Expression 16, that is, Expression 17. That is, the minimum natural number that satisfies the relationship of Equation 17 is the optimum value of m.

Here, when the minimum natural number satisfying Expression 17 is obtained, f (x) = xd ^X−1 is monotonically increasing when x> 1. In other words, Equation 18 holds for the minimum x = m where f (x) ≧ N. Here, when the logarithm with d as the base is taken for both sides and divided by m, Equation 19 is obtained. Here, when m is set to infinity, both the right side and the left side are close to 1, and therefore, according to the scissors theorem, Equation 20 is obtained. From this, the optimal number m of groups is as shown in Equation 21.

<Optimization of the degree of the key management tree>
Substituting the optimum threshold value t for the group members in the case of disassembling the previously obtained group, that is, t = m−1 and the optimum number of groups m = log _d N into Equation 9, as shown in Equation 22. Become. Differentiating both sides of Equation 22 by d yields Equation 23. If S ′ = 0, Expression 24 is obtained.
Here, d = α satisfying Expression 24 is 3 <α <4, and from S (N, 4) <S (N, 3), the optimum degree d of the key management tree is d = 4.

With reference to the optimized values, calculating the server load _{S N} and the user loading _{U N, S N = 5log 4} N, the _U N = 2. On the other hand, for example, the server load S _N and the user load U _N according to the method shown in Non-Patent Document 1 described above are S _N = N and U _N = 2. been server load _{S N} and load _{U N} of the user by a _method, a _{S N = 7log 5 N, U} N = log 5 N. From these, it can be seen that the method according to the present embodiment is a method for reducing the load on the server and the user as compared with the conventional method.

  As described above, according to the present embodiment, in the key distribution method for grouping users, various parameters (number of groups, order of key management, threshold) for a given number of users N are optimized. And the load on the user can be reduced.

  As described above, the embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes a design and the like within a scope not departing from the gist of the present invention. .

It is the figure quoted in order to demonstrate the network connection form of the key distribution system concerning embodiment of this invention concerning embodiment of this invention. It is the block diagram which showed the internal structure of the key management server concerning embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Key management server, 2 ... Content delivery server, 3 ... User terminal, 4 ... Network, 10 ... Key update process part, 11 ... Group structure part, 12 ... Group key creation part, 13 ... Encryption process part, 14 DESCRIPTION OF SYMBOLS ... Key management tree structure part, 15 ... Shared key distribution part, 16 ... User request | requirement reception part, 17 ... Group key update part, 18 ... Group demolition flag, 19 ... Group management part, 20 ... Group demolition process part, 21 ... Group restructuring department

Claims (2)

A key management server that is connected to a content distribution server that distributes content via a network and a user terminal that uses the content, and that manages a shared key for encrypting content using a tree structure,
A group configuration unit that groups N users by log ₄ N people (however, the decimal part of log ₄ N is rounded down) , and the remaining users belong to a group independent of the respective groups;
For each group, a group key shared by all users belonging to the group and a shared key having a quaternary tree structure shared among all the groups having the group key are generated, and the user terminal The shared key is encrypted and distributed with each user's personal key, and the shared key is updated in batches for each group based on the user's membership request or membership cancellation request received via the user terminal. A key update processing unit for providing the updated shared key to the content distribution server;
A key management server comprising: The key update processing unit
When the member of the group to which the user to be withdrawn belongs becomes m-1 or less when receiving the withdrawal request via the user terminal, the group is to be disassembled at the next shared key update. The key management server according to claim 1, wherein the meaning flag information is validated.

Images