JP2002278447A - Enciphering method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible for a viewer to view 'copy-inhibited' contents only once when he/she desires. SOLUTION: The seed of a cryptographic key for enciphering a specified unit block is based on the information in which one or a plurality of unit blocks precedent to a specified block in the order of reproduction or one or a plurality of unit blocks precedent to the specified block are ciphered, and the head of the unit block is at least one of the GOP(Group of Picture) of MPEG video, a single audio frame of MPEG audio, a PES packet of an MPEG system layer, a TS packet group of the MPEG system layer, an information group recorded in a single track of a tape medium, an information group recorded in a single sector of a disk medium, and an information group recorded in an ECC block of media constituting the ECC.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption method for encrypting content having a parental level.

[0002]

2. Description of the Related Art Conventionally, contents such as video and audio are recorded on a tape recording medium such as a video tape or an audio tape, or recorded on a disk recording medium such as a CD or DVD. There has been a problem that contents recorded on the medium are illegally copied by dubbing or the like.

[0003] In addition, a digital system has been adopted when recording contents such as video and audio, and in addition to the above-described recording on a medium, contents have been distributed by data distribution or the like. Prevention of unauthorized copying is becoming more important.

Next, a method of restricting copying of digital content data will be described. In recent years, as described above, digital distribution of video and audio has become widespread, and content providers that distribute content have placed restrictions on digital content data, such as “copy prohibited” and “copy once”. . In such digital content data, by inserting a copy guard signal into the content, when copying is attempted, the effect is obtained that the video of the copied content is disturbed.

As a typical copy guard adopting such a method, there is a so-called macro vision system (pseudo sync pulse system, color stripe system). This is because even if this content is recorded by recording a certain signal in a specific part of the analog signal of the content that is restricted by "copy prohibition", the recording device recognizes the signal incorporated in the specific part and records it. To do
This is a method in which when the screen after copying is reproduced, the screen becomes unbearable due to the influence of the signal described above. In addition, even if a digital recording device attempts to record a content that adopts this type of copy guard, the recording device recognizes this signal and cannot record. This method is adopted for digital broadcast PPV (Pay Per View) programs.

However, in this type of copy guard, copying can be performed in a normal state only by removing a signal that disturbs the screen, and devices for avoiding the copy guard have been commercially available.

[0007] In addition, with respect to contents which are restricted to "copy once", copy generation is managed to prevent copying more than a specified number of times. A representative example of this method is CGMS (Copy Generation).
Management System). this is,
A specific digital signal (1. copy not allowed, 2. copy one generation allowed,
3. In this method, the digital recording device identifies this signal and restricts copying so as to indicate a specific digital signal incorporated in the content. The CGMS method is also used for copy generation management of MD (mini disc).

However, in the CGMS system, the copy guard can be released by rewriting the flag relating to the copy generation from "copy impossible" to "copy permitted".

[0009] In view of the above, in a DVD, digital content data itself is encrypted and recorded on a medium. Therefore, even if the data is to be taken out as it is, the encrypted content is taken out. Further, since it is difficult to take out the encryption key, it is difficult to copy the digital signal which is not actually encrypted. It became difficult.

[0010] One such encryption method, DE
The S (Data Encryption Standard) will be described.
DES is a block cipher that has a 64-bit size for plaintext (original text), ciphertext, and encryption key. However, since the encryption key uses 8 bits out of 64 bits for parity, the substantial length of the encryption key is 56 bits.

FIG. 1 shows the basic configuration of the DES. After the bits are exchanged so that each adjacent bit of the plaintext is substantially 32 bits apart, the same conversion of 16 stages is repeatedly applied. In each stage, the upper 32
L _n-1 of bits and R _n-1 of lower 32 bits are grouped together, and converted into L _n and R _n using a 48-bit key K _n input from the key generation unit. Output to the next stage. Then, after exchanging L ₁₆ and R ₁₆ of the output of the 16th stage, each bit is replaced by IP- ¹ , and the ciphertext is output. On the other hand, the key is
The parity pits of the bits are removed, and the remaining 56 bits are replaced.

Thereafter, the upper 28 bits C _n and the lower 28 bits are used.
The shift is set to 1 with D _n of the bits as a unit.
While repeating the six steps, a key _Kn is created for each step. Figure 1
The conversion unit of 16 stages which is a basic unit of DES shown in FIG. 2 has a structure shown in FIG. 2 in each stage, and the input (L
_{n-1, R n-1} ) and the next stage output (L _n, R _n) satisfy the following relationship. L = R _n-1 , R _n = L _n-1 EXORf (R _n-1 , K _n ) Here, EXOR indicates an exclusive OR, and the function f (R _n-1 , K _n ) is , And the structure shown in FIG.

The input R _n-1 to the f function consists of 32 bits, but is expanded to 48 bits by the expansion permutation E. Then, after taking an exclusive OR in bits of its 48-bit and K _n, is divided into eight 6-bit units, each of which is input to the S boxes S ₁ to S _8. In each S box, a 6-bit input is nonlinearly converted into a 4-bit output. Finally, the bit position of 32 bits obtained by combining eight 4 bits of the output is replaced by the replacement P, and f
(R _n−1 , K _n ).

Solving the equation Ln = R _n−1 , R _n = L _n−1 EXORf (R _n−1 , K _n ), which is the basic conversion of DES, yields (L _n−1 , R _n−1 ). When represented by (L _n , R _n ), the following expression is obtained. R _n-1 = L _n , L _n-1 = R _n EXORf (R _n-1 , K _n ) = R
_n EXORf (L _n , K _n ) The operation of obtaining (R _n−1 , L _n−1 ) from (R _n , L _n ) by this means that (L _n−1 , R _{n− 1} ) to (L _n , R _n ) have the same structure. This property means that decryption can be performed by the same conversion as encryption.

[0015]

However, for example, a digital broadcast PPV program is restricted by "copy prohibition", so that the content can be viewed only once, but the viewer cannot broadcast the PPV program. I had to watch it at a fixed time. As described above, even if the copyright owner intends to permit the content to be viewed only once for the content of “copy prohibition”, the viewing time is actually limited. Was. Also, when recording “copy prohibited” content on a recording medium and permitting viewing only once,
A method has not been established that makes it impossible to reproduce the content once the content is viewed. Further, in order to realize this, it is difficult to perform the process of erasing the data at the end of viewing while reproducing the content, which is difficult to realize. For example, deleting data on a hard disk in a personal computer or the like only deletes the FAT of the file system, and thus does not actually delete the data.

On the other hand, the content of "copy once" is
For example, even in the case of recording with a recording / reproducing apparatus in which a VTR and an HDD (hard disk drive) are combined, recording once on one of the media cannot be performed because a second copy is made. Therefore, it was not possible to re-record only the desired program on the storage medium after viewing once. Thus, "copy once"
Regarding the content of, even though the copyright owner intends to limit the medium on which the content is recorded, in practice, once recorded content is recorded on another medium, The so-called content movement for erasing the recorded portion has not been permitted.

Also, regarding encryption, it is easy to know the encryption key by improving the performance of the computer.
Using a fixed key for one piece of content means that if the key is known, the entire content has been decrypted, and as a result, it is expected that the digital content will be copied illegally . To avoid this, there is a method of changing the encryption key every time. Thus, even if the encryption key used to encrypt a part of the content is known, the entire content is not decrypted, and the security is increased as compared with the case where a fixed key is used. In addition, when a plurality of encryption keys are generated at the time of decryption, the encryption key used for encryption is calculated. It is necessary to separately store the encryption key or the seed of the encryption key. There is a disadvantage that the amount increases in proportion to the number of keys. Here, the “key seed” indicates information that is a basis for generating an encryption key.

Further, regarding the encryption, Japanese Patent Application Laid-Open No. 9-107
As described in Japanese Unexamined Patent Application Publication No. 536/536, as an encryption process in the block chain method, P (1) is encrypted using an encryption function E1 depending on an encryption key K and an initial value IV, and P (i) is encrypted. ) (2 ≦ i ≦ n) are the encryption keys K and P (i−
1), the data is sequentially encrypted using the encryption function E2, and the encrypted data blocks (C (1), C (1),
(2),..., C (n)). However, in this case, since the encryption key K is fixed and the data on which the encryption is based is the data before the data to be encrypted, there is a problem that the encryption is highly likely to be broken. .

[0019]

SUMMARY OF THE INVENTION In order to solve the above-mentioned problem, when a plurality of unit blocks having a reproduction order are encrypted for each unit block, a predetermined unit block is encrypted. The encryption key seed is information obtained by encrypting one or more unit blocks before the predetermined unit block in the reproduction order, or one or more unit blocks before the predetermined unit block. An encryption method characterized in that the unit block starts with an MPEG video GO.
P, head of one audio frame of MPEG audio, head of PES packet of MPEG system layer, random access indicato of MPEG system layer
The next random access indic from the TS packet with r = 1
The head of the group of TS packets up to just before the TS packet whose ator is 1, the payload unitstar of the MPEG system layer
The next payload u from the TS packet whose t indicator is 1
T before the TS packet with nit indicator of 1
The head of the S packet group, the head of the information group recorded in one track of the tape medium, the head of the information group recorded in one sector of the disk medium, and the information recorded in the ECC block of the medium constituting the ECC An encryption method is provided, which is at least one of the heads of a group.

When a plurality of unit blocks in a reproduction order encrypt continuous information for each unit block, a seed of an encryption key for encrypting a predetermined unit block is set in the reproduction order. One or more unit blocks before a predetermined unit block, or one or more unit blocks before the predetermined unit block, based on encrypted information, and a seed of the encryption key Is an encryption method characterized by being chained two or more times, wherein when the chain is reset a predetermined number of times, the beginning of a unit block in which the chain is reset is a GOP of an MPEG video. The beginning, the beginning of one audio frame of MPEG audio, the beginning of the PES packet of the MPEG system layer, and the random access indicator of the MPEG system layer T is the head of the TS packets from the TS packet to the front of the TS packet following random access indicator is 1, the payload Unit start indicator of the MPEG system layer 1 is
The head of a group of TS packets from the S packet to the position immediately before the next TS packet with a payload unit indicator of 1; the head of a group of information recorded in one track of the tape medium;
An encryption method is provided, which is at least one of a head of an information group recorded in one sector of a disk medium and a head of an information group recorded in an ECC block of a medium constituting an ECC.

[0021]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the encryption method according to the present invention will be described below with reference to the drawings. If the digital content data is AV data sent from a broadcasting station and "copy prohibited", the hard disk is used as a recording / reproducing device that allows the user to view the program only once at any time after the broadcast time zone. This will be described using a recorder as an example.

In this embodiment, such a hard disk recorder is realized by making it possible to view the content of "copy prohibited" only once. A transport stream (TS) of MPEG (Motion Picture Expert Group) is recorded on the hard disk. In addition,
DES is used for encryption / decryption.

FIG. 4 is a diagram showing a recording unit of a hard disk recorder incorporating an encryption unit to which the encryption method according to the present invention is applied. An MPEG TS is input by the tuner 1 or the external signal input unit 2 and sent to the switch circuit unit 3. Here, a signal is sent from the tuner 1 or the external signal input unit 2 to the recording signal processing unit 4 in accordance with an instruction issued by the user interface 200. For the signal sent to the recording signal processing unit 4, a time code, an absolute track number, and the like are generated there. Thereafter, the signal is sent to the encryption unit 5 where the data is encrypted. Then, the data is recorded on the disk 100 in the recording unit 6.
In addition, on the disc 100, a time code and the like in addition to the video signal and the audio signal are recorded in, for example, a subcode area.

FIG. 5 is a diagram showing a reproducing unit of a hard disk recorder incorporating a decryption device for decrypting a signal encrypted by the encryption method according to the present invention.
First, the signal of the disc 100 is read by the reproducing unit 10, and the read signal is sent to the decoding unit 9. Then, after the data is decoded, it is sent to the reproduction signal processing unit 8, and after error correction and the like, it is output to the monitor 300 via the external signal output unit 7.

As described above, in the hard disk recorder having the configuration shown in FIGS. 4 and 5, when digital content data of "copy prohibition" is recorded, a signal indicating "copy prohibition" is recorded by the above-described CGMS.
For example, in digital broadcasting, digital copy contr
ol descriptor, and digit
There is a 2-bit field called al recording control data (digital copy control information). In the field, for example, "copy permitted" = 00, "copy once"
= 10, "copy prohibited" = 11. When the hard disk recorder detects 2 bits “11” in the input signal, the same content is converted to a constant Const _i by the initial vector generation function h _i.
Calculate the initial value IV = h _i (Const _i ).

The initial value IV serves as a seed of an encryption key for encrypting the first unit block of the input content. Therefore, if the initial value IV is easily known, the encrypted content may be decrypted. Therefore, the initial value IV may be recorded on a medium that is difficult to analyze outside the hard disk or may be the same in a state where security is enhanced. Record on the medium. In this embodiment, a flash memory which is difficult to remove is used as a medium. In this case, assuming that the unit block is 184 bytes, the initial value IV is used as the input of the encryption key generation function g and the encryption key K ₁ = g
(IV, Const) is calculated. Hereinafter, K _i indicates an encryption key used when encrypting / decrypting the i-th block. Also, Const represents other information that is a source of encryption key generation. Where Const
Assuming that this information changes over time within the same content, the information of Const must be stored. If such information changes over time, a large-capacity flash memory must be used to store all the changed information. And certain parameters within the content. Since the encryption / decryption you use DES, it is necessary encryption key K _i is 56 bits. Therefore, it is preferable that the total number of bits of the initial value IV and Const be 56 bits or more. because,
The initial value IV and Const from the encryption key K _i When the cryptographic key generating function g is a one-to-one function is because the easily guessed.
Therefore, the encryption key generation function g is set to be n (n ≧ 2) to one.

Next, an encryption method according to the present invention will be described with reference to FIG. A value of 184 bytes of a unit block excluding 4 bytes of a header out of 188 bytes of one TS packet is the number of bytes of an area where AV data is recorded. In the 184 bytes of AV data of the TS packet P (1), there are 23 DES encrypted blocks of 64 blocks. Then, encrypted with the encryption key K ₁ of each TS packet P (1) with respect to the 23 blocks. Note that the encrypted P (1) is described as C (1). The same operation is performed for the TS packets P (2), P (3),.

Next, an encryption key used for encrypting P (2)
K_TwoA method for creating a file will be described. Encryption key K_Two= G (S₁, Co
nst). Where S₁Is the seed of the encryption key
Assuming that the generation function is h, S_i= H (P (i))
Shall be. That is, the plaintext of the previous unit block
Is the seed of the encryption key. With this, the encryption key is one unit
Variable for each block, even if one encryption key is known
However, it is difficult to decipher all plaintext. Also this
By preparing multiple seeds for the encryption key,
There is a method to make the key variable, but the seed of all encryption keys
Had to be stored separately. However, in the case of the present invention
Method, the variable part of the encryption key seed is hard-
It is a plaintext that is a decryption of the ciphertext recorded on the disk
Is difficult to analyze and must be stored in another area.
No need. K_ThreeK afterwards_Three= G (S _Two, Const), K_Four
= G (S_Three, Const),.

On the other hand, at the time of reproduction, the encryption key K ₁ is generated by reading the initial value IV on the flash memory, and C (1)
Is decrypted. At that time, S ₁ be kept simultaneously generated from P (1). Next, a key K ₂ is generated from the S ₁ , and C (2)
Is decrypted. FIG. 7 shows an outline of encryption and decryption. In the above-described embodiment, the seed of the encryption key is generated from the immediately preceding unit block. However, the seed of the encryption key of the unit block may be, for example, the unit block two before.

Next, the contents of "copy prohibited" are copied in the middle.
I can't see the part I played once
The following describes a method for performing the operation. As shown in FIG.
Packets C (1) to C (4) shall be reproduced.
You. As described above, first, the initial value IV is read, and C is read.
Decoding is started from (1). And decryption of C (4)
The reproduction ends when the conversion ends. Here, next time C
Prevent data from (1) to C (4) from being reproduced
In order to perform the initial
Clear the value IV. This decrypts C (1)
Key K for ₁Cannot be generated. Only
Then, in order to start reproduction from C (5) next time, C
Encryption key K for decrypting (5)_FiveSeed S_FourRecord
Must be kept. Therefore, when playback starts
To erase the initial value IV from the flash memory, or
After that, move to the buffer if necessary. And play
S when finished_FourIs recorded in the flash memory.
As a result, C (1) to C (4) cannot be decoded next time.
Can not be reproduced. On the other hand,
Molly to S_FourTogether with the start address of P (5)
By doing so, playback from C (5) onwards is possible from the next time
become. In this example, S_iIs used to decode C (i + 1).
Encryption key K to use_{i + 1}Seeds, but two first
Period IV₁And IV_TwoBy having_iTo C (i +
Encryption key K used for decryption in 2)_{i + 2}Even if you seed
good. Similarly, having three, four,... Initial values IV
By S _iDecodes the unit block three or four ahead
It can be used as a seed for Also, the encryption key
K_{i + 2}The seed of S_iAnd S_{i + 1}Like, multiple
That is, an encryption key may be generated based on two or more plaintexts in the past.
No. Thus S_iIs K_{i + 1}, S _{i + 1}Is K_{i + 2}, ... seed
Is referred to as "chained"
And

Originally, "copy prohibited" contents are broadcasted to the effect that they can be viewed only once during broadcasting. Therefore, rewinding and viewing a part that has been reproduced once is likely to be contrary to the intention of the copyright owner, and thus may not be permitted. However, it is natural that the current “copy prohibited” content cannot be rewound and viewed, but it is possible to view it from the middle. Therefore, there is a possibility that the content of “copy prohibition” is recorded on the hard disk recorder, and only fast forward is permitted. Therefore, when fast-forwarding by the method described above,
Despite being a hard disk that is excellent in random access, decoding must always start from C (1). Therefore, if the content is viewed from the latter half of the content, it takes much time to access the content. Therefore, the following configuration is conceivable.

FIG. 9 shows the outline. The arrow in the figure indicates that the information at the starting point of the arrow serves as a key seed for encrypting the information pointed to. A chain of adjacent blocks is frequently reset, and a block P (2-1) is provided next after the reset. P (2-
1) is encrypted with a key using the initial value IV as a seed.
Then, P (2-1) becomes a seed for the encryption keys of P (2-2) and P (3-1). With such a configuration, for example, when it is desired to access P (3-4), the initial value IV →
P (2-1) → P (3-1) → P (3-2) → P (3-
If decoding is performed in the order of 3) → P (3-4), access can be made in a short time. Such a configuration is hereinafter referred to as two “layers”. And P
(2-1), P (3-1), P (4-1),... Will be referred to as “second hierarchy”. In the above-described embodiment, the case where the number of layers is two has been described, but the number of layers may be three or more. However, when the number of hierarchies is three or more, there is an advantage that the time required for random access is reduced, but there is a disadvantage that the encryption / decryption method becomes complicated. Note that from now on, a function for generating a key seed for encrypting / decrypting the unit block of the first layer is h ₁ , and a function for generating a key seed for encrypting / decrypting the unit block of the second layer. Are described as h ₂ ,. The seed of the key K _3-1 generated by P (2-1) of the second hierarchy is T _2-1 , and the seed of the key K _4-1 generated by P (3-1) is T _{3- 1} , ...

Next, a description will be given of a method of making a once reproduced portion of a content unviewable when there are a plurality of layers. As shown in FIG.
It is assumed that (1-1) to C (2-3) are reproduced. At the start of playback, the initial value I is stored in the flash memory.
V is recorded. Then, when the reproduction is started, the initial value IV is erased from the flash memory or, if necessary, moved to a buffer, and when the reproduction is completed up to C (2-3), _T2-1 and _S2- Record ₃ in flash memory. The reason for recording the S _2-3 in order to produce a K _2-4 as if it did not have multiple hierarchies, that is, to be able to play from C (2-4).
On the other hand, the reproduction is ended up to C (2-3), and the next time C (4-3)
-1), to reproduce from C (4-
To make random access to 1) as fast as possible,
_It is the fastest to go in the order of _2-1 → C (3-1) → C (4-1). Therefore, _T2-1 is also recorded in the flash memory for random access. Further, reproduction from C (2-4) and random access become possible.

The above description has been given of the case where digital content of “copy prohibition” is recorded by the hard disk recorder. In the present embodiment, 184 bytes corresponding to the digital content data of the MPEG TS packet are taken as the unit block size, but this can take various sizes depending on the application. When a chain as shown in FIGS. 7 and 9 is performed through one content, data may not be correctly reproduced due to erroneous reading or erroneous recording on the way. In this case, since an error at one place occurs afterwards, it is possible to adopt a method of resetting the chain starting from the initial value IV a plurality of times in the same content in order to prevent this. For example, FIG.
By preparing a plurality of initial values IV as shown in FIG. 1, the chain is reset a plurality of times, so that error propagation can be prevented.

In the present embodiment, only the hard disk recorder has been described. However, in the case of "copy prohibited" content, it can be realized by an optical disk recorder or the like, and random access cannot be performed.
When the content is reproduced from the beginning, it can be realized by a tape recorder.

The case where the content is "copy prohibited" has been described above. However, when the digital content data transmitted from the broadcasting station is "copy once", the program is divided into one As an example of a recording / reproducing device capable of recording only on a medium, a recording / reproducing device combining a hard disk recorder and a digital VTR will be described. In the embodiment of the present invention, a recording / reproducing apparatus combining such a hard disk recorder and a digital VTR has been realized by allowing the content of "copy once" to be recorded on another medium only once. . MPEG TS is recorded on the hard disk of the hard disk recorder and the video tape of the VTR.
DES is used for encryption / decryption.

FIG. 12 is a block diagram of a recording section of a recording / reproducing apparatus in which a hard disk recorder and a digital VTR according to one embodiment of the present invention are combined. In FIG. 1, a tuner 1 and an external signal input unit 2
Is input and sent to the switch circuit unit 3. Here, a signal is sent to the tape recording signal processing unit 12 or the disk recording signal processing unit 14 according to an instruction issued from the user interface 200. For the signal sent to the tape recording signal processing unit 12, a time code, an absolute track number and the like are generated. Thereafter, the data is sent to the tape recording unit 13 and digitally recorded on the tape 300. On the tape 300, in addition to the video signal and the audio signal, a time code, an absolute track number, and the like are recorded in, for example, a subcode area. Further, a time code or the like is generated for the signal sent to the disk recording signal processing unit 14. Thereafter, the data is sent to the disk recording unit 15 and digitally recorded on the disk 100. Then, similarly to the tape, a time code, an absolute track number, and the like are recorded on the hard disk in addition to the video signal and the audio signal. Disc playback signal processing unit 1
Numeral 7 reproduces a signal recorded by the hard disk recorder. By transmitting the reproduced signal to the tape recording signal processing unit 12, data can be copied.

FIG. 13 is a block diagram of a reproducing section of the digital signal recording / reproducing apparatus according to the present invention. At the time of tape reproduction, the signal of the tape 300 is read by the tape reproduction unit 19. Then, the signal is output to the tape reproduction signal processing unit 18.
The data is sent to the switch circuit unit 3 after error correction and the like are performed there. At the time of disk reproduction, the signal of the disk 100 is read by the disk reproduction unit 21. Then, the signal is sent to the disk reproduction signal processing unit 20, where error correction and the like are performed, and then sent to the switch circuit unit 3 and the tape recording signal processing unit 17. Then, according to the instruction issued by the user interface 200, the reproduction signal of the tape 300 or the disc 1
00 is output to the monitor 4 via the external signal output unit 16.
Output to 00.

Next, a description will be given of a case where digital content data of "one-time copying permitted" is recorded by a recording / reproducing apparatus in which a hard disk recorder having the configuration shown in FIGS. 12 and 13 is combined with a digital VTR. The signal indicating "copy once" is recorded by the CGMS similarly to the signal indicating "copy prohibited". For example, in digital broadcasting, TS has a descriptor called digital copy control descriptor, and further includes a digital recording control descriptor.
There is a 2-bit field called rol data (digital copy control information). In the field, for example, “copy permitted” = 00, “copy once” = 10, and “copy prohibited” = 11 are described. On the input signal, the recording and reproducing apparatus detects the two bits of the "10", the same contents with constant Const _i and the input of the initial vector generation function h _i, the initial value IV = h _i
(Const _i ). Hereinafter, encryption is performed in the same manner as in the case of “copy prohibited”. Also, the content of “copy once” is different from the content of “copy prohibition”, and the content may be reproduced any number of times. Therefore, the content of “copy once” is limited to recording on another medium. The key shall be deleted. For example, as shown in FIG. 8, when recording from C (1) to C (4) recorded on the hard disk is started on the tape, the initial value IV is erased from the flash memory, and recording to C (4) is started. the seed S ₄ When you are finished be recorded in the flash memory. Therefore, at the time of reproduction, the initial value IV of the flash memory is referred to, but recording or erasing is not performed on the flash memory.

In addition, regarding contents of “copy prohibited”,
Originally, digital broadcast PPV content was once
Because it is broadcast with the intention of being able to view only
When playing from the next block, play the previous data
Was not allowed and did not need to be considered. I
However, viewers can copy only the desired parts,
Divide one content and copy it to multiple tapes
You can also. For example, as shown in FIG.
3) Copy the following to a tape, and before that,
You can also make it playable on a disc. That
First, copy from C (2-3) to tape.
When starting and copying the unit block C (2-3)
At this point, the data of C (2-3) is deleted or C (2--3) is deleted.
Rewrite the data of 3) with unrelated data. Soshi
Do not rewrite data in flash memory.
No. Thus, when the copy is completed, C (2-3) becomes
Since the data itself does not exist, decoding cannot be performed.
_2-4Also cannot be generated. However, the initial value IV and
Since C (2-1) remains, the initial value IV → C
(2-1) → C (3-1) → C (3-1)
Thereafter, decoding becomes possible. Therefore, to avoid this
When copying is completed up to C (3-1), C (2-
C (3-1) is also erased as in 3). Now C (3-
After 2), reproduction becomes impossible. Also, for example, C (2-
When copying from 3) to C (3-3),
C (2-3) and C (3
-1) _3-1And S_3-3And flash memory
Just record it.

As described above, the recording of the "one-time copy permitted" digital content by the recording / reproducing apparatus in which the hard disk recorder and the digital VTR are combined has been described. A hard disk recorder and a digital VTR
Although only the recording / reproducing apparatus combined with the above has been described, in the case of the content of "copy once", the hard disk drive can be replaced with a random accessible recording apparatus such as an optical disk recorder,
The VTR section can be replaced with any recording device.

Next, the beginning of the unit block described so far is a GOP of MPEG video, one audio frame of MPEG audio, and a P of MPEG system layer.
ES packet, random acces of MPEG system layer
From the TS packet whose s indicator is 1, the next random ac
T up to just before the TS packet whose cess indicator is 1
S packet group, payload unit of MPEG system layer
The next pay from the TS packet whose start indicator is 1
oad unit A group of TS packets up to just before a TS packet with a start indicator of 1, a group of information recorded in one track of a tape medium, a group of information recorded in one sector of a disk medium, and a group of media forming an ECC. EC
The effect when the information is at least one of the information groups recorded in the C block and their syntax will be described.

MPEG is created by combining several technologies. The input image is reduced in time redundancy by taking the difference between the image decoded by the motion compensator and the input image. There are three modes of prediction from the past, the future, and both. These are 16 pixel × 16 pixel MB.
(Macro block) can be switched and used. Although the prediction direction is determined by the picture type given to the input image, the prediction from the past and the M
A P-picture has two modes for independently encoding B. A B-picture has four modes for prediction from the future, prediction from the past, prediction from both, and independent encoding. It is an I picture that all MBs are independently encoded. In motion compensation, a motion vector is detected by half-pel accuracy by performing pattern matching on a motion area for each MB, and is predicted after shifting by the amount of motion. There are horizontal and vertical motion vectors,
MC (Motion Compensation) indicating where the prediction is from
It is transmitted as the MB additional information together with the mode. A GOP (Group Of Picture) is referred to as a GOP (Group Of Picture) from the I picture to the picture before the next I picture. In general, about 15 pictures are used. If the head of the unit block is recorded in synchronization with the data at the head of this GOP (the head of the sequence header when the sequence header is described before the GOP), for example, access is performed halfway. In the case where decoding is not possible up to that point, it is possible to make decoding impossible up to that GOP, and it is possible to avoid an inefficient state in which the next GOP cannot be decoded halfway. . Note that a GOP may include a plurality of I pictures.

Although one audio frame of MPEG audio depends on the sampling frequency and pit rate of the audio of MPEG, the number of samples corresponding to one second is collectively compressed, and the unit of SYNC defined by MPEG is compressed for each unit. Words and headers, CRC for error checking, etc. are described. The main parameters necessary for decoding are described in this header. If the head of the unit block of the present invention is recorded in synchronization, for example,
Even when accessing halfway and making it impossible to decode up to that point, it is possible to make it impossible to decode up to the audio frame up to that point. Efficient situations can be avoided.

The PES packet of the MPEG system layer has a structure common to both the transport stream and the program stream in the MPEG system layer, and a DTS (Decoding Time Stam) indicating the decoding timing for the data of the PES packet.
p) and PTS (Presentatio) indicating the timing of playback display
n Time Stamp) and other important time information and various parameters are described. If the head of the unit block of the present invention is recorded in synchronization with the unit of this PES packet,
For example, even if access is made halfway and decoding is not possible up to that point, it is possible to make decoding up to that PES packet impossible, so that the next PES packet cannot be decoded halfway. Inefficient situations can be avoided.

MPEG system layer random access
There is an adaptation layer in the syntax of the transport stream of the system layer of the next EG from the TS packet whose indicator is 1, and a bit indicating whether random access is possible is described therein. . The fact that random access is possible means that video data has a video sequence header described in the transport packet, and in the case of audio data, the head data of an audio frame is described. To indicate that If the head of the unit block of the present invention is recorded in synchronization with a group of TS packets from the TS packet whose random access indicator is 1 to a position immediately before the next TS packet whose random access indicator is 1, For example, even when accessing halfway and making it impossible to decode, random access in
The next random access from the TS packet whose dicator is 1
It is possible to make it impossible to decode up to a group of TS packets up to the TS packet whose indicator is 1 and halfway, the next random access indicator is 1 from the next TS packet whose random access indicator is 1 TS
It is possible to avoid an inefficient state in which all the TS packets up to the packet cannot be decoded.

The payload unit s of the MPEG system layer
The next payloa from the TS packet whose tart indicator is 1
The TS packet group up to the TS packet before the d unit start indicator is 1 is defined in the transport stream syntax of the MPEG system layer as T
It has an S header area and indicates whether or not the PES packet is described in the payload of the TS packet. As in the case of the PES packet,
From the TS packet whose payload unit start indicator is 1, the next TS whose payload unit start indicator is 1
If the head of the unit block of the present invention is recorded in synchronization with the unit of the TS packet group up to the TS packet up to the packet, for example, if it is accessed halfway,
Even if it makes it impossible to decrypt it,
It is possible to make decoding impossible from a TS packet with an oad unit start indicator of 1 to a group of TS packets up to a position immediately before the next TS packet with a payload unit start indicator of 1, and halfway through the next payload unit start ind
The next payload unit s from the TS packet whose icator is 1
T up to before the TS packet with tart indicator of 1
It is possible to avoid an inefficient state in which all the S packets cannot be decoded.

The information group recorded in one track of the tape medium, the information group recorded in one sector of the disk medium, and the information group recorded in the ECC block of the medium constituting the ECC are respectively It is a unit of access depending on the medium or a unit of error correction, and when accessing or editing each data, it is very efficient to access each unit. Therefore, if these access units and the beginning of the unit block of the present invention are recorded synchronously, for example, even if access is performed halfway and decoding is not possible up to that point, the access unit up to that point Can not be decoded, and an inefficient state in which the next access unit cannot be decoded halfway can be avoided.

Next, the head of the unit block having a plurality of chained hierarchies described above is the GO of the MPEG video.
P, one audio frame of MPEG audio, MP
From the PES packet of the EG system layer and the TS packet of which the random access indicator of the MPEG system layer is 1, the T whose next random access indicator is 1
A group of TS packets up to the S packet, a group of TS packets from the MPEG system layer with a payload unit start indicator of 1 to a TS packet up to the next TS packet with a payload unit start indicator of 1, and one track of tape media Group, information group recorded in one sector of the disk medium, ECC
The effect when the information is at least one of the information groups recorded in the ECC block of the medium configuring the above will be described.

As described above, synchronizing each unit with the unit block of the present invention is very efficient even when accessing halfway and making decoding impossible up to that point. Can be designed. However, in the encryption / decryption method and apparatus that are chained at least twice, the first layer when the previous unit block is a seed and the two or more layers The n-th layer (where n is an integer of 2 or more) is combined to form a plurality of chained layers, and one or more of the unit blocks at the beginning of the unit block have a GOP, One audio frame of MPEG audio,
MPEG system layer PES packet, MPEG system layer random access indicator is 1
A group of TS packets from an S packet to a position immediately before the next TS packet having a random access indicator of 1, MPEG
The next payload unit start indicat from the TS packet with the payload unit start indicator of 1 in the system layer
A group of TS packets up to the TS packet before or is 1, a group of information recorded in one track of a tape medium, a group of information recorded in one sector of a disk medium, and an ECC block of a medium constituting an ECC By synchronizing with the information group recorded in the compressed data, the head of the access unit of the compressed data can be efficiently accessed immediately from the chained block.

Next, in the chain of unit blocks described so far, if the chain is reset a predetermined number of times, the head of the unit block to be reset will be MPEG
GOP of video, one audio frame of MPEG audio, PES packet MP of MPEG system layer
From the TS packet in which the random access indictor of the EG system layer is 1, the next random access indicator is 1
, A group of information to be recorded in one track of the tape medium,
The effect when the information is at least one of the information groups recorded in the ECC block of the medium configuring the above will be described.

As described above, synchronizing each unit with the unit block according to the present invention means that even if access is made halfway and decoding is impossible up to that point,
Although it has been described that the function of the present invention can be designed very efficiently, in an encryption / decryption method and apparatus that are chained at least twice, when the chain is reset at a predetermined number of times, The head of the unit block to be reset includes a GOP of the MPEG video, one audio frame of MPEG audio, a PES packet of the MPEG system layer, and a random number of the MPEG system layer.
The next ran from the TS packet whose access indicator is 1
TS packet group up to just before the TS packet whose dom access indicator is 1, payloa of MPEG system layer
d A group of TS packets from a TS packet with a unit start indicator of 1 to a position immediately before the next TS packet with a payload unit start indicator of 1, or 1 of tape media
Information group recorded in a track, 1 of disk media
By synchronizing with the information group recorded in the sector and the information group recorded in the ECC block of the medium constituting the ECC, the entry is directly made to the reset chain block, and the compressed data of the compressed data is immediately transmitted from the unit block. The head of the access unit can be efficiently accessed.

[0053]

As described above in detail, according to the encryption method of the present invention, the content of "copy prohibition" can be viewed only in the broadcast only until now. Now, it is possible to watch the content only once at the time when the user wants to watch it. Also, "copy once"
Can be copied and edited on another medium only once after being recorded on the medium. At this time, the security of the data on the hard disk is ensured by being encrypted. Furthermore,
If the content is viewed partway with respect to the “copy prohibited” content, a function of making it impossible to play back to the halfway point by a method of deleting the seed of the decryption key up to that point can also be realized. . Similarly, the content of "copy once" can be made unreproducible in a portion copied to another medium. Further, when the seed of the encryption key is plaintext or ciphertext other than the predetermined unit block, a function of making it impossible to reproduce a desired block or later can be realized. By adopting the chaining method, the capacity of the key seed information to be recorded can be extremely small.

Also, MPEG video GOP, MPE
One audio frame of G audio, a PES packet of the MPEG system layer, and a PES packet of the MPEG system layer
A group of TS packets from a TS packet with a random access indicator of 1 to a position immediately before the next TS packet with a random access indicator of 1, and a next payload unit start indicator from a TS packet with a payload unit start indicator of 1 in the MPEG system layer T that is 1
A group of TS packets up to the S packet, a group of information recorded in one track of a tape medium, a group of information recorded in one sector of a disk medium, and information recorded in an ECC block of a medium constituting an ECC When the group is an access unit, by recording this access unit in synchronization with the unit block of the present invention, for example, even if an access is made halfway and decoding is not possible up to that point, It is possible to make it impossible to decode even the access unit, and it is possible to avoid an inefficient state in which the next GOP cannot be decoded halfway.

Further, by synchronizing and recording the access unit at the head of a unit block having a plurality of chained hierarchies, the head of the compressed data access unit can be efficiently accessed immediately from the chained block. Becomes
Further, in a case where the chain is reset a predetermined number of times in the chained unit block, the access unit is synchronously recorded at the head of the unit block to be reset, so that the entry can be directly made in the chain block reset. Then, the head of the compressed data access unit can be efficiently accessed immediately from the unit block.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating a basic configuration of a DES.

FIG. 2 is a diagram showing a structure of a 16-stage conversion unit which is a basic unit of DES.

FIG. 3 is a diagram showing a structure of a function f used in DES.

FIG. 4 is a block diagram showing a configuration of a recording unit of the hard disk recorder to which the encryption method according to the present invention is applied.

FIG. 5 is a block diagram showing a configuration of a reproducing unit of a hard disk recorder that reproduces a signal recorded by applying the encryption method according to the present invention.

FIG. 6 shows the MPEG T in the encryption method according to the present invention.
FIG. 3 is a diagram illustrating a configuration of S and an outline of encryption.

FIG. 7 is a diagram showing an encryption and decryption method according to the encryption method according to the present invention and decryption by the decryption device.

FIG. 8 is a diagram showing a method of reproducing content encrypted by the encryption method according to the present invention.

FIG. 9 is a diagram showing an example of encryption by the encryption method according to the present invention.

FIG. 10 is a diagram showing another method of reproducing content encrypted by the encryption method according to the present invention.

FIG. 11 is a diagram showing another example of encryption by the encryption method according to the present invention.

FIG. 12 is a block diagram showing a recording unit of a recording / reproducing apparatus in which a hard disk recorder to which the encryption method according to the present invention is applied and a digital VTR are combined.

FIG. 13 is a block diagram showing a reproducing unit of a recording / reproducing apparatus in which a hard disk recorder to which the encryption method according to the present invention is applied and a digital VTR are combined.

FIG. 14 is a diagram showing a reproducing method of a recording / reproducing apparatus in which a hard disk recorder to which the encryption method according to the present invention is applied and a digital VTR are combined.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Tuner 2 External signal input part 3 Switch circuit part 4 Recording signal processing part 5 Encryption part 6 Recording part 7 External signal output part 8 Reproduction signal processing part 9 Decryption part 10 Reproduction part

──────────────────────────────────────────────────の Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04N 7/24 H04N 7/13 Z (72) Inventor Seiji Higurashi 3-chome 12 Moriyacho, Kanagawa-ku, Yokohama-shi, Kanagawa Address Victor Company of Japan, Ltd. (72) Inventor Toshio Kuroiwa 3-12 Moriyacho, Kanagawa-ku, Yokohama-shi, Kanagawa Prefecture F-term (reference) 5B017 AA03 BA07 CA09 5C053 FA13 FA20 FA21 FA23 GA11 GB05 GB08 GB11 GB15 GB29 GB37 JA22 5C059 KK43 MA00 MA31 PP05 PP06 PP07 RB02 RB10 RC02 RC32 RC35 RF04 UA05 5D044 AB07 BC04 CC06 DE28 DE50 EF05 FG18 GK12 GK17 HL08 5J104 AA01 JA13 NA02 PA14

Claims (2)

[Claims] When encrypting continuous information for a plurality of unit blocks in a reproduction order for each unit block, a seed of an encryption key for encrypting a predetermined unit block is determined by the reproduction order in the reproduction order. An encryption method based on information obtained by encrypting one or more unit blocks before a predetermined unit block or one or more unit blocks before the predetermined unit block. Wherein the beginning of the unit block is the beginning of a GOP of MPEG video, the beginning of one audio frame of MPEG audio, the beginning of a PES packet of the MPEG system layer,
The next random access indicato from the TS packet whose random access indicator of the MPEG system layer is 1
The beginning of the group of TS packets up to the position before the TS packet in which r is 1, the payload unit start of the MPEG system layer
The next payload unload from the TS packet whose indicator is 1
TS up to just before the TS packet whose it indicator is 1
The head of the packet group, the head of the information group recorded in one track of the tape medium, the head of the information group recorded in one sector of the disk medium, and the information group recorded in the ECC block of the medium constituting the ECC Encryption method, which is at least one of the first characters. 2. When a plurality of unit blocks having a reproduction order encrypt continuous information for each unit block, a seed of an encryption key for encrypting a predetermined unit block is set in the reproduction order. One or more unit blocks before a predetermined unit block, or one or more unit blocks before the predetermined unit block, based on encrypted information, and a seed of the encryption key Is an encryption method characterized by being chained two or more times, wherein when the chain is reset a predetermined number of times, the beginning of a unit block in which the chain is reset is a GOP of an MPEG video. Head, head of one audio frame of MPEG audio, head of PES packet of MPEG system layer, random acces of MPEG system layer
From the TS packet whose s indicator is 1, the next random ac
T up to just before the TS packet whose cess indicator is 1
The beginning of the S packet group, payolaa of the MPEG system layer
d The head of a group of TS packets from a TS packet with a unit start indicator of 1 to a position immediately before the next TS packet with a payload unit indicator of 1, the head of a group of information recorded in one track of a tape medium, and the head of a disk medium. An encryption method characterized by being at least one of a head of an information group recorded in one sector and a head of an information group recorded in an ECC block of a medium constituting an ECC.