WO2009074941A1 - Device keys for nnl encryption of software update applications - Google Patents

Info

Publication number
WO2009074941A1
Authority
WO
WIPO (PCT)
Prior art keywords
information processing
key
message data
encrypted
node
Application number
PCT/IB2008/055138
Other languages
French (fr)
Inventor
Wilhelmus P. A. J. Michiels
Clemens C. Wust
Wilhelmus F. J. Fontijn
Paulus M. H. M. A. Gorissen
Norbert C. Esser
Original Assignee
Koninklijke Philips Electronics N.V.

Classifications

    • G PHYSICS
      • G11 INFORMATION STORAGE
        • G11B INFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
          • G11B20/00 Signal processing not specific to the method of recording or reproducing; Circuits therefor
            • G11B20/00086 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
              • G11B20/0021 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier
                • G11B20/00217 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source
                  • G11B20/00246 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source wherein the key is obtained from a local device, e.g. device key initially stored by the player or by the recorder
                  • G11B20/00253 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source wherein the key is stored on the record carrier
                    • G11B20/00369 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier the cryptographic key used for encryption and/or decryption of contents recorded on or reproduced from the record carrier being read from a specific source wherein the key is stored on the record carrier wherein a first key, which is usually stored on a hidden channel, e.g. in the lead-in of a BD-R, unlocks a key locker containing a second
                • G11B20/00485 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier
                  • G11B20/00492 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier wherein content or user data is encrypted
                    • G11B20/00514 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy involving encryption or decryption of contents recorded on or reproduced from a record carrier characterised by a specific kind of data which is encrypted and recorded on and/or reproduced from the record carrier wherein content or user data is encrypted wherein the entire content is encrypted with the same key, e.g. disc key or master key
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
                  • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
                    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
                      • H04L9/0836 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
              • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Definitions

  • The present invention relates in general to methods and systems for information processing and in particular to the usage of power set graphs in revocation schemes.
  • Distribution of digital data from, for instance, a central unit to various decentralized receivers can be performed in a variety of ways.
  • The encrypted messages may comprise any form of digital data such as text data, audio data, video data or a computer program.
  • A message can be sent for example by means of a broadcast network, a computer network or an exchangeable storage medium, such as a CD or DVD.
  • A message from the central unit may be comprised of two parts, one revocation part and one data part.
  • The revocation part may comprise multiple copies of a key K, where each copy of K is encrypted with a different key.
  • The data part, which comprises the actual message to distribute, is encrypted with key K.
  • Each receiver of the message is assumed to store a particular set of keys.
  • If a receiver has a key that can be used to decrypt one of the encrypted copies of K in the revocation part of a message, then using key K the receiver can also decrypt the data part.
  • The keys that are stored in a receiver are linked to a hierarchical structure.
  • In EP 1 187 390 B1 a revocation scheme is disclosed wherein the keys correspond to nodes in a binary tree.
  • The end nodes in the crown of the tree correspond to the individual receivers, and each other node in the tree corresponds to the set of all receivers that can be reached from the node by only taking edges in the direction towards the individual receivers.
  • Each receiver stores a key set comprising all keys on the path from its own node to the root node, where the root node corresponds to all receivers.
  • In such a tree the non-revoked receivers can only be covered by complete subtrees, so the revocation messages that comprise copies of key K encrypted with different keys may need to comprise a relatively large number of copies of K.
  • An object of the present invention is to provide an improved way to revoke receivers of messages within a group of receivers.
  • an information processing device in an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, the device comprising a storing unit arranged to store a key set comprising an end node key unique to said device, and keys of any intermediate nodes between the end node and a top node along all shortest paths, and a processing unit arranged to decrypt by using the stored key set, encrypted message data, such that the information processing device can make use of the message data.
  • an information processing method for use in an information processing device of an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, said method comprising receiving encrypted message data, and conditionally decrypting the message data by using a key set stored in the device.
  • an information processing method for processing data in relation to a group of information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, each device corresponding to an end node, there being stored in each device a key set comprising a key unique to that device, and node keys of any nodes in shortest paths between the end node of that device and the top node, comprising the steps of encrypting message data, and distributing the encrypted message data to information processing devices, such that the encrypted message data is conditionally decryptable by information processing devices.
  • an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, each device having storing means for storing a key set comprising a key unique to that device, and node keys of any nodes in shortest paths between the end node of that device and the top node, and processing means arranged to decrypt using said key set, encrypted data distributed to said device, and message distributing means arranged to encrypt message data by using an enabling key, to encrypt the enabling key by using different node keys, and to distribute the encrypted message data and the encrypted enabling keys to information processing devices, such that the encrypted message data can be decrypted by information processing devices that are able to decrypt the enabling key.
  • Figs. 1A, 1B and 1C are presentations of power set graphs P_2, P_3 and P_4, respectively;
  • Fig. 2 is an illustration of a power set graph P_4;
  • Fig. 3 is an illustration of a connected graph;
  • Fig. 4 is a schematic illustration of an information processing device according to some embodiments;
  • Figs. 5 and 6 illustrate flowcharts of methods according to some embodiments.
  • ESP: Edutainment Sensor Platform.
  • Applications can be specified in ESPranto, an in-house programming language, on a response sheet.
  • A compiler may compile the response sheet into binary code that runs on an interpreter, where input data are translated into output data consistent with the application itself and with the application flow of the application.
  • The ESP features multiple input options, such as motion sensors, table top positioning and RFID detection, and multiple output options, for example audio, LEDs and amBX.
  • For a specific application, the specific set of input data and output data that this application requires is selected out of these options.
  • MahToy is a storytelling application that can use motion sensors to detect manipulation of story objects, for instance farm animals. These manipulations may be translated into cues that can steer the story and select, for example, which audio to play.
  • The tangible interaction console (TIC).
  • The TIC is a programmable tangible user interface, which can receive a variety of inputs from sensing motion, detection of hot spots and 2-dimensional localization of objects.
  • The TIC may trigger a variety of output options comprising audio, LED arrays and amBX. The exact output to be triggered by the input as received may be specified by the users themselves.
  • A description of the desired event can be created by a user on a PC using a special development tool that is based on the ESPranto language.
  • A key feature of product realizations that are based on the ESP is that they are extendable. New objects can be added, new stories can be loaded, new games may be loaded, and new output terminals can be added, to mention a few options. Whereas the ESP platform explicitly allows for the addition of items such as objects, stories, games, and the connection of terminals through output options, also by third parties, the owner of any realization of the platform may need to be able to control which items are actually added and used.
  • Power set graph
  • A power set of a set S of n elements is the set of all 2^n subsets of S, including the empty set ∅ and the full set S itself.
  • The power set of the set {a, b, c} is given by {∅, {a}, {b}, {c}, {a, b}, {a, c}, {b, c}, {a, b, c}}.
  • The power set graph P_n is defined for a set of n ≥ 2 elements {e_1, ..., e_n}.
  • The graph comprises 2^n - 1 nodes, one node for each subset of {e_1, ..., e_n}, except for the empty set.
  • The 2^n - 1 nodes are divided into n layers 1, ..., n.
  • Layer i, for which 1 ≤ i ≤ n, comprises the subsets of i elements.
  • The power set graph P_n may be denoted a power set graph of the nth order.
  • Figures 1A, 1B and 1C present power set graphs P_2, P_3 and P_4, respectively, and illustrate the various layers formed by the comprised nodes.
  • For a set of n receivers {r_1, ..., r_n}, the power set graph P_n can be used.
  • A key can be assigned to each node, except to the root node, which corresponds to the full set {r_1, ..., r_n}.
  • Each receiver r_i stores the keys that can be found on the shortest paths from node {r_i} at layer 1 to node {r_1, ..., r_n} at layer n. It can be noted that the shortest paths all have a length of n - 1 edges.
  • For example, receiver r_2 stores the keys for nodes {r_2}, {r_1, r_2}, {r_2, r_3}, {r_2, r_4}, {r_1, r_2, r_3}, {r_1, r_2, r_4} and {r_2, r_3, r_4}, as indicated in figure 2.
  • Revocation of receivers may be performed as explained below.
  • Key K may be encrypted with the key for the node that corresponds to all receivers that are not revoked. For example, in figure 2, if only receiver r_4 is to be revoked, then key K should be encrypted with the key for node {r_1, r_2, r_3}.
  • A connected graph G comprising different levels of power set graphs is used to define a revocation scheme.
  • A key is assigned to each node of each power set graph, except to the top node.
  • The highest level, called the top level, comprises a single power set graph, the so-called top-level power set graph.
  • A power set graph P_n at level k can be connected to zero up to n power set graphs at level k - 1.
  • To connect a power set graph P at level k to a power set graph P' at level k - 1, a free end node of P is merged with the top node of P'.
  • The merged node inherits the key that corresponds to the end node of P.
  • The free end nodes of the different power set graphs are associated with individual receivers.
  • Any other node in G is associated with the set of all receivers that may be reached from the node by only using edges in the direction towards the individual receivers.
  • Figure 3 shows one example of a graph G that is built up of four power set graphs P_3.
  • The connected graph G need not be balanced and it does not have to be built of homogeneous power set graphs.
  • Each receiver r_i stores the keys that can be found on all shortest paths from node {r_i} to the top node of the top-level power set graph. It can be noted that a receiver has to store 2^(n-1) - 1 keys for each power set graph P_n on the shortest paths. For example, in figure 3, the collection of all shortest paths from node {r_7} to node {r_1, ..., r_9} is depicted in bold. These shortest paths pass through two power set graphs P_3.
  • Revocation of receivers can be performed by encrypting key K several times, using a set of keys that together correspond to the group of receivers that are not revoked.
  • For example, in figure 3, receivers r_2 and r_5 can be revoked by encrypting key K three times, using the keys for nodes {r_1, r_3}, {r_4, r_6} and {r_7, r_8, r_9}.
  • Power set graphs have thus been presented together with the application of these graphs in revocation schemes.
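The key assignment and cover computation described above, as an added Python example that is not code from the patent: the key set of a receiver in P_n, the single-node cover within one P_n, the multi-node cover in a two-level connected graph shaped like figure 3, and, for the comparison with the binary-tree scheme of EP 1 187 390 B1 that this page makes, the complete-subtree cover of a binary tree. A node key is represented by its node label (the receiver set the node stands for); how real key bytes are generated, and how the zero-revocation case is handled (the page gives the top node no key), are assumptions of this example.

```python
"""Power set graph revocation as the page describes it (NNL-style key cover).

Added example, not the patent's own code. A node key is represented by its node
label, the receiver set the node stands for; the zero-revocation case, which the
page leaves open because the top node carries no key, is covered with two keyed
nodes here (an assumption of this example).
"""
from itertools import combinations


def power_set_nodes(elements) -> list:
    """The 2^n - 1 non-empty subsets of `elements`: the nodes of P_n."""
    elems = sorted(elements)
    return [frozenset(c) for k in range(1, len(elems) + 1)
            for c in combinations(elems, k)]


def receiver_nodes(elements, receiver) -> set:
    """Nodes on every shortest path from {receiver} up to, but excluding, the top
    node: all proper subsets containing the receiver, 2^(n-1) - 1 of them."""
    full = frozenset(elements)
    return {s for s in power_set_nodes(elements) if receiver in s and s != full}


def cover_single(elements, revoked) -> list:
    """Nodes under whose keys K is encrypted so that exactly the non-revoked
    receivers of one P_n can recover it: one node, unless nothing is revoked."""
    full = frozenset(elements)
    keep = full - frozenset(revoked)
    if not keep:
        return []
    if keep != full:
        return [keep]
    first = min(full)        # top node has no key (page): split into two keyed nodes
    return [full - {first}, frozenset({first})]


class ConnectedGraph:
    """Two-level graph G as in figure 3: a top-level P_m whose free end nodes are
    merged with the top nodes of m lower-level power set graphs. A merged node
    inherits the top-level end node key, labelled here by the group's full set."""

    def __init__(self, groups):
        self.groups = [frozenset(g) for g in groups]
        self.all = frozenset().union(*self.groups)

    def _top_label(self, top_subset) -> frozenset:
        return frozenset().union(*(self.groups[i] for i in top_subset))

    def receiver_nodes(self, receiver) -> set:
        """Nodes on all shortest paths from {receiver} to the top node of G."""
        gi = next(i for i, g in enumerate(self.groups) if receiver in g)
        lower = receiver_nodes(self.groups[gi], receiver)
        upper = {self._top_label(s)
                 for s in receiver_nodes(range(len(self.groups)), gi)}
        return lower | upper

    def cover(self, revoked) -> list:
        """Each partially revoked group gets its survivor node; all fully intact
        groups are covered together by one top-level node."""
        revoked, m = frozenset(revoked), len(self.groups)
        cover, broken = [], set()
        for i, g in enumerate(self.groups):
            if g & revoked:
                broken.add(i)
                cover += cover_single(g, revoked & g)
        if len(broken) < m:
            cover += [self._top_label(s) for s in cover_single(range(m), broken)]
        return cover


def can_recover(stored: set, cover) -> bool:
    """A receiver recovers K iff it stores the key of some node in the cover."""
    return any(c in stored for c in cover)


def binary_tree_cover(num_leaves: int, revoked_leaves) -> list:
    """For comparison: complete-subtree cover in the binary-tree scheme the page
    contrasts with (each receiver holds the keys on its root path). Heap indexing:
    root 1, leaves num_leaves .. 2*num_leaves-1; num_leaves is a power of two."""
    steiner = set()
    for leaf in revoked_leaves:
        node = num_leaves + leaf
        while node >= 1:
            steiner.add(node)
            node //= 2
    if not steiner:
        return [1]
    return [v for v in range(2, 2 * num_leaves)
            if v not in steiner and v // 2 in steiner]


if __name__ == "__main__":
    G = ConnectedGraph([["r1", "r2", "r3"], ["r4", "r5", "r6"], ["r7", "r8", "r9"]])
    print([sorted(c) for c in G.cover({"r2", "r5"})])   # figure 3: three copies of K
    print(len(G.receiver_nodes("r7")), "node keys stored by r7")
    print(len(binary_tree_cover(8, {7})), "copies in a binary tree of 8 with 1 revoked")
```

Revoking one of eight receivers costs three copies of K in the binary tree but one in P_8; the price is storage, since a receiver of P_n holds 2^(n-1) - 1 keys per graph on its paths instead of one key per tree level, which is why the page composes small graphs such as P_3 into a connected graph rather than using one large P_n.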
  • The information processing devices are preferably organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, wherein each information processing device corresponds to an end node.
  • An information processing device 40 may comprise a storing unit 42, a processing unit 44, an input/output unit 46 and a control unit 48.
  • The storing unit 42 is arranged to store a key set comprising an end node key unique to said information processing device, and keys of any intermediate nodes between the end node and a top node along shortest paths.
  • The processing unit 44 is arranged to decrypt an encrypted enabling key by using the stored key set.
  • The processing unit 44 is further arranged to decrypt encrypted message data, received by the input/output unit 46, wherein the encrypted message data is decrypted by using the enabling key.
  • The information processing device 40 can thus make use of the encrypted message data as received by the input/output unit 46.
  • Alternatively, the processing unit 44, which may be realized by a decrypting unit, is arranged to decrypt the message data directly by using the key set stored in the storing unit 42.
  • In that case the message data is preferably encrypted by using one or more keys selected to enable revocation of compromised information processing devices, such as TICs. Since multiple copies of the encrypted message data then need to be distributed, each copy being encrypted with a different key, this direct encryption method is preferably used for relatively small groups of information processing devices.
  • Since each power set graph comprises all possible sub-groups, it is enough to encrypt the data by using the key(s) of the particular sub-group(s) that comprise the device(s) that are not to be revoked.
  • The encrypted enabling key K may be labeled with {..., r_i, ...}, where the device r_i is not to be revoked, wherein the set label indicates which node key the enabling key K is encrypted with.
  • Alternatively, the keys with which the enabling key K is encrypted may not be labeled.
  • In that case the decrypted data may start with a known sentence, for instance the sentence "the used key is a valid key".
  • The device may then receive an indication that the chosen key to decrypt the enabling key K was the correct one, by finding that the decrypted message data starts with a known passage such as "the used key is a valid key".
  • The information processing devices that are not compromised need a method to process new data.
  • An information processing method will thus be presented for use in an information processing device of an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node.
  • This method may comprise the step of "receiving encrypted message data", step 52, which step may be performed by the input/output unit 46 of the information processing device 40. Having received encrypted message data, the step of "receiving multiple copies of an enabling key, wherein each copy is encrypted with different node keys" is performed in step 54. This step may also be performed by the input/output unit 46 of the information processing device 40, according to some embodiments.
  • In step 56 the step of "decrypting the enabling key by using a key set of stored node keys" in the storing unit 42 may now be performed by the processing unit 44 of the information processing device. Having obtained a decrypted enabling key K, the step of "conditionally decrypting the message data by using the decrypted enabling key" may now be performed in step 58. This step may be performed by the processing unit 44 of the information processing device 40.
  • The non-compromised information processing devices will thus be able to decrypt encrypted data messages. An information processing method is also presented for processing data in relation to a group of information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, each device corresponding to an end node, there being stored in each device a key set comprising a key unique to that device, and node keys of any nodes in a shortest path between the end node of that device and the top node.
  • This method may comprise the step of "encrypting message data by using an enabling key K", step 62.
  • This step may be performed by an encryption unit of a system for processing data.
  • Next, the step of "encrypting the enabling key by using different node keys" may be performed, in step 64.
  • This step can be executed by the encryption unit above.
  • Then the step of "providing the encrypted message data and the encrypted enabling keys for distribution to information processing devices" is performed in step 66.
  • The encrypted message data can thus be made available to information processing devices such that the data are decryptable by those information processing devices that are able to decrypt the enabling key.
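The two-part message, sender steps 62 to 66 and receiver steps 52 to 58, as an added Python example that is not code from the patent. It covers both the labelled copies of the enabling key and the unlabelled copies with the known-prefix check described above. The page names no cipher, so the HMAC-SHA256 XOR keystream, the 32-byte keys and the receiver key rings below are constructed for this example only.

```python
"""Revocation part + data part message, sender (steps 62-66) and receiver (steps 52-58).

Added example, not the patent's code. The page does not name a cipher; this block
uses a toy XOR keystream built from HMAC-SHA256(key, nonce || counter) so that it
runs with the standard library only. The known-prefix sentinel is the page's; the
node keys and key rings below are constructed values, not derived from any graph.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KNOWN_PREFIX = b"the used key is a valid key"   # sentinel sentence from the page


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; toy construction, not a real AEAD."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_message(cover_keys: dict, plaintext: bytes, labeled: bool = True) -> dict:
    """Sender: a fresh enabling key K per message (page), data part =
    Enc_K(prefix || plaintext), revocation part = one copy of K per node key in
    the cover, optionally labelled with the receiver set that node stands for."""
    enabling_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    data_part = xor_crypt(enabling_key, nonce, KNOWN_PREFIX + plaintext)
    revocation_part = [(label if labeled else None,
                        xor_crypt(node_key, nonce, enabling_key))
                       for label, node_key in cover_keys.items()]
    return {"nonce": nonce, "revocation": revocation_part, "data": data_part}


def open_message(key_ring: dict, msg: dict) -> Optional[bytes]:
    """Receiver: try every copy of K it holds a key for (by label, or with every
    stored key when copies are unlabelled); accept the first decryption of the
    data part that starts with the known prefix. None means: revoked."""
    nonce = msg["nonce"]
    for label, wrapped in msg["revocation"]:
        if label is None:
            candidates = list(key_ring.values())
        elif label in key_ring:
            candidates = [key_ring[label]]
        else:
            continue
        for node_key in candidates:
            enabling_key = xor_crypt(node_key, nonce, wrapped)
            plain = xor_crypt(enabling_key, nonce, msg["data"])
            if plain.startswith(KNOWN_PREFIX):
                return plain[len(KNOWN_PREFIX):]
    return None


# Constructed keys for the figure 3 cover {r1,r3}, {r4,r6}, {r7,r8,r9} (r2, r5 revoked)
# and for the key rings of r1 (not revoked) and r2 (revoked).
COVER_KEYS = {"{r1,r3}": b"\x01" * 32, "{r4,r6}": b"\x02" * 32, "{r7,r8,r9}": b"\x03" * 32}
RING_R1 = {"{r1}": b"\x11" * 32, "{r1,r2}": b"\x12" * 32, "{r1,r3}": b"\x01" * 32}
RING_R2 = {"{r2}": b"\x21" * 32, "{r1,r2}": b"\x12" * 32, "{r2,r3}": b"\x23" * 32}

if __name__ == "__main__":
    msg = build_message(COVER_KEYS, b"compiled application v2")
    print(open_message(RING_R1, msg))   # b'compiled application v2'
    print(open_message(RING_R2, msg))   # None: r2 holds none of the cover keys
```

The prefix check only tells a receiver which copy it managed to decrypt; it authenticates nothing, so anyone holding one node key can produce a message that passes it. A deployment would wrap K with an authenticated cipher, sign the update itself, and carry a short per-copy check value rather than trial-decrypt the whole data part once per stored key in the unlabelled case. Because every message carries a fresh K, revoking a console bars it only from messages issued after the revocation, which is what the page states for new applications.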
  • The application design language tool ESPranto was developed in house, and the response sheet that is used for the compilation of the application is written in ESPranto.
  • Whereas the design language tool ESPranto as well as the response sheet are open, the ESPranto compiler is kept proprietary. Only entities that are authorized are therefore allowed and capable to compile ESPranto.
  • Compiled applications may be at least partially encrypted by an enabling key K, preventing easy interpretation of the compiled application code by visual inspection. Moreover, by performing encryption, easy decompilation is hindered.
  • Encryption is performed to prevent entirely unencrypted applications from successfully running on consoles or other information processing devices that are authorized. Only authorized consoles will namely have a key set comprising a key required for the decryption, and so be able to run the applications. In addition, encryption of applications is also performed in order to revoke consoles that have been compromised, in that such consoles can not successfully decrypt encrypted applications.
  • In case a console is compromised, its key set may be revoked, barring the console, and any consoles cloned or derived from said console, from running new applications.
  • New applications are typically distributed encrypted by using a new enabling key K.
  • In order to run the application, the console has to verify that it can decrypt at least one copy of the enabling key, said copy being encrypted by using one key that is present in the authorized console.
  • An authorized console will thus be able to verify that it is authorized by being able to decrypt one copy of the enabling key, and thereafter decrypt the new application by using the newly decrypted enabling key.
  • A compromised console will not be able to show that it is capable of decrypting a copy of the enabling key, because the copies of the enabling key were encrypted by using a set of keys that the compromised console has no access to. For this reason the compromised console will fail in decrypting the encrypted enabling key, with the consequence that no decrypted enabling key will be available to decrypt the new application and enable it to run on the compromised console.
  • Each message is encrypted with a specific enabling key; for every message a new enabling key is thus used. This enabling key is also long enough to make it at least time consuming in practice to guess, or by other means get hold of, the correct decryption key to decrypt for instance an encrypted application.
  • Sensor types that may be part of realizations of the platform ESP, which are novel but anticipated, may have pre-installed drivers. This is to enable provision of input data according to the available input options. This case is equivalent with the case for existing sensors that just have not been used yet. Sensor events may be presented to the interpreter in the form of tuples such as,
  • Object ID or "Object ID, parameter”.
  • New, unanticipated sensor types may require a new driver that intercepts sensor events and emits them in the form (Object ID, parameter).
  • a new driver may therefore also require a software update.
  • These software updates can be protected in a similar way as the applications are, as described above. In this way drivers may be denied access to software updates. Renewal of drivers which may require software updates, may be denied to some drivers that are compromised and which therefore are to be revoked.
  • driver updates are persistent. Software updates for drivers are accordingly decrypted once only and are thereafter installed.
  • Terminal types may also have to be considered. New, anticipated terminal types that depend on the available output options, may have pre-installed drivers. In this case the situation is the same as with existing terminal types that just have not been used yet.
  • Terminal actions may be presented by the interpreter in the form of tuples such as "Action ID” or "Action ID, parameter".
  • the "Action ID” may implicitly comprise a "Terminal lD”.
  • the action may implicitly define the actor. For instance, suppose the action to be communicated is "to bark", the sound produced by dogs, then there is no need to also communicate that the terminal is a dog and not a cow.
  • New, unanticipated, terminal types may require a new driver that accepts the Action ID and performs the required action.
  • a new driver leads to software updates. These software updates may be protected in a way similar to the on for applications as described above.
  • new terminal types can only be added if the console accepts the driver update, by being able to decrypt an enabling key. Furthermore, only valid non-compromised consoles can decrypt the driver updates.
  • Protection of objects may also comprise herein.
  • a range of "Object lds" is valid to represent a specific object. This is to ensure that multiple tags with different IDs can represent a single object. For instance, to mention one example only, multiple instances of the same physical cow doll may have different "Tag lds" but they may all represent the same cow in, for example, a story.
  • mapping table which ranges of IDs represent which objects may be included in a mapping table.
  • a new application may allow new objects, for instance by the addition of a giraffe, may require a new mapping table.
  • the new mapping table can be protected by the same means as applications may be protected.
  • new objects can only be added if the console accepts the mapping table update in a similar way as described above.
  • only valid consoles can decrypt the mapping table update.
  • Terminal lD For the protection of terminals these may have to register with the driver controlling it. To this end it may have to present a "Terminal lD" to the interpreter of the ESP platform.
  • the "Terminal lD” may be comprised in a mapping table that moreover may be protected by the same means as applications are.
  • Using a non-tree graph structure has the advantage that revocation messages are in general shorter than the corresponding revocation messages in a binary tree structure.
  • The message data may be divided into a first part and a second part, of which the first part comprises a revocation part and the second part comprises a data part.
  • The embodiments come with a number of advantages, one of which is that the revocation messages are generally relatively short, by comprising at least one power set graph of the third or higher order in the hierarchical graph structure in which the information processing devices are organized.
  • The first part of the message, the revocation part, is usually shorter due to the fact that a smaller number of encrypted enabling keys usually needs to be distributed for the connected power set graphs as compared with the binary tree structure.
  • The power set graph structure in which the information processing devices are organized is adaptable by using different orders of the power set graphs, such that the number of nodes in each layer corresponds to a physical group of entities, such as producers of DVD-players, world regions, and so on.
  • Yet another advantage is that using a power set graph for the organization of information processing devices requires no node key for the group comprising all the information processing devices, the reason being that there is no need to encrypt a message that is to be accessible to all members.

Abstract

The present invention provides a device (40), and methods relating to protection schemes. By decrypting (step 56) an enabling key using certain node keys, and decrypting message data (step 58) by using the enabling key, information processing devices that are able to decrypt the enabling key also become able to decrypt the encrypted message data distributed to said information processing devices. This has the consequence that information processing devices (40) that are unable to decrypt the enabling key fail to read the new data, which may comprise new applications or message data, and are therefore in practice revoked. This may be applied to software updates of drivers and terminal types, to mention a few examples.

Description

Methods and system of information processing
FIELD OF THE INVENTION
The present invention relates in general to methods and systems for information processing and in particular to the usage of power set graphs in revocation schemes.
BACKGROUND OF THE INVENTION
Distribution of digital data from, for instance, a central unit to various decentralized receivers can be performed in a variety of ways.
One way is to send encrypted messages from a central unit to a group of receivers. The encrypted messages may comprise any form of digital data such as text data, audio data, video data or a computer program. A message can be sent for example by means of a broadcast network, a computer network or an exchangeable storage medium, such as, a CD or DVD.
In the case a receiver is compromised, this receiver is revoked and thus made unable to decrypt the encrypted messages that may be distributed to it.
In order to target the receivers to be revoked when broadcasting messages, revocation schemes can be used. By using a revocation scheme the receivers to be revoked are made unable to decrypt the message received, whereas other receivers that are not to be revoked remain able to decrypt the message distributed to them. Existing revocation schemes usually work in the way described below. A message from the central unit may be comprised of two parts, one revocation part and one data part. The revocation part may comprise multiple copies of a key K, where each copy of K is encrypted with a different key. The data part, which comprises the actual message to distribute, is encrypted with key K. Each receiver of the message is assumed to store a particular set of keys. If a receiver has a key that can be used to decrypt one of the encrypted keys K in the revocation part of a message, then using key K the receiver can also decrypt the data part. Usually, the keys that are stored in a receiver are linked to a hierarchical structure.
In EP 1 187 390 B1 a revocation scheme is disclosed, wherein the keys correspond to nodes in a binary tree. The end nodes in the crown of the tree correspond to the individual receivers, and each other node in the tree corresponds to the set of all receivers that can be reached from the node, by only taking edges in the direction towards the individual receivers.
To each node in the tree, including the root node, there is a unique key assigned. Each receiver stores a key set comprising all keys on the path from its own node to the root node, where the root node corresponds to all receivers.
If a message should only be available to a first group of receivers, and not to a second group of receivers, it is sufficient to encrypt key K with the key for the node "first group", because only receivers in this first group share this key. By using such a revocation scheme each receiver would have to store ⌈log₂ 10,000,000⌉ + 1 = 25 keys, for a set of 10 million receivers. In addition, the nodes of the binary tree would then form 25 layers of nodes.
Due to the inherent structure of the binary tree, in which each node is split into two other nodes in the direction towards nodes that correspond to individual receivers, the revocation messages that comprise copies of keys K encrypted with different keys, may need to comprise a relatively large number of copies of keys K.
There is hence a demand for an improved way to revoke receivers of messages within a group of receivers.
SUMMARY OF THE INVENTION
An object of the present invention is to provide an improved way to revoke receivers of messages within a group of receivers.
According to one aspect of the present invention, there is provided an information processing device in an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, the device comprising a storing unit arranged to store a key set comprising an end node key unique to said device, and keys of any intermediate nodes between the end node and a top node along all shortest paths, and a processing unit arranged to decrypt by using the stored key set, encrypted message data, such that the information processing device can make use of the message data.
According to another aspect of the present invention, there is provided an information processing method for use in an information processing device of an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, said method comprising receiving encrypted message data, and conditionally decrypting the message data by using a key set stored in the device.
According to another aspect of the present invention, there is provided an information processing method for processing data in relation to a group of information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, each device corresponding to an end node, there being stored in each device a key set comprising a key unique to that device, and node keys of any nodes in shortest paths between the end node of that device and the top node, comprising the steps of encrypting message data, and distributing the encrypted message data to information processing devices, such that the encrypted message data is conditionally decryptable by information processing devices.
According to yet another aspect of the present invention, there is provided an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, each device having storing means for storing a key set comprising a key unique to that device, and node keys of any nodes in shortest paths between the end node of that device and the top node, and processing means arranged to decrypt using said key set, encrypted data distributed to said device, and message distributing means arranged to encrypt message data by using an enabling key, to encrypt the enabling key by using different node keys, and to distribute the encrypted message data and the encrypted enabling keys to information processing devices, such that the encrypted message data can be decrypted by information processing devices that are able to decrypt the enabling key.
It should be emphasized that the term "comprises/comprising" when being used in the specification is taken to specify the presence of the stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps or components or groups thereof.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to explain the invention and the advantages and features thereof in more detail, embodiments will be described below, references being made to the accompanying drawings, in which
Figs. 1A, 1B and 1C are presentations of power set graphs P2, P3, and P4, respectively;
Fig. 2 is an illustration of a power set graph P4;
Fig. 3 is an illustration of a connected graph;
Fig. 4 is a schematic illustration of an information processing device according to some embodiments; and
Figs. 5 and 6 illustrate flowcharts of methods according to some embodiments.
DETAILED DESCRIPTION OF THE EMBODIMENTS
To overcome the limitation that toys in general can perform only one or at most a few actions, which in the long run easily becomes boring to children playing with the toys and annoying to their parents, a platform for enabling the creation of interactive toys has been created.
This platform, called the Edutainment Sensor Platform (ESP), is a platform that enables a fast and easy creation of self-contained educational and/or entertaining applications based on tangible user interfaces. The applications can be specified in ESPranto, an in-house programming language, on a response sheet. A compiler may compile the response sheet into binary code that runs on an interpreter, where input data are translated into output data consistent with the application itself and the application flow of the application. The ESP features multiple input options such as motion sensors, table top positioning, RFID detection and multiple output options, for example, audio, LEDs and amBX.
For each product derived from ESP, a specific set of input and output options, required for the specific application, is selected. One typical example of such a realization of the platform is the so called "StoryToy", which is a storytelling application that can use motion sensors to detect manipulation of story objects, for instance farm animals. These manipulations may be translated into cues that can steer the story and select for example which audio to play. Another example of a realization of the platform is the tangible interaction console (TIC) that comprises table top positioning technology based on RFID. In essence, the TIC is a programmable tangible user interface, which can receive a variety of inputs from sensing motion, detection of hot spots and 2-dimensional localization of objects. On the basis of such inputs, the TIC may trigger a variety of output options comprising audio, LED arrays and amBX. The exact output to be triggered by the input as received may be specified by the users themselves.
A description of the desired event can be created by a user on a PC with a special development tool that is based on the ESPranto language.
These tools are easy enough to operate for an eight-year-old, but also rich enough to satisfy professional content creators. All description creators - whether professionals or children - may use the same core tool, albeit optionally with a graphical user interface tailored to their specific circumstances.
A key feature of product realizations that are based on the ESP is that they are extendable. New objects can be added, new stories can be loaded, new games may be loaded, and new output terminals can be added, to mention a few options. Whereas the ESP platform explicitly allows for addition of items such as objects, stories, games, and the connection of terminals through output options, also by third parties, the owner of any realization of the platform may need to be able to control which items are actually added and used.
There is thus a need to ensure that the addition of items such as objects, stories, and games, can be verified and that new ones can only be used if they are authorized. At the same time authorized items can only be used on authorized non-revoked consoles or realizations of the ESP, such as "StoryToy".
To this end a revocation scheme is presented based on so called power set graphs. In the following, power set graphs will be introduced.
Power set graph
A power set of a set S of n elements is the set of all 2^n subsets of S, including the empty set ∅ and the full set S itself. For example, the power set of the set {a, b, c} is given by {∅, {a}, {b}, {c}, {a, b}, {a, c}, {b, c}, {a, b, c}}. The power set graph Pn is defined for a set of n ≥ 2 elements {e1, ..., en}. The graph comprises 2^n - 1 nodes, one node for each subset of {e1, ..., en}, except for the empty set. The 2^n - 1 nodes are divided into n layers 1, ..., n. Layer i, for which 1 ≤ i ≤ n, comprises the subsets of i elements. In the graph there are only edges between successive layers. There is an edge from a node u at layer i, for which 1 ≤ i ≤ n-1, to a node v at layer i+1 if and only if the set of elements corresponding to node u is a subset of the set of elements corresponding to node v. The power set graph Pn may be denoted a power set graph of the nth order. Figures 1A, 1B and 1C present power set graphs P2, P3 and P4, respectively, and illustrate the various layers formed by the comprised nodes.
Revocation scheme
To define a revocation scheme for n receivers r1 to rn, a power set graph Pn for the set {r1, ..., rn} can be used. In the graph a key can be assigned to each node, except to the root node, which corresponds to the full set {r1, ..., rn}. Each receiver ri stores the keys that can be found on the shortest paths from node {ri} at layer 1 to node {r1, ..., rn} at layer n. It can be noted that the shortest paths all have a length of n-1 edges. For example, for n=4, receiver r2 stores the keys for nodes {r2}, {r1, r2}, {r2, r3}, {r2, r4}, {r1, r2, r3}, {r1, r2, r4}, and {r2, r3, r4}, as indicated in figure 2.
Revocation of receivers may be performed as explained below. Given a nonempty set of receivers to be revoked, key K may be encrypted with the key for the node that corresponds to all receivers that are not revoked. For example, in figure 2, if only receiver r4 is to be revoked, then key K should be encrypted with the key for node {r1, r2, r3}.
If no receivers are to be revoked, key K does not have to be encrypted with any key. For this reason there is no key assigned to the top node of the power set graph.
According to some embodiments, a connected graph G comprising power set graphs at different levels is used to define a revocation scheme. For every power set graph comprised in the connected graph G, a key is assigned to each node of the power set graph, except to the top node. The highest level, called the top level, comprises a single power set graph, the so called top-level power set graph. In G, a power set graph Pn at level k can be connected to zero up to n power set graphs at level k-1. To connect a power set graph P at level k to a power set graph P' at level k-1, a free end node of P is merged with the top node of P'. The merged node inherits the key that corresponds to the end node of P. In G, the free end nodes of the different power set graphs are associated with individual receivers. In addition, any other node in G is associated with the set of all receivers that may be reached from the node, by only using edges in a direction towards individual receivers.
Figure 3 shows one example of a graph G that is built up of four power set graphs P3. However, the connected graph G need not be balanced and it does not have to be built of homogeneous power set graphs.
In the revocation scheme of connected power set graphs, as illustrated in figure 3, each receiver ri stores the keys that can be found on all shortest paths from node {ri} to the top node of the top-level power set graph. It can be noted that a receiver has to store 2^(n-1) - 1 keys for each power set graph Pn on the shortest paths. For example, in figure 3, the collection of all shortest paths from node {r7} to node {r1, ..., r9} is depicted in bold. These shortest paths pass through two power set graphs P3. Hence receiver r7 has to store in total (2^(3-1) - 1) + (2^(3-1) - 1) = 6 keys, which are associated with nodes {r7}, {r7, r8}, {r7, r9}, {r7, r8, r9}, {r1, r2, r3, r7, r8, r9}, and {r4, ..., r9}.
Revocation of receivers can be performed by encrypting key K several times, using a set of keys that together correspond to the group of receivers that are not revoked. For example, in figure 3, receivers r2 and r5 can be revoked by encrypting key K three times, using the keys for nodes {r1, r3}, {r4, r6}, and {r7, r8, r9}. Above, a brief explanation of power set graphs has been presented together with the application of these graphs in revocation schemes.
In the following the application of revocation schemes for information processing devices related to the Edutainment Sensor Platform (ESP) and to the tangible interaction console (TIC) will be presented. As mentioned earlier, the owner of any realization of the ESP may need to be able to control which items, such as objects, stories and games, are actually added and used. For this reason there is a need that these items can be verified and that new items can be used only on authorized non-revoked consoles or realizations of the ESP.
In order to be able to efficiently verify and revoke information processing devices such as the tangible interaction console (TIC), the information processing devices are preferably organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, wherein each information processing device corresponds to an end node. With reference to figure 4 an information processing device 40 according to some embodiments is schematically illustrated. Such an information processing device 40 may comprise a storing unit 42, a processing unit 44, an input/output unit 46 and a control unit 48. The storing unit 42 is arranged to store a key set comprising an end node key unique to said information processing device, and keys of any intermediate nodes between the end node and a top node along shortest paths. The processing unit 44 is arranged to decrypt an encrypted enabling key by using the stored key set. The processing unit 44 is further arranged to decrypt encrypted message data, received by the input/output unit 46, wherein the encrypted message data is decrypted by using the enabling key. The information processing device 40 can thus make use of the encrypted message data as received by the input/output unit 46.
According to some embodiments the processing unit 44, which may be realized by a decrypting unit, is arranged to decrypt the message data directly by using the key set stored in the storing unit 42. In this case, there may be no enabling key present. For this reason the message data is preferably encrypted by using one or more keys selected to enable revocation of compromised information processing devices, such as TICs. Since multiple copies of the encrypted message data need to be distributed, each copy being encrypted with a different key, this encryption method is preferably used for relatively small groups of information processing devices.
In order to revoke an electronic processing device ri, arranged to receive message data, data are distributed to all devices, whereas the data or at least part of the data is encrypted by using a key of a subgroup that does not include device ri. For this reason device ri will be unable to decrypt the new message. Since each power set graph comprises all possible subgroups, it is enough to encrypt the data by using the key(s) of the particular subgroup(s) that comprise the device(s) that are not to be revoked.
In the case when message data is distributed encrypted by using an enabling key K, and the new enabling key K is encrypted by using one or several keys corresponding to specific nodes of a power set graph Pn or a connected graph G, the encrypted enabling key K may be labeled with {..., ri, ...}, where the device ri is not to be revoked, wherein the set label indicates which key the enabling key K is encrypted with.
Alternatively, the keys with which the enabling key K may be encrypted may not be labeled. In this case, the decrypted data may start with a known sentence, for instance the sentence "the used key is a valid key". When the device uses all its keys to decrypt the enabling key K, after which the message data is decrypted using the decrypted enabling key, the device may receive an indication that the key chosen to decrypt the enabling key K was the correct one, by finding that the decrypted message data for instance starts with a known passage such as "the used key is a valid key".
The information processing devices that are not compromised need a method to process new data.
In figure 5 a flow chart comprising method steps of a method presented to this end is now described, to which reference will be made.
An information processing method will thus be presented for use in an information processing device of an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node. In the case an enabling key is used, this method may comprise the step of "receiving message data encrypted by an enabling key", step 52, which step may be performed by the input/output unit 46 of the information processing device 40. Having received encrypted message data, the step of "receiving multiple copies of an enabling key, wherein each copy is encrypted with different node keys", is performed in step 54. This step may also be performed by the input/output unit 46 of the information processing device 40, according to some embodiments.
Thereafter, in step 56 the step of "decrypting the enabling key by using a key set of stored node keys" in the storing unit 42 may now be performed by the processing unit 44 of the information processing device. Having obtained a decrypted enabling key K, the step of "conditionally decrypting the message data by using the decrypted enabling key" may now be performed in step 58. This step may be performed by the processing unit 44 of the information processing device 40.
The non-compromised information processing devices will thus be able to decrypt encrypted data messages. An information processing method is also presented for processing data in relation to a group of information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, each device corresponding to an end node, there being stored in each device a key set comprising a key unique to that device, and node keys of any nodes in a shortest path between the end node of that device and the top node.
In figure 6 a flow chart comprising method steps of a method presented to this end is described in the following, to which reference will be made.
In the case an enabling key is used, this method may comprise the step of "encrypting message data by using an enabling key K", step 62. This step may be performed by an encryption unit of a system for processing data. Thereafter, the step of "encrypting the enabling key by using different node keys" may be performed, in step 64. This step can be executed by the encryption unit above. Finally, the step of "providing the encrypted message data and the encrypted enabling keys for distribution to information processing devices", is performed in step 66. The encrypted message data can thus be made available to information processing devices such that the data are decryptable by those information processing devices that are able to decrypt the enabling key.
Returning to the Edutainment Sensor Platform, it should be pointed out that the application design language tool ESPranto was developed in house, and that the response sheet that is used for the compilation of the application is written in ESPranto. Whereas the design language tool ESPranto as well as the response sheet are open, the ESPranto compiler is kept proprietary. Only authorized entities are therefore able to compile ESPranto. By compilation, applications may be at least partially encrypted by an enabling key K, preventing easy interpretation by visual inspection of the compiled application code. Moreover, the encryption hinders easy decompilation.
Encryption is performed to prevent entirely unencrypted applications from successfully running on consoles or other information processing devices that are authorized. Only authorized consoles have a key set comprising a key required for the decryption needed to run the applications. In addition, encryption of applications is also performed in order to revoke consoles that have been compromised, since such consoles cannot successfully decrypt encrypted applications.
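The following is an added example, not code from the patent or from Philips, that ties the connected power set graph of figure 3 and the key sets of the revocation scheme above to the message flow of steps 52-58 and 62-66. It assumes node keys derived from a master secret with HMAC, a toy HMAC-keystream XOR cipher standing in for a real cipher, and the unlabeled-copy variant in which the receiver recognizes the right key by the marker sentence "the used key is a valid key"; the graph is written as nested lists, a list being a power set graph over its children and a string an end node.

```python
"""Power set graph revocation with an enabling key (constructed example, not the patent's code).

G is written as nested lists: a list is a power set graph over its children, a string is a
receiver (end node).  Node keys are derived from a master secret with HMAC, an assumption;
any assignment works as long as a merged node carries exactly one key.
"""
import hashlib
import hmac
import os

MASTER = b"demo master secret (constructed)"   # known to the distributor only
KNOWN_PREFIX = b"the used key is a valid key"  # marker sentence from the description
FIG3 = [["r1", "r2", "r3"], ["r4", "r5", "r6"], ["r7", "r8", "r9"]]   # figure 3 of the text


def receivers(group):
    """All receivers reachable from a node of G in the direction of the end nodes."""
    if isinstance(group, str):
        return frozenset([group])
    return frozenset().union(*(receivers(c) for c in group))


def node_key(label):
    """Key of the node with receiver set `label`; a merged node has one label, hence one key."""
    return hmac.new(MASTER, ",".join(sorted(label)).encode(), hashlib.sha256).digest()


def key_set(g, receiver):
    """Labels of all nodes on the shortest paths from {receiver} to the top node: within a
    power set graph, every non-empty subset of children containing the one leading to
    `receiver`.  The top node of the top-level graph has no key and is left out."""
    labels = set()

    def walk(group, top_level):
        if isinstance(group, str):
            return
        kids = [receivers(c) for c in group]
        mine = [k for k in kids if receiver in k]
        if not mine:
            return
        others = [k for k in kids if receiver not in k]
        for mask in range(1 << len(others)):
            chosen = [others[i] for i in range(len(others)) if (mask >> i) & 1]
            if top_level and len(chosen) == len(others):
                continue                       # full set at top level: no key assigned
            labels.add(frozenset().union(mine[0], *chosen))
        for c in group:
            walk(c, False)

    walk(g, True)
    return labels


def cover(g, revoked):
    """Node labels whose keys K is encrypted with; together they correspond exactly to the
    non-revoked receivers.  Empty at the top level means nothing is revoked."""
    if isinstance(g, str):
        return []                              # a revoked end node contributes nothing
    kids = [receivers(c) for c in g]
    clean = [k for k in kids if not (k & revoked)]
    if len(clean) == len(kids):
        return []                              # untouched subtree: parent covers it whole
    out = [frozenset().union(*clean)] if clean else []
    for c, k in zip(g, kids):
        if k & revoked:
            out.extend(cover(c, revoked))
    return out


def xor_stream(key, data, tag):
    """Toy stream cipher (HMAC keystream XOR) standing in for a real cipher."""
    stream = b"".join(hmac.new(key, tag + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_message(g, revoked, payload):
    """Distributor (steps 62-66): fresh K per message, payload under K, unlabeled copies of K
    under each cover node key.  With nothing revoked the top node has no key, so K goes in clear."""
    k = os.urandom(32)
    data_part = xor_stream(k, KNOWN_PREFIX + payload, b"data")
    labels = cover(g, revoked)
    copies = [xor_stream(node_key(lbl), k, b"key") for lbl in labels]
    return {"k": None if labels else k, "copies": copies, "data": data_part}


def read_message(g, receiver, msg):
    """Receiver (steps 52-58): try every stored node key on every copy of K and accept the
    candidate whose data part starts with KNOWN_PREFIX.  None means this receiver is revoked."""
    candidates = [msg["k"]] if msg["k"] is not None else []
    for label in key_set(g, receiver):
        candidates += [xor_stream(node_key(label), c, b"key") for c in msg["copies"]]
    for k in candidates:
        plain = xor_stream(k, msg["data"], b"data")
        if plain.startswith(KNOWN_PREFIX):
            return plain[len(KNOWN_PREFIX):]
    return None
```

Revoking r2 and r5 on FIG3 yields the three copies of K from the text ({r1, r3}, {r4, r6}, {r7, r8, r9}); r7 holds the six keys listed above and reads the payload, while r2 and r5 get None.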
In the case a console is compromised, its key set may be revoked barring the console and any consoles cloned or derived from said console, from running new applications.
New applications are typically distributed encrypted by using a novel enabling key K. In order to run the application the console has to verify that it can decrypt at least one copy of the enabling key, said key being encrypted by using one key that is present in the authorized console.
An authorized console will thus be able to verify that it is authorized by being able to decrypt one copy of the enabling key, and thereafter decrypt the new application by using the newly decrypted enabling key.
A compromised console, however, will not be able to show that it is capable of decrypting a copy of the enabling key, because the copies of the enabling key were encrypted by using a set of keys that the compromised console has no access to. For this reason the compromised console will fail to decrypt the encrypted enabling key, with the consequence that no decrypted enabling key will be available to decrypt the new application and enable it to run on the compromised console. It should be emphasized that each message is encrypted with a specific enabling key. For every message a new enabling key is thus used. This enabling key is also long enough to make it at least time consuming in practice to guess, or by other means get hold of, the correct decryption key to decrypt, for instance, an encrypted application.
Sensor types that may be part of realizations of the platform ESP, which are novel but anticipated, may have pre-installed drivers. This is to enable provision of input data according to the available input options. This case is equivalent to the case of existing sensors that just have not been used yet. Sensor events may be presented to the interpreter in the form of tuples such as "Object ID" or "Object ID, parameter". New, unanticipated sensor types may require a new driver that intercepts sensor events and emits them in the form (Object ID, parameter). A new driver may therefore also require a software update. These software updates can be protected in a similar way as the applications are, as described above. In this way drivers may be denied access to software updates. Renewal of drivers, which may require software updates, may be denied to drivers that are compromised and which are therefore to be revoked.
The use of revocation schemes applying a graph G of connected power set graphs in an Edutainment Sensor Platform for the renewal of drivers is considered within this document.
One difference between applications and drivers is that whereas applications are transient in nature, driver updates are persistent. Software updates for drivers are accordingly decrypted once only and are thereafter installed.
Thus, new sensor types can only be added if the console accepts the driver update, by being able to decrypt the update. Revoked consoles will therefore be unable to decrypt the update. Furthermore, only valid non-compromised consoles can decrypt the driver updates, since their own keys are disjoint from the keys of the revoked drivers.
Terminal types may also have to be considered. New, anticipated terminal types that depend on the available output options, may have pre-installed drivers. In this case the situation is the same as with existing terminal types that just have not been used yet.
Terminal actions may be presented by the interpreter in the form of tuples such as "Action ID" or "Action ID, parameter". The "Action ID" may implicitly comprise a "Terminal ID". In other words, the action may implicitly define the actor. For instance, suppose the action to be communicated is "to bark", the sound produced by dogs; then there is no need to also communicate that the terminal is a dog and not a cow.
New, unanticipated terminal types may require a new driver that accepts the Action ID and performs the required action. As was described earlier, a new driver leads to software updates. These software updates may be protected in a way similar to the one for applications as described above.
Thus, new terminal types can only be added if the console accepts the driver update, by being able to decrypt an enabling key. Furthermore, only valid non-compromised consoles can decrypt the driver updates.
Protection of objects may also be comprised herein. Typically a range of "Object IDs" is valid to represent a specific object. This is to ensure that multiple tags with different IDs can represent a single object. For instance, to mention one example only, multiple instances of the same physical cow doll may have different "Tag IDs", but they may all represent the same cow in, for example, a story.
Which ranges of IDs represent which objects may be included in a mapping table. A new application that allows new objects, for instance by the addition of a giraffe, may require a new mapping table. The new mapping table can be protected by the same means as applications may be protected. Thus, new objects can only be added if the console accepts the mapping table update, in a similar way as described above. Furthermore, only valid consoles can decrypt the mapping table update.
For the protection of terminals, these may have to register with the driver controlling them. To this end a terminal may have to present a "Terminal ID" to the interpreter of the ESP platform. The "Terminal ID" may be comprised in a mapping table that moreover may be protected by the same means as applications are.
It can be easily understood that protection of extendible realizations of the ESP platform in general may be comprised by at least some embodiments hereof.
Considering the power set graphs again, for instance using a structure of power set graphs of the third order, P3, the overall structure is a graph, but not a tree. If the number of devices is, say, 10,000,000, the number of levels is $\lceil \log_3(10{,}000{,}000) \rceil = 15$. By using 15 levels of P3, each device has to store $15 \cdot (2^{3-1} - 1) = 45$ keys. Similarly, if P4 were to be used throughout, the graph would comprise $\lceil \log_4(10{,}000{,}000) \rceil = 12$ levels of connected power set graphs, each device storing $12 \cdot (2^{4-1} - 1) = 84$ keys. Using a non-tree graph structure has the advantage that revocation messages are in general shorter than the corresponding revocation message in a binary tree structure.
The larger the power set graphs that are being used, the shorter the revocation messages that are sent. This is because the key for a node can be shared by a larger number of entities in the connected graph G.
The message data may be divided into a first part and a second part of which the first part comprises a revocation part and the second part comprises a data part.
It is thus easy to understand that the embodiments come with a number of advantages, one of which is that the revocation messages are generally relatively short, by comprising at least one power set graph of the third or higher order in the hierarchical graph structure in which the information processing devices are organized.
Whereas the number of node keys that need to be stored by each receiver may be higher when using connected power set graphs as compared with the binary tree structure, the first part of the message data, the revocation part, is usually shorter, due to the fact that a smaller number of encrypted enabling keys usually need to be distributed for the connected power set graphs as compared with the binary tree structure.
Another advantage of at least some embodiments is that the power set graph structure in which the information processing devices are organized is adaptable, by using different orders of the power set graphs, such that the number of nodes in each layer corresponds to a physical group of entities, such as producers of DVD players, world regions, and so on.
Yet another advantage is that using a power set graph for the organization of information processing devices requires no node key for the group comprising all the information processing devices, the reason being that there is no use in decrypting a message in the case that it should be accessible to all members.
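As an added worked example (not code from the patent or from Philips), the following Python models the key assignment of claim 1 and the two-part message data described above for a small structure of connected P3 graphs: each device stores the keys of every proper subset containing it at each level (2^(k-1) - 1 keys per level, hence 45 for 15 levels of P3), the sender encrypts a fresh enabling key under a cover of node keys that excludes the revoked consoles, and only non-revoked consoles recover the update. The hash-based key derivation, the XOR toy cipher and the greedy top-down cover selection are assumptions made for illustration.

```python
import hashlib
from itertools import combinations
ORDER, LEVELS = 3, 3  # P3 graphs, 3 levels -> 27 devices (page: 15 levels for 10^7)
MASTER = b"constructed master secret"  # toy key-derivation secret, not the page's
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # toy cipher on 32-byte blocks

def node_key(level, group, subset):
    """Toy node key for `subset` (child positions) of group `group` at `level`."""
    return hashlib.sha256(MASTER + f"{level}:{group}:{subset}".encode()).digest()

def device_keys(dev, k=ORDER, levels=LEVELS):
    """Keys a device stores: per level, every proper subset of its group containing it."""
    keys, idx = {}, dev
    for level in range(levels):
        group, pos = divmod(idx, k)
        for size in range(1, k):  # proper subsets only: no key exists for a full group
            for sub in combinations(range(k), size):
                if pos in sub:
                    keys[(level, group, sub)] = node_key(level, group, sub)
        idx = group
    return keys

def cover(revoked, k=ORDER, levels=LEVELS):
    """Node ids whose keys reach every non-revoked device and no revoked one."""
    def rec(level, group):
        def dirty(pos):  # does the subtree under child `pos` hold a revoked device?
            child = group * k + pos
            return any(child * k**level <= r < (child + 1) * k**level for r in revoked)
        clean = tuple(p for p in range(k) if not dirty(p))
        if len(clean) == k:  # fully clean group must be split: no full-set key exists
            return [(level, group, clean[:-1]), (level, group, clean[-1:])]
        out = [(level, group, clean)] if clean else []
        for p in range(k):
            if level > 0 and dirty(p):
                out += rec(level - 1, group * k + p)
        return out
    return rec(levels - 1, 0)

def distribute(message, revoked):
    """Revocation part (enabling key under each cover node key) + data part."""
    enabling = hashlib.sha256(b"constructed fresh enabling key").digest()  # new per message
    rev_part = [(nid, xor(enabling, node_key(*nid))) for nid in cover(revoked)]
    return rev_part, xor(message, hashlib.sha256(enabling).digest())  # message <= 32 bytes

def receive(dev, rev_part, data_part):
    """Console recovers the enabling key from a copy it holds a node key for, if any."""
    keys = device_keys(dev)
    for nid, enc in rev_part:
        if nid in keys:
            return xor(data_part, hashlib.sha256(xor(enc, keys[nid])).digest())
    return None  # revoked console: none of its node keys matches a copy
```

With console 4 revoked, three encrypted copies of the enabling key suffice for the other 26 consoles, and console 4 decrypts nothing.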

Claims

CLAIMS:
1. An information processing device (40) in an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, the device comprising: a storing unit (42) arranged to store a key set comprising an end node key unique to said device, and keys of any intermediate nodes between the end node and a top node along all shortest paths, and a processing unit (44) arranged to decrypt by using the stored key set, encrypted message data, such that the information processing device can make use of the message data.
2. The information processing device (40) according to claim 1, where the processing unit (44) further is arranged to decrypt, by using the stored key set, an encrypted enabling key, and to decrypt encrypted message data by using the decrypted enabling key.
3. The information processing device (40) according to claim 1, wherein the processing unit (44) further is arranged to decrypt the encrypted enabling key by using one key of a plurality of keys of the stored key set.
4. The information processing device (40) according to claim 1, wherein the device further is arranged such that the device can make use of a driver when said driver is comprised in the message data, when the message data is decrypted by the device.
5. An information processing method for use in an information processing device (40) of an information processing system having information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a top node via one or more intermediate nodes, each device corresponding to an end node, said method comprising: receiving encrypted message data (step 52), and conditionally decrypting the message data (step 58) by using a key set stored in the information processing device (40).
6. The information processing method according to claim 5, in which the step of receiving (step 52) comprises receiving message data encrypted by an enabling key, and where the method further comprises the step of receiving multiple copies of the enabling key (step 54), each copy encrypted with different node keys, and the step of conditionally decrypting the enabling key (step 58) by using a key set stored in the device, and wherein the step of conditionally decrypting the message data comprises decrypting the message data by using the enabling key (step 56).
7. The information processing method according to claim 5, in which the message data comprises a driver for the device for enabling running Edutainment Sensor Platform realizations.
8. An information processing method for processing data in relation to a group of information processing devices organized in a hierarchical graph structure comprising at least one power set graph of at least the third order, said graph structure having a plurality of end nodes connected to a root node via one or more intermediate nodes, each device corresponding to an end node, there being stored in each device a key set comprising a key unique to that device, and node keys of any nodes in shortest paths between the end node of that device and the top node, comprising the steps of: encrypting message data (step 62), and providing the encrypted message data for distribution to information processing devices (step 66), such that the encrypted message data is conditionally decryptable by information processing devices.
9. The information processing method according to claim 8, wherein the step of encrypting message data (step 62) comprises encrypting message data by using an enabling key, and wherein the method further comprises the step of encrypting the enabling key (step 64) by using different node keys, and wherein the step of providing (step 66) further comprises providing the encrypted enabling keys for distribution to information processing devices, such that the encrypted message data is conditionally decryptable by information processing devices that are able to decrypt the enabling key.
10. The information processing method according to claim 8, wherein the step of encrypting message data (step 62) comprises encrypting driver data, such that the encrypted driver data is conditionally decryptable by information processing devices for enabling running Edutainment Sensor Platform realizations.
PCT/IB2008/055138 2007-12-12 2008-12-08 Device keys for nnl encryption of software update applications WO2009074941A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07122965 2007-12-12
EP07122965.2 2007-12-12

Publications (1)

Publication Number Publication Date
WO2009074941A1 true WO2009074941A1 (en) 2009-06-18

Family

ID=40524721




Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1187390B1 (en) * 2000-04-06 2007-02-28 Sony Corporation Information processing system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
NAOR D. ET AL: "Revocation and Tracing Schemes for Stateless Receivers", 1 July 2001, XP002203174 *
WEI ET AL: "Knowledge reduction based on the equivalence relations defined on attribute set and its power set", INFORMATION SCIENCES, AMSTERDAM, NL, vol. 177, no. 15, 11 May 2007 (2007-05-11), pages 3178-3185, XP022071479, ISSN: 0020-0255 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08860660

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08860660

Country of ref document: EP

Kind code of ref document: A1