JP2002236622A - Device for regenerating information device for recording information, method of regenerating information, method of recording information, recording medium for information, and medium for recording program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information recording and regenerating device and a method therefor having a constitution wherein whether legal record content is recorded or not is determined to conduct regeneration, in content regeneration. SOLUTION: A digital signature and a public key certificate are recorded when a data is recorded in an information recording medium, to allow a recorder recorded with a content to be specified. Even when a recording medium containing the data recorded illegally is distributed, the recorder is specified to be eliminated from a system. An information regenerator confirms the reasonability of the signature and the public key certificate when reading out the data, specifys a content recoring person, confirms no presence of altering in the public key certificate and the digital signature, and regenerates thereafter the data. Use (regeneration) of the record content by the illegal recorder is efficiently eliminated by this constitution.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an information reproducing apparatus, an information recording apparatus, an information reproducing method, an information recording method, an information recording medium, and a program storage medium. When recording, the digital signature and the public key certificate are recorded together with the data, and when the information reproducing device reads the data, the validity of the digital signature and the public key certificate is confirmed, and the information recording device is revoked. Information reproducing device, information recording device,
The present invention relates to an information reproducing method, an information recording method, an information recording medium, and a program storage medium.

[0002]

2. Description of the Related Art With the progress and development of digital signal processing technology, in recent years, recording apparatuses and recording media for digitally recording information have become widespread. According to such a digital recording device and recording medium, recording and reproduction can be repeated without deteriorating images and sounds, for example. In this way, digital data can be copied over and over again while maintaining image quality and sound quality. Therefore, when a recording medium on which copying is illegally enters the market, various contents such as music, movies, etc. The interests of the copyright holder or legitimate sales right holder will be harmed. In recent years, in order to prevent such illegal copying of digital data, various mechanisms (systems) for preventing illegal copying on digital recording devices and recording media.
Has been introduced.

For example, in an MD (Mini Disc) (MD is a trademark) device, SCMS (Serial Copy Management System) is employed as a method for preventing illegal copying. The SCMS outputs an SCMS signal together with audio data from a digital interface (DIF) on the data reproducing side, and outputs the SCMS signal on the data recording side.
This system prevents illegal copying by controlling recording of audio data from the reproducing side based on the SCMS signal from the reproducing side.

[0004] Specifically, the SCMS signal is a copy free (co
This signal indicates whether the data is “py free” data, data that is permitted to be copied only once (copy once allowed), or data that is prohibited from being copied (copy prohibited). On the data recording side, DI
When audio data is received from F, an SCMS signal transmitted together with the audio data is detected. If the SCMS signal is copy free, the audio data is recorded on the mini-disc together with the SCMS signal. If the SCMS signal permits copying once (copy once allowed), the SCMS signal is prohibited from being copied (copy p.
rohibited), along with the audio data,
Record on a mini-disc. Further, when the SCMS signal is copy prohibited,
Does not record audio data. Such SCM
By performing control using S, in the mini disc device, the copyrighted audio data is prevented from being illegally copied by the SCMS.

[0005] However, SCMS, as described above,
Since it is premised that the device that records data itself has a configuration for controlling recording of audio data from the playback side based on the CMS signal, a mini-disc device that does not have a configuration for performing control of SCMS is available. If manufactured, it will be difficult to deal with. So, for example, DVD
The player employs a content scramble system to prevent illegal copying of copyrighted data.

In the content scramble system,
Video data, audio data and the like are encrypted and recorded on a DVD-ROM (Read Only Memory), and a key (decryption key) used to decrypt the encrypted data is a licensed DVD. Given to the player. The license is given to a DVD player designed to comply with a prescribed operation rule such as not to perform unauthorized copying. Therefore, the licensed DVD player decrypts the encrypted data recorded on the DVD-ROM by using the given key, thereby obtaining the DVD.
-Images and sounds can be reproduced from the ROM.

[0007] On the other hand, a DVD player without a license does not have a key for decrypting encrypted data, and therefore cannot decrypt encrypted data recorded on a DVD-ROM. Thus, in the content scramble system configuration, a DVD player that does not satisfy the conditions required at the time of licensing is:
Since the DVD-ROM on which digital data is recorded cannot be reproduced, illegal copying is prevented.

However, the content scramble system adopted in DVD-ROM is intended for a recording medium on which data cannot be written by a user (hereinafter referred to as ROM media as appropriate). No consideration is given to application to a possible recording medium (hereinafter, appropriately referred to as a RAM medium).

That is, even if the data recorded on the ROM medium is encrypted, if the entire encrypted data is directly copied to the RAM medium, the data can be reproduced by a valid licensed device. You can create so-called pirated copies.

Accordingly, the present applicant has filed an earlier patent application, Japanese Patent Application Laid-Open No. H11-224461 (Japanese Patent Application No. 10-25310).
), Information for identifying each recording medium (hereinafter, referred to as medium identification information) is recorded on the recording medium together with other data, and it is determined that the device is a device licensed with this medium identification information. As a condition, a configuration has been proposed in which access to the medium identification information of a recording medium is possible only when the condition is satisfied.

In this method, the data on the recording medium is encrypted with the medium identification information and a secret key (master key) obtained by receiving a license, and an unlicensed device can use the encrypted data. Is read, meaningful data cannot be obtained. When a device receives a license, its operation is specified so that unauthorized duplication (illegal copying) cannot be performed.

An unlicensed device cannot access the medium identification information, and the medium identification information has an individual value for each medium. Even if all of the recorded and encrypted data is copied to a new recording medium, the data recorded on the recording medium created in this manner is, of course, unlicensed, as well as the unlicensed device. Even the receiving apparatus cannot correctly decode the data, so that illegal copying is substantially prevented.

By the way, in the above configuration, the master key stored in the licensed device is generally common to all devices. Storing a common master key for a plurality of devices in this way is a condition necessary to enable a medium recorded on one device to be played back on another device (to ensure interoperability). Because there is.

However, in this method, one attacker
If one device is successfully attacked and the master key is extracted, the encrypted data recorded in the entire system can be decrypted and the entire system collapses. To prevent this, if it is discovered that a master device has been exposed due to an attack on a device, the master key is updated to a new one, and the master key is updated to all devices other than the device that yielded to the attack. Need to be given. The simplest way to achieve this configuration is
Give a unique key (device key) to each device,
It is possible to prepare a value in which a new master key is encrypted with each device key and transmit it to the device via the recording medium, but the total message volume to be transmitted increases in proportion to the number of devices. There's a problem.

As a configuration for solving the above problem, the present applicant uses a key distribution method having a configuration in which each information recording / reproducing device is arranged on each leaf of an n-ary tree, and via a recording medium or a communication line. By distributing a key (master key or media key) necessary for recording or reproducing content data on a recording medium, and by using this, each device records and reproduces the content data. A configuration in which a master key or a media key can be transmitted with a small message amount to a legitimate device (to which a secret is not disclosed) has been previously proposed, and a patent application (Japanese Patent Application No. 2000-105328) has already been filed. In particular,
A key required for generating a key required for recording on or reproducing from the recording medium, for example, a node key assigned to a node configuring each leaf of the n-ary tree is set as an update node key; An activation key block (EKB) containing information that has been encrypted in a form that can be decrypted with a leaf key and a node key that only an authorized node has an updated node key is delivered to each information recording / reproducing device, and the activation key block (EKB) is E of each received information recording / reproducing device
Each device can acquire a key necessary for recording or reproduction from a recording medium by a KB decryption process.

[0016]

In the above configuration, it is possible to exclude a device whose secret has been exposed from the system, but for this purpose, it is necessary to specify which device has the secret exposed. . For example, if a clone device containing a secret stolen from a certain device is created and can be identified as being sold in a black market, the stolen device is identified and removed from the system.

By the way, in view of an attack on the system, a cloned device is not created as described above, but a certain information recording device is modified so that, for example, data which should be originally encrypted and recorded is written in plain text. It is conceivable to perform an illegal recording such as recording, and to sell a recording medium containing the illegally recorded data created as a result. In this case, if a device that has illegally recorded data on the recording medium can be specified, the device can be removed from the system and new content data can be distributed so that the device does not decrypt the content data.

The present invention solves the above-mentioned problem. When an information recording apparatus records data on an information recording medium, the information recording apparatus records its own digital signature and public key certificate together with the data. A system that allows data to be read out after confirming the validity of the digital signature and the public key certificate when reading out the data, so that the content can be reproduced on condition that it was properly recorded. The purpose is to provide.

[0019]

According to a first aspect of the present invention, there is provided:
In an information reproducing apparatus for reproducing information from a recording medium, a verification process of a public key certificate of an encrypted content recording entity stored in the recording medium is performed, and the content recording is performed from the public key certificate whose validity is confirmed. The public key of the subject is acquired, and based on the acquired public key, a process of verifying the digital signature of the content recording subject is executed. As a result of the verification,
An information reproducing apparatus is characterized in that a decryption process of an encrypted content is executed on condition that the validity of the signature is confirmed.

Further, in one embodiment of the information reproducing apparatus of the present invention, the encryption processing means verifies a digital signature of a content recording subject generated with the content of the encrypted content stored in the recording medium as a signature target. It is characterized in that the processing is executed, and the decryption processing of the encrypted content is executed on condition that the validity of the signature is confirmed as a result of the verification.

Further, in one embodiment of the information reproducing apparatus of the present invention, the encryption processing means includes a content generated with a title key set corresponding to the encrypted content stored in the recording medium as a signature target. The digital signature of the recording subject is verified, and the encrypted content is decrypted on condition that the validity of the signature is confirmed as a result of the verification.

Further, in one embodiment of the information reproducing apparatus of the present invention, the information reproducing apparatus includes a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information reproducing apparatuses as leaves, and each information reproducing apparatus. The encryption processing means has an apparatus-specific leaf key, and the encryption processing means includes an activation key block (EKB) comprising encryption processing data of an upper key by a lower key on a key tree path based on a key built in the information reproducing apparatus. ) To obtain the decryption key generation data required for the decryption processing of the encrypted data stored in the recording medium.

Further, in one embodiment of the information reproducing apparatus of the present invention, the decryption key generation data is a master key common to a plurality of information reproducing apparatuses or a media key unique to a recording medium. I do.

According to a second aspect of the present invention, there is provided an information recording apparatus for recording information on a recording medium, comprising encryption processing means for executing encryption processing of contents stored on the recording medium, The processing means is configured to generate a digital signature of the recording entity of the stored content, and execute a process of storing the encrypted content, the digital signature, and the public key certificate of the encrypted content recording entity in a recording medium in association with each other. An information recording apparatus characterized by having:

Further, in one embodiment of the information recording apparatus of the present invention, the information recording apparatus generates a management table in which storage contents, a digital signature, and an address of a public key certificate are associated with each other, and stores the management table in the recording medium. It is characterized by having a configuration for executing the processing to be performed.

Further, in one embodiment of the information recording apparatus of the present invention, the encryption processing means executes a process of generating a digital signature of the content recording subject with the content of the encrypted content stored in the recording medium as a signature target. ,
It is characterized in that the generated signature is stored in association with the stored content.

Further, in one embodiment of the information recording apparatus of the present invention, the encryption processing means sets a title key set corresponding to the encrypted content stored in the recording medium as a signature target and performs a digital recording of a content recording subject. Signature generation processing is performed, and the generated signature is stored in association with stored content.

Further, in one embodiment of the information recording device of the present invention, the information recording device includes a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information recording devices as leaves and each information recording device. The encryption processing means has a device-specific leaf key, and the encryption processing means includes an enabling key block (EKB) comprising encryption processing data of an upper key by a lower key on a path of a key tree based on a key built in the information recording apparatus. ) Is decrypted to obtain encryption key generation data necessary for encryption processing of data stored in the recording medium.

Further, in one embodiment of the information recording apparatus of the present invention, the encryption key generating data is a master key common to a plurality of information recording apparatuses or a media key unique to a recording medium. And

[0030] Furthermore, a third aspect of the present invention relates to an information reproducing method for reproducing information from a recording medium, wherein a public key for executing a process of verifying a public key certificate of an encrypted content recording subject stored in the recording medium. A key certificate verification step;
A signature verification step of obtaining a public key of the content recording subject from the public key certificate whose validity has been confirmed, and executing a digital signature verification process of the content recording subject based on the obtained public key; Executing a process of decrypting the encrypted content on condition that the validity of the signature has been confirmed as a result of the signature verification.

Further, in one embodiment of the information reproducing method of the present invention, the signature verifying step in the information reproducing method is characterized in that the content of the encrypted content stored in the recording medium is a content recording entity generated as a signature target. Executing the verification process of the digital signature, and performing the decryption process of the encrypted content on condition that the validity of the signature is confirmed as a result of the verification.

Further, in one embodiment of the information reproducing method of the present invention, in the signature reproducing step in the information reproducing method, the title key set corresponding to the encrypted content stored in the recording medium is a signature target. Performing a verification process of the digital signature of the content recording subject generated as described above, and performing a decryption process of the encrypted content on condition that the validity of the signature is confirmed as a result of the verification. I do.

Further, in one embodiment of the information reproducing method of the present invention, the information reproducing method further includes a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information reproducing devices as leaves. Based on the leaf key unique to the information reproducing apparatus, the activation key block (EK
B) is performed, and a process of obtaining decryption key generation data required for a decryption process of the encrypted data stored in the recording medium is performed.

Further, according to a fourth aspect of the present invention, in an information recording method for recording information on a recording medium, an encryption processing step of executing an encryption processing of a content stored in the recording medium; An information recording method comprising: generating a digital signature of a recording subject; and storing the encrypted content, the digital signature, and the public key certificate of the encrypted content recording subject in a recording medium in association with each other. In the way.

Further, in an embodiment of the information recording method of the present invention, the information recording method further generates a management table in which stored contents, a digital signature, and an address of a public key certificate are associated with each other. Is executed.

[0036] Further, in one embodiment of the information recording method of the present invention, the information recording method further includes a process of generating a digital signature of the content recording subject for the content of the encrypted content stored in the recording medium. The signature generated and executed is stored in association with the stored content.

[0037] Further, in one embodiment of the information recording method of the present invention, the information recording method further includes the step of signing a title key set corresponding to the encrypted content stored in the recording medium with the content key as a signature target. The digital signature generation processing is performed, and the generated signature is stored in association with the stored content.

Further, in one embodiment of the information recording method of the present invention, the information recording method further comprises a hierarchical key tree structure having a plurality of different information recording devices built in the information recording device as leaves. Based on the node key unique to the node and the leaf key unique to each information recording device, decryption of an activation key block (EKB) is performed to generate encryption key generation data necessary for encryption processing of data stored in the recording medium. It is characterized by executing a process of acquiring.

Further, a fifth aspect of the present invention is an information recording medium storing an encrypted content, wherein identification data of a recording entity recording the encrypted content, a public key certificate of the recording entity, An information recording medium storing the digital signature of the recording subject.

Further, in one embodiment of the information recording medium of the present invention, the information recording medium further stores a management table in which stored contents, a digital signature, and an address of a public key certificate are associated with each other. I do.

A sixth aspect of the present invention is a program storage medium storing a computer program for causing a computer system to execute an information reproducing process for reproducing information from a recording medium.
The program includes a public key certificate verification step of performing a verification process of a public key certificate of the encrypted content recording subject stored in the recording medium, and a public key certificate of the content recording subject based on the verified public key certificate. Get the public key,
A signature verification step of performing a verification process of a digital signature of the content recording entity based on the obtained public key;
Executing a decryption process of the encrypted content on condition that the validity of the signature is confirmed as a result of the signature verification.

Further, according to a seventh aspect of the present invention, an information recording process for recording information on a recording medium is performed by a computer.
A program storage medium storing a computer program to be executed on a system, the computer program comprising: an encryption processing step of performing encryption processing of content stored in a recording medium; A program storage medium comprising: generating a signature; and storing the encrypted content, the digital signature, and the public key certificate of the encrypted content recording subject in a recording medium in association with each other.

[0043]

In the present invention, when the information recording apparatus records data on the information recording medium, it records its own digital signature and public key certificate together with the data. In this way, when recording information, the proof that which recording device has recorded is always recorded together with the data, so that even if a recording medium containing illegally recorded data is distributed. Since it is possible to specify which recording device has recorded it, it can be excluded from the system.

Further, when the information reproducing apparatus reads out the data, the data is read out after confirming the validity of the digital signature and the public key certificate. As a result, an attack that prevents an unauthorized recording device from recording a digital signature on unauthorized recording data is rendered useless. That is, if there is no valid digital signature for the recorded data, a valid reproducing apparatus does not reproduce the data.

[0045]

DESCRIPTION OF THE PREFERRED EMBODIMENTS [System Configuration] FIG. 1 is a block diagram showing the configuration of an embodiment of a recording / reproducing apparatus 100 to which the present invention is applied. The recording / reproducing device 100 has an input / output I / F
(Interface) 120, MPEG (Moving Picture Experts
Group) codec 130, input / output I / F (Interface) 140 having A / D, D / A converter 141, encryption processing means 150, ROM (Read Only Memory) 160,
CPU (Central Processing Unit) 170, memory 18
0, the recording medium interface (I /
F) 190, and further, a transport stream processing means (TS processing means) 300,
Interconnected by

The input / output I / F 120 receives digital signals constituting various contents such as images, sounds, and programs supplied from the outside, outputs the digital signals on the bus 110, and receives the digital signals on the bus 110. Output to the outside. The MPEG codec 130 converts the MPEG encoded data supplied via the bus 110 into an MPE.
The G signal is decoded and output to the input / output I / F 140, and the digital signal supplied from the input / output I / F 140 is MPEG-encoded and output to the bus 110. The input / output I / F 140 has an A / D and D / A converter 141 built-in. The input / output I / F 140 receives an analog signal as content supplied from the outside, and
A / D (Analog Digital) by D, D / A converter 141
By conversion, the digital signal is output to the MPEG codec 130 as a digital signal.
The digital signal from 30 is subjected to D / A (Digital Analog) conversion by an A / D, D / A converter 141, and is output to the outside as an analog signal.

The encryption processing means 150 is composed of, for example, a one-chip LSI (Large Scale Integrated Circuit), and encrypts or decrypts a digital signal as content supplied via the bus 110 and outputs the digital signal on the bus 110. Have a configuration to do. Note that the encryption processing means 150
The present invention is not limited to the chip LSI, and can be realized by a configuration in which various kinds of software or hardware are combined. The configuration as the processing means by the software configuration will be described later.

The ROM 160 stores, for example, a leaf key which is a device key unique to each recording / reproducing device or a group of a plurality of recording / reproducing devices, and a device key shared by a plurality of recording / reproducing devices or a plurality of groups. Is stored. Further, a private key of a public key cryptosystem, a public key certificate, and a public key of a trusted center, which are unique to the recording / reproducing apparatus, are stored.

Here, as shown in FIG. 2, the public key certificate includes the certificate user, for example, the ID of the recording / reproducing apparatus, and
This is data in which a public key of the user is stored, and other data is used as a message and a digital signature is given by a reliable center (certificate authority). The verification process of the digital signature of the center is executed using the public key of the center that has been acquired in advance, the validity of the public key certificate can be confirmed, and the stored public key can be taken out and used.

The CPU 170 executes the program stored in the memory 180 to execute the MPEG codec 1
30 and the cryptographic processing means 150 are controlled. Memory 180
Is, for example, a non-volatile memory that stores programs executed by the CPU 170 and data necessary for the operation of the CPU 170. The recording medium interface 190 reads (reproduces) digital data from the recording medium 200 by driving the recording medium 200 capable of recording and reproducing digital data, outputs the digital data to the bus 110, and
Digital data supplied via the recording medium 2
00 for recording. Also, the program is stored in ROM
The device key may be stored in the memory 180 in the memory 180.

The recording medium 200 is, for example, a DVD, CD
And the like can store digital data such as an optical disk such as an optical disk, a magneto-optical disk, a magnetic disk, a magnetic tape, or a semiconductor memory such as a RAM. Suppose there is. However, the recording medium 200 is the recording / reproducing device 1
00 may be incorporated.

The transport stream processing means (T
The S processing means) 300 will be described in detail later with reference to the drawings. For example, a transport packet corresponding to a specific program (content) is extracted from a transport stream in which a plurality of TV programs (contents) are multiplexed. Then, data processing for storing the appearance timing information of the extracted transport stream together with each packet in the recording medium 200 and appearance timing control processing during reproduction processing from the recording medium 200 are performed.

The transport stream includes ATS as appearance timing information of each transport packet.
(Arrival Time Stamp) is set, and this timing is determined by T-STD (Transpo) which is a virtual decoder defined by MPEG2 Systems.
(rt stream System Target Decoder) is determined at the time of encoding so as not to break down, and at the time of transport stream reproduction, the appearance timing is controlled by the ATS added to each transport packet. Transport stream processing means (TS processing means) 300
These controls are executed. For example, when a transport packet is recorded on a recording medium, it is recorded as a source packet with the interval of each packet shortened. By storing the appearance timing of each transport packet on the recording medium together, The output timing of the packet can be controlled. The transport stream processing means (TS processing means) 300 is an ATS (ArrivalTime) indicating the input timing of each transport packet when data is recorded on the recording medium 200 such as a DVD.
(Stamp: arrival time stamp).

The data processed in the processing system of the present invention is not limited to the format data according to the transport stream. Therefore, when processing relating to data other than the transport stream is executed, the TS processing means shown in FIG. 1 is not always necessary.

[Data Recording Processing and Data Reproduction Processing]
Next, data recording processing on a recording medium and data reproduction processing from a recording medium in the recording / reproducing apparatus of FIG. 1 will be described with reference to the flowcharts of FIGS. When recording the content of an external digital signal on the recording medium 200, a recording process is performed according to the flowchart of FIG. That is, the contents of digital signals (digital contents) are, for example, IEEE (Institute of Electrical and Electronics).
Engineers) Input / output I / O via 1394 serial bus etc.
When supplied to F120, in step S11, the input / output I / F 120 receives the supplied digital content and outputs it to the TS processing means 300 or the encryption processing means 150 via the bus 110.

When the received data requires the transport stream processing, the TS processing means 300 executes the transport stream processing. In step S12, the TS processing means 300 assigns A to each transport packet forming the transport stream.
The block data to which the TS is added is generated, and
Is output to the cryptographic processing means 150 via This processing will be described later in detail.

In step S13, the encryption processing means 150 executes an encryption process on the received digital content, and outputs the resulting encrypted content to the recording medium I / F 190 via the bus 110.
The encrypted content is recorded on the recording medium 200 via the recording medium I / F 190 (S14), and the recording process ends.

As a standard for protecting digital contents when digital contents are transmitted between devices connected via an IEEE1394 serial bus,
Five companies, including Sony Corporation, the assignee of the present patent, provide 5CDTCP (Five Company Digital Transmission).
Content Protection) (hereinafter referred to as DTCP as appropriate)
According to the DTCP, when digital content that is not copy-free is transmitted between devices, is it necessary for the transmitting side and the receiving side to correctly handle copy control information for controlling copying before data transmission? Mutual authentication, and then on the sending side,
The digital content is transmitted after being encrypted, and the receiving side decrypts the encrypted digital content (encrypted content).

In data transmission / reception based on the DTCP standard, the input / output I / F 120 on the data receiving side receives the encrypted content via the IEEE1394 serial bus in step S11, and transmits the encrypted content to the DTC.
Decrypt in accordance with the P standard, and as plaintext content,
After that, it outputs to the encryption processing means 150.

The encryption of digital contents by DTCP is performed by generating a key that changes over time and using the key. The encrypted digital content, including the key used for the encryption, is transmitted on the IEEE1394 serial bus, and the receiving side decrypts the encrypted digital content using the key included therein.

According to DTCP, more precisely, the initial value of the key and the flag indicating the timing of changing the key used for encrypting the digital content are included in the encrypted content. Then, on the receiving side, the key used for encryption is generated by changing the initial value of the key included in the encrypted content again at the timing of the flag included in the encrypted content, The encrypted content is decrypted. However, in this case, it can be considered that the encrypted content includes a key for decrypting the encrypted content, which is equivalent. Therefore, the following description is made as such. Here, for DTCP, for example, the URL of http://www.dtcp.com (Uniform Resou
rce Locator), the informational version (Informational Version)
Can be obtained.

Next, processing for recording the content of an external analog signal on the recording medium 200 will be described.
This will be described with reference to the flowchart of FIG. When the content of the analog signal (analog content) is supplied to the input / output I / F 140, the input / output I / F 140
In step S21, the analog content is received, and the process proceeds to step S22, where the built-in A / D, D / A
A / D conversion is performed by the converter 141 to obtain digital signal contents (digital contents).

This digital content is supplied to the MPEG codec 130, and in step S23,
PEG encoding, that is, encoding processing by MPEG compression is executed, and the
50.

Hereinafter, in steps S24, S25 and S26, steps S12, S13 and S14 in FIG.
The same processing as the processing in is performed. That is, if necessary, an ATS is added to the transport packet by the TS processing means 300, and the encryption processing is performed by the encryption processing means 150. The resulting encrypted content is recorded on the recording medium 200, and the recording processing is performed. finish.

Next, the process of reproducing the content recorded on the recording medium 200 and outputting it as digital content or analog content will be described with reference to the flow of FIG. The process of outputting the digital content to the outside is executed as a reproduction process according to the flowchart of FIG. That is, first, in step S31, the encrypted content recorded on the recording medium 200 is read by the recording medium I / F 190, and output to the encryption processing unit 150 via the bus 110.

In the encryption processing means 150, step S32
, The encrypted content supplied from the recording medium I / F 190 is decrypted, and if the data is a transport stream, the decrypted data is output to the TS processing unit 300 via the bus 110, and the TS processing is unnecessary. Is supplied to the input / output I / F 120.

In step S 43, the TS processing means 300 determines the output timing from the ATS of each transport packet constituting the transport stream, executes control according to the ATS, and performs input / output via the bus 110. Supply it to I / F120. Input / output I / F12
0 outputs the digital content from the TS processing means 300 to the outside and ends the reproduction processing. The processing of the TS processing means 300 and the decryption processing of the digital content by the encryption processing means 150 will be described later.

Further, the data is supplied to the input / output I / F 120, and in step S34,
Outputs the digital content to the outside and ends the reproduction process.

It should be noted that the input / output I / F 120 is used in step S
In the case where digital contents are output via the IEEE1394 serial bus at 34, in accordance with the DTCP standard,
As described above, mutual authentication is performed with the partner device, and then the digital content is encrypted and transmitted.

When the content recorded on the recording medium 200 is reproduced and output to the outside as analog content, a reproduction process according to the flowchart of FIG. 4B is performed.

That is, in steps S41, S42 and S43, steps S31, S32 and S33 of FIG.
Are performed, and the decrypted digital content obtained by the encryption processing means 150 is supplied to the MPEG codec 130 via the bus 110.

In the MPEG codec 130, in step S44, the digital content is subjected to MPEG decoding, that is, decompression processing, and the input / output I / F 140
Supplied to The input / output I / F 140 determines in step S44
, The digital contents MPEG-decoded by the MPEG codec 130 are stored in A / D, D /
D / A conversion is performed by the A converter 141 (S45) to obtain analog contents. Then, the process proceeds to step S46, where the input / output I / F 140 outputs the analog content to the outside, and ends the reproduction process.

[Transport Stream] Next, FIG.
The data format on the recording medium when processing the transport stream data will be described with reference to FIG. The minimum unit for reading and writing data on the recording medium is called a block. One block is 192 *
The size is X (X) bytes (for example, X = 32).

For example, an ATS is added to a TS (transport stream) packet (188 bytes) of MPEG2 to make 192 bytes, and X pieces are collected to form one block of data. The ATS is 24- to 32-bit data indicating the arrival time, and is an abbreviation of Arrival Time Stamp. The ATS is configured as data having randomness according to the arrival time of each packet.
In one block (sector) of the recording medium, X TS (Transport Stream) packets to which ATS is added are recorded. In the configuration of the present invention, a block (sector) of each block constituting the transport stream is formed by using the ATS added to the first TS packet of the block.
Generate a block key to encrypt the data of

By generating a block key for encryption using an ATS having randomness, a unique key different for each block is generated. The encryption processing for each block is executed using the generated block unique key. Also,
With the configuration in which the block key is generated using the ATS, an area on the recording medium for storing the encryption key for each block becomes unnecessary, and the main data area can be used effectively. Further, there is no need to access data other than the main data portion when recording and reproducing data, and the processing becomes more efficient.

The block seed (Bloc) shown in FIG.
k Seed) is additional information including the ATS. block·
The seed includes not only the ATS but also copy control information (CCI: Copy Control Information) as shown in the middle part of the figure.
Is also possible. In this case, ATS and CC
It is possible to adopt a configuration in which a block key is generated using I.

In the structure of the present invention, when data is stored on a recording medium such as a DVD, most of the data of the content is encrypted. However, as shown in the lowermost part of FIG. M at the beginning (for example, m = 8 or 1
6) Unencrypted data with unencrypted bytes
The data is recorded as it is, and the remaining data (m + 1 bytes and thereafter) is encrypted. This is because the encryption process is a process in units of 8 bytes, so the encrypted data length (Encrypted data)
This is because restrictions are imposed on If the encryption process can be performed not in units of 8 bytes but in units of 1 byte, for example, m = 4 and all parts other than the block seed may be encrypted.

[Process in TS processing means] Here, A
The function of the TS will be described in detail. The ATS is an arrival time stamp added to save the appearance timing of each transport packet in the input transport stream as described above.

That is, for example, when one or several TV programs (contents) are extracted from a transport stream in which a plurality of TV programs (contents) are multiplexed, the transports constituting the extracted transport stream are extracted. Port packets appear at irregular intervals (see FIG. 7A). The transport stream has an important meaning in the appearance timing of each transport packet, and this timing is based on MPEG2.
T-STD (Transport stream Syst.) Which is a virtual decoder specified by Systems (ISO / IEC 13818-1)
em Target Decoder) is determined at the time of encoding so as not to break down.

When reproducing the transport stream,
The appearance timing is controlled by the ATS added to each transport packet. Therefore, when recording a transport packet on a recording medium, it is necessary to preserve the input timing of the transport packet. When recording the transport packet on a recording medium such as a DVD, the input timing of each transport packet must be preserved. The ATS is added and recorded.

FIG. 6 is a block diagram for explaining a process executed by the TS processing means 300 when recording a transport stream input via a digital interface on a storage medium such as a DVD. From the terminal 600, a transport stream is input as digital data such as digital broadcast. In FIG. 1, a transport stream is input from a terminal 600 via an input / output I / F 120 or via an input / output I / F 140 and an MPEG codec 130.

The transport stream is input to a bit stream parser 602. The bit stream parser 602 detects a PCR (Program Clock Reference) packet from the input transport stream. Here, the PCR packet is an MPEG packet.
This is a packet in which a PCR defined by 2 Systems is encoded. PCR packet is 100msec
Are encoded within the time interval of The PCR sets the time at which the transport packet arrives at the receiving side to 27 MHz.
Expressed with the precision of

Then, in the 27 MHz PLL 603, the 27 MHz clock of the recording / reproducing device is locked to the PCR of the transport stream. The time stamp generation circuit 604 generates a time stamp based on the count value of the 27 MHz clock. Then, the block seed adding circuit 605 adds the time stamp at the time when the first byte of the transport packet is input to the smoothing buffer 606 as the ATS, and adds the ATS to the transport packet.

The transport packet to which the ATS has been added passes through the smoothing buffer 606 and is supplied to the terminal 60.
7 is output to the encryption processing means 150, and after the encryption processing described later is executed, the storage medium 200 as a storage medium is output via the storage medium I / F 210 (FIG. 1).
Will be recorded.

FIG. 7 shows an example of processing when an input transport stream is recorded on a recording medium. FIG. 7 (a)
Indicates an input of a transport packet constituting a specific program (content). Here, the horizontal axis is a time axis indicating the time on the stream. In this example, the input of the transport packet appears at irregular timing as shown in FIG.

FIG. 7B shows a block seed (Block
Seed) shows the output of the additional circuit 605. The block seed adding circuit 605 provides, for each transport packet, A indicating the time on the stream of the packet.
The source packet is output by adding a block seed (Block Seed) including the TS. FIG. 7C shows a source packet recorded on a recording medium. The source packets are recorded on the recording medium at shorter intervals as shown in FIG. By recording at shorter intervals in this manner, the recording area of the recording medium can be used effectively.

FIG. 8 shows TS processing means 3 for reproducing the transport stream recorded on the recording medium 200.
00 shows a block diagram of the processing configuration of 00. From the terminal 800, the transport packet with the ATS decrypted by the encryption processing means described later is input to the block seed separation circuit 801 and the ATS
And the transport packet are separated. The timing generation circuit 804 has a 27 MHz clock 80 of the regenerator.
Calculate the time based on the clock counter value of 5.

At the start of reproduction, the first ATS is set in the timing generation circuit 804 as an initial value. The comparator 803 compares the ATS with the current time input from the timing generation circuit 804. The time generated by the timing generation circuit 804 and the ATS
Are equal, the output control circuit 802 outputs the transport packet to the MPEG codec 130 or the digital input / output I / F 120.

FIG. 9 shows an example in which an input AV signal
2 shows a configuration in which the MPEG codec 130 performs MPEG encoding and the TS processing means 300 encodes a transport stream. Therefore, FIG.
FIG. 3 is a block diagram showing both processing configurations of the MPEG codec 130 and the TS processing means 300 in FIG. 1. A video signal is input from a terminal 901.
It is input to the MPEG video encoder 902.

The MPEG video encoder 902 encodes an input video signal into an MPEG video stream and outputs it to a buffer video stream buffer 903. In addition, the MPEG video encoder 902
The access unit information on the G video stream is output to the multiplexing scheduler 908. The access unit of the video stream is a picture, and the access unit information is a picture type, a coded bit amount, and a decode time stamp of each picture. here,
The picture type is information of an I / P / B picture. The decode time stamp is
This is information defined by G2 Systems.

An audio signal is input from a terminal 904, which is an MPEG audio encoder 90.
5 is input. MPEG audio encoder 905
Encodes the input audio signal into an MPEG audio stream and outputs it to the buffer 906. In addition, the MPEG audio encoder 905 uses the MPEG
The access unit information about the audio stream is output to the multiplexing scheduler 908. The access unit of the audio stream is an audio frame, and the access unit information is a coded bit amount and a decode time stamp of each audio frame.

The multiplexing scheduler 908 receives video and audio access unit information. The multiplexing scheduler 908 controls a method for encoding the video stream and the audio stream into transport packets based on the access unit information. The multiplexing scheduler 908 internally has a clock for generating a reference time of 27 MHz accuracy, and has a T-ST which is a virtual decoder model defined by MPEG2.
The packet encoding control information of the transport packet is determined so as to satisfy D. The packet encoding control information is the type of stream to be packetized and the length of the stream.

When the packet encoding control information is a video packet, the switch 976 is set to the position a, and video data having the payload data length indicated by the packet encoding control information is read from the video stream buffer 903, and the transport packet It is input to the encoder 909.

When the packet encoding control information is an audio packet, the switch 976 is set to the b side, and the audio data of the designated payload data length is read from the audio stream buffer 906 and input to the transport packet encoder 909. Is done.

When the packet encoding control information is a PCR packet, the transport packet encoder 909 takes in the PCR input from the multiplexing scheduler 908 and outputs the PCR packet. If the packet encoding control information indicates that the packet is not encoded, nothing is input to the transport packet encoder 909.

The transport packet encoder 909
Does not output a transport packet when the packet encoding control information indicates that the packet is not encoded. Otherwise, a transport packet is generated based on the packet encoding control information and output. Therefore, transport packet encoder 909 outputs a transport packet intermittently. Arrival (Arri
val) time stamp calculating means 910
Calculates the ATS indicating the time when the first byte of the transport packet arrives at the receiving side based on the PCR input from the multiplexing scheduler 908.

The PCR input from the multiplexing scheduler 908 indicates the time of arrival of the 10th byte of the transport packet specified by MPEG2 on the receiving side.
The value of the ATS is the time at which the byte 10 bytes before the time of the PCR arrives.

The block seed adding circuit 911 adds an ATS to the transport packet output from the transport packet encoder 909. The transport packet with the ATS output from the block seed adding circuit 911 is
Through the smoothing buffer 912, the encryption processing unit 1
The data is input to the storage medium 50, and after the encryption processing described later is executed, it is stored in the recording medium 200 which is a storage medium.

The transport packet with the ATS stored in the recording medium 200 is input at a narrow interval as shown in FIG. 7C before being encrypted by the encryption processing means 150, and then recorded. It is stored in the medium 200. Even if transport packets are recorded at short intervals, A
By referring to the TS, the input time of the transport packet to the receiving side can be controlled.

The size of the ATS is not limited to 32 bits, but may be 24 bits to 31 bits. The longer the bit length of the ATS, the longer the cycle in which the ATS time counter goes around. For example, A
When the TS is a binary counter with a precision of 27 MHz, the time required for a 24-bit ATS to make one round is about 0.6.
Seconds. This time interval is sufficiently large for a general transport stream. This is because the packet interval of the transport stream is determined at a maximum of 0.1 second according to MPEG2 regulations. However, the ATS may be set to 24-bit or more with a sufficient margin.

As described above, when the bit length of the ATS is set to various lengths, several configurations are possible as the configuration of the block seed which is the additional data of the block data.
FIG. 10 shows a configuration example of the block seed. Example 1 in FIG. 10 is an example in which ATS is used for 32 bits. FIG.
Example 2 is an example in which the ATS is 30 bits and the copy control information (CCI) is used for 2 bits. The copy control information is information indicating a copy control state of data to which the copy control information is added, and is SCMS: Serial Copy Management Sys.
tems and CGMS: Copy Generation Management System are famous. In these pieces of copy control information, data to which the information is added is copy free (Copy Free), which indicates that copying is permitted without restriction, and one generation copy permission (One Generation Copy A), which permits copying of only one generation.
llowed), Copy Prohibition (Copy Prohibition)
ted).

Example 3 shown in FIG. 10 is an example in which the ATS has 24 bits, the CCI uses 2 bits, and the other information uses 6 bits. As other information, for example, when this data is output in analog form, Macrovision (Macrovisio), which is a copy control mechanism for analog video data
Various information such as information indicating on / off of n) can be used.

[Regarding Tree Structure as Key Distribution Configuration] Next, the recording and reproducing apparatus shown in FIG. 1 records keys on a recording medium or reproduces data from the recording medium, for example, a key such as a medium. A configuration for distributing a key to each device will be described. FIG. 11 is a diagram showing a key distribution configuration of a recording / reproducing apparatus in a recording system using this method. Numbers 0 to 15 at the bottom of FIG. 11 are individual recording / reproducing devices. That is, each leaf of the tree structure shown in FIG. 11 corresponds to each recording / reproducing device.

Each device 0 to 15 is manufactured (at the time of shipment).
Then, a key (node key) assigned to a node from its own leaf to the root in a predetermined initial tree and a leaf key of each leaf are stored by itself. K0000 to K1 shown at the bottom of FIG.
Reference numeral 111 denotes a leaf key assigned to each of the devices 0 to 15, and keys from the topmost KR in the second node (node) from the bottom: KR to K111 are used as node keys.

In the tree structure shown in FIG. 11, for example, device 0 has a leaf key K0000 and a node key: K
000, K00, K0, KR. Device 5 owns K0101, K010, K01, K0, and KR. The device 15 includes K1111, K111, K11,
Owns K1 and KR. Note that only 16 devices 0 to 15 are described in the tree of FIG.
Although shown as a balanced bilaterally symmetric configuration of stages, more devices can be configured in the tree and each section of the tree can have a different number of stages.

Each recording / reproducing device included in the tree structure in FIG. 11 has various recording media, for example, DVD, CD,
Various types of recording / reproducing devices using MD, Memory Stick (trademark) and the like are included. Further, it is assumed that various application services coexist. The key distribution configuration shown in FIG. 11 is applied on such a coexistence configuration of different devices and different applications.

In a system in which these various devices and applications coexist, for example, a portion surrounded by a dotted line in FIG. 11, that is, devices 0, 1, 2, and 3 are set as one group using the same recording medium. For example, for the devices included in the group surrounded by the dotted line, common contents are collectively encrypted and sent from the provider, a master key commonly used is sent, or the provider Alternatively, a process of encrypting and outputting payment data of the content fee to a settlement institution or the like is also executed. An organization that transmits and receives data to and from each device, such as a content provider or a settlement processing institution, sends data collectively as a group surrounded by a dotted line in FIG. 11, that is, devices 0, 1, 2, and 3. Execute the process. A plurality of such groups exist in the tree of FIG.

Note that the node key and leaf key have a certain 1
May be managed by one key management center,
A configuration may be adopted in which the management is performed for each group by a provider, a settlement institution, or the like that performs various data transmissions and receptions for each group. These node keys and leaf keys are updated in the event of, for example, leakage of keys, and this update processing is executed by a key management center, a provider, a payment institution, or the like.

In this tree structure, as is apparent from FIG. 11, three devices 0, 1, 2, 3 included in one group have a common key K00 as a node key.
It owns K0 and KR. By using this node key sharing configuration, for example, a common master key can be provided only to the devices 0, 1, 2, and 3. For example, if the commonly owned node key K00 itself is set as a master key, only the devices 0, 1, 2, and 3 can set a common master key without sending a new key. Also, a new master key Kmaster
Enc (K00, K) obtained by encrypting with a node key K00
is distributed to the devices 0, 1, 2, and 3 via a network or in a recording medium, only the devices 0, 1, 2, and 3 use the shared node key K00 held in each device. Enc (K
00, Kmaster) to obtain a master key: Kmaster. Note that Enc (Ka, Kb) is K
b is data encrypted by Ka.

At a certain time t, if it is discovered that the key: K0011, K001, K00, K0, KR possessed by the device 3 has been analyzed and revealed by an attacker (hacker), the system (device) 0,1,
In order to protect data transmitted / received in the group (2, 3), it is necessary to disconnect the device 3 from the system. For that purpose, node keys: K001, K00, K0, KR
With new keys K (t) 001, K (t) 00, K
It is necessary to update to (t) 0, K (t) R and to inform the devices 0,1,2 of the updated key. Here, K (t) a
“aa” indicates that the key is an update key of the generation of the key Kaaaa: t.

The update key distribution process will be described. The key is updated, for example, by storing a table composed of block data called an enabling key block (EKB) shown in FIG.
This is performed by supplying the signals 1 and 2.

The activation key block (EKB) shown in FIG. 12A is configured as block data having a data structure that can be updated only by a device that needs to update the node key. The example in FIG. 12 is block data formed for the purpose of distributing the updated node key of the generation t in the devices 0, 1, and 2 in the tree structure shown in FIG. As is clear from FIG. 11, device 0 and device 1 use K (t) 00, K
(T) 0 and K (t) R are required, and the device 2 uses K (t) 001, K (t) 00, and K as update node keys.
(T) 0 and K (t) R are required.

As shown in the EKB of FIG.
The KB includes a plurality of encryption keys. The encryption key at the bottom is Enc (K0010, K (t) 001). This is the updated node key K (t) 001 encrypted by the leaf key K0010 of the device 2, and the device 2 can decrypt this encrypted key by its own leaf key to obtain K (t) 001. . Also, using K (t) 001 obtained by decryption, the encryption key Enc (K
(T) 001, K (t) 00) can be decrypted, and an updated node key K (t) 00 can be obtained. Thereafter, the encryption key Enc in the second stage from the top in FIG.
(K (t) 00, K (t) 0), the updated node key K (t) 0, the encryption key Enc (K (t) 0, K ( t) Decode R) and K (t)
Get R. On the other hand, the devices 0 and 1 have the node key K00
0 is not included in the object to be updated, and K (t) 00, K (t) 0, and K (t) are required as updated node keys.
R. The devices 0 and 1 are 3 from the top in FIG.
The encryption key Enc (K (t) 00) of the second stage is decrypted to obtain K (t) 00, and the encryption key Enc (K (K (2) of the second stage from the top in FIG. t) 00, K
(T) 0), the updated node key K (t) 0, FIG.
2 (A), the first-stage encryption key Enc (K (t)
0, K (t) R) to obtain K (t) R. Thus, the devices 0, 1, and 2 can obtain the updated key K (t) R. Note that the index in FIG. 12A indicates the absolute addresses of the node key and leaf key used as the decryption key.

In the case where it is not necessary to update the node keys K (t) 0 and K (t) R in the upper stage of the tree structure shown in FIG. 11 and it is necessary to update only the node key K00,
The enabling key block (EKB: Enabling) shown in FIG.
Key Block), the updated node key K (t)
00 can be distributed to devices 0, 1, and 2.

The EKB shown in FIG. 12B can be used, for example, when distributing a new master key shared by a specific group or a media key unique to a recording medium. As a specific example, it is assumed that devices 0, 1, 2, and 3 in a group indicated by a dotted line in FIG. 11 use a certain recording medium, and a new common master key K (t) master is required. At this time, data Enc (K (t (t)) obtained by encrypting a new common updated master key: K (t) master using K (t) 00 obtained by updating the common node key K00 of devices 0, 1, 2, 3 ) And K (t) master) are distributed together with the EKB shown in FIG. This distribution makes it possible to distribute data that cannot be decrypted to devices in other groups such as the device 4.
The same applies to the media key.

That is, if the devices 0, 1, and 2 decrypt the ciphertext using K (t) 00 obtained by processing the EKB, the master key at time t: K (t) master or the media key : K (t) media can be obtained.

[Acquisition of Media Key Using EKB]
FIG. 13 shows the applicant's earlier patent application, Japanese Patent Application No.
Media key K at time t proposed in 0-105328
As an example of processing for obtaining (t) media, data Enc (K (t) 00, K (t) media) obtained by encrypting a new common media key K (t) media using K (t) 00 is shown. 12 shows the processing of the device 2 that has received the EKB shown in FIG. 12 (B) via the recording medium.

As shown in FIG. 11, a certain recording / reproducing system has four devices 0, 1, 2, 3 surrounded by a dotted line.
Assume that one device is included. FIG. 13 shows that when the device 3 is revoked, when a media key assigned to each recording medium is used, the recording / reproducing apparatus (device 2) needs to encrypt or decrypt contents on the recording medium. It shows a process for obtaining a media key using an EKB (Enabling Key Block) stored in a recording medium and a device key stored in a recording / reproducing apparatus.

In the memory of the device 2, the leaf key K_0010 assigned only to itself and the node keys (K_001, K_00, K_0, K_R, respectively) of the nodes 001, 00, 0, R from the leaf key to the root of the tree are secured. Is stored in The device 2 has an index (index) of the EKB stored in the recording medium of FIG.
Is the leaf key K_001 that owns the ciphertext of 0010
0 and decrypted with node key K (t) _00 of node 001
Calculate 1 and then use it to index
Decrypts the ciphertext of 001 and the node key K of node 00
It is necessary to calculate (t) _00 and finally use it to decrypt the ciphertext to calculate the media key K (t) _media. The number of calculations increases in proportion to the depth from the leaf to the node that encrypts the media key. That is, in a large system in which many recording / reproducing devices exist, many calculations are required. The mode of encryption and decryption of data using the media key calculated and obtained as described above will be described below.

[Content Recording Processing Using Media Key] According to the processing block diagram of FIG.
An example of the data encryption processing and the recording processing on the recording medium executed by 50 will be described.

The recording / reproducing apparatus 100 shown in FIG. 14 obtains the media key by the above-described calculation processing based on the EKB.

Next, the recording / reproducing apparatus 100 checks whether or not a disc ID (Disc ID) as identification information has already been recorded on the recording medium 200 such as an optical disc. If it is recorded, the disc ID (Disc ID) is read out. If not, the encryption processing means 150 generates the disc ID (Disc ID) at random or by a predetermined method such as random number generation. To record on a disc. Since only one disc ID (Disc ID) is required for the disc, it can be stored in a lead-in area or the like.

The recording / reproducing apparatus 100 then uses the media key and the disc ID to set a disc unique key (Disc Uniqu
e Key). Disc Unique K
As a specific generation method of ey), as shown in FIG. 15, a method of Example 1 using a result obtained by inputting a media key and a disc ID (Disc ID) into a hash function using a block cipher function Also, the media key and the disk I have been added to the hash function SHA-1 defined in FIPS 180-1.
The method of Example 2 in which data generated by bit concatenation with D (Disc ID) is input and only the required data length is used as a disc unique key (Disc Unique Key) from the output of 160 bits can be applied.

Next, a title key (Title Key), which is a unique key for each record, is randomly generated by the encryption processing means 150 (see FIG. 1) or by a predetermined method such as random number generation. To record.

Next, a disc unique key (Disc Unique Ke)
y) and a title key (Title Key), a title unique key (Title Unique Key) is generated.

The title unique key (Title Unique Ke)
y) A specific method of generation is, as shown in FIG. 16, a method of Example 1 using a result obtained by encrypting a title key using a disk unique key as a key using a block cipher function, or a method of FIPS 180- The hash function SHA- defined in 1
1, the data generated by bit concatenation of the media key and the disc ID (Disc ID) is input, and 160
The method of Example 2 using only the required data length from the bit output as a title unique key (Title Unique Key) can be applied.

In the above description, the disc unique key (Disc Und) is obtained from the media key and the disc ID (Disc ID).
Generate a unique key and this and a title key (Title Ke)
y), a title unique key (Title Unique Key) is generated, but the disc unique key (Di
The title unique key (Title Unique Key) may be directly generated from the media key, disc ID (Disc ID) and title key (Title Key) without using the sc Unique Key, or the title key (Title Key) may be used. Media key (Master Key) and disc ID (Disc ID)
, A key equivalent to a title unique key (Title Unique Key) may be generated.

Next, the subsequent processing will be described with reference to FIG. The first to fourth bytes of the block data input as the data to be encrypted are separated and output from the block seed (Block Seed) and the previously generated title unique key (Title Unique Key). Block key (BlockKe)
y) is generated.

FIG. 17 shows an example of a method for generating a block key. FIG. 17 shows two examples in which a 64-bit block key (Block Key) is generated from a 32-bit block seed (Block Seed) and a 64-bit title unique key (Title Unique Key). I have.

Example 1 shown in the upper part uses a cryptographic function having a key length of 64 bits and inputs and outputs of 64 bits each. A title unique key (Title Unique Key) is used as a key of this cryptographic function, and a value obtained by concatenating a block seed (Block Seed) and a 32-bit constant (constant) is input as a block key (Block Key). I have.

Example 2 shows a hash function SHA-1 of FIPS 180-1.
This is an example using. Title Unique K
ey) and the value obtained by concatenating the block seed (Block Seed)
The block key is input to the HA-1, and the 160-bit output is reduced to 64 bits, for example, using only the lower 64 bits, and is used as a block key.

In the above description, the disc unique key (Disc U)
nique key), Title Unique Ke
y), an example of generating a block key has been described. For example, a disc unique key (Disc Uni
que Key) and title unique key (Title Unique Key) without generating a media key, disc ID (Disc ID) and title key (Title Ke
A block key (Block Key) may be generated using y) and a block seed (Block Seed).

When a block key is generated, block data is encrypted using the generated block key. As shown in the lower part of FIG. 14, the first to first data of the block data including the block seed (Block Seed) are displayed.
m bytes (for example, m = 8 bytes) are separated (selector 1
608) The data from the (m + 1) th byte to the final data is encrypted without being subjected to encryption. In addition, m which is not encrypted
The bytes include the first to fourth bytes as a block seed. The block data after the (m + 1) th byte separated by the selector is encrypted according to an encryption algorithm preset in the encryption processing means 150. As the encryption algorithm, for example, DES (Data Encryption Standard) defined in FIPS 46-2 can be used.

By the above processing, the content is encrypted in units of blocks using the generation-managed media key, the block key generated based on the block seed, and the like, and stored in the recording medium.

Next, the recording / reproducing apparatus calculates a digital signature for the recorded encrypted content data by using the private key (signature generation key) of the public key cryptosystem assigned to the recording / reproducing apparatus. It is recorded on a recording medium together with the public key certificate and the content data. As a method of generating a digital signature, for example, the EC which is being established in IEEE P1363
−DSA (Elliptic Curve Digital Signature Algorithm)
m) can be used. FIG. 18 is a flowchart illustrating the outline of the content recording process.

First, in step S101, the recording / reproducing apparatus executes a process of encrypting the content to be recorded. As described with reference to FIG. 14, content encryption is performed as block data encryption processing using a block key.

Further, in step S102, the recording / reproducing apparatus calculates a digital signature for the encrypted content using the private key (signature generation key) of the public key cryptosystem assigned to itself. As a method of generating a digital signature, for example, EC-DS which is being standardized in IEEE P1363
A (Elliptic Curve Digital Signature Algorithm) is applicable.

Next, in step S103, the recording / reproducing apparatus records the generated digital signature and public key certificate on the recording medium in association with the recorded content.
In step 04, a process of recording the encrypted data on the recording medium (S102) is executed.

Further, FIG. 19 shows a detailed processing flow in the case where a digital signature is executed on the encrypted content and recording is executed.

In step S201, the recording / reproducing device acquires a media key by the above-described EKB process (see FIG. 13).

At S202, it is checked whether or not a disc ID (Disc ID) as identification information has already been recorded on the recording medium. If it is recorded, this disk ID is read in S203, and if it is not recorded, S204
Then, a disk ID is generated at random or by a predetermined method and recorded on the disk. Next, S
At 205, a disk unique key is generated using the media key and the disk ID. As described above, for example, a method using a hash function SHA-1 defined in FIPS 180-1 or a method using a hash function based on a block cipher (see FIG. 15) is applied to the disk unique key. Ask by that.

Then, the process proceeds to S206, in which a title key (Title Key) is generated as a unique key for each recording, and the generated title key is recorded on a disk (recording medium). Next, in S207, a title unique key is generated from the disc unique key and the title key (see FIG. 16).

In S208, the recording / reproducing apparatus receives the encrypted data of the content data to be recorded in the form of a TS packet. In step S209, the TS processing unit 300
ATS, which is time information when the S packet is received, is added. Alternatively, a value obtained by combining the copy control information CCI, the ATS, and other information is added. Next, S210
Then, the TS packets to which the ATS is added are sequentially received, and it is determined whether or not X = 32 forming one block has been reached, or whether identification data indicating the end of the packet has been received. If any of the conditions is satisfied, step S21
Proceeding to 1, the X packets or the packets up to the end of the packet are arranged to form one block data.

Next, the encryption processing means 150 executes S212
Then, a block key, which is a key for encrypting the data of the block, is generated from the first 32 bits (block seed including ATS) of the block data and the title unique key generated in S207 (see FIG. 17).

In S213, S2 is executed using the block key.
The block data formed in step 11 is encrypted. As described above, the data to be encrypted is from the (m + 1) th byte of the block data to the last data.
As the encryption algorithm, for example, DES (Data Encryption Standard) specified in FIPS 46-2 is applied.

In S214, it is determined whether or not the recording block is the first block.
In step 215, a digital signature is generated using the block data as digital signature target data, and is recorded on a recording medium together with a public key certificate. The digital signature generation process is performed, for example, by EC-DSA (Elliptic Cube), which is being standardized in IEEE P1363.
rve Digital Signature Algorithm).

In step S216, the encrypted block data is recorded on a recording medium. In S217, it is determined whether all the data has been recorded. If all the data has been recorded, the recording process ends. If not, the process returns to S208 to execute the processing of the remaining data.

By the above processing, the content is encrypted and recorded on the recording medium, and the digital signature for the block data of the encrypted content and the public key certificate are recorded on the recording medium.

The contents stored on the recording medium,
The title key, digital signature, public key certificate, and other content-related data are recorded in such a manner that their correspondence can be identified. For example, the correspondence can be established by recording the management data as a table on a recording medium. FIG. 20 shows an example of a table configuration when address data of corresponding data relating to recorded content is recorded as a table.

As shown in FIG. 20, each content is managed as a file together with content-related data.
A table in which contents data addresses, title key addresses, digital signature addresses, public key certificate addresses, and other file information are recorded is generated and stored in a recording medium.

Next, when recording the encrypted content on the recording medium, instead of executing the signature on the encrypted content, the digital signature is executed on the title key generated corresponding to the content to record the content. The processing to be executed will be described with reference to the flow in FIG.

In step S301, the recording / reproducing apparatus acquires a media key by the above-described EKB process (see FIG. 13).

In S302, it is checked whether a disc ID (Disc ID) as identification information has already been recorded on the recording medium. If it is recorded, this disk ID is read in S303, and if it is not recorded, S304
Then, a disk ID is generated at random or by a predetermined method and recorded on the disk. Next, S
In 305, a disc unique key is generated using the media key and the disc ID. As described above, for example, a method using a hash function SHA-1 defined in FIPS 180-1 or a method using a hash function based on a block cipher (see FIG. 15) is applied to the disk unique key. Ask by that.

Then, the flow advances to S 306 to generate a title key (Title Key) as a unique key for each recording, and execute a digital signature for the generated title key. The digital signature generation process is performed, for example, by an EC-DSA (Elliptic Curve Digital Sign) which is being standardized in IEEE P1363.
ature Algorithm). Further, the generated title key, digital signature, and public key certificate are stored in a recording medium (disk).

Next, in S307, a title unique key is generated from the disc unique key and the title key (FIG. 1).
6).

At S308, the recording / reproducing apparatus receives the encrypted data of the content data to be recorded in the form of a TS packet. In step S309, the TS processing unit 300
ATS, which is time information when the S packet is received, is added. Alternatively, a value obtained by combining the copy control information CCI, the ATS, and other information is added. Next, S310
Then, the TS packets to which the ATS is added are sequentially received, and it is determined whether or not X = 32 forming one block has been reached, or whether identification data indicating the end of the packet has been received. If any of the conditions is satisfied, step S31
Proceeding to 1, the X packets or the packets up to the end of the packet are arranged to form one block data.

Next, the encryption processing means 150 determines in S312
Then, a block key, which is a key for encrypting the data of the block, is generated from the first 32 bits (block seed including ATS) of the block data and the title unique key generated in S307 (see FIG. 17).

In S313, S3 is executed using the block key.
The block data formed in step 11 is encrypted. As described above, the data to be encrypted is from the (m + 1) th byte of the block data to the final data.
As the encryption algorithm, for example, DES (Data Encryption Standard) specified in FIPS 46-2 is applied.

In S314, the encrypted block data is recorded on a recording medium. In S315, it is determined whether all data has been recorded. If all the data has been recorded, the recording process ends. If not, the process returns to S308 to execute the processing of the remaining data.

By the above processing, the content is encrypted and recorded on the recording medium, and the digital signature for the title key corresponding to the encrypted content and the public key certificate are recorded on the recording medium.

In the above example, the title key is digitally signed. However, the title key and the disc ID may be digitally signed. By doing this,
It can be made clear that the data has been recorded on the disk, and it can be easily determined that the data copied to another disk is an illegal copy.

[Content Reproduction Processing Using Media Key] Next, the decryption and reproduction processing of the encrypted content data stored in the recording medium will be described with reference to FIG.

In the reproducing process, the reproducing apparatus first reads the public key certificate and digital signature of the recording apparatus recorded together with the content data to be reproduced, and confirms their validity.

That is, the validity of the public key certificate is checked using the public key (signature verification key) of the trusted center held by the playback device, and if this is successful, the public key certificate is included in the public key certificate. The digital signature created and recorded by the recording device is inspected using the public key (signature verification key) of the recording device. As a method for checking a digital signature, for example, the above-described EC-DSA can be used.

Next, the reproducing device reads the identification information (ID) of the recording device from the recorded public key certificate, and from this and the revocation information that the recording device is not revoked (excluded) from the system. Check.

(Revocation Test Using Revocation List) As the revocation information, for example, a revocation list shown in FIG. 23 can be used. As shown in the figure, the revocation list is data in which the ID of the device to be revoked (excluded) is written together, and the version number of the list is digitally signed by the center. This revocation list is, for example, 1) stored in the memory of the manufactured device (recording / reproducing device).
Further, 2) it is distributed together with the content data via a network or a recording medium. By distributing the information in the system in such a manner as described above, the reproducing apparatus can obtain newer revocation information during the reproducing process.

When the revocation list is used, a process of verifying the signature of the center stored in the revocation list is executed to check that the list is not forged or falsified. The signature verification process
Similar to the signature verification of the public key certificate, the inspection can be performed using the public key (signature verification key) of the center of the device (recording / reproducing apparatus) in advance.

(Revoked test using EKB)
Instead of distributing the revocation information as a list as shown in FIG. 23 to each device, a configuration may be used in which whether or not revocation has been performed is determined using the EKB. For example, in the system in which devices are arranged in a tree shape as shown in FIG. 11, it is assumed that the EKB shown in (A) Example 1 of FIG. 12 is stored in a recording medium. At this time, each device
When the index of the KB is sequentially examined, it can be understood that the node key updated by the EKB is represented in a tree shape as a thick line in FIG.

It can be understood that the updated node key can be obtained only from the devices located below the leaves (leaves) of the tree indicated by the thick lines, that is, only the devices 0, 1, and 2. The other devices can be determined to have been revoked from the system, and the process of prohibiting the reproduction of the content data recorded by the device having these IDs is executed at the time of executing the reproduction process. The redistribution of the recorded content by the device can be stopped. In this example, it is assumed that the positions of the leaves in FIG. 11 correspond to the device IDs. That is, the activation key block (E
The presence / absence of revocation is determined by executing a trace process of the index KB) based on the ID.

The revoke inspection by the trace processing will be described in detail. First, FIG. 25 shows a format example of the enabling key block (EKB). Version 100
1 is an identifier indicating the version of the activation key block (EKB). The version has a function of identifying the latest EKB and a function of indicating the correspondence between the content and the content. The depth 1002 is an activation key block (EKB)
Shows the number of layers in the hierarchical tree for the distribution destination device. The data pointer 1003 is a pointer indicating the position of the data part in the enabling key block (EKB).
The tag pointer 1004 is the position of the tag portion, the signature pointer 1
005 is a pointer indicating the position of the signature.

The data section 1006 stores, for example, data obtained by encrypting a node key to be updated. For example, each encryption key related to the updated node key as shown in FIG. 13 is stored.

A tag section 1007 is a tag indicating the positional relationship between the encrypted node key and leaf key stored in the data section. The tag assignment rule will be described with reference to FIG. FIG. 26 shows an example in which the activation key block (EKB) described above with reference to FIG. The data at this time is as shown in Table (b) of FIG. The address of the top node included in the encryption key at this time is set as the top node address. In this case, since the update key K (t) R of the root key is included, the top node address is KR. At this time, for example, data Enc (K (t) 0, K
(T) R) is at the position shown in the hierarchical tree shown in FIG. Here, the next data is Enc (K (t)
00, K (t) 0), which is at the lower left position of the previous data on the tree. If there is data, the tag is set to 0, and if not, 1 is set. The tag is set as {left (L) tag, right (R) tag}. Data Enc at the top
Since there is data on the left of (K (t) 0, K (t) R), the L tag = 0, and on the right there is no data, so the R tag = 1
Becomes In the following, tags are set for all data, and FIG.
The data string and the tag string shown in FIG.

The tag is composed of data Enc (Kxxx, Kyy).
y) is a key arrangement identification tag set to indicate where in the tree structure it is located. Key data Enc (Kxxx, Kyyy) stored in the data section. . .
Is simply a series of data of the encrypted key, so that the position of the encryption key stored as data on the tree can be determined by the above-described tag.
Instead of using the tag described above, using the node index corresponding to the encrypted data as in the configuration described in FIG. 12, for example, 0: Enc (K (t) 0, K (t) root ) 00: Enc (K (t) 00, K (t) 0) 000: Enc (K ((t) 000, K (T) 00) ... ,
Such a configuration using an index results in redundant data and an increased data amount, which is not preferable for distribution over a network. On the other hand, by using the above-described tag as index data indicating the key position, the key position can be determined with a small data amount.

Returning to FIG. 25, the EKB format will be further described. The signature is an electronic signature executed by an EKB issuing authority that has issued the validation key block (EKB), for example, a certificate authority, a key management center, a content provider, a payment institution, or the like. The device receiving the EKB verifies the validity of the activation key block (EK
B) Confirm that it is an activation key block (EKB) issued by the issuer.

As can be understood from the description related to FIG. 26, the tags stored in the EKB indicate the presence or absence of key data of the left and right nodes of the own node by 0 and 1. That is, 0 is set when there is data, and 1 is set when there is no data. The tracking process of the EKB based on the leaf ID, that is, the tracing method, is performed using the tag based on the condition setting.

The following describes how an EKB is traced (followed) based on a leaf ID, with reference to FIG. FIG. 27 (a)
The device having the leaf key K1001 as shown in FIG. At this time, EKB
Has a configuration of an encryption key and a tag as shown in FIG. The EKB in FIG. 27B is used to revoke one device [1001] in FIG.
1, K10 and K100 are updated EKB.

By processing this EKB, all the leaves other than the revoke device [1001] can acquire the updated root key K (t) R. In other words, the leaf below the node key K0 holds the node key K0 that has not been updated in the device.
By decrypting nc (K0, K (t) R) with K0, an updated root key K (t) R can be obtained. Also,
Leafs below K11 use the unupdated K11 to decrypt Enc (K11, K (t) 1) by K11 to obtain an updated node key K (t) 1, and further, Enc (K (t ) 1, K (t) R) to K (t) 1
By decrypting, the updated root key can be obtained.
For the lower leaf of K101, the updated root key can be obtained in the same manner only by adding one decryption step.

Also, the leaf key K that has not been revoked
The device [1000] having 1000 decrypts Enc (K1000, K (t) 100) using its own leaf key, obtains K (t) 100, and sequentially decrypts the upper node keys to update the updated root key. Can be obtained.

Only the revoked device [1001] has the updated node key K (t) 1 one level above its own leaf.
Since 00 cannot be obtained by the EKB process, the updated root key K (t) R cannot be obtained after all.

A valid device that has not been revoked has a data part shown in FIG.
B is distributed from the EKB issuing authority and stored in the device.

The device to be revoked is the revoked device [ID = 100 in FIG.
After verifying the public key certificate of [1], the ID is obtained from the public key certificate.
To get. This ID is [1001] and indicates the leaf position of the EKB distribution tree configuration.

The device from which the ID [1001] is taken out is the device corresponding to the leaf of ID = 1001,
It is verified whether the device is set as a valid leaf device in KB. This verification is based on the leaf [10
01] is executed as a process of determining whether or not the updated root key K (t) R can be obtained.

For example, a non-updated node key (ex. FIG. 27)
If it is a leaf belonging to a lower level of (K0, K11, etc. in (a)), it is clear that it has not been revoked, it can be determined to be a valid device, and if it is a leaf belonging to a lower level of the updated node key, Whether or not the entity has been revoked can be determined based on whether or not the encrypted data from which the updated node key can be obtained is stored in the EKB.

As an example of the determination processing, an example in which the EKB tracking processing is performed based on the tag stored in the EKB will be described. The EKB tracing process is a process for determining whether or not the key distribution tree can be traced from a higher root key. For example, assuming that the ID [1001] of the leaf [1001] in FIG. 27 is [1], [0], [0], and [1], the tree is traversed in order from the most significant bit to the least significant bit.
If the bit is 1, it goes to the right, and if it is 0, it goes to the left.

From the route shown in FIG. 27A, the ID [100
1] is 1 and goes to the right. The first tag in the EKB is 0: {0, 0}, it is determined that both branches have data, and it proceeds to the right to reach K1. Next, the process proceeds to a node below K1. ID [1001]
Is the 0th bit and goes to the left. The tag indicating the presence / absence of data below K1 is 2: {0, 0} in FIGS. 27A and 27B, and it is determined that both branches have data, so that it proceeds to the left and reaches K10. Furthermore, ID [1
001] is 0 and proceeds to the left. K
The tag indicating the presence / absence of data lower than 10 is shown in FIG.
(B) 3: {0, 0}, it is determined that both branches have data, and the vehicle proceeds to the left to reach K100. Further, the least significant bit of ID [1001] is 1, and the process proceeds to the right. The tag indicating the presence / absence of data below K100 is 5: {0, 1} in FIGS. 27A and 27B, and has no data on the right side. Accordingly, it is determined that the device cannot be reached to the node [1001], and the device with the ID [1001] is determined to be a device that cannot acquire the updated root key by the EKB, that is, a revoked device.

For example, leaf key K100 shown in FIG.
The device ID having 0 is [1000]. When the EKB tracking process based on the tag in the EKB similar to the above, that is, the process of tracing the tree is executed, the node [1000]
Can be reached, so that the device is determined to be a valid device that has not been revoked and can acquire an updated root key by EKB.

In addition, for example, a node key that has not been updated, such as a lower leaf such as K0 or K11, cannot reach the leaf itself. In this case, it is possible to reach a terminal node that has not been updated. It is. A leaf below a node that has not been updated can perform EKB processing by using a node key that has not been updated, and can obtain an updated root key, so that it is a valid device. Whether or not the node key has not been updated can be determined by the tag corresponding to the node. The tags corresponding to the node keys K0, K11, and K101 that have not been updated are 1: {1, 1}, 4: {1, 1}, 6 ｛1,
1}, indicating that there are further lower nodes or leaves, but that there is no encryption key data in the EKB. These lower leaf devices are valid non-revoked valid devices. It is determined that there is.

The example shown in FIG. 27 is a revocation mode for only one device. However, as shown in FIG. 28, all leaf devices below a certain node can be revoked collectively. The EKB data (encryption key) and tag in this case are as shown in FIG.

For example, K10 whose device has been revoked
ID from public key certificate of leaf device corresponding to 00
If [1000] is acquired, this ID [100]
0] based on the EKB tag.

From the route shown in FIG.
0] is 1 and goes to the right. It is the first tag 0 in the EKB: {0, 0}, it is determined that both branches have data, and it proceeds to the right to reach K1. Next, the process proceeds to a node below K1. The second bit of ID [1000] is 0, and proceeds to the left. Tags indicating the presence / absence of data below K1 are shown in FIG. 13A and FIG.
{1, 0}, with no data on the left. Therefore, it cannot reach the node [1000]. At this time, the tag corresponding to the terminal node K1 is {1, 0}, not {1, 1} having no lower-order data.

The tag {1,0} has an updated K that can be decoded only at a lower node or leaf on the right side of K1.
This indicates that the encryption key data for obtaining 1 (t) is stored in the EKB.

As described above, when the last point reached based on the leaf ID is a node, and the corresponding tag of the last node has a value other than {1, 1}, the lower-order encryption key data In the EKB. In this case, the leaf device with that ID is EK
Since the root key updated by the process B cannot be obtained, it is determined that the device is a revoked device.

In this way, it is possible to determine whether or not the communication partner has been revoked, based on the leaf ID stored in the public key certificate obtained from the communication partner in the authentication processing.

FIG. 29 shows a processing flow of the revoke device determination processing using the EKB. Each step of the flow will be described. In step S351,
An ID is obtained from the public key certificate to be inspected. In step S352, based on the EKB tag using the acquired ID, a tracking process targeting the leaf or lead indicated by the ID is executed.

The tracking process is executed according to the procedure described with reference to FIGS. 27 and 28. As a result of the tracking processing, whether the leaf or the node indicated by the ID has been reached, or whether the EKB processing can be performed on the leaf or the node indicated by the ID even if the leaf or the node indicated by the ID cannot be reached, that is, the acquisition of the updated root key It is determined whether or not is possible (S35)
3).

If it is determined that the ID is at a position where EKB processing is possible, the process advances to step S354 to determine that the device corresponding to the ID is a valid device that has not been revoked. On the other hand, if it is determined that the ID is at a position where the EKB process cannot be performed, the process proceeds to step S355, and it is determined that the device corresponding to the ID is a revoked unauthorized device.

In the above tracking process, the tag portion of the EKB is used, but the data portion is not used. By using this, the size of the EKB for the revocation information can be reduced by using an EKB without a data part instead of the normal EKB shown in FIG. Of course, the normal EKB shown in FIG. 25 for protecting the content can be used to represent the revocation information.

As described above, it is verified whether or not the device that has recorded the content on the recording medium has been revoked by the revocation check according to the revocation list or the trace process of the EKB tree. The playback device continues the playback process of the content data on condition that it is verified that the device that recorded the content has not been revoked. In the reproduction process, as in the encryption and recording processes described with reference to FIG. 14, a disc unique key is generated from the media key and the disc ID, a title unique key is generated from the disc unique key and the title key. A block key is generated from the key and the block seed read from the recording medium, and decryption processing of the encrypted data read in blocks from the recording medium 200 is executed using the block key as a decryption key.

The outline of the reproduction process will be described with reference to the flowchart in FIG. First, in step S401, the playback device verifies the public key certificate and digital signature of the content recording device stored in the recording medium on which the content to be played is recorded. In the verification, first, the center signature of the public key certificate is executed using the public key of the center, and after the validity of the public key certificate is confirmed, the content recording device stored in the public key certificate is released. The key is taken out and the digital signature of the content recorder is verified. If all verifications are OK, the process proceeds to the next step. If any verification is NG, the subsequent steps are prohibited and the reproduction process is stopped.

Next, in step S402, a revocation check of the content recording device is executed. This revocation inspection is performed, for example, by checking the device I stored in the revocation list shown in FIG.
This is performed by checking whether there is a device that matches D and the device ID in the public key certificate. Alternatively, a tree search process using the above-described EKB tree configuration may be executed. If it is determined in step S402 that the content recording device has not been revoked, the process proceeds to the next step.
Subsequent step execution is prohibited, and the reproduction process is stopped.

If it is determined in step S402 that the content recording apparatus has not been revoked in step S402, the encrypted content is read from the recording medium in step S403.
At 404, decryption processing of the encrypted content is executed, and the content is reproduced.

As described above, in the process of reproducing the content stored in the recording medium, the revocation status of the content recording device is determined, and only the content recorded by the non-revoked device is reproduced.
It is possible to prevent illegally recorded contents from being distributed and used in a random manner. Also, the revocation determination is made based on the ID stored in the public key certificate, and its reliability is maintained.

Next, a detailed process in the case where the recorded content in which the digital signature is executed on the encrypted content is reproduced will be described with reference to FIG.

[0204] In step S501, the playback device reads the media key and the disc ID from the recording medium, and in step S502, reads the title key, digital signature, and public key certificate. If the signature and the public key certificate do not exist (S503: No), it is determined that the content is not a content obtained by a legitimate recording process, and the subsequent processes are stopped and the reproduction process ends.

When a signature and a public key certificate exist (S5
03: Yes), the public key certificate is verified in step S504. Verification of the public key certificate is executed using the public key of the center (certificate authority) that manages the issuance of the public key certificate held by the playback device. If the verification of the public key certificate is OK and its validity is confirmed, the process proceeds to the next step. If the validity verification is NG, the execution of the subsequent processing is stopped and the reproduction processing ends.

Next, in step S505, the identifier (I
D) is taken out and a revoke test is performed. The revoke inspection is executed by either the revoke list or the tree search process in FIG. If it is determined that there is no revocation of the content recording device, the process proceeds to the next step. If it is determined that there is revocation, execution of the subsequent processing is stopped and the reproduction processing ends.

Next, in S506, a disk unique key is generated using the media key and the disk ID. The disk-specific key is, for example, FIPS 180
-1 and a method using a hash function based on a block cipher (see FIG. 15).

Next, the flow advances to step S507, where the title key (Title) is set.
Key), and generates a title unique key from the read title key and the disc unique key (see FIG. 16).
I do.

[0209] In S508, the reproducing device reads the block data of the content data to be reproduced. In step S509, it is determined whether the read block is the first block. If the read block is the first block, the digital signature of the content recorder (recording device) generated for the first block is verified in step S510. Execute Verification of the digital signature is executed using the public key of the content recording device extracted from the public key certificate whose validity has been verified. If the verification of the digital signature is OK and its validity is confirmed, the process proceeds to the next step. When the validity verification is NG, the subsequent processing is stopped and the reproduction processing ends.

In step S511, a block key as a key for decrypting the data of the block is generated from the first 32 bits (block seed including ATS) of the block data and the title unique key generated in S507 (FIG. 17). refer.

At S512, block data is decrypted using the block key. The decoding algorithm is, for example,
DES (Data Encryption Stand) specified in FIPS 46-2
ard) applies.

At S513, it is determined whether all data has been read. If all data has been read, the reproduction process ends. If all data has not been read, the process returns to S508 to execute the processing of the remaining data.

As described above, the verification of the public key certificate, the determination of revocation of the content recording apparatus, and the verification of the digital signature for the block data of the encrypted content are sequentially executed. The validity is determined, and the decryption and reproduction processing of the encrypted content from the recording medium is executed.

Next, referring to FIG. 32, a detailed process in the case of reproducing recorded content in which a digital signature has been executed on a title key will be described.

[0215] In step S601, the playback device reads the media key and the disc ID from the recording medium, and in step S602, reads the title key, digital signature, and public key certificate. If the signature and the public key certificate do not exist (S603: No), it is determined that the content is not a content obtained by a legitimate recording process, and the subsequent processes are stopped and the reproduction process ends.

When the signature and the public key certificate exist (S6
03: Yes), the public key certificate is verified in step S604. Verification of the public key certificate is executed using the public key of the center (certificate authority) that manages the issuance of the public key certificate held by the playback device. If the verification of the public key certificate is OK and its validity is confirmed, the process proceeds to the next step. If the validity verification is NG, the execution of the subsequent processing is stopped and the reproduction processing ends.

Next, in step S605, the identifier (I) of the recording device that has executed the content recording from the public key certificate.
D) is taken out and a revoke test is performed. The revoke inspection is executed by either the revoke list or the tree search process in FIG. If it is determined that there is no revocation of the content recording device, the process proceeds to the next step. If it is determined that there is revocation, execution of the subsequent processing is stopped and the reproduction processing ends.

Next, the content recorder (recorder) executed for the title key in step S606
Performs digital signature verification for. Verification of the digital signature is executed using the public key of the content recording device extracted from the public key certificate whose validity has been verified. If the verification of the digital signature is OK and the validity is confirmed, the process proceeds to the next step. If the validity verification is NG, the execution of the subsequent processing is stopped and the reproduction processing ends.

Next, in S607, a disk unique key is generated using the media key and the disk ID. The disk-specific key is, for example, FIPS 180
-1 and a method using a hash function based on a block cipher (see FIG. 15).

Next, the flow advances to S 608 for title key (Title).
Key), and generates a title unique key from the read title key and the disc unique key (see FIG. 16).
I do.

In S609, the reproducing device reads out the block data of the content data to be reproduced. Step S
In 610, the first 32 bits (AT
From the block seed including S and the title unique key generated in S608, a block key that is a key for decrypting the data of the block is generated (see FIG. 17).

At S611, block data is decrypted using the block key. The decoding algorithm is, for example,
DES (Data Encryption Stand) specified in FIPS 46-2
ard) applies.

In S612, it is determined whether all data has been read. If all data has been read, the reproduction process ends. If all data has not been read, the process returns to S609 to execute processing of the remaining data.

As described above, the verification of the public key certificate, the judgment of revocation of the content recording device, and the verification of the digital signature for the title key of the encrypted content are sequentially executed. The validity is determined, and the decryption and reproduction processing of the encrypted content from the recording medium is executed.

As described above, in the encryption processing at the time of recording content data on the recording medium and the decryption processing at the time of reproduction from the recording medium, the media key is calculated based on the EKB, and the calculated media key is Based on another identifier or the like, a key for content encryption processing or a key for decryption processing is generated.

In the above-described example, a configuration has been described in which a key used for encryption processing and decryption processing of content data is generated using a media key. Master key,
Alternatively, a configuration may be adopted in which a device key unique to a recording / reproducing device is acquired from the EKB, and a key used for encrypting and decrypting content data is generated based on the device key. Further, a media key obtained from the EKB,
It is also possible to apply the master key or the device key itself as a key used for encrypting and decrypting content data.

As described above, in the present invention, the recording / reproducing apparatus records its own digital signature and public key certificate together with the data when recording the data on the information recording medium. This ensures that when recording information,
Since the proof of which recording device was recorded is always recorded together with the data, even if a recording medium containing illegally recorded data is distributed, it is possible to specify which recording device recorded it. Therefore, it can be excluded from the system.

Further, when the recording / reproducing apparatus reads out the data, it checks the validity of the digital signature and the public key certificate, and reads out the data after confirming that the recording apparatus has not been revoked from the system. .
As a result, an attack that prevents an unauthorized recording device from recording a digital signature on unauthorized recording data is made useless, and data recorded by an unauthorized device is not reproduced by an authorized device. By doing so, the removal of unauthorized devices from the system is performed more strongly.

[Copy Control in Recording Process] In order to protect the interests of the copyright holder of the content, it is necessary to control the copy of the content in the licensed device.

That is, when recording contents on a recording medium, it is necessary to check whether the contents can be copied (copiable) and record only the contents that can be copied. is there. When reproducing and outputting the content recorded on the recording medium, it is necessary to prevent the output content from being illegally copied later.

Therefore, the processing of the recording / reproducing apparatus shown in FIG. 1 when recording and reproducing the content while performing such copy control of the content will be described with reference to FIGS. 33 and 34.
This will be described with reference to the flowchart of FIG.

First, when recording the content of a digital signal from the outside on a recording medium, FIG.
A recording process is performed according to the flowchart of FIG. The processing in FIG. 33A will be described. The recording / reproducing apparatus 100 of FIG. 1 will be described as an example. If the content of the digital signal (digital content) is, for example, IEEE13
When supplied to the input / output I / F 120 via a serial bus or the like, in step S701, the input / output
20 receives the digital content, and proceeds to step S702.

In the step S702, the input / output I / F 12
0 determines whether the received digital content can be copied. That is, for example, the input / output I / F
If the content received by the H.120 is not encrypted (for example, if the plaintext content is supplied to the input / output I / F 120 without using the DTCP described above),
The content is determined to be copyable.

[0234] Further, it is assumed that the recording / reproducing apparatus 100 is an apparatus conforming to DTCP, and the processing is executed according to DTCP. In DTCP, 2-bit EMI (Encryption) as copy control information for controlling copying is used.
ion Mode Indicator) is defined. EMI is 00
If the content is B (B indicates that the previous value is a binary number), the content is copy-free.
ly), and if the EMI is 01B, it indicates that the content cannot be copied any more (No-more-copies). further,
If the EMI is 10B, it indicates that the content can be copied only once (Copy-one-generation), and if the EMI is 11B, the content is prohibited from being copied. This is a thing (Copy-never).

An input / output I / F 120 of the recording / reproducing apparatus 100
EMI is included in the signal supplied to the
If it is py-freely or Copy-one-generation, the content is determined to be copyable. Also, EMI
Is No-more-copies or Copy-never, it is determined that the content cannot be copied.

If it is determined in step S702 that the content cannot be copied, step S703 is performed.
Steps S705 to S705 are skipped, and the recording process ends. Therefore, in this case, the content is not recorded on the recording medium 10.

If it is determined in step S702 that the content can be copied, the process proceeds to step S702.
Proceeding to step 703, in steps S703 to S705, processing similar to the processing in steps S12, S13, and S14 in FIG. 3A is performed. That is, A for the transport packet by the TS processing means 300
The encryption processing in the TS addition and encryption processing means I50 is executed, and the encrypted content obtained as a result is recorded on the recording medium 195, and the recording processing ends.

The EMI is included in the digital signal supplied to the input / output I / F 120. When the digital content is recorded, the EMI is copied together with the digital content in the same manner as the EMI or EMI. Information indicating the control state (for example, embedded CCI in DTCP) is also recorded.

At this time, generally, Copy-One-Generatio
The information indicating n should be No-
Converted to more-copies and recorded.

In the recording / reproducing apparatus of the present invention, the EMI or
Copy control information such as embedded CCI is recorded in a form added to the TS packet. That is, as shown in Example 2 and Example 3 of FIG. 10, the ATS is for 24 to 30 bits, and 32 bits including the copy control information are added to each T as shown in FIG.
Add to S packet.

The contents of the analog signal from the outside are
When recording on a recording medium, a recording process is performed according to the flowchart of FIG. FIG.
The process (B) will be described. When the content of the analog signal (analog content) is supplied to the input / output I / F 140, the input / output I / F 140 executes the processing in step S71.
In step 1, the analog content is received, and the process advances to step S712 to determine whether the received analog content can be copied.

Here, the determination processing in step S712 is as follows.
For example, a signal received by the input / output I / F 140 includes a Macrovision signal or a CGMS-A (Copy Gen.
eration Management System-Analog) signal. That is, when a macro vision signal is recorded on a VHS video cassette tape,
This is a signal that causes noise, and this is the input / output I / F
If it is included in the signal received at 140, it is determined that the analog content is not copyable.

For example, the CGMS-A signal is a CGMS signal used for digital signal copy control.
A signal applied to analog signal copy control, whose content is copy-free (Copy-free), which can be copied only once (Copy-one-generation), or whose copy is prohibited (Copy-free). never).

Therefore, the CGMS-A signal is input / output I / O
Included in the signal received at F140 and the CGMS
If the -A signal indicates Copy-freely or Copy-one-generation, it is determined that the analog content can be copied. Also, the CGMS-A signal is used for Copy-n
If it represents ever, it is determined that the analog content cannot be copied.

Further, for example, the macro vision signal also
If the CGMS-A signal is not included in the signal received at the input / output I / F 4, it is determined that the analog content can be copied.

If it is determined in step S712 that analog content cannot be copied, steps S713 to S717 are skipped, and the recording process ends. Therefore, in this case, the content is not recorded on the recording medium 10.

If it is determined in step S712 that analog content can be copied, the flow advances to step S713.
At 717, steps S22 to S2 in FIG.
6, the contents are converted into digital data, MPEG encoded, TS processed,
The data is encrypted and recorded on the recording medium, and the recording process ends.

When the analog signal received by the input / output I / F 140 includes the CGMS-A signal,
When recording analog content on a recording medium, the CGMS-A signal is also recorded on the recording medium. That is,
In the CCI or other information part shown in FIG.
This signal is recorded. At this time, generally, Copy-One
-Generation information is converted to No-more-copies and recorded so that no further copying is allowed. However, in the system, for example, "Copy-one-generation
Is recorded without being converted to No-more-copies, but is not limited to this rule when a rule such as "handle as No-more-copies" is determined.

[Copy Control in Reproduction Processing] Next, in the case where the content recorded on the recording medium is reproduced and output to the outside as digital content, FIG.
The reproduction process is performed according to the flowchart of FIG. The processing in FIG. 34A will be described. First, in steps S801, S802, and S803,
Processing similar to the processing in steps S31, S32, and S33 of FIG. 4A is performed, whereby the encrypted content read from the recording medium is decrypted by the encryption processing unit 150, and the TS processing is performed. You. The digital content subjected to each process is supplied to the input / output I / F 120 via the bus 110.

The input / output I / F 120 determines in step S804
In, the digital content supplied there,
It is determined whether or not it can be copied later. That is, for example, when the digital content supplied to the input / output I / F 120 does not include EMI or information (copy control information) indicating a copy control state like EMI, the content is copied later. It is determined that it is possible.

Further, for example, when the digital content supplied to the input / output I / F 120 includes EMI,
Therefore, when the EMI is recorded in accordance with the DTCP standard when recording the content, if the EMI (Recorded EMI) is Copy-freely, the digital content is copied later. It is determined that it is possible. Also, EMI is No-more-
When the content is a copy, it is determined that the content cannot be copied later.

Generally, the recorded EMI is
There is no copy-one-generation or copy-never. C
opy-one-generation EMI recorded No-more-copies
This is because digital content that has been converted to EMI and has Copy-never EMI is not recorded on the recording medium.
However, in the system, for example, "Copy-one-generat
The copy control information of the ion is recorded without being converted to No-more-copies, but is not limited to this rule if a rule such as "handle as No-more-copies" is determined.

If it is determined in step S804 that the content can be copied later, the process proceeds to step S805, where the input / output I / F 120 outputs the digital content to the outside and ends the reproduction process. I do.

If it is determined in step S804 that the content cannot be copied later, the process advances to step S806, where the input / output I / F 120
For example, in accordance with the DTCP standard or the like, the digital content is output to the outside in such a manner that the digital content will not be copied later, and the reproduction process ends.

That is, for example, as described above, when the recorded EMI is No-more-copies (or in the system, for example, “Copy-one-generation copy control information is stored in No-more-copies. Record without conversion,
No-more-copies are handled, and the EMI recorded under that condition is Copy-one-gener
), the content is not allowed to be copied further.

Therefore, the input / output I / F 120 has the DTC
In accordance with the P standard, mutual authentication is performed with the partner device, and when the partner is a legitimate device (here, DTC
If the device complies with the P standard), the digital content is encrypted and output to the outside.

Next, when the content recorded on the recording medium is reproduced and output as analog content to the outside, a reproduction process according to the flowchart of FIG. 34B is performed. The processing in FIG. 34B will be described. In steps S811 to S815, processing similar to the processing in steps S41 to S45 in FIG. 4B is performed. That is, reading of encrypted contents, decryption processing, TS processing, MPEG decoding, D /
A conversion is performed. The analog content thus obtained is received by the input / output I / F 140.

The input / output I / F 140 performs the processing in step S816
In, it is determined whether or not the content supplied thereto can be copied later. That is, for example, when copy control information such as EMI is not recorded in the recorded content, it is determined that the content can be copied later.

When recording content, for example, DT
When EMI or copy control information is recorded in accordance with the CP standard and the information is Copy-freely, it is determined that the content can be copied later.

If the EMI or copy control information is No
-more-copies, or in the system, for example, "Copy-one-generation copy control information is N
Record without converting to o-more-copies, but no-more-copies
EMI or copy control information recorded under that condition
If the content is ne-generation, it is determined that the content cannot be copied later.

Further, for example, when the CGMS-A signal is included in the analog content supplied to the input / output I / F 140, and therefore, when the CGMS-A signal is recorded together with the content at the time of recording the content,
When the CGMS-A signal is Copy-freely, it is determined that the analog content can be copied later. In addition, the CGMS-A signal is a Copy-nev
When it is er, it is determined that the analog content cannot be copied later.

If it is determined in step S816 that the content can be copied later, the process proceeds to step S817, where the input / output I / F 140 outputs the analog signal supplied thereto as it is to the outside and reproduces it. The process ends.

If it is determined in step S 816 that the content cannot be copied later, the process proceeds to step S 818, where the input / output I / F 140 converts the analog content in such a manner that the analog content is not copied later. To output to the outside and end the reproduction process.

That is, for example, as described above, when the recorded copy control information such as EMI is No-more-copies (or in the system, for example, “Copy-one-g
Eneration copy control information is recorded without conversion to No-more-copies, but it is treated as No-more-copies. "
If the copy control information such as I is Copy-one-generation), further copying of the content is not allowed.

For this reason, the input / output I / F 140 adds analog content to the analog content, for example, a GCMS-A signal indicating Copy-never, and outputs the analog content to the outside. Also, for example, the recorded CGMS-A
Even if the signal is copy-never, no further copying of the content is allowed. Therefore, the input / output I / F
140 changes the CGMS-A signal to Copy-never,
Output to the outside together with analog content.

As described above, by recording and reproducing the content while controlling the copy of the content,
It is possible to prevent a copy (illegal copy) out of the range permitted for the content from being made.

[Configuration of Data Processing Means] The above-described series of processing can be performed not only by hardware but also by software. That is, for example, the encryption processing unit 150 can be configured as an encryption / decryption LSI, but can also be configured to execute a program by a general-purpose computer or a one-chip microcomputer. . Similarly, the TS processing means 300 can execute the processing by software. When a series of processing is performed by software, a program constituting the software is installed in a general-purpose computer, a one-chip microcomputer, or the like. FIG. 35 illustrates a configuration example of an embodiment of a computer on which a program for executing the above-described series of processes is installed.

The program is stored in a hard disk 2005 or a ROM as a recording medium built in the computer.
2003 can be recorded in advance. Or,
Program is floppy (registered trademark) disk, CD-
ROM (Compact Disc Read Only Memory), MO (Magnet
o optical) Disc, DVD (Digital Versatile Dis)
c) It can be temporarily or permanently stored (recorded) in a removable recording medium 2010 such as a magnetic disk or a semiconductor memory. Such a removable recording medium 2010 can be provided as so-called package software.

The program can be installed in the computer from the removable recording medium 2010 as described above, can be wirelessly transferred from the download site to the computer via a digital satellite broadcasting artificial satellite, or can be transmitted to a LAN (Local Area Network). ), Via a network such as the Internet, by wire to a computer, the computer can receive the transferred program in the communication unit 2008 and install it on the built-in hard disk 2005.

The computer has a CPU (Central Process).
ing Unit) 2002. The CPU 2002 has an input / output interface 20 via a bus 2001.
11 is connected, and the CPU 2002 operates the input unit 2007 including a keyboard and a mouse by the user via the input / output interface 2010 to input a command.
A program stored in a ROM (Read Only Memory) 2003 is executed.

Alternatively, the CPU 2002 executes a program stored in the hard disk 2005, a program transferred from a satellite or a network, received by the communication unit 2008 and installed in the hard disk 2005, or a removable recording medium 2010 mounted in the drive 2009. The program read from the hard disk 2005 and installed in the hard disk 2005 is stored in the RAM (R
andom Access Memory) 2004 and executed.

As a result, the CPU 2002 performs the processing according to the above-described flowchart or the processing performed by the configuration of the above-described block diagram. And C
The PU 2002 transmits the processing result to the LCD (L / L) via the input / output interface 2011 as needed, for example.
output from an output unit 2006 composed of an Id CryStal Display) and a speaker, or transmitted from the communication unit 2008, and further recorded on the hard disk 2005.

Here, in this specification, processing steps for writing a program for causing a computer to perform various processing do not necessarily have to be processed in chronological order in the order described in the flowchart, and may be performed in parallel. Alternatively, it also includes processing executed individually (for example, parallel processing or processing by an object).

The program may be processed by one computer or may be processed by a plurality of computers in a distributed manner. Further, the program may be transferred to a remote computer and executed.

In the present embodiment, the block for encrypting / decrypting the content has been mainly described by way of an example in which one chip of an encryption / decryption LSI is used. Can be realized as, for example, one software module executed by the CPU 170 shown in FIG. Similarly, the processing of the TS processing unit 300 can be realized as one software module executed by the CPU 170.

The present invention has been described in detail with reference to the specific embodiments. However, it is obvious that those skilled in the art can modify or substitute the embodiment without departing from the spirit of the present invention. That is, the present invention has been disclosed by way of example, and should not be construed as limiting. In order to determine the gist of the present invention, the claims described at the beginning should be considered.

[0277]

As described above, according to the configuration of the present invention, the information recording apparatus records its own digital signature and public key certificate together with the data when recording the data on the information recording medium. Thus, when information is recorded, evidence of which recording device has recorded the information is always recorded together with the data. The information reproducing apparatus checks the validity of the signature and the public key certificate before the decryption processing of the content, specifies the content recorder, and sets the public key certificate,
Check that the digital signature has not been tampered with. With this configuration, the use (reproduction) of the recorded content by an unauthorized recording device can be efficiently excluded. Further, even if a recording medium containing illegally recorded data is distributed, it is possible to specify which recording device has recorded the recording medium, and thus it is possible to exclude the recording medium from the system.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration example of an information recording / reproducing apparatus according to the present invention.

FIG. 2 is a diagram showing an example of a public key certificate applied in the information recording / reproducing apparatus of the present invention.

FIG. 3 is a diagram showing a data recording processing flow of the information recording / reproducing apparatus of the present invention.

FIG. 4 is a diagram showing a data reproducing process flow of the information recording / reproducing apparatus of the present invention.

FIG. 5 is a diagram illustrating a data format processed in the information recording / reproducing apparatus of the present invention.

FIG. 6 is a block diagram showing a configuration of a transport stream (TS) processing means in the information recording / reproducing apparatus of the present invention.

FIG. 7 is a diagram illustrating a configuration of a transport stream processed in the information recording / reproducing device of the present invention.

FIG. 8 is a block diagram showing a configuration of a transport stream (TS) processing means in the information recording / reproducing apparatus of the present invention.

FIG. 9 is a block diagram showing a configuration of a transport stream (TS) processing means in the information recording / reproducing apparatus of the present invention.

FIG. 10 is a diagram showing a configuration example of block data as additional information of block data processed in the information recording / reproducing apparatus of the present invention.

FIG. 11 is a tree configuration diagram illustrating an EKB distribution process for the information recording / reproducing device of the present invention.

FIG. 12 is a diagram showing an example of an EKB used for key distribution to the information recording / reproducing device of the present invention.

FIG. 13 is a diagram illustrating an example of distribution and an example of decryption processing using an EKB of a media key in the information recording / reproducing apparatus of the present invention.

FIG. 14 is a block diagram illustrating encryption processing during data recording processing using a media key in the information recording / reproducing apparatus of the present invention.

FIG. 15 is a diagram illustrating an example of generating a disc-specific key applicable to the information recording / reproducing apparatus of the present invention.

FIG. 16 is a diagram showing an example of processing for generating an applicable title unique key in the information recording / reproducing apparatus of the present invention.

FIG. 17 is a diagram illustrating a method of generating a block key applicable to the information recording / reproducing apparatus of the present invention.

FIG. 18 is a block diagram illustrating encryption processing during data recording processing in the information recording / reproducing apparatus of the present invention.

FIG. 19 is a flowchart illustrating a process of generating a signature for encrypted content and recording data in the information recording / reproducing apparatus of the present invention.

FIG. 20 is a diagram showing a configuration example of a table for managing correspondence between encrypted content recorded in the information recording / reproducing apparatus of the present invention, a public key certificate, a signature, and the like.

FIG. 21 is a flowchart illustrating a process of generating a signature for a title key and recording data in the information recording / reproducing apparatus of the present invention.

FIG. 22 is a block diagram illustrating decoding processing during data reproduction processing in the information recording / reproducing apparatus of the present invention.

FIG. 23 is a diagram showing a configuration example of a revocation table used in the information recording / reproducing apparatus of the present invention.

FIG. 24 is a diagram for explaining processing when an EKB distribution tree is applied to an inspection of a revoked device in the information recording / reproducing apparatus of the present invention.

FIG. 25 is a diagram showing a format example of an enabling key block (EKB) applicable to the information recording / reproducing apparatus of the present invention.

FIG. 26 is a diagram illustrating a configuration of a tag of an enabling key block (EKB).

FIG. 27 is a diagram (Example 1) for describing an EKB tracking process for revolute ity determination.

FIG. 28 is a diagram (example 2) illustrating an EKB tracking process for revolute ity determination.

FIG. 29 is a flowchart illustrating an EKB tracking process for determining a revoluteness.

FIG. 30 is a flowchart illustrating processing for verifying a signature and reproducing data in the information recording / reproducing apparatus of the present invention.

FIG. 31 is a flowchart illustrating processing for verifying a signature on an encrypted content and reproducing data in the information recording / reproducing apparatus of the present invention.

FIG. 32 is a flowchart illustrating processing for verifying a signature for a title key and reproducing data in the information recording / reproducing apparatus of the present invention.

FIG. 33 is a flowchart illustrating copy control processing during data recording processing in the information recording / reproducing apparatus of the present invention.

FIG. 34 is a flowchart illustrating copy control processing during data reproduction processing in the information recording / reproducing apparatus of the present invention.

FIG. 35 is a block diagram showing a configuration of a processing unit when executing data processing by software in the information recording / reproducing apparatus of the present invention.

[Explanation of symbols]

 Reference Signs List 100 recording / reproducing device 110 bus 120 input / output I / F 130 MPEG codec 140 input / output I / F 141 A / D, D / A converter 150 encryption processing means 160 ROM 170 CPU 180 memory 190 drive 200 recording medium 210 recording medium I / F F 300 TS processing means 600,607 terminal 602 bit stream parser 603 PLL 604 time stamp generation circuit 605 block seed addition circuit 606 smoothing buffer 800,806 terminal 801 block seed separation circuit 802 output control circuit 803 comparator 804 timing generation circuit 805 27MHz Clock 901, 904, 913 Terminal 902 MPEG video encoder 903 Video stream buffer 905 MPEG audio encoder 9 6 Audio stream buffer 908 Multiplexing scheduler 909 Transport packet encoder 910 Arrival time stamp calculating means 911 Block seed adding circuit 912 Smoothing buffer 976 Switch 1001 Version 1002 Depth 1003 Data pointer 1004 Tag pointer 1005 Signature pointer 1006 Data part 1007 Tag part 1008 signature 2001 bus 2002 CPU 2003 ROM 2004 RAM 2005 hard disk 2006 output unit 2007 input unit 2008 communication unit 2009 drive 2010 Removable recording medium 2011 input / output interface

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] February 5, 2002 (2002.2.5)

[Procedure amendment 1]

[Document name to be amended] Drawing

[Correction target item name] Fig. 1

[Correction method] Change

[Correction contents]

FIG.

Claims (24)

[Claims] An information reproducing apparatus that reproduces information from a recording medium, executes a process of verifying a public key certificate of an encrypted content recording entity stored in the recording medium, and confirms the validity of the public key certificate. That the public key of the content recording subject is obtained from the certificate, the digital signature of the content recording subject is verified based on the obtained public key, and as a result of the verification, the validity of the signature is confirmed. An information reproducing apparatus characterized in that a decryption process of an encrypted content is executed on condition of: 2. The cryptographic processing means executes verification processing of a digital signature of a content recording subject generated with the content of the encrypted content stored in the recording medium as a signature target, and as a result of the verification, 2. The information reproducing apparatus according to claim 1, wherein a decryption process of the encrypted content is executed on condition that the validity is confirmed. 3. The cryptographic processing means executes a verification process of a digital signature of a content recording subject generated with a title key set corresponding to the encrypted content stored on the recording medium as a signature target,
2. The information reproducing apparatus according to claim 1, wherein the decryption processing of the encrypted content is executed on condition that the validity of the signature is confirmed as a result of the verification. 4. The information processing apparatus has a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information reproducing apparatuses as leaves and a leaf key unique to each information reproducing apparatus. The means executes decryption of an activation key block (EKB) composed of encryption processing data of an upper key by a lower key on a path of a key tree based on a key built in the information reproducing apparatus, and stores the data in the recording medium. 2. The information reproducing apparatus according to claim 1, wherein the information reproducing apparatus has a configuration for acquiring decryption key generation data necessary for decryption processing of the encrypted data. 5. The decryption key generation data is a master key common to a plurality of information reproducing devices or a media key unique to a recording medium.
An information reproducing apparatus according to claim 1. 6. An information recording apparatus for recording information on a recording medium, comprising encryption processing means for executing encryption processing of content stored in the recording medium, wherein the encryption processing means records the stored content. An information recording apparatus having a configuration for generating a digital signature of a subject and executing a process of storing the encrypted content, the digital signature, and the public key certificate of the encrypted content recording subject in a recording medium in association with each other. . 7. The information recording apparatus according to claim 1, wherein the information recording apparatus generates a management table in which stored contents, a digital signature, and an address of a public key certificate are associated with each other, and stores the management table in the recording medium. The information recording apparatus according to claim 6, wherein: 8. The encryption processing means executes a digital signature generation process of a content recording subject with the content of the encrypted content stored in the recording medium as a signature target, and stores the generated signature in association with the storage content. 7. The configuration according to claim 6, wherein
An information recording device according to claim 1. 9. The cryptographic processing means executes a process of generating a digital signature of a content recording subject with a title key set corresponding to the encrypted content stored in the recording medium as a signature target, and executes the generated signature. The information recording apparatus according to claim 6, wherein the information recording apparatus is configured to store the content in association with the stored content. 10. The information recording apparatus has a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information recording apparatuses as leaves and a leaf key unique to each information recording apparatus. The means executes decryption of an enabling key block (EKB) composed of encryption processing data of an upper key by a lower key on a path of a key tree based on a key built in the information recording device, and stores the data in the recording medium. 7. The information recording apparatus according to claim 6, wherein the information recording apparatus has a configuration for acquiring encryption key generation data necessary for encrypting data to be encrypted. 11. The information recording apparatus according to claim 10, wherein said encryption key generation data is a master key common to a plurality of information recording apparatuses or a media key unique to a recording medium. 12. An information reproducing method for reproducing information from a recording medium, comprising: a public key certificate verifying step of executing a process of verifying a public key certificate of an encrypted content recording entity stored in the recording medium; A signature verification step of acquiring the public key of the content recording subject from the confirmed public key certificate, and executing a digital signature verification process of the content recording subject based on the acquired public key; Executing a decryption process of the encrypted content on condition that the validity of the signature is confirmed as a result of the above. 13. The signature verifying step in the information reproducing method includes a step of performing a process of verifying a digital signature of a content recording subject generated with the content of the encrypted content stored in the recording medium as a signature target. 13. The information reproducing method according to claim 12, wherein the decryption processing of the encrypted content is executed on condition that the validity of the signature is confirmed as a result of the verification. 14. The signature verifying step in the information reproducing method, wherein the digital signature of the content recording entity generated using the title key set corresponding to the encrypted content stored in the recording medium as a signature target is verified. 13. The information reproducing method according to claim 12, further comprising a step of executing a process, wherein the decryption process of the encrypted content is executed on condition that the validity of the signature is confirmed as a result of the verification. 15. The information reproducing method according to claim 1, further comprising the steps of: 2. A process for executing decryption of a key block (EKB) to acquire decryption key generation data necessary for decryption of encrypted data stored in the recording medium.
2. The information reproducing method according to 2. 16. An information recording method for recording information on a recording medium, comprising: an encryption processing step of performing an encryption processing of a content stored in the recording medium; and a step of generating a digital signature of a recording entity of the stored content. And storing the encrypted content, the digital signature, and the public key certificate of the encrypted content recording subject in a recording medium in association with each other. 17. The information recording method further includes a step of generating a management table in which stored contents, a digital signature, and an address of a public key certificate are associated, and storing the management table in the recording medium. The information recording method according to claim 16. 18. The information recording method according to claim 1, further comprising: generating a digital signature of the content recording subject with the content of the encrypted content stored in the recording medium as a signature target, and associating the generated signature with the stored content. 17. The information recording method according to claim 16, wherein the information is stored. 19. The information recording method according to claim 1, further comprising: executing a digital signature generation process of the content recording subject with a title key set corresponding to the encrypted content stored in the recording medium as a signature target. 17. The information recording method according to claim 16, wherein the signature is stored in association with the stored content. 20. The information recording method, further comprising: a node key unique to each node constituting a hierarchical key tree structure having a plurality of different information recording devices built in the information recording device as leaves; Performing a process of decrypting an activation key block (EKB) based on the leaf key to obtain encryption key generation data necessary for an encryption process of data stored in the recording medium. Item 16. An information recording method according to Item 16. 21. An information recording medium storing an encrypted content, wherein identification data of a recording entity recording the encrypted content, a public key certificate of the recording entity, and a digital signature of the recording entity are stored. An information recording medium characterized in that: 22. The information recording medium according to claim 21, wherein said information recording medium further stores a management table in which stored contents, a digital signature, and an address of a public key certificate are associated with each other. 23. A program storage medium storing a computer program for causing a computer system to execute an information reproduction process for reproducing information from a recording medium, wherein the computer program comprises an encryption program stored in the recording medium. A public key certificate verifying step of performing a verification process of the public key certificate of the encrypted content recording subject; and acquiring the public key of the content recording subject from the public key certificate whose validity has been confirmed. A signature verification step of executing a digital signature verification process of the content recording entity based on the key; and a decryption process of the encrypted content on condition that the signature is verified as a result of the signature verification. And a program storage medium comprising: 24. A program storage medium storing a computer program for causing an information recording process for recording information on a recording medium to be executed on a computer system, wherein the computer program comprises a content stored on the recording medium. Encrypting the stored content, generating a digital signature of the recording entity of the stored content, and recording the encrypted content, the digital signature, and the public key certificate of the encrypted content recording entity in association with each other. Storing on a medium, the program storage medium.