JP2003087237A - Contents utilization management system, its method, information processor, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize a contents utilization management system excluding the necessity of managing the contents utilization right of each user by a service provider as to a system for delivering ciphered contents. SOLUTION: A system for delivering ciphered contents and allowing only a legal user to utilize the contents ciphers a contents key stores the ciphered key in a contents utilization right certificate and stores and delivers the ciphered key together with contents utilization conditions such as a contents utilization period, utilization frequency, on-line processing, and off-line processing. Since the satisfaction of the contents utilization conditions is set as a condition for starting contents key deciphering processing, the legal user can acquire the various contents key different by user only when the utilization conditions are satisfied without managing contents utilization rights by the service provider for each user.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a content usage management system, a content usage management method, an information processing apparatus, and a computer program. In particular, in a system that distributes encrypted content, content content authorization certificates including content usage authorization information, such as attribute keys, are used to deliver content keys to prevent unauthorized use of the content and The present invention relates to a content use management system, a content use management method, an information processing device, and a computer program capable of managing the use of a computer.

[0002]

2. Description of the Related Art Recently, various software data such as music data, image data, game programs, etc. (hereinafter referred to as “contents”) are communicated via the Internet, satellites, various wired and wireless. Services for delivering via communication networks have become popular. Also,
Content distribution through a distributable storage medium such as a DVD, a CD, and a memory card has become popular. These distribution contents are owned by the user, such as a TV,
It is reproduced and used in a PC (Personal Computer), a reproduction-only device, a game machine, or the like.

The contents distributed via the communication network are
For example, it is received by a set-top box having a communication function, converted into data that can be reproduced by a reproducing device such as a TV and reproduced, or by an information device such as a TV, a reproducing device, a game machine, or a PC having a communication interface. Received and played.

Many software contents such as game programs, music data, image data, etc. are generally owned by their creators and sellers. Therefore, when distributing these contents, certain usage restrictions, that is, only authorized users are permitted to use the software and unauthorized copying is not performed, that is, security is considered It is common to adopt the above configuration.

[0007] One method of realizing usage restrictions on users is encryption processing of distributed contents. For example, when content for which copyright protection is requested is distributed via satellite communication or Internet communication, or is stored in a medium such as a DVD and distributed, the content is encrypted and distributed or stored, and only for authorized users. Distribute the decryption key that can be used to decrypt the content. The authorized user decrypts the encrypted content using the distributed decryption key and reproduces the content.

The encrypted data can be returned to the decrypted data (plain text) by the decryption process using the decryption key. Data encryption and decryption methods that use an encryption key for the data encryption process and a decryption key for the decryption process have been well known.

There are various types of data encryption / decryption methods using an encryption key and a decryption key, and one example thereof is a so-called common key encryption method. In the common key encryption method, the encryption key used for the data encryption process and the decryption key used for the data decryption are common, and the common key used for the encryption process and the decryption is given to the authorized user. Then, data access by an unauthorized user who does not have a key is excluded. A typical method of this method is DES (Data encryption standard: Data encry
ption standard).

The encryption key and the decryption key used for the above-mentioned encryption processing and decryption can be obtained by applying a one-way function such as a hash function based on a certain password or the like. A one-way function is a function that makes it very difficult to find an input from its output. For example, a one-way function is applied with a password determined by the user as an input, and an encryption key and a decryption key are generated based on the output. From the encryption key and the decryption key obtained in this way, it is virtually impossible to find the password that is the original data.

A system in which a process using an encryption key used for encryption and a process for a decryption key used in decryption are performed with different keys is a so-called public key cryptosystem. The public key cryptosystem is a method of using a public key that can be used by an unspecified user, and encrypts an encrypted document for a specific individual using the public key generated by the specific individual. The document encrypted by the public key can be decrypted only by the private key corresponding to the public key used for the encryption process. Since the private key is owned only by the individual who generated the public key, the document encrypted by the public key can be decrypted only by the individual who has the private key. Elliptic curve cryptography or RSA (Rivest-Shape) is a typical public key cryptosystem.
mir-Adleman) There is a cipher. By using such an encryption method, it becomes possible to provide a system in which the encrypted content can be decrypted only by the authorized user.

[0010]

In the content use management system as described above, the content is encrypted and provided to the user by being stored in a network or a recording medium such as a DVD or a CD, and the encrypted content is decrypted. Many configurations have been adopted in which the key is provided only to authorized users. It is possible to use the content key by encrypting the content key to prevent unauthorized use of the content key itself and providing it to the legitimate user, and decrypting the encrypted content key using the decryption key that only the legitimate user has. A configuration to do so has been proposed.

The determination as to whether or not the user is a legitimate user is generally performed by executing an authentication process between the content provider, which is the sender of the content, and the user device before the distribution of the content or the content key. . In a general authentication process, while confirming the other party, a session key valid only for the communication is generated, and when the authentication is established, the generated session key is used to transmit data such as content or content key. Encrypt and communicate.

However, in the configuration in which the user is confirmed and the content or the content key is distributed based on such an authentication process, the content key distribution side may manage the content use authority information for each user. Will be needed. That is, in order to determine whether or not the user has the proper content use authority, it is necessary to store the content use authority information of all users in the database and distribute the content or the content key based on the authority information. Becomes

Such a process, that is, the process of confirming the user's content usage authority, is not problematic if the number of users who use the content is a small number within a limited range, but if the number of users becomes enormous, the processing load will increase. Therefore, the efficiency of the content distribution or the content key distribution processing is reduced.

The present invention has been made in view of the above-mentioned problems, and enables the use of contents only by a legitimate user without managing the contents use authority of the user for each user on the service provider side, further,
A content usage management system, a content usage management method, and an information processing apparatus capable of setting various usage restrictions corresponding to a user such as a time limit and a number of times limit
It is also intended to provide a computer program.

[0015]

According to a first aspect of the present invention, there is provided a user device that uses content encrypted with a content key: Kc, and an encrypted content key obtained by encrypting the content key: Kc. A service provider that distributes the stored content usage right certificate to the user device, wherein the user device stores the encrypted content key stored in the content usage right certificate received from the service provider in the user device. The content key: Kc is obtained by executing either the decryption process to which the storage key is applied or the decryption process in the service provider, and the obtained content key: K
The content usage management system is characterized by having a configuration for executing a decryption process of encrypted content to which c is applied to acquire the content.

Further, in one embodiment of the content use management system of the present invention, content use conditions are recorded in the content use authority certificate, and the user device is content use that satisfies the content use conditions. The encrypted content key stored in the content usage right certificate is subjected to a determination process as to whether or not the content usage condition recorded in the content usage right certificate is satisfied. Is characterized in that the decryption process is performed by applying the storage key in the user device.

Further, in one embodiment of the content use management system of the present invention, content use conditions are recorded in the content use authority certificate, and the service provider is content use that satisfies the content use conditions. It is determined whether or not the content usage satisfies the content usage conditions recorded in the content usage authorization certificate,
It is characterized in that the decryption process is executed for the encrypted content key stored in the content usage right certificate.

Further, in an embodiment of the content use management system of the present invention, a service in which a key for decrypting the encrypted content key stored in the content use authority certificate is stored in the memory in the user device. The management area for each provider is set and registered, and the user device applies the decryption key to execute the decryption processing of the encrypted content key stored in the content usage right certificate to obtain the content key: Kc. Is obtained.

Further, in one embodiment of the content use management system of the present invention, a service provider is provided in a memory in the user device as a key for decrypting the encrypted content key stored in the content use authority certificate. The management area for each service provider storing the corresponding private key is set and registered, and the encrypted content key stored in the content usage right certificate is encrypted by the public key generated corresponding to the service provider corresponding private key. The encrypted content key is the encrypted content key, and the user device applies the service provider compatible private key to execute the decryption processing of the encrypted content key stored in the content usage right certificate to execute the content key. : K
It is characterized in that it is configured to acquire c.

Furthermore, in one embodiment of the content use management system of the present invention, the memory in the user device has a management area for each service provider, which stores authentication processing application data necessary for mutual authentication with the service provider. The user device, which has been set and registered, acquires the authentication processing application data, authenticates with the service provider, sends the content usage authorization certificate to the service provider, and decrypts the encrypted content key by the service provider. Content key: Kc
Is obtained.

Furthermore, in one embodiment of the content usage management system of the present invention, the encrypted content key stored in the content usage authorization certificate is encrypted by a common key system key held by the service provider. Encrypted content key, the service provider receives the content usage right certificate from the user device, and the service provider holds the encrypted content key stored in the received content usage right certificate. The content key: Kc is acquired by executing the decryption process to which the key of the common key system is applied, and the acquired content key: Kc is sent to the user device.

Further, in one embodiment of the content use management system of the present invention, the content use right certificate is an online use process or service in which a use right judgment process in a service provider is an essential condition as a content use condition. The user device has data in which any one of offline usage processing that does not require usage authority determination processing is set, and the user device uses online or offline as content usage conditions recorded in the content usage certificate when using the content. The feature is that the usage is selectively executed.

Further, in one embodiment of the content use management system of the present invention, the content use authority certificate is, as content use conditions, a period limit that limits the content use period, a number limit that limits the number of times of content use, and use. Having any of the data set to unlimited purchase, the user device, when using the content, the period limit as the content use condition recorded in the content use authority certificate, or the number of times limit, or according to the purchase, Content is executed by determining whether the content usage satisfies the usage condition, and decrypting the encrypted content key stored in the content usage right certificate is executed on condition that the usage condition is satisfied. It is characterized in that the key: Kc is acquired.

Furthermore, in one embodiment of the content usage management system of the present invention, the content usage authority certificate is configured such that an electronic signature of the issuing entity of the content usage authority certificate is added to the content usage authority certificate. The decryption process of the encrypted content key in the certificate is executed under the condition that the verification of the electronic signature confirms that the data has not been tampered with.

Further, in an embodiment of the content use management system of the present invention, the content use authority certificate has a configuration in which link information regarding a public key certificate corresponding to the content use authority certificate is stored. The decryption process of the encrypted content key in the content usage right certificate is executed on condition that the validity of the content usage right certificate is confirmed by the verification of the public key certificate acquired by the link information. It is characterized by

Further, in one embodiment of the content use management system of the present invention, the content use authority certificate is an attribute certificate issued by an attribute certificate certificate authority, and the encrypted content key is an attribute certificate. It is characterized in that it is stored in the attribute information field inside.

Further, in one embodiment of the content use management system of the present invention, the content use authority certificate is an attribute certificate issued by an attribute certificate certification authority, and the attribute information field in the attribute certificate contains: It is characterized in that it has a configuration in which content usage conditions are stored.

Further, a second aspect of the present invention is an information processing apparatus for utilizing the content encrypted by the content key: Kc, wherein the encrypted content key obtained by encrypting the content key: Kc is stored. Decryption processing for receiving a content usage right certificate from a service provider and applying a storage key in an information processing device for an encrypted content key stored in the received content usage right certificate, or the content for the service provider The content key: Kc is obtained by the decryption process in the service provider by sending the usage right certificate, and the decryption process of the encrypted content to which the obtained content key: Kc is applied is executed to obtain the content. An information processing device characterized by the above.

Further, in one embodiment of the information processing apparatus of the present invention, content usage conditions are recorded in the content usage authorization certificate, and the information processing apparatus is content usage that satisfies the content usage conditions. The encrypted content key stored in the content usage right certificate is subjected to a determination process as to whether or not the content usage condition recorded in the content usage right certificate is satisfied. It is characterized in that it is configured to execute a decryption process to which a storage key in the information processing apparatus is applied.

Further, in one embodiment of the information processing apparatus of the present invention, a service in which a key for decrypting the encrypted content key stored in the content usage right certificate is stored in the memory in the information processing apparatus. The management area is set and registered for each provider, and the information processing apparatus applies the decryption key and executes the decryption processing of the encrypted content key stored in the content usage right certificate to execute the content key. : Kc is acquired.

Further, in an embodiment of the information processing apparatus of the present invention, the memory in the information processing apparatus has a service provider as a key for decrypting the encrypted content key stored in the content usage right certificate. The management area for each service provider storing the corresponding private key is set and registered, and the encrypted content key stored in the content usage right certificate is encrypted by the public key generated corresponding to the service provider corresponding private key. The encrypted content key that has been encrypted, and the information processing apparatus applies the service provider-corresponding private key to execute decryption processing of the encrypted content key stored in the content usage right certificate, It is characterized in that the key: Kc is acquired.

Further, in one embodiment of the information processing apparatus of the present invention, the memory in the information processing apparatus has a management area for each service provider that stores authentication processing application data necessary for mutual authentication with the service provider. Registered by setting, the information processing apparatus acquires the authentication processing application data, authenticates with the service provider, sends the content usage authorization certificate to the service provider, and then the encrypted content key by the service provider. The content key: Kc is obtained by the decryption process of.

Further, in one embodiment of the information processing apparatus of the present invention, the content usage right certificate is an online usage process which requires a usage right determination process in a service provider as a content usage condition, or a service provider. The information processing apparatus has data in which any one of the offline usage processing that does not require the usage authority determination processing is set, and when the content is used, the information processing apparatus uses the online usage as the content usage condition recorded in the content usage authority certificate. Alternatively, the configuration is characterized in that the offline use is selectively executed.

Further, in one embodiment of the information processing apparatus of the present invention, the content usage right certificate is, as content usage conditions, a time limit that limits a content usage period, a number restriction that limits the number of times of content usage, a usage restriction In the case of using the content, the information processing apparatus has data in which any one of the following items is set to be used, and in response to the content use condition recorded in the content use authority certificate, a period limit, a number limit, or a use-out. , Executing a determination process of whether or not the content usage satisfies the usage condition, and performing a decryption processing of the encrypted content key stored in the content usage right certificate on condition that the usage condition is satisfied. Content key:
It is characterized in that it is configured to acquire Kc.

Further, in an embodiment of the information processing apparatus of the present invention, the content usage right certificate is a structure to which a digital signature of an issuing entity of the content usage right certificate is added, and the content usage right certificate The decryption process of the encrypted content key in the document is configured to be executed on condition that the verification of the electronic signature does not result in data tampering.

Further, in an embodiment of the information processing apparatus of the present invention, the content usage right certificate is a structure in which link information relating to a public key certificate corresponding to the content usage right certificate is stored. The decryption process of the encrypted content key in the usage right certificate is executed on condition that the validity of the content usage right certificate is confirmed by verifying the public key certificate acquired by the link information. Is characterized by.

Furthermore, a third aspect of the present invention is a content usage management method for managing content usage by decrypting encrypted content, wherein a user who uses content encrypted with a content key: Kc. A device and a service provider that distributes a content usage authorization certificate storing an encrypted content key obtained by encrypting the content key: Kc to the user device, wherein the user device uses the content from the service provider. A step of receiving the authority certificate, and a decryption processing in which a storage key in the user device is applied to the encrypted content key stored in the content usage authority certificate, or a decryption processing in the service provider. Content key by executing the encryption process:
Step of acquiring Kc and acquired content key: K
and a step of executing a decryption process of the encrypted content to which c is applied to acquire the content, the content usage managing method.

Further, in one embodiment of the content usage management method of the present invention, content usage conditions are recorded in the content usage authorization certificate, and the user device is content usage that satisfies the content usage conditions. The encrypted content key stored in the content usage right certificate is subjected to a determination process as to whether or not the content usage condition recorded in the content usage right certificate is satisfied. Is characterized by executing the decryption process to which the storage key in the user device is applied.

Furthermore, in one embodiment of the content usage management method of the present invention, content usage conditions are recorded in the content usage authorization certificate, and the service provider is content usage that satisfies the content usage conditions. The encrypted content key stored in the content usage right certificate is subjected to a determination process as to whether or not the content usage condition recorded in the content usage right certificate is satisfied. The decoding process is executed.

Further, in an embodiment of the content usage management method of the present invention, a service in which a key for decrypting the encrypted content key stored in the content usage authorization certificate is stored in the memory in the user device. The management area for each provider is set and registered, and the user device
It is characterized in that the decryption key is applied to execute the decryption processing of the encrypted content key stored in the content usage right certificate to obtain the content key: Kc.

Furthermore, in one embodiment of the content usage management method of the present invention, the memory in the user device has a service provider as a key for decrypting the encrypted content key stored in the content usage authorization certificate. The management area for each service provider storing the corresponding private key is set and registered, and the encrypted content key stored in the content usage right certificate is encrypted by the public key generated corresponding to the service provider corresponding private key. An encrypted encrypted content key, wherein the user device applies the service provider compatible private key,
The content key: Kc is obtained by executing the decryption process of the encrypted content key stored in the content usage right certificate.

Further, in one embodiment of the content use management method of the present invention, the memory in the user device has a management area for each service provider, which stores authentication processing application data necessary for mutual authentication with the service provider. The user device, which has been set and registered, acquires the authentication processing application data, authenticates with the service provider, sends the content usage authorization certificate to the service provider, and decrypts the encrypted content key by the service provider. The content key: Kc is obtained by the encryption processing.

Further, in one embodiment of the content usage management method of the present invention, the encrypted content key stored in the content usage authorization certificate is encrypted by a common key system key held by the service provider. Encrypted content key, the service provider receives the content usage right certificate from the user device, and the service provider holds the encrypted content key stored in the received content usage right certificate. The content key: Kc is acquired by executing the decryption process to which the key of the common key system is applied, and the acquired content key: Kc is sent to the user device.

Furthermore, in one embodiment of the content usage management method of the present invention, the content usage authorization certificate is an online usage processing or service that requires usage authorization judgment processing at a service provider as a content usage requirement. The user device has data in which any one of offline usage processing that does not require usage authority determination processing is set, and the user device uses online or offline as content usage conditions recorded in the content usage certificate when using the content. It is characterized in that usage is selectively executed.

Further, in one embodiment of the content usage management method of the present invention, the content usage authorization certificate includes, as content usage conditions, a term restriction that limits the content usage period, a frequency restriction that limits the number of times of content usage, and usage. Having any of the data set to unlimited purchase, the user device, when using the content, the period limit as the content use condition recorded in the content use authority certificate, or the number of times limit, or according to the purchase, Content is executed by determining whether the content usage satisfies the usage condition, and decrypting the encrypted content key stored in the content usage right certificate is executed on condition that the usage condition is satisfied. The key is to obtain Kc.

Further, in an embodiment of the content usage management method of the present invention, the content usage authority certificate is a structure to which an electronic signature of the issuing entity of the content usage authority certificate is added. The decryption process of the encrypted content key in the certificate is executed on condition that the verification of the electronic signature confirms that there is no data tampering.

Further, in an embodiment of the content usage management method of the present invention, the content usage authorization certificate has a configuration in which link information regarding a public key certificate corresponding to the content usage authorization certificate is stored. The decryption process of the encrypted content key in the content usage right certificate is executed on condition that the validity of the content usage right certificate is confirmed by the verification of the public key certificate acquired by the link information. And

Further, a fourth aspect of the present invention is a computer program for causing a computer system to execute a content use management process for managing content use by decrypting an encrypted content,
A step of receiving a content usage right certificate from a service provider, a decryption processing applying a storage key in a user device to an encrypted content key stored in the content usage right certificate, or a decryption processing in the service provider And performing a decryption process to obtain the content key: Kc, and performing a decryption process on the encrypted content to which the obtained content key: Kc is applied to obtain the content. It is in a computer program characterized by that.

The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format for a computer system capable of executing various program codes, such as a CD or F.
It is a computer program that can be provided by a recording medium such as D or MO or a communication medium such as a network. By providing such a program in a computer-readable format, processing according to the program is realized on the computer system.

Still other objects, features and advantages of the present invention are as follows.
It will be clarified by a more detailed description based on embodiments of the present invention described below and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to a device in which each configuration is provided in the same housing.

[0051]

DESCRIPTION OF THE PREFERRED EMBODIMENTS [System Outline] FIG. 1 shows each entity in the content use management system of the present invention.
9A and 9B are diagrams illustrating an outline of processing of each entity.

The user device 101 is a terminal of each user who uses the content, specifically, a PC, a game terminal, a reproducing device such as a DVD or a CD, a recording / reproducing device, or the like. These terminals are equipped with a tamper-proof security chip having control means for controlling encryption processing and content usage processing described later. Content distribution entity (content distributor)
Most of the secure processing on the user device 101 side in the data transfer executed between the user device 101 and the service provider (SP-CD) 102 as another entity is controlled in the security chip.
To be executed.

The service provider (content distributor) (SP-CD) 102 is a service provider that provides contents to the user device 101 having a security chip. The content creator 103 provides the service provider (content distributor) (SP-CD) 102 with the content to be used for the service. The user device manufacturer (Manufacturer) 104 is the user device 10
It is an entity that manufactures 1.

The support center 105 is a center for executing support for various processes in the user device attached to the user device 101. For example, a password recovery process when the user forgets the password used as the authentication information, Alternatively, various support processes for the user device are executed, such as a restore (recovery) process using backup data of the content generated by the user device. Certification Authority (CA)
Authority) 106 issues a public key certificate (PKC) to each entity.

The user device 101, the service provider (content distributor) (SP-C)
D) 102, content creator 103, user device manufacturer (Manufacturer) 104, support center 1
05, Certification Authority (CA) 10
6. The number of each entity is arbitrary. In particular, in FIG. 1, a certification authority (CA) 10
Although only one 6 is shown, the certificate authority may include a plurality of certificate authorities that issue public key certificates necessary for processing in each entity.

The user device 101 receives the encrypted content from the service provider (content distributor) 102 via satellite communication, Internet communication, or other wired or wireless data communication network and uses the content. Key for decrypting encrypted content: Content key: Kc is encrypted and is a content usage right certificate as an authority information certificate indicating the content usage right, for example, an attribute certificate (A
C: Attribute Certificate) 110, and in order for the user terminal 101 to decrypt and use the content, an attribute certificate (AC: Attribute Ce) from the service provider (content distributor) 102.
rtificate) 110, the user device having the security chip needs to extract the key from the attribute certificate and decrypt it.

In the content use authority certificate as an authority information certificate indicating the content use authority, for example, the attribute certificate (AC: Attribute Certificate) 110, in addition to the encrypted content key: Kc, content use restriction Content usage restriction information such as the number of times and the expiration date is recorded, and the user device 101 can use the content according to the content usage restriction recorded in the attribute certificate (AC) 110 as the content usage authorization certificate. It will be possible.

In the following description of the embodiment, the attribute certificate (AC: Attribute Certificate) 110 stores the content usage information and the encrypted content key. However, the content usage information and the encrypted content key are stored. The certificate in which the key is stored is not limited to the attribute certificate (AC) according to the so-called regulation, but can be configured as a certificate of any data format. That is, if the configuration is such that data for certifying content usage authority is stored and signature data of the issuing entity for data tampering verification is added, a content usage authority certificate of any data format can be used.

The content distribution from the service provider to the user device or the attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible.

During each entity shown in FIG. 1, the certificate authority 10
Entities other than 6, ie user device 10
1. Service provider (content distributor) (SP-CD) 102, content creator 10
3 and user device manufacturer (Manufacturer) 10
4. The support center 105 entity executes the processing in each entity according to a predetermined rule in order to use and distribute the content according to the predetermined rule. As an entity for setting and managing this rule, a system holder (SH: System Ho
lder). Each of the entities 101 to 105 in FIG. 1 executes the process in each entity under the content use infrastructure and rules set by the system holder (SH).

For example, a user device manufacturer (Manufactur
er) 104 stores a device identifier (ID) applied in content distribution and various cryptographic processing keys in a security chip having a tamper resistant structure in a user device to be manufactured. User device 101, service provider (content distributor) 102,
In content transfer between the content creator (CC) 103 and the support center 105, attribute certificate transfer, and other data transfer processing, the system holder (S
For example, mutual authentication processing and data encryption processing are executed based on the rule set in H).

When using the content in the user device 101, the content is used in compliance with the usage restrictions recorded in the attribute certificate. For example, under the control of the control unit of the security chip in the device when using the content for which the number of times limitation is set, a process of updating a counter that counts the number of times the content can be used is executed. The system holder (SH) is an entity that constructs and manages the platform that defines the processing rules of each entity.

[Public Key Certificate, Attribute Certificate] The public key certificate and attribute certificate used in the configuration of FIG. 1 will be briefly described.

(Public Key Certificate (PKC)) The public key certificate will be described with reference to FIGS. 2, 3 and 4. The public key certificate is a certificate issued by a certification authority (CA), and the user and each entity submit their own ID, public key, etc. to the certification authority so that the certification authority side can identify the certification authority ID. The certificate is created by adding information such as the expiration date and the expiration date, and also by adding a signature from the certificate authority.

Format examples of the public key certificate are shown in FIGS. This is the public key certificate format ITU-
T X. This is an example based on 509.

The version indicates the version of the certificate format. Serial N
umber) is the serial number of the public key certificate set by the public key certificate issuing authority (CA). Signature is a signature algorithm of a certificate. Note that there are elliptic curve cryptography and RSA as the signature algorithm, and the parameter and the key length are recorded when the elliptic curve cryptography is applied, and the key length is recorded when the RSA is applied. Issuer
Is a format in which the name of the issuer of the public key certificate, that is, the name of the public key certificate issuing authority (IA) can be identified (Distinguished Na
It is a field recorded by me). Expiration date
In y), the start date and time and the end date and time, which are the expiration dates of the certificate, are recorded. Subject public key information
y Info) stores the key algorithm and key as the public key information of the certificate holder.

Certificate Authority Key Identifier
er−key Identifier, authority Cert Issuer, authori
ty Cert Serial Number) is information that identifies the key of the certificate issuer used for signature verification, and stores the key identifier, the name of the issuer of the institutional certificate, and the serial number of the institutional certificate.
The subject key identifier is
Stores an identifier for identifying each key when certifying multiple keys in a public key certificate. Purpose of key usage (key us
age) is a field that specifies the purpose of use of the key,
(0) Digital signature, (1) Non-repudiation, (2) Key encryption, (3) Message encryption, (4) Common key delivery, (5) Authentication signature confirmation, ( 6) Each purpose of use for signature confirmation of the revocation list is set. The private key usage period records the expiration date of the private key corresponding to the public key stored in the certificate. The Certificate Policies record the certificate issuing policy of the public key certificate issuer. For example ISO / I
It is a policy ID and authentication standard based on EC9384-1. The policy mapping is a field that stores information regarding policy-related restrictions in the certification path, and is required only for a certificate authority (CA) certificate. The subject alternative name (subject Alt Name) is a field for recording the alternative name of the certificate owner. The issuer alias (issuer Alt Name) is a field for recording the alias of the certificate issuer. Subject directory
The attribute (subject Directory Attribute) is
A field that records the attributes of the directory needed for the certificate owner. Basic constraints
aint) is a field for distinguishing whether the public key to be certified is for the signature of the certificate authority (CA) or for the certificate owner. Allowable subtree constraint names (name Constraints per
Committed Subtrees) is a field for storing restriction information on the name of the certificate issued by the issuer. The constraint policy (policy Constraints) is a field that stores the constraint information of the relationship between the policies in the authentication path. CRL Reference Point (Certificate Revocation List Distribution
Points), when the certificate holder uses the certificate,
This is a field that describes the reference point of the revocation list for confirming whether the certificate has been revoked.
Signature algorithm (Signature Algotithm) is a field that stores an algorithm used for signing a certificate. The signature is the signature field of the public key certificate issuer. The electronic signature is data generated by applying a hash function to the entire certificate to generate a hash value and using the private key of the issuer for the hash value. It is possible to tamper with just by adding a signature or hashing, but if it can be detected, it has the same effect as being virtually untamperable.

The certificate authority issues the public key certificate shown in FIGS. 2 to 4, updates the expired public key certificate, and revokes a list of revoked users who have committed fraud. (Revocation List) is created, managed, and distributed (this is called revocation: Revocation). It also generates public and private keys as needed.

On the other hand, when using this public key certificate, the user verifies the electronic signature of the public key certificate using the public key of the certificate authority held by the user and succeeds in verifying the electronic signature. After that, the public key is extracted from the public key certificate and the public key is used. Therefore, all users who use the public key certificate must hold the public key of the common certificate authority.

(Attribute Certificate (AC)) The attribute certificate will be described with reference to FIG. There are roughly two types of attribute certificates, and one is a certificate that includes the attribute information of the owner regarding the right and authority such as content usage right. The other is a service provider (SP) area securing or deleting attribute certificate (AC), which secures or deletes a service provider (SP) information storage area in the memory of the user device. It is an attribute certificate (AC) including deletion permission information.

The attribute certificate format is defined by ITU-T X.509, and the IETF PKIX WG defines the Profile. Unlike the public key certificate, it does not include the owner's public key. However, Attribute Certificate A
It is the same as a public key certificate in that it can be judged whether it has been tampered with by verifying this signature because it has a signature of (uthority).

In the configuration of the present invention, the attribute certificate (A
C) Issuing management of Attribute Certificate Authority (Attribute C
The service provider (content distributor) (SP-CD) 102 can also serve as an ertificate authority. It may be configured differently. The attribute certificate is always used in association with the public key certificate. That is, the identity of the owner is confirmed by the public key certificate, and the attribute certificate shows only what authority the owner has. When verifying the attribute certificate, the signature of the certificate is verified and then the public key certificate associated with it is also verified.

At that time, in principle, it is preferable to carry out the verification in sequence up to the highest public key certificate following the certificate chain. In a hierarchical certificate authority configuration in which there are a plurality of certificate authorities (CAs), the public key certificate of the lower certificate authority itself is signed by the higher certificate authority that issues the public key certificate. That is, a chained public key certificate issuing configuration in which the upper public key certificate issuing authority (CA-High) issues a public key certificate to the lower layer public key certificate issuing authority (CA-Low). To take. Chain verification of public key certificates is the chain of public key certificates up to the highest level (root CA) obtained by tracing the certificate chain from the lower level to the higher level to obtain chain information up to the highest level public key certificate. Means to verify the signature of.

By making the validity period of the attribute certificate short, it is possible not to perform the revocation process. In this case, it is possible to omit the certificate revocation procedure, the revocation information reference procedure, and the like, which has the advantage of simplifying the system. However, it is necessary to take sufficient precautions against illegal use of certificates, as some measures other than revocation are required. In this authentication system, in addition to the authority to use the content, the content key for decrypting the content is embedded in the attribute certificate. The content is available by receiving the document.

The structure of the attribute certificate shown in FIG. 5 will be described. The certificate version number indicates the version of the certificate format. AC holder public key certificate information,
This is information about the public key certificate (PKC) corresponding to the issuer of the attribute certificate (AC), the PKC issuer name,
It is information such as a PKC serial number and a PKC issuer unique identifier, and has a function as link data for associating a corresponding public key certificate. The name of the issuer of the attribute certificate is a field in which the name of the issuer of the attribute certificate, that is, the name of the attribute certificate authentication authority (AA) is recorded in a distinguishable format (Distinguished Name). The signature algorithm identifier is a field for recording the signature algorithm identifier of the attribute certificate. As the certificate expiration date, the start date and time and the end date and time, which are the certificate expiration date, are recorded. The attribute information field stores either (1) memory area reservation, deletion information or (2) content usage condition related information, depending on the usage form of the attribute certificate. The content usage condition related information includes an encrypted content key.

(1) Memory area reservation / deletion information is recorded in an attribute certificate issued for the purpose of registering or setting a management area for each service provider in the memory in the security chip of the user device by the service provider or deleting the information. To be done. The record information is, for example, the following information. Service provider identifier (ID) Service provider name processing: Memory area secured or memory area deleted Either area size: Memory area size

The service provider sends an attribute certificate in which the above items are stored in the attribute information field to the user device, and after the user device verifies the attribute certificate, the user device receives it in the memory in its own security chip. The memory area securing process or the secured memory region deleting process is executed according to the recording of the attribute information field of the attribute certificate.

(2) The content usage condition related information is information stored in the attribute information field of the attribute certificate issued corresponding to the content provided by the service provider, such as the number of times of usage limitation of the content and the usage deadline. It includes various usage conditions and further includes encrypted data of a content key obtained by encrypting the content. The record information is, for example, the following information. Service Provider Identifier (ID) Service Provider Name Application Identifier (ID): Content identification information. Condition: This is information indicating whether the content is an online usage content, an offline usage content, a purchased content, a period limited content, an online number limited content, or an offline number limited content. Expiration date: Expiration date information when the period is limited Number of times usage is limited: Number of times when the number of times is limited Payment conditions: Record payment conditions for content consideration Content key: Store encrypted content key with encryption algorithm information

As to the usage mode of the content, as described in the above condition field, (1) online usage,
(2) Distinguishing whether to use offline, (a) a mode in which content is bought out and content usage after purchase is free, (b) a mode in which a content use period is set by setting a period limit, and (c) the number of times There are various modes of restricting the number of times the content is used. There is also a combination restriction mode involving both a time restriction and a frequency restriction. In the user device, the content is used according to these aspects recorded in the attribute certificate.
These specific processing modes will be described later.

Further, an encrypted content key obtained by encrypting a content key Kc applied as a decryption key for encrypted content is stored. The main types of keys that are directly or indirectly applied to the encryption processing of the content key: Kc are as follows. (A) Service provider (SP) compatible storage public key corresponding to the SP compatible storage private key stored in each service provider management area of the security chip of the user device: SC. Stoppub. SP. K, (public key method) (b) SP compatible storage key stored in each service provider management area of the security chip of the user device (common key method) (c) Private key held by the service provider: SP. S
to. K (d) Global common key generated as a key shared by the system holder (SH) and the user device: Kg The process to which these keys are applied will be described in detail later.

The attribute certificate further has a signature algorithm recorded therein, and is signed by the attribute certificate authority (AA) which is the issuer of the attribute certificate. The digital signature applies a hash function to the entire attribute certificate to generate a hash value, and the attribute certificate issuer (A
This is data generated using the secret key of A).

[Security Chip Configuration] Next, the configuration of the security chip formed in the user device as the information processing apparatus using the contents will be described with reference to FIG. The user device is constituted by a CPU as a data processing unit, a PC having a communication function, a game terminal, a reproducing device such as a DVD and a CD, a recording / reproducing device, and the like. A security chip having a tamper resistant structure will be mounted. An example configuration of the user device itself is described at the end of this specification. The user device having the security chip is manufactured by the user device manufacturer 104 in FIG.

As shown in FIG. 6, the user device 200
The security chip 210 is built in the user device side control unit 221 as a structure capable of mutually transferring data. The security chip 210 has a CPU (Central Pr
a communication interface 202 having a data communication interface function, and a CPU
ROM (Read Only Memory) storing various programs executed by 201, for example, a cryptographic processing program, a master key: Km stored at the time of manufacturing the device, etc.
203, an execution program load area, and a RAM (Ra that functions as a work area in each program process).
ndom Access Memory) 204, authentication processing with external devices,
A cryptographic processing unit 205 that executes cryptographic processing such as generation of a digital signature, verification processing, encryption of stored data, and decryption processing, information for each service provider described above, and device-specific information including various key data are stored. EEPROM (Ele
The memory unit 206 includes a ctrically erasable programmable ROM). Details of the stored information will be described later.

The user device 200 has an external memory section 222 composed of an EEPROM, a hard disk, etc. as an area for storing encrypted contents and the like. The external memory unit 222 can be used as a storage area for a public key certificate and an attribute certificate, and also as a storage area for a content usage number management file described later.

When the user device equipped with the security chip is connected to an external entity, for example, a service provider and executes data transfer processing, mutual authentication between the security chip 210 and the external entity is performed as necessary. Also, the transfer data is encrypted. Details of these processes will be described later.

FIG. 7 shows an example of data to be processed by the security chip of the user device. Most of these are EEPROM (Electrically Erasable Programmable) such as flash memory which is a form of non-volatile memory.
ROM (Read Only Memory) stores data that is stored in a memory unit 206 configured by a ROM but is not rewritable at the time of manufacture, for example, a master key: Km.
It is stored in 203. The public key certificate and the attribute certificate may be stored in the memory in the security chip or the external memory.

Each data will be described. Public Key Certificate (PKC): A public key certificate is a certificate that indicates to a third party that it is a legitimate public key, and the certificate contains the public key that you want to distribute. It is digitally signed. In the user device, the public key certificate of the highest-level certificate authority (root CA) in the hierarchical structure described above, the service provider registered in the user device, that is, the service provider in which the memory area is secured in the user device is disclosed. Key certificate,
Stores the public key certificate of the support center that executes support such as password recovery processing.

Attribute certificate (AC): The public key certificate shows the "personality" of the certificate user (owner), while the attribute certificate shows the usage authority of the certificate user. . By presenting the attribute certificate, the user can use the application and secure the area based on the right / authority described in the attribute certificate. less than,
Indicates the type of attribute certificate and the role played by each.

(A) Attribute certificate for application use management (AC): An application is an expression in which a generally-used content is used in a broad sense, and types of applications include games, music, movies, financial information, etc. There are various applications. The application usage management attribute certificate (AC) has a description regarding application usage authority, and the attribute certificate (AC)
Is presented to the service provider (SP) for verification,
Alternatively, by performing verification locally, the application license within the usage authority range described in the attribute certificate (AC) can be obtained. As for the description about the application usage authority, whether the application can be used online or offline,
Furthermore, in the case of content available online,
There is information on usage period restrictions and usage number restrictions, and in the case of content that can be used offline, there is a description indicating usage number restrictions and purchase-out.

(B) Service Provider (SP) Memory Area Management (Secure) Attribute Certificate (AC): When registering the service provider (SP) in the user device, S
It is necessary to secure an information storage area for P in the user device. The permission information for securing the area at this time is stored in the attribute certificate (AC), and the user device secures the SP area in the user device according to the information stored in the attribute certificate (AC).

(C) Attribute certificate for memory area management (deletion) for service provider (SP) (AC): Attribute certificate (AC) storing permission information for erasing SP area secured in the user device is there. The user device executes the process of deleting the SP area in the user device according to the information stored in the attribute certificate (AC).

Key data: As key data, a public key set for the device, a secret key pair, a storage key used as an encryption key when storing data such as contents, and a random number generation key. , Mutual authentication keys, etc. are stored.

The storage key is a key applied to at least one of encryption and decryption processing of the content key stored in the device. The storage key includes a device-compatible storage key and a service provider-compatible storage key, and the service provider-compatible storage key is a key stored in each service provider management area for each individual service provider registered in the device. It is applied according to the content key provided by the corresponding service provider. The device compatible storage key includes a system holder and a global common key configured as a key shared only by devices.
It is used when executing the distribution process of the encrypted content key that prevents the decryption process in the service provider.
Details of the processing to which these keys are applied will be described later.

Identification information: As the identification information, a device ID as an identifier of the user device itself, a service provider ID as an identifier of a service provider (SP) registered in the user device, and a user given to a user who uses the user device As the ID, the user ID may be different for each external entity such as a service provider. The application ID is
It is an ID as identification information corresponding to the service and content provided by the service provider (SP).

Others: The user device further stores, as the authentication information, authentication information (for example, a password) for obtaining the use permission of the service provider (SP) information registered in the user device. By entering the password, it becomes possible to acquire the service provider (SP) information registered in the user device, and after the information is acquired, the application provided by the service provider,
Use of content is permitted. When the authentication information (password) is forgotten, the master password can be used to initialize (reset) the authentication information (password).

Further, seed information for random number generation is stored. Random numbers can be used, for example, in
Generate according to SI X9.17.

Further, the content usage count information or a hash value calculated based on the content usage count information is stored. This is information that is necessary to strictly use the content within the usage count limit stored in the attribute certificate corresponding to the application and content, and is used as identification information of the attribute certificate corresponding to the content. The application ID, the serial number of the attribute certificate, and the number of times the content can be used are saved. It is possible to tamper with just by adding a signature or hashing, but if it can be detected, it has the same effect as being virtually untamperable.

[Memory Configuration in User Device] EEPR such as a flash memory which is a form of non-volatile memory
At least a part of the various data described above is stored in the memory unit 206 configured by an OM (Electrically Erasable Programmable ROM). These are divided into three regions in the memory unit 206, that is,
(1) device management area, (2) system management area,
(3) Stored in a service provider management area. The stored data for each of these areas will be described below.

(1) Device Management Area The device management area holds information that does not depend on the system specific to the device. This area is an area that is initially secured at the time of manufacturing the device and occupies a plurality of leading blocks of the nonvolatile memory. The device management area holds and manages at least the following data. Device ID Random number generation seed Random number generation encryption key Mutual authentication key Device compatible storage key

The mutual authentication key is a key for authentication with the entity which is the output destination when the data in the security chip is output to the outside of the security chip. The entity also includes a user device such as a game terminal, a reproducing device such as a DVD, a CD, etc., and a recording / reproducing device equipped with a security chip. Data is transferred between the security chip and a user device having the security chip, and mutual authentication processing is performed by applying a mutual authentication key when data is communicated with an external service provider via the user device. On condition that mutual authentication is established, data is encrypted by the session key generated at the time of mutual authentication, and data is transferred between the inside and outside of the security chip.

The device-corresponding storage key is a key for encrypting the data inside the security chip to prevent the data from being browsed or tampered when the data is held outside. The device storage key may be either a public key system or a common key system. The random number generation seed is data used as an initial seed when a pseudo random number is obtained by arithmetic operation. A pseudo random number is arithmetically operated using the random number generation encryption key to generate a random number.

The common key type device-compatible storage key is
The system holder and the global common key configured as a key shared only by the devices are included, and the global common key is used when executing the distribution process of the encrypted content key that prevents the decryption process in the service provider. The global common key will be described in detail later.

(2) System Management Area The system management area is secured in the memory area like the device management area. The system management area holds and manages the following data. Root Certificate Authority (CA) public key certificate device public key certificate device private key

The root certificate authority (CA) public key certificate is a root certificate of all the authentication systems in the security chip. When the chain verification described above is performed by tracing the signature verification of other certificates, the To get to the public key certificate of the root certificate authority (CA).

The device public key certificate is a public key certificate used at the time of mutual authentication with the service provider. To generate and import the device private key externally,
A device public key certificate is also generated at the same time. When the device private key / public key is generated on the device side, after the device private key / public key is generated in the device, the device public key is read from the device and the process of issuing the device public key certificate is performed. Then, the issued device public key certificate is imported.

The device private key is a key for signing and authenticating data. The private key is generated as a pair with the public key, but it is either generated externally in advance and securely imported to the device, or it is generated internally in the device and never sent out. The configuration is as follows.

(3) Service Provider Management Area The service provider (SP) management area is a service provider (SP) management table and a service provider (S).
P) management information. Service Provider (SP)
The management table is a table for indicating the location of each service provider (SP) information in the service provider (SP) management area, and storage location information of each service provider (SP) information in the memory in association with the identifier of the service provider. have.

In the service provider (SP) management area, the user device is the service provider (SP).
By registering each member, an area for each service provider (SP) is secured in the memory area in the device. The area reservation or deletion processing is executed based on the description of the attribute certificate. Service provider (S
P) The management area holds the following information.

Service Provider (SP) Compatible Private Key Service Provider (SP) Compatible Storage Private Key (Public Key Method) Service Provider (SP) Compatible Storage Key (Common Key Method) External Management Information Hash Value Content Usage Count Management Data Authentication Information user information

The private key corresponding to the service provider (SP) is a public key applied to mutual authentication processing with the registered service provider (SP) generated for each registered service provider (SP) or encrypted data transfer processing. It is the private key of a private key pair. Registered service provider (S
This is a key required when P) and the security chip mutually authenticate.

The service provider (SP) compliant storage secret key (public key method) is used when the content usage provided by the service provider can be used offline, that is, each time the acquired content is used, connection with the service provider is made. If the content does not require, it is a key for decrypting the encrypted content key corresponding to the content. The encrypted content key is encrypted at the service provider by the service provider (SP) compatible storage public key corresponding to the service provider (SP) compatible storage private key, and then the attribute certificate (A
It is stored in C) and transmitted to the user device, and the content key can be obtained by decrypting it with the service provider (SP) compatible storage secret key in the security chip of the user device.

The service provider (SP) -compatible storage key (common key method) is used when the use of the content provided by the service provider can be used offline, that is, each time the acquired content is used, a connection with the service provider is made. When the content is not required, it is a key for decrypting the encrypted content key corresponding to the content, and is a key commonly applicable to the encryption / decryption processing. It should be noted that the storage private key (public key method) compatible with the service provider (SP) and the service provider (S
P) Only one of the corresponding storage keys (common key method) may be stored and applied. .

Regarding the hash value of the external management information, by outputting the data which is too large to be managed inside the security chip to a specific area of the external memory and managing the hash value of the area within the security chip,
It prevents tampering. For example, when a content usage restriction is applied, the remaining number of times is subject to management by hash value. In the case of the number-of-times management content, browsing of the number-of-times information is not a problem, but tampering must be prevented. It is possible to tamper with just by adding a signature or hashing, but if it can be detected, it has the same effect as being virtually untamperable.

Content Usage Count Management In some cases, the security chip locally manages the number of times the data application (content) can be used. At this time, inside the security chip, application I
Holds and manages D, serial of attribute certificate (AC), and usable count. The management process of the content usage count management data will be described in detail later.

Authentication Information Authentication information is information for the purpose of protecting the management information managed in the service provider (SP) management area. The user needs mutual authentication with the service provider (SP) when connecting to the service provider (SP), and the information necessary for the mutual authentication is stored in the service provider (SP) management area. Authentication information is used to acquire necessary information from this management area. Specifically, the authentication information is, for example, a password. Authentication information (password)
If the user forgets the service provider (S
P) The license for the management information in the management area cannot be obtained.
In this case, the authentication information itself can be reset or changed by inputting the master password. These processing configurations will be described in detail later.

User Information User information is user-specific information such as a user ID assigned by the service provider (SP).

[Password Management] Hereinafter, a process in which the user device 101 shown in FIG. 1 receives the content provided by the service provider (content distributor) 102 and uses the content under the usage restriction according to the attribute certificate, The details of various processes necessary for using the content will be described. First, the authentication information (password) for controlling access to the service provider management area in the memory area in the user device that stores information about the service provider that provides the content will be described.

(1) Authentication Information (Password) Registration Processing In order for a user who has purchased a user device to purchase content from various service providers under the control of the system holder or to use the purchased content. Requires a process of setting a service provider management area in the memory area in the user device and storing management information for each service provider in this service provider management area. The service provider in which the service provider management area is set in the memory area in the user device is hereinafter referred to as a registered service provider. The above-mentioned attribute certificate is applied to the setting of the service provider management area, and the service provider according to the recording of the attribute certificate in the memory area in the user device based on the attribute certificate received by the user device from the service provider. Executes management area setting processing.

In order for a user device to access a registered service provider having a service provider management area to purchase or use contents, first, information in the service provider management area in the user device is acquired. Will be required. This is because the service provider management area stores information necessary for mutual authentication processing between the user device and the service provider, and it is necessary to acquire this information and perform mutual authentication with the service provider. .

In order to access the service provider management area, the user needs to input the authentication information (password) set for each registered service provider through the input means of the user device. In the following description, the description “for each service provider” is synonymous with “for each registered service and for each user”. The security chip performs verification of the match between the input password and the registered password, and only if they match, information in the service provider management area formed in the memory of the security chip can be acquired, and mutual authentication with the service provider thereafter. Access to the process.

The authentication information (password) is set for each service provider registered in the user device. The initial registration of these passwords is performed by the user himself. Initial password registration processing will be described with reference to FIG. In the sequence diagram of FIG. 8, the left side is the security chip and the right side is the user interface side processing in the user device having the security chip.

First, (1) the user inputs the authentication information (password) initial registration processing start request by designating the corresponding service provider to be password-registered.
(2) On the security chip side, the service confirmation service specified by the user is a registered service provider whose management area has already been set in the memory of the security chip, and the status confirmation processing such as whether the password is not set is checked. When these are confirmed, (3) authentication information (password) initial registration processing is permitted.

Next, the user inputs (4) the password from the user interface side through the input means such as the keyboard, and (5) the control unit of the security chip temporarily stores the input authentication information (password) in the memory. Retain, (6) Request re-entry of the same password,
(7) When the user re-enters the authentication information (password), (8) the control unit of the security chip collates the re-input authentication information (password) with the authentication information (password) temporarily stored in the memory. When the collation is established, (9) the writing process of the authentication information (password) is executed, (10) the writing result is notified to the user, and if OK, the process ends. (11) In case of NG,
Return to the process of (1).

(2) Authentication Information (Password) Change Process FIGS. 9 and 10 show sequence diagrams of the password change process. The password change has two processing modes: a change process using a registered password (normal time) and a change process using a master password (emergency time).

First, the password changing process in the normal state, that is, the changing process using the registered password will be described with reference to the sequence diagram of FIG. The left side is the security chip, and the right side is the user interface side processing of the user device having the security chip.

First, (1) the user inputs the authentication information (password) change process start request by designating the corresponding service provider as the password change process target.
(2) On the security chip side, the service provider specified by the user is a registered service provider (SP) whose management area is set in the memory, and the status check is performed to determine whether the service provider (SP) has the password set. On the condition that these are confirmed, (3) the registered authentication information (password) input request is made. The user inputs the registered password from the user interface side through the input means such as a keyboard, (4)
(5) Upon confirming the input, the control unit of the security chip executes the collation process with the registration authentication information (password) written in the service provider management area.

When the collation is established, (6) change processing permission is notified. The user inputs (7) new authentication information (password) from the user interface side via an input means such as a keyboard, and (8) the control unit of the security chip temporarily stores the input authentication information (password) in the memory. When it is held, (9) the same password is requested again, and (10) the user re-enters the authentication information (password), (11) the control unit of the security chip stores the re-input authentication information (password). The authentication information (password) stored in the memory is temporarily verified, and if the verification is successful, (12) the authentication information (password) write processing is executed, and (13) the write result is sent to the user. Notify and if OK, end. (14) N
In the case of G, the process returns to (1).

(3) Authentication Information (Password) Reset Processing Using Master Password Next, based on the sequence diagram of FIG. 10, the authentication information (password ) The reset process will be described. The left side is the security chip, and the right side is the user interface side processing in the terminal in which the user device having the security chip is mounted.

First, (1) the user inputs the authentication information (password) reset process start request by designating the corresponding service provider as the password change process target.
(2) On the security chip side, the service provider specified by the user is a registered service provider (SP) whose management area is set in the memory, and the status check is performed to determine whether the service provider (SP) has the password set. When these conditions are satisfied, (3) a master password input request is issued. The user inputs (4) the master password from the user interface side via the input means such as a keyboard, and (5) the control unit of the security chip executes the collation process of the input master password, and the correct master password is input. If it is determined whether there is a correct master password input as a result of verification, (6) initialization of registration authentication information (password) written in the service provider management area, that is, registered authentication information ( Password) reset process is executed.

After the reset processing, the control unit of the security chip notifies (7) the processing result notification to the user, and OK.
If so, for example, the user executes the above-described authentication information (password) registration processing. Since these processes are similar to the processes described above with reference to FIG. 8, description thereof will be omitted. (8) If the reset process result is NG, the process returns to (1).

As described using the processing sequence of FIG. 10, the master password is applied when initializing the registered authentication information (password) for each registered service provider, that is, when resetting. The authentication information initialization (reset) process using the master password is effective for all the authentication information of the service providers registered in the security chip.

FIG. 11 shows the relationship between the master password and the authentication information (password) of each registered service provider. As shown in FIG. 11, the master password exists as a higher-level password for each service provider corresponding authentication information, and by inputting the master password, the authentication information (password) of each registered service provider is initialized (reset), It becomes possible to re-register new authentication information as authentication information (password) of each registered service provider.

As shown in FIG. 12, the master password is distributed, for example, with a printed sheet attached to the device when the user device is purchased. The master password is written at the factory when the device is manufactured, but the user cannot read the master password from the device. The master password is
It is generated based on the device ID, which is a unique identifier of the device, and the master key. The master key is a key set corresponding to each information processing device or a group of information processing devices.

If the user forgets the master password, the master password can be reissued on condition that the user has registered with the support center. FIG. 13 shows a sequence diagram of a user registration process to the support center and a master password reissue process.

The upper part of FIG. 13 shows a user registration processing sequence diagram for the support center. The user can perform the user registration by mailing the registration form attached to the purchased device or connecting to the support center via the terminal in which the device is set. User registration is performed as a process of registering data such as a user address, a telephone number, and a device ID in the support center. When the user registration is completed in the support center, a user registration completion notification is sent or transmitted from the support center to the user. It

The lower part of FIG. 13 shows a sequence of master password reissue processing executed between the user and the support center when the user forgets the master password. The user sends a request for reissue of the master password to the support center together with the user information data accompanied by the device ID. When the support center receives the request, the support center matches the user information and the user ID with the registered data. If they match, if they match,
A master password search process based on the user device ID or a master password generation process using a master key is executed. The support center has a master password storage database in which a device ID as a device identifier set corresponding to a user device as an information processing device and a master password are associated with each other. Alternatively, a device has a master key storage database in which a device ID is associated with a key unique to each device or a master key set as a key common to a group of devices, and a master password storage database is provided. First, a database search is executed based on the device ID to acquire the master password. In the case of having a master key storage database, a master password generation process is executed by a cryptographic process to which a master key is applied to the device ID, and a process of sending the generated master password to the user device is executed.

FIG. 14 shows a processing flow for generating a master password by using a master key based on a user device ID. The flow of FIG. 14 will be described. First, in step S101, device ID encryption processing is executed using the master key Km1. The result is set to MPa in step S102. In addition, the result MPa
The master key Km2 is subjected to an encryption process to obtain a password MP, and the password is converted into an ASCII code in step S103. For the encryption process, an encryption algorithm such as DES or triple DES can be applied. The master keys Km1 and Km2 are keys commonly set for a plurality of devices, and the support center selects a master key to be applied from the plurality of keys held by the support center based on the user device ID. use.

Returning to the sequence diagram of FIG. 13, the description will be continued. When the support center performs the master password generation, the support center sends or sends the master password to the user or the user device online or offline.

According to the above sequence, the user can perform the master password reissue process using the support center. In addition, between the user device and the support center, mutual authentication processing is executed as a pre-processing of data transmission / reception, and secret data to be transmitted / received, such as user ID and master password, is encrypted with the session key generated at the time of mutual authentication. It is preferable to generate and verify a signature to prevent data tampering.
Details of the mutual authentication processing, signature generation, verification processing, and the like will be described in detail in the item of content distribution processing.

The user can also perform the master password reissue processing using the support center offline. In this case, processing such as filling in information for personal identification on a postcard and sending it will be performed.

[Content Distribution Processing] When the management area of the service provider is registered in the memory area of the security chip in the user device, and the information necessary for authentication with the service provider and the password and the like are registered, these information are stored. It is possible to purchase contents by communicating with a service provider using. The details of the content purchase process will be described below.

FIG. 15 shows a sequence diagram for explaining the outline of the content purchase processing. The left side is the processing on the user device side having the security chip, and the right side is the processing on the service provider side.

The user device first outputs a content purchase request to the service provider. When the service provider receives the content purchase request, mutual authentication is performed between the user device and the service provider. When mutual authentication is established and the legitimacy of both parties is confirmed, the service provider generates an attribute certificate (AC: Attribute Certificate) corresponding to the purchase request content and sends it to the user device. In the attribute certificate, a content key: Kc for decrypting the content is encrypted and stored, and content usage conditions such as the number of times of use and the expiration date are recorded. For the stored data, the attribute certificate authority (AA: Attri
bute Certificate Authority) has been signed,
It is designed to prevent falsification.

The user device receiving the attribute certificate
The signature verification process of the attribute certificate is executed, and the attribute certificate is stored in the memory based on the determination of no tampering. Further, the user device makes a request for the content to the service provider, and the service provider sends the content encrypted with the content key: Kc stored in the attribute certificate previously sent to the user device to the user device. To do. On the user device side, the encrypted content key extracted from the attribute certificate is decrypted, the content key is extracted, and the content is acquired by decrypting the encrypted content to which the extracted content key is applied. To use. There is also a mode (online decryption) in which the service provider side executes the decryption process of the content key stored in the attribute certificate. Specific examples of these processes will be described later.

The general flow of content distribution is as described above with reference to FIG. The details of each process will be described below. In the processing sequence shown in FIG. 15, the attribute certificate corresponding to the content is executed at the destination of the encrypted content, but either the encrypted content or the attribute certificate may be delivered first. , And may be simultaneously delivered. Further, it is also possible to adopt a configuration in which each of them is stored in a recording medium such as a disk and is distributed for offline distribution.

In addition, content distribution from the service provider to the user device or attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance.

(1) Mutual authentication processing is first performed between the user device that is the content purchase request entity and the service provider that is the content provider. Between the two means for executing data transmission / reception, it is mutually confirmed whether or not the other party is a correct data communication party, and then necessary data transfer is performed. The process of confirming whether or not the other party is a correct data communicator is the mutual authentication process.
One preferable data transfer method is a configuration in which the session key is generated during the mutual authentication process, and the generated session key is used as the shared key to perform the encryption process and the data is transmitted. As the mutual authentication method, each method such as public key encryption method and common key encryption method can be applied.

Here, the handshake protocol (TLS1.
0) will be described with reference to the sequence diagram of FIG.

In FIG. 16, the left side is the user device.
(Client) processing, the right side shows the service provider (server) side processing. First, (1) a service provider (server) transmits a negotiation start request for determining an encryption specification to a user device (client) as a hello request. (2) When the user device (client) receives the hello request, it sends the encryption algorithm, session ID, and protocol version candidate to be used as the client hello to the service provider (server) side.

(3) The service provider (server) side uses the encryption algorithm, session I
D, the protocol version is transmitted to the user device (client) as a server hello. (4) The service provider (server) has its own root CA
The set of public key certificates (X.509v3) up to is transmitted to the user device (client) (server certificate). When the certificate chain is not followed and the verification is not performed up to the highest level public key certificate, it is not always necessary to send the set of public key certificates (X.509v3) up to the root CA. (5) The service provider (server) uses the RSA public key or Diffie & He
The llman public key information is transmitted to the user device (client) (server key exchange). This is public key information that is temporarily applied when the certificate cannot be used.

(6) Next, service provider (server)
The side requests the certificate of the user device (client) as a certificate request to the user device (client), and (7) notifies the end of the negotiation process by the service provider (server) (end of server hello). ).

(8) The user device (client) which has received the server hello end notices the root C owned by itself.
A set of public key certificates (X.509v3) up to A is transmitted (client certificate) to the service provider (server). If the chain verification of public key certificates is not performed, sending the set of public key certificates is not essential. (9) The user device (client) encrypts the 48-byte random number with the public key of the service provider (server) and sends it to the service provider (server). Based on this value, the service provider (server) and user device (client) use the message authentication code: MAC (Message Authenti
cation code) Generate a master secret that includes data for generation.

(10) User device (client)
Confirms the correctness of the client certificate by encrypting the message digest up to this point with the client's private key and sending it to the service provider (server) (confirming the client certificate), and (11)
The start of the encryption algorithm and the key use determined previously (change cipher specification) is notified, and (12) the end of the authentication is notified. On the other hand, (13) the service provider (server) side also notifies the user device (client) of the previously determined encryption algorithm and start of key usage (change cipher specifications), and (1
4) Notify the end of authentication.

Data transfer between the user device (client) and the service provider (server) is executed according to the encryption algorithm determined in the above processing.

Verification of data tampering is performed by the message authentication code: MAC calculated from the master secret generated under the agreement between the user device (client) and the service provider (server) in the above-mentioned authentication processing.
(Message Authentication Code) is added to the transmission data of each entity to verify the tampering of the message.

FIG. 17 shows the message authentication code: MAC
The generation structure of (Message Authentication Code) is shown.
The data transmission side adds a MAC secret generated based on the master secret generated in the authentication process to the transmission data, calculates a hash value from these entire data, and further calculates the MAC secret, padding, and hash value. Based on the hash calculation, a message authentication code (MAC) is generated. When the generated MAC is added to the transmitted data and the MAC generated on the receiving side based on the received data and the received MAC match, it is determined that there is no data tampering. It is determined that there has been tampering with.

(2) Generation of Content Utilization Authority Information Certificate (Attribute Certificate) and Transmission The content provider requests the content from the service provider. The service provider encrypts the content key Kc applicable to the decryption processing of the requested content. The content usage authority information certificate that stores the content usage restriction information, for example, an attribute certificate (AC) is generated and transmitted to the user.

The entity that generates the content use authority information certificate, for example, the attribute certificate (AC) may be the service provider itself or an external entity that executes content management. When an external entity generates an attribute certificate (AC), the external entity will generate the attribute certificate (A) according to the request from the service provider.
C) is generated.

In the attribute certificate, a content key: Kc applicable to decrypt the corresponding encrypted content is encrypted and stored. The key applied to the encryption of the content key Kc is
For example, (a) Service provider (SP) compatible storage public key corresponding to the SP compatible storage private key stored in each service provider management area of the security chip of the user device: SC. Stoppub. SP. K (b) Private key (common key system) held by the service provider: SP. Sto. K (c) There are various modes of global common key: Kg generated as a key shared by the system holder (SH) and the user device. In addition to this, several modes are possible. For example, it is possible to encrypt with a public key held by the service provider. In this case, the attribute certificate (AC) is received from the user device and decrypted with the private key held by the service provider.

Note that whichever encryption mode is applied, content distribution or attribute certificate (AC: Attribute) from the service provider to the user device is performed.
As a delivery form of a Certificate), a form executed according to a request from the user side to the service provider, and a unilateral way from the service provider to a user who has a subscriber contract regardless of the user's request Either form of so-called push type (push type model) of transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance. Hereinafter, details of the processing in the above modes (a) to (c) will be described.

(A) SP-compatible storage public key corresponding to SP-compatible storage private key:
SC. Stoppub. SP. When K is applied As described above in the description of the memory area of the security chip of the user device, each registered service provider registered in the user device has an SP in each service provider management area formed in the memory.
Corresponding storage secret key: SC. Stopri. SP. K
Is stored. In the security chip of the user device, the service provider (SP) storage public key corresponding to the SP corresponding storage secret key in the attribute certificate corresponding to the content provided by the service provider: SC. Stoppub. SP. Content key encrypted with K: Kc, that is, [SC. Stoppub.
SP. K (Kc)], and SP compatible storage secret key: SC. Stopri. SP. By executing the decryption process with K, the content key: Kc is acquired.
Note that [A (B)] indicates data composed of B encrypted with A. In this embodiment, the user device can perform content decryption, that is, offline decryption, as processing in the user device without connecting to the service provider when using the content, that is, decryption.

In the above example, the public key cryptosystem is applied, and the SP compatible storage public key: SC. Stoppub. SP. K, using SP compatible storage secret key: SC. Stop
ri. SP. Although the configuration example using K has been described, it is also possible to apply the common key method, and when the common key method is applied, the SP compatible storage key ( Common key): SC. St
o. SP. K is used. In this case, SP compatible storage key (common key): SC. Sto. SP. K is stored in the service provider management area of the corresponding service provider in the memory of the security chip.

(B) Private key (common key system) held by the service provider: SP. Sto. When K is applied, the service provider stores the content key: Kc stored in the attribute certificate set corresponding to the content provided to the user device: the private key held by the service provider: SP. Sto. Apply K to encrypt. Even if the user device receives the attribute certificate, the encrypted content key stored in the attribute certificate: [SP. Sto. K
(Kc)] cannot be decrypted. Private key held by the service provider: SP. Sto. This is because K has no user device.

Therefore, in order to use (decode) the content, the following processing is required. First, the user device sends an attribute certificate to the service provider to request decryption of the content key, and in the service provider, the private key held by the service provider:
SP. Sto. The content key: Kc is decrypted by K. The user device acquires the decrypted content key: Kc from the service provider, and decrypts the encrypted content with the content key: Kc. In the present mode, unlike the above-described mode (a), the user device is
It is essential to connect to the service provider when using the content, that is, when decrypting it. That is, online processing is required.

(C) When a global common key: Kg generated as a key shared by the system holder (SH) and the user device is applied. This global common key is used in a service provider that executes content distribution. This is a configuration for preventing contents from being distributed and used without permission of the system holder, and performing managed contents distribution by the system holder (SH). A global creator generated as a content creator key of a content creator that provides content to a service provider, a content distributor key of a service provider that distributes content, and a key shared by a system holder (SH) and a user device. By storing the encrypted key data that has been encrypted by combining each key of the key: Kg in the attribute certificate and distributing it to the user device that is the end entity as the content user, the service provider itself Prevents the key from being extracted, and only on the user device the content key: K
This is a configuration that enables the removal of c.

Each of these forms will be described in detail below. First, the attribute certificate issuing processing sequence common to the above (a) to (c) will be described with reference to FIG.

The processing sequence of FIG. 18 is a detailed description of the generation and transmission processing of the attribute certificate that is configured as a part of the content purchase processing sequence of FIG. 15 described above. It is assumed that the user device has a built-in security chip, a service provider management area has been created in the memory in the security chip, and the service provider management information has been stored.

The processing of FIG. 18 will be described. After mutual authentication between the user device and the service provider is established,
(1) A user device having a security chip makes a request for an attribute certificate (AC) to a service provider. In the attribute certificate (AC) request, the user ID registered in the service provider management area, the application ID as the designated identifier of the content, and the user's private key (private key corresponding to the service provider) in the usage condition data selected by the user. The user's public key certificate (PKC) is attached to the data signed in step 1 and sent. The usage condition data is, for example, designation data such as the number of times content is used and the expiration date, and is included as user designation data when it can be selected by the user.

The signature is added to enable verification of data tampering, the MAC value described above can be used, and the electronic signature using the public key cryptosystem can also be applied. Is.

A method of generating an electronic signature using the public key cryptosystem will be described with reference to FIG. The process shown in FIG. 19 is performed by EC-DSA ((Elliptic Curve Digital Signa
tureAlgorithm), IEEE P1363 / D3) is used to generate digital signature data. In addition, here, as the public key cryptosystem, Elliptic Curve Cryptosystem
(Hereinafter, referred to as ECC)) will be described. In addition, in the data processing device of the present invention, in addition to the elliptic curve cryptosystem, for example, RS
A encryption ((Rivest, Shamir, Adleman), etc. (ANSI X9.3
It is also possible to use 1)).

Each step of FIG. 19 will be described. In step S1, p is a characteristic, a and b are coefficients of an elliptic curve (elliptic curve: y ² = x ³ + ax + b, 4a ³ + 27b ² ≠ 0
(Mod p)), G is the base point on the elliptic curve, r
Is the order of G and Ks is the secret key (0 <Ks <r). In step S2, the hash value of the message M is calculated to be f = Hash (M).

Here, a method of obtaining a hash value using a hash function will be described. The hash function is a function that receives a message, compresses the message into data having a predetermined bit length, and outputs the data as a hash value. It is difficult for the hash function to predict the input from the hash value (output). When one bit of the data input to the hash function changes, many bits of the hash value change and the same hash value is changed. It has a feature that it is difficult to find out different input data. MD4, MD5, SHA-1, etc. may be used as the hash function, and DES-CBC may be used in some cases. In this case, the final output value MAC (check value: IC
(Corresponding to V) becomes the hash value.

Succeedingly, in a step S3, a random number u (0 <u
<R) is generated, and the coordinate V (Xv, Yv) obtained by multiplying the base point by u is calculated in step S4. The addition and doubling on the elliptic curve are defined as follows.

[0174]

## EQU1 ## P = (Xa, Ya), Q = (Xb, Yb), R = (Xc, Y
c) = P + Q, when P ≠ Q (addition), Xc = λ ² −Xa−Xb Yc = λ × (Xa−Xc) −Ya λ = (Yb−Ya) / (Xb−Xa) When P = Q (doubled), Xc = λ ² −2Xa Yc = λ × (Xa−Xc) −Ya λ = (3 (Xa) ² + a) / (2Ya)

These are used to calculate u times point G (the speed is slow, but the easiest way to calculate is as follows: G, 2 × G, 4 × G ... 2 ⁱ × G (where G is i
The value twice multiplied (i is the bit position when counting from the LSB of u) is added.

In step S5, c = Xvmod r is calculated, and in step S6 it is determined whether or not this value becomes 0. If it is not 0, d = [(f + cKs) in step S7.
/ U] mod r is calculated, and it is determined in step S8 whether or not d is 0. If d is not 0, c and d are output as electronic signature data in step S9. If r
Is 160 bits long, the electronic signature data has a length of 320 bits.

If c is 0 in step S6, the process returns to step S3 to regenerate a new random number. Similarly, if d is 0 in step S8, the process returns to step S3 to regenerate a random number.

Next, a method of verifying an electronic signature using the public key cryptosystem will be described with reference to FIG. Step S11
Where M is a message, p is a characteristic, a and b are coefficients of an elliptic curve (elliptic curve: y ² = x ³ + ax + b, 4a ³ + 27b ² ≠ 0
(Mod p)), G is the base point on the elliptic curve, r
Is the order of G, G and Ks × G are public keys (0 <Ks <
r). In step S12, it is verified whether the electronic signature data c and d satisfy 0 <c <r and 0 <d <r. If this is satisfied, in step S13, the message M
The hash value of is calculated to be f = Hash (M). Next, in step S14, h = 1 / d mod r is calculated, and in step S15, h1 = fh mod r and h2 = chmod.
Calculate r.

In step S16, h already calculated
1 and h2, the point P = (Xp, Yp) = h1 × G
Calculate + h2 · Ks × G. Since the electronic signature verifier knows the base points G and Ks × G, FIG.
Similar to step S4 of step 1, the scalar multiplication of the point on the elliptic curve can be calculated. Then, in step S17, it is determined whether the point P is the point at infinity, and if it is not the point at infinity, step S18.
(In practice, the point at infinity can be determined in step S16. That is, P = (X, Y), Q = (X,-
(Y) is added, λ cannot be calculated, and it is known that P + Q is the point at infinity). Xp in step S18
The mod r is calculated and compared with the electronic signature data c. Finally, when the values match, the process proceeds to step S19, and it is determined that the electronic signature is correct.

When it is determined that the electronic signature is correct, it is understood that the data has not been tampered with and the person who holds the private key corresponding to the public key has generated the electronic signature.

If the electronic signature data c or d does not satisfy 0 <c <r and 0 <d <r in step S12, the process proceeds to step S20. In addition, step S17
If the point P is the point at infinity in step S2, step S2
Go to 0. Furthermore, in step S18, Xp
Even when the value of mod r does not match the electronic signature data c, the process proceeds to step S20.

If it is determined in step S20 that the digital signature is not correct, is the data falsified?
It can be seen that the person holding the private key corresponding to the public key did not generate the digital signature. As described above, the tampering can be performed only by taking a signature or hashing, but it has the same effect as that the tampering cannot be substantially performed by the detection.

When the service provider receiving the attribute certificate (AC) request confirms that the request data has not been tampered with by the above-mentioned signature verification process, etc., the content key corresponding to the content specified by the application ID:
Encrypt Kc. The key applied to the encryption of this content key: Kc is the SP-compatible storage secret key: SC.0 stored in each service provider management area of the above-described (a) user device security chip. Stopri. S
P. K, (b) Private key held by the service provider:
SP. Sto. K, (c) a global common key: Kg generated as a key shared by the system holder (SH) and the user device.

Further, the service provider stores the content use condition data and other necessary data, and generates the above-mentioned attribute certificate shown in FIG. An electronic signature using the private key of the service provider is added to the generated attribute certificate. The electronic signature generation process is executed according to the same process as the process flow of FIG. The attribute certificate generated by the service provider is sent to the user device, and the user device executes the signature verification process according to the same sequence as the process flow of FIG. 20 described above.

Further, if necessary, the user device
It is preferable to obtain a public key certificate linked according to the public key certificate information of the AC holder in the attribute certificate (AC) and verify the public key certificate. For example, when the reliability of the issuer of the attribute certificate (AC) is uncertain, the public key certificate of the certificate authority is verified by verifying the public key certificate of the issuer of the attribute certificate (AC). It is possible to judge whether or not the user has it legally. When the public key certificate has the hierarchical structure as described above, the route certification is performed by tracing the route to the upper level and executing the chain verification.
It is preferable to execute the verification of the public key certificate issued by A). In some cases, this chain verification is essential.

Attribute certificate (AC) and public key certificate (PK
The details of the relationship confirmation processing with C) and the verification processing of each certificate will be described with reference to the drawings. The flow of FIG. 21 is the public key certificate (PK) related to the attribute certificate (AC), which is performed when the verification of the attribute certificate (AC) is executed.
This is the confirmation processing of C).

When the attribute certificate (AC) to be confirmed is set (S21), the public key certificate information (holder) field of the AC holder of the attribute certificate is extracted (S2).
2) Then, the issuer information (P) of the public key certificate stored in the extracted public key certificate information (holder) field
KC issuer, public key certificate serial number (P
KC serial) is confirmed (S23), the public key certificate (PKC) is searched based on the public key certificate issuer information (PKCissuer) and public key certificate serial number (PKC serial) (S24), A public key certificate (PKC) associated with the attribute certificate (AC) is acquired (S25).

As shown in FIG. 21, the attribute certificate (AC)
And the public key certificate (PKC) are the public key certificate issuer information (PKC issuer) in the public key certificate information (holder) field stored in the attribute certificate, and the public key certificate serial number (PKC). serial)
Is associated with.

Next, referring to FIG. 22, the public key certificate (P
The verification process of KC) will be described. The verification of the public key certificate (PKC) shown in FIG. 22 is performed by tracing the certificate chain from the lower level to the upper level to obtain chain information up to the highest level public key certificate, and then up to the highest level (root CA). 5 is a chain verification processing flow for verifying the signature of the public key certificate. First, set the public key certificate (PKC) to be verified (S31)
Then, based on the information stored in the public key certificate (PKC), the signer of the public key certificate (PKC) is specified (S32). Further, it is determined whether the certificate is the highest public key certificate in the certificate chain to be verified (S33), and if it is not the highest, the highest public key certificate is obtained directly or from a repository or the like (S34). . When the highest level public key certificate is acquired and set (S35), the verification key (public key) required for signature verification is acquired (S36), and it is determined whether the signature to be verified is a self-signature. (S37) If it is not a self-signature, the lower PKC is set (S39), and signature verification is executed based on the verification key (public key) obtained from the upper public key certificate (S40). In the self-signature determination in step S37, in the case of a self-signature, verification using the public key of the self is executed as a verification key (S38),
Proceed to 41.

When the signature verification is successful (S41: Ye
In step s), it is determined whether the verification of the target PKC is completed (S42), and if it is completed, the PKC verification is terminated. If not completed, the process returns to step S36, and the verification key (public key) necessary for signature verification and the signature verification of the lower public key certificate are repeatedly executed. If the signature verification fails (S41: No), the step S
In step 43, an error process, for example, a process of stopping the subsequent procedure is executed.

Next, referring to FIG. 23, the attribute certificate (A
The verification process (example 1) of C) will be described. First, set the attribute certificate (AC) to be verified (S51),
The owner and the signer of the attribute certificate (AC) are specified based on the attribute certificate (AC) storage information (S52).
Furthermore, the public key certificate of the owner of the attribute certificate (AC) is obtained directly or from a repository or the like (S53),
A verification process of the public key certificate is executed (S54).

When verification of the public key certificate fails (S5
If No in 5), the process proceeds to step S56, and error processing is performed. For example, the subsequent processing is stopped. When the verification of the public key certificate is successful (Yes in S55), the public key certificate corresponding to the signer of the attribute certificate (AC) is acquired directly or from a repository or the like (S57), and the public key certificate is acquired. The verification process of is executed (S58). If the verification of the public key certificate fails (No in S59), step S60
Go to and perform error handling. For example, the subsequent processing is stopped. If the verification of the public key certificate is successful (Yes in S59), the public key is extracted from the public key certificate corresponding to the signer of the attribute certificate (AC) (S61), and the extracted public key is used. Signature verification processing of the attribute certificate (AC) is executed (S62). If signature verification fails (S6
If No in 3), the process proceeds to step S64 and error processing is performed. For example, the subsequent processing is stopped. When the signature verification is successful (Yes in S63), the attribute certificate verification is terminated, and the process proceeds to the subsequent process, for example, acquisition of the encrypted content key in the attribute certificate.

Next, referring to FIG. 24, the attribute certificate (A
The verification process (example 2) of C) will be described. In this example, it is determined whether or not the public key certificate necessary for the verification process of the attribute certificate (AC) is stored in the device itself, and if the public key certificate is stored, the verification is performed. Is an example in which is omitted. First, the attribute certificate (AC) to be verified is set (S71), and the owner and signer of the attribute certificate (AC) are specified based on the attribute certificate (AC) storage information (S72). Furthermore, the attribute certificate (A
It is searched whether the public key certificate (PKC) of the owner of C) is stored and saved in the memory of the own device (S73). If it is stored (Yes in S74), the public key certificate of the owner of the attribute certificate (AC) is taken out (S7).
5) Then, the process proceeds to step S81.

When the public key certificate (PKC) of the owner of the attribute certificate (AC) is not stored in the memory of the device itself (No in S74), the owner of the attribute certificate (AC) is disclosed. The key certificate (PKC) is acquired directly or from a repository or the like (S76), and the verification process of the public key certificate (PKC) of the owner of the attribute certificate (AC) is executed (S7).
7) Do. If the verification of the public key certificate fails (S78
No), the process proceeds to step S79 and error processing is performed. For example, the subsequent processing is stopped. If the verification of the public key certificate is successful (Yes in S78), the verification result of the public key certificate is saved (S80), and then the attribute certificate (A
It is searched whether the public key certificate (PKC) corresponding to the signer of (C) is stored and saved in the memory of the self device (S).
81) If saved (Yes in S82)
Takes out the public key certificate of the signer of the attribute certificate (AC) (S83) and proceeds to step S88.

When the public key certificate (PKC) of the signer of the attribute certificate (AC) is not stored in the memory of the device itself (No in S82), the signer of the attribute certificate (AC) is disclosed. The key certificate (PKC) is obtained directly or from a repository or the like (S84), and the verification process of the public key certificate (PKC) of the signer of the attribute certificate (AC) is executed (S8).
5) Do. If the verification of the public key certificate fails (S86
No), the process proceeds to step S87 to perform error processing. For example, the subsequent processing is stopped. When the verification of the public key certificate is successful (Yes in S86), the key (public key) applied to the signature verification of the attribute certificate (AC) is extracted from the public key certificate (S88), and the attribute certificate (AC The signature verification process of () is executed (S89). If the signature verification fails (No in S90), the process proceeds to step S91 and error processing is performed. For example, the subsequent processing is stopped. If the signature verification is successful (Yes in S90), the attribute certificate verification is terminated, and the process proceeds to the subsequent process, for example, acquisition of the encrypted content key in the attribute certificate.

When the attribute certificate is verified by the user device, the attribute certificate is stored in the memory of the security chip inside the user device or in the external memory under the control of the user device control unit outside the security chip, and the attribute certificate is stored. At the time of use, acquisition and decryption processing of the encrypted content key in the attribute certificate will be executed. The process of acquiring the encrypted content key from the attribute certificate and decrypting it will be described below.

(A) SP-compatible storage public key corresponding to SP-compatible storage private key:
SC. Stoppub. SP. When K is applied First, the service provider (SP) compatible storage public key corresponding to the above-mentioned (a) SP compatible storage private key:
SC. Stoppub. SP. K is applied to the encryption of the content key: Kc, and [SC. Stoppub. SP. K (K
The content usage process based on the attribute certificate storing c)] will be described.

Storage secret key corresponding to SP: SC. Sto
pri. SP. K is stored in the service provider management area, and the user can retrieve and use this key by inputting the authentication information (password) described above. Therefore, the content key: Kc can be acquired as offline processing without connecting to the service provider, and the content can be decrypted.

FIG. 25 is a diagram for explaining the sequence of acquisition of encrypted content key from the attribute certificate, decryption, and content decryption processing using the content key.

Description will be given according to the sequence diagram of FIG.
FIG. 25 shows the processing of the memory inside the security chip, the security chip control unit, and the user device control unit from the left. First, the application I as content identification information input by the user to the user device
D is transmitted to the security chip control unit, and the attribute certificate (AC) corresponding to the application ID is acquired from the memory. The user device verifies whether the attribute certificate corresponds to the application ID, sets the attribute certificate in the security chip control unit, and requests acquisition (decryption) processing of the content key: Kc.

The security chip control unit executes signature verification of the attribute certificate and confirms that there is no data tampering.
Encrypted content key stored in the attribute certificate: [S
C. Stoppub. SP. K (Kc)],
SP compatible storage secret key stored in the service provider management area: SC. Stopri. SP. The decryption process is executed by applying K to obtain the content key: Kc. When the content key: Kc is successfully obtained, the security chip control unit notifies the user device control unit that the preparation for decrypting the content is completed.

Next, the user device control section applies the acquired content key to the encrypted content to be decrypted,
It is acquired from the memory via the security chip controller. When the encrypted content is stored in an external memory (for example, a hard disk) instead of the memory in the security chip, the encrypted content is acquired from the external memory. Further, the acquired encrypted content is transmitted to the security chip, the decryption process applying the content key: Kc is performed on the encrypted content in the security chip, and the content obtained as the decryption process result is controlled by the user device. Output to the department.

In the above configuration example, the public key cryptosystem is applied, and the SP compatible storage public key: SC. Stoppub. SP. K.K., the SP compatible storage secret key: SC.
Stopri. SP. Although the configuration using K is used, it is also possible to apply the common key method. When the common key method is applied, the SP compatible storage key (common key) is used for both encryption and decryption processing of the content key. ): SC. Sto. S
P. K is used. In this case, SP compatible storage key (common key): SC. Sto. SP. K is stored in the service provider management area of the corresponding service provider in the memory of the security chip.

(B) Private key (common key system) held by the service provider: SP. Sto. When K is applied: Next, the private key held by the above-mentioned (b) service provider: SP. Sto. K is applied to the encryption of the content key: Kc, and [SP. Sto. The content usage process based on the attribute certificate storing K (Kc)] will be described.

Private key held by the service provider: S
P. Sto. K is a key held by the service provider and not stored in the user device. Therefore, in order for the user device to obtain the content key: Kc, it is necessary to connect to the service provider and request the service provider to decrypt the content key, and execute the content decryption by online processing. It will be.

FIG. 26 is a diagram for explaining the sequence of content key acquisition from the attribute certificate, decryption, and content decryption processing using the content key.

Description will be given according to the sequence diagram of FIG.
FIG. 26 shows the processing in the memory inside the security chip, the security chip controller, the user device controller, and the service provider from the left.

First, the application I as the content identification information input by the user to the user device is input.
D is transmitted to the security chip control unit, and the attribute certificate (AC) corresponding to the application ID is acquired from the memory. The user device verifies whether the attribute certificate corresponds to the application ID, sets the attribute certificate in the security chip control unit, and requests acquisition (decryption) processing of the content key: Kc.

After verifying the attribute certificate, the security chip control unit connects to the service provider, which is the issuer of the attribute certificate, through the user device, and executes mutual authentication processing between the security chip and the service provider. To do. This mutual authentication process is performed by the T of FIG.
It is executed as a mutual authentication process by the LS1.0 process or another system, for example, a public key system. In this mutual authentication process, mutual public key certificate verification is performed,
The public key certificate up to the root certificate authority (CA) is chain-verified as necessary. In this authentication process, the security chip and the service provider share the session key (Kses).

When mutual authentication is established, the control unit of the security chip sends the attribute certificate to the service provider. The attribute certificate contains the private key of the service provider: SP. Sto. The content key data encrypted with K, that is, [SP. Sto. K (K
c)] is stored.

Upon receiving the attribute certificate from the security chip, the service provider executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, the service provider determines that the private key owned by the service provider: SP. Sto. Encrypted content key stored in the attribute certificate: [SP. Sto. K
(Kc)] decryption process is performed, and the content key: Kc
Take out. Furthermore, the extracted content key: Kc is used as the session key (K
ses) and transmits to the security chip of the user device.

When the control unit of the security chip receives the content key encrypted with the session key, that is, [Kses (Kc)], from the service provider,
The decryption process is executed using the session key held at the time of mutual authentication to obtain the content key: Kc.

When the content key: Kc is successfully obtained,
The security chip control unit notifies the user device control unit that the content is ready for decryption. Next, the user device control unit acquires the encrypted content to be decrypted by applying the acquired content key from the memory via the security chip control unit. If the encrypted content is stored in an external memory (eg hard disk) instead of the memory in the security chip,
Get encrypted content from external memory. further,
The acquired encrypted content is transmitted to the security chip, the decryption process applying the content key: Kc is performed on the encrypted content in the security chip, and the content obtained as the decryption process result is sent to the user device controller. Output.

(C) When a global common key: Kg generated as a key shared by the system holder (SH) and the user device is applied Next, it is generated as a key shared by the system holder (SH) and the user device. A processing mode in which the global common key: Kg is indirectly applied to the encryption of the content key: Kc and stored in the attribute certificate will be described. This form using the global common key enables the content key: Kc to be retrieved only by the user device, and the service provider executing the content distribution cannot retrieve the content key. It is possible to prevent the content from being distributed and used, and to perform the managed content distribution by the system holder (SH).

[0215] Specifically, the content creator key of the content creator who provides the content to the service provider, the content distributor key of the service provider who distributes the content, and the system holder (SH) shared by the user device. A global common key: Kg generated as a key to be encrypted is stored in the attribute certificate.

FIG. 27 shows the details of the process of indirectly applying the global common key: Kg to the encryption of the content key: Kc to store the encrypted data of the content key: Kc in the attribute certificate and distribute it. Fig.

FIG. 27 shows a system holder 301 for constructing and managing a content distribution platform, a service provider (CD: content distributor) 302 for executing content distribution, a content generating or managing content, and an encryption for the service provider 302. The content creator 303 that provides the encoded content and the user device 304 as the end entity that receives the content from the service provider 302 are illustrated. It should be noted that the user device 304 includes the above (a),
Similar to the example of (b), it has a security chip, and a service provider management area is generated in the memory area in the security chip.

The processing of FIG. 27 will be described. First, the content creator 303 generates a key: Kc for encrypting the content to be distributed by, for example, a random number, and (1) encrypts the content using the generated content key (common key system): Kc. To the service provider 302.

Further, the system holder 301 is (2)
The content creator key (common key system): Kcc held by the content creator 303 is received from the content creator 303, and (3) the service provider (C
D: A service provider key (common key system): Kcd held by the service provider 302 is received from the content distributor 302. Note that these keys may be delivered in advance.

The system holder 301 encrypts the content creator key: Kcc with the service provider key: Kcd, and further encrypts this encrypted data with the global common key: Kg. That is, encrypted key data: [K
g ([Kcd (Kcc)])] is generated, and (4) this is sent to the content creator 303. In addition, [Kg
([Kcd (Kcc)])] may be handed over in advance. Global common key: Kg is a key shared by the system holder 301 and the user device 304.
The user device 304 includes (5) one or more global common keys: Kg1 to before device manufacturing, device sales, or at least before the start of content purchase.
Kgn is stored, and these are updated under the control of the system holder. The update process will be described later.

The content creator 303 generates data: [Kcc (Kc)] obtained by encrypting the content key: Kc with the content creator key: Kcc, and (6) transmits this to the service provider 302, and at the same time, the system The content creator key: Kcc received from the holder 301 is encrypted with the service provider key: Kcd, and this encrypted data is further encrypted with the global common key: Kg. Encryption key data: [Kg ([Kc ([Kc
d (Kcc)])] to the service provider 302. Note that [Kg ([Kcd (Kcc)])]
May be handed over in advance.

When the user device 304 makes a (7) content purchase request to the service provider 302, the (8) service provider generates an attribute certificate corresponding to the requested content and sends it to the user device 304. In the generated attribute certificate (AC), the above-mentioned encryption key data: [Kg ([Kcd (Kcc)])], that is, the content creator key: Kcc is encrypted with the service provider key: Kcd, and this encryption is performed. Encrypted data with global common key: Kg, and content key: Kc with content creator key: K
Data encrypted by cc: [Kcc (Kc)] is stored. In addition, data such as content usage conditions are stored, and an electronic signature of the service provider 302 is made and transmitted to the user device 304. User device 3
04 stores the received attribute certificate (AC) in the memory.

When using the content, the user device 304 (9) performs mutual authentication with the service provider 302, and then (10) transmits the attribute certificate (AC) already received to the service provider 302. To do. The mutual authentication process is executed as a mutual authentication process between the security chip of the user device and the service provider. This mutual authentication processing is performed by the TLS of FIG. 16 described above.
1.0 processing or other methods, for example, mutual authentication processing using a public key method. In this mutual authentication processing, mutual public key certificates are verified, and public key certificates up to the root certificate authority (CA) are verified in a chained manner, if necessary. In this authentication process, the security chip and the service provider use the session key (Ks
es) share.

In the attribute certificate, the above-mentioned content creator key: Kcc is encrypted with the service provider key: Kcd, and this encrypted data is global common key:
Data encrypted with Kg: [Kg ([Kcd (Kc
c)])], and data obtained by encrypting the content key: Kc with the content creator key: Kcc: [Kcc
(Kc)] is stored.

Upon receiving the attribute certificate from the security chip, the service provider executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, (11) the service provider encrypts the service provider key: Kcd owned by itself with the session key: Kses generated during mutual authentication,
The encrypted key data [Kses (Kcd)] is generated and transmitted to the user device.

The security chip controller of the user device 304 (12) executes the decryption process using the session key on the encrypted key data [Kses (Kcd)] received from the service provider 302, and the service provider key: Get Kcd. The service provider key: Kcd may be stored in the service provider memory area in advance.

The security chip control unit of the user device 304 then (13) replaces the content creator key: Kcc in the attribute certificate with the service provider key: Kcd.
And encrypted with the global common key: Kg: [Kg ([Kcd (K
[ccd]])] is first decrypted with its own global common key: Kg to obtain [Kcd (Kcc)]. Further, (14) the content creator key: Kcc is obtained by the decryption processing to which the service provider key: Kcd obtained by decrypting the encrypted key data received from the service provider 302 is applied.

(15) The security chip control unit of the user device 304 takes out the data: [Kcc (Kc)] obtained by encrypting the content key: Kc in the attribute certificate with the content creator key: Kcc, The content creator key: Kcc obtained by the process is decrypted to obtain the content key: Kc.

[0229] When the content key: Kc is successfully obtained,
The security chip controller of the user device 304
Notify the user device control unit that the content is ready for decryption.

The user device 304 transmits the encrypted content (processing of (16)) acquired from the service provider 302 to the security chip, and the content key: Kc for the encrypted content in the security chip.
Execute the decryption process to which is applied.

Before data transmission / reception of keys, encryption keys, etc. between the above-mentioned entities, mutual authentication is executed between the entities executing data transmission / reception, and data transmission / reception is performed on condition that the authentication is established. Is preferred,
Further, it is preferable that the transmitted / received data is encrypted with a session key and is given a signature.

As described above, the global common key is configured as a key that is owned only by the user device and the system holder, does not hold other entities, and cannot be acquired by other entities. Therefore, even the service provider cannot obtain the content key, and the distribution of the content key without the permission of the system holder,
Distribution of contents can be prevented.

The global common key is updated as needed. It is the support center under the control of the system holder that performs the update. FIG. 28 shows a global common key update processing sequence executed between the support center and the user device. Two global common keys Kg are stored in the memory area of the security chip of the user device.
It is assumed that 1 and Kg2 are stored. The key data in the attribute certificate is encrypted using any of these, and the decryption process is executed. Alternatively, for example, the triple DES algorithm may be applied to encrypt the key data in the attribute certificate using two keys, and the decryption process using the two keys may be performed.

Each process shown in the process sequence of FIG. 28 will be described. FIG. 28 shows processing from the left in the security chip control unit, the user device control unit, and the support center under the control of the system holder.

First, when the user device controller sends a global common key: Kg update request to the security chip controller, the security chip controller connects to the support center under the control of the system holder via the user device. Then, the mutual authentication process between the security chip and the support center is executed. This mutual authentication process is
It is executed as the above-described TLS1.0 process in FIG. 16 or as a mutual authentication process using another method, for example, a public key method. In this mutual authentication processing, mutual public key certificates are verified and, if necessary, the root certificate authority (C
The public key certificates up to A) are verified in a chain. In this authentication processing, the security chip and the support center share the session key (Kses).

When mutual authentication is established, the control unit of the security chip outputs a global common key: Kg update request to the support center. The support center encrypts the already generated global common key for update: Kg3, or the global common key: Kg3 generated in response to the request with the session key: Kses generated in the authentication process, and the encrypted key data: [Kses ( Kg3)] to the security chip of the user device.

When the control unit of the security chip receives the global common key: Kg3 encrypted with the session key from the support center, that is, [Kses (Kg3)], the control unit of the security chip decrypts it using the session key held at the time of mutual authentication. The processing is executed to obtain the global common key: Kg3.

When the global common key: Kg3 is successfully obtained, the security chip control section replaces the global common key: Kg1 with the obtained global common key: Kg3. As a result, the global common keys held by the user device are Kg2 and Kg3. Since the global common key held by the user device has meaning including its order relation, the order relation of [Kg1, Kg2] is also corrected to [Kg2, Kg3]. It is assumed that the global common key holds the data together with the key data and the order relationship held in the user device.

FIG. 29 is a diagram showing an example of a processing sequence in which the service provider mediates and updates the global common key without directly transmitting and receiving data between the user device and the support center.

Each process shown in the process sequence of FIG. 29 will be described. FIG. 29 shows the processing in the support center under the control of the security chip controller, the user device controller, the service provider, and the system holder from the left.

At the support center, a new updated global common key: Kg3 is generated in advance, and the global common key: Kg3 is encrypted with the global common key: Kg2 already distributed to the user device, and the data: [Kg2 (K
g3)], and the private key of the support center:
Kss is signed and sent to the service provider.
The service provider uses the data [Kg2 (Kg3)],
Sig [Kss]. A, Sig [B]
Indicates a data structure in which a signature is added to the data A with the key B.

Next, when the user device control unit transmits a global common key: Kg update request to the security chip control unit, the security chip control unit connects to the service provider via the user device, and the security chip and the service are connected. Perform mutual authentication between providers. This mutual authentication processing is executed as the above-described TLS1.0 processing of FIG. 16 or other method, for example, mutual authentication processing using a public key method. In this mutual authentication processing, mutual public key certificates are verified, and public key certificates up to the root certificate authority (CA) are verified in a chained manner, if necessary. In this authentication process, the security chip and the service provider share the session key (Kses).

When mutual authentication is established, the control unit of the security chip outputs a global common key: Kg update request to the service provider. The service provider receives the data [Kg2 (Kg2 (Kg2
3)], Sig [SuC] are transmitted to the security chip of the user device.

The control unit of the security chip receives data [Kg2 from the support center from the service provider.
(Kg3)], Sig [SuC] is received, a signature verification process is executed to confirm that there is no data tampering, and then a global common key possessed by itself: Global common key encrypted with Kg2: Kg3, that is, [Kg2
(Kg3)] is decrypted using the global common key: Kg2 to obtain the global common key: Kg3. When applying the public key of the support center to the signature verification of the support center, the public key certificate of the support center is sent to the user device as data [Kg2
(Kg3)], Sig [SuC], or
Alternatively, it is distributed in advance to the user device.

When the acquisition of the global common key: Kg3 is successful, the security chip controller overwrites the global common key: Kg3 in the key storage area of the memory, for example, the global common key: Kg1 write area in the device management area described above. . By this update process, the global common key held by the user device is updated to Kg2 and Kg3.

[Decryption Processing Using Decoder] The encrypted content or the encrypted content key can be processed at a high speed by using a decoder having a dedicated decryption processing function to execute the processing. However, since the decoder has a hardware configuration independent of the security chip,
It is necessary to confirm the reliability of the decoder and then decrypt the content key and content in the decoder. Hereinafter, the decryption process of the encrypted content or the encrypted content key using the decoder will be described with reference to the drawings.

FIG. 30 is a diagram for explaining the content key and content decryption processing sequence when the user device has a security chip and a decoder.

The user device is the security chip 2.
10, a decoder 280, a memory unit 222 including a hard disk, a flash memory, etc., a security chip 210 by higher-level software, a decoder 280,
There is a user device side control unit 221 that inputs / outputs data to / from the memory unit 222 and issues various processing execution instructions.

The sequence at the time of content decryption processing will be described. First, when a content use request designating a content is input to the user device side control unit 221 by the operation of the input unit by the user, the user device side control unit 221 corresponds to the designated content stored in the memory unit 222. Search for attribute certificate (AC).
The attribute certificate (AC) extracted by the search is transferred to the security chip 210, and the security chip 210
Inside, the attribute certificate (AC) verification process is executed.

If the attribute certificate (AC) verification processing is successful, mutual authentication and session key sharing processing is executed between the security chip 210 and the decoder 280. After mutual authentication is established, the security chip 210
Decrypts the encrypted content key extracted from the attribute certificate (AC), re-encrypts the content key using the session key shared with the decoder 280 during mutual authentication, and sends the content key to the decoder 280. Upon receiving the encrypted content key, the decoder 280 applies the session key to decrypt the encrypted content key to obtain the content key.

Next, the user device side control section 221
The encrypted content stored in the memory unit 222 is searched, retrieved, and transmitted to the decoder 280. Decoder 28
0 executes the decryption process by applying the previously acquired content key to the input encrypted content.

In the processing to which the above-mentioned decoder is applied, the content key is not used in the security chip 210. Also, the decoder decrypts the encrypted content and externally outputs audio or video data as an analog output. The attribute certificate (AC) may describe the ID of the decoder to be authenticated and the authentication method. In this case, in the security chip 210, the decoder whose decoder is described in the attribute certificate (AC) at the time of mutual authentication is used. It is determined whether or not the ID and the authentication method are met, and the content key is output to the decoder only when the ID and the authentication method are met.

The processing sequence using the decoder will be described with reference to FIG. In FIG. 31, each processing of the security chip, upper software (user device side control unit), and decoder is shown from the left.

When a content use request designating a content is input to the higher-level software (user device side control section) by the user's operation of the input means, the higher-level software (user device side control section) corresponds to the specified content. The application ID is acquired, and the attribute certificate (AC) corresponding to the application ID stored in the memory such as the hard disk is searched based on the application ID.

Attribute certificate (AC) extracted by the search
Is transferred to the security chip together with the attribute certificate (AC) verification processing instruction, and the security chip executes the attribute certificate (AC) verification processing to obtain the attribute certificate (AC).
If the verification process is successful, the security chip extracts the encrypted content key from the attribute certificate (AC), executes the decryption process, and outputs a response message to the upper software (user device side control unit).

Next, between the security chip and the decoder, upper software (user device side control unit)
Mutual authentication and session key sharing processing are executed via. After mutual authentication is established, the security chip decrypts the encrypted content key extracted from the attribute certificate (AC), and then re-encrypts the content key by using the session key shared with the decoder at the time of mutual authentication to decode the content key. Send to. The decoder that receives the encrypted content key applies the session key to decrypt the encrypted content key to obtain the content key.

Next, the user device side control section searches for and retrieves the encrypted content stored in the memory, and sends it to the decoder. The decoder executes the decryption process by applying the previously acquired content key to the input encrypted content.

Next, the content decoding process using the decoder will be described with reference to the flow in FIG.

In step S101, when the user operates the input means to input a content use request designating content to the upper-level software (user device side control unit), in step S102, the upper-level software (user device side control). Part) acquires the application ID corresponding to the designated content, and in step S103, searches the attribute certificate (AC) corresponding to the application ID stored in the memory such as the hard disk based on the application ID.
The attribute certificate (AC) extracted by the search is transferred to the security chip along with the attribute certificate (AC) verification processing instruction in step S104, and the security chip receives the attribute certificate (A) in step S105.
When the verification process of C) is executed and the attribute certificate (AC) verification process is successful, the security chip determines that the attribute certificate (A).
The encrypted content key is extracted from C) and the decryption process is executed. Further, in step S106, a response message is output to the upper software (user device side control unit).

When the attribute certificate (AC) verification process is not successful, the subsequent process is stopped. If the verification is successful, mutual authentication and session key sharing processing is executed between the security chip and the decoder via the upper software (user device side control unit). Specifically, in step S108, the host software (user device side control unit) issues the first authentication command to the security chip, and in step S109, the host software (user device side control unit) receives a response from the security chip. Then, in step S110, the host software (user device side control unit) issues a second authentication command to the decoder, and in step S111, the host software (user device side control unit) receives the response from the decoder.
Furthermore, in step S112, the upper software (user device side control unit) issues a third authentication command to the security chip, and in step S113, the upper software (user device side control unit) receives a response from the security chip. ,
The authentication processing of the decoder by the security chip is executed. If the authentication process fails (NG in S114),
Subsequent processing is stopped, and if successful, step S
Proceed to 115.

In step S115, the host software (user device side controller) issues a fourth authentication command to the decoder, and in step S116, the host software (user device side controller) receives a response from the decoder. By this processing, the success or failure of authentication of the security chip by the decoder is determined. If the authentication process is unsuccessful (NG in S117), the subsequent processes are stopped, and if successful, the process proceeds to step S118.

In step S118, the security chip decrypts the encrypted content key extracted from the attribute certificate (AC), and then re-encrypts the content key using the session key shared with the decoder during mutual authentication (S118). ), And transmits to the upper software (user device side control unit) (S119). The upper software (user device side control unit) transmits the received encrypted content key to the decoder (S120).

The decoder having received the encrypted content key applies the session key to decrypt the encrypted content key to obtain the content key (S121). The upper software (user device side control unit) retrieves and extracts the encrypted content stored in the memory (S122) and transmits it to the decoder (S123). The decoder executes the decryption process by applying the previously acquired content key to the input encrypted content (S124).

As described above, in the decryption process using the decoder, the mutual authentication between the security chip and the decoder is executed, and the content key encrypted with the session key is output to the decoder on condition that the mutual authentication is established. With this configuration, decryption can be executed only by a trusted device, and proper content use can be ensured.

[Content Usage Restriction] As described above, the content usage condition related information stored in the attribute information field in the attribute certificate corresponding to the content storing the content usage restriction information includes the service provider's It includes various usage conditions such as the number of times of use of the provided content and the expiration date. That is, the following information. Condition: Information indicating whether the content is online usage content, offline usage content, and whether it is purchased content, time limit content, online number limit content, or offline number limit content Expiration date: Expiration date information use in case of period limitation Limit number of times: Number of times that can be used when the number of times is limited

[0266] In the attribute certificate corresponding to the content that has been sold out and the usage of the content after the purchase is made free, the above condition is set as the sold out. The attribute certificate corresponding to the content for which the usage period is set is
The above conditions are set as a time limit, and the expiration date is set. In the attribute certificate corresponding to the content for which the use count limit is set, the above condition is set as the count limit, and the set value (count value) is set for the use limit count. In the case of the number of times limit process, after the number of times limit is verified by the service provider and the number of times of offline limit that manages the number of times of use available in the user device to execute content use,
There is a limit on the number of times online that allows the content to be used within the set number of times recorded in the attribute certificate. There is also a combination restriction mode involving both a time restriction and a frequency restriction. The user device uses the content according to these aspects recorded in the attribute certificate. These specific processing modes will be described below.

In order to use the content in the user device, the encrypted content key is taken out from the attribute certificate corresponding to the content to be used, the decryption process is executed, and the content key: Kc is acquired. Will be needed. As described above, the content key acquisition process includes an offline process executed in the security chip of the device and an online process of sending the attribute certificate to the service provider and requesting the decryption.
Even in the content usage processing according to the usage conditions of the content described in the attribute certificate, there are offline processing for checking the usage conditions in the user device and online processing requiring confirmation by the service provider. Which of these is applied is determined according to the description in the attribute information field of the attribute certificate.

FIG. 33 shows a process flow of using the attribute certificate (AC) executed by the user device when using the content. Each step of the processing flow will be described.

When the user device selects the attribute certificate corresponding to the usage target content based on the application ID (content identification information), first, the attribute certificate format confirmation process is executed (S201). Required items are recorded in the attribute certificate, and the validity period of the certificate is valid. When the format confirmation process is completed, signature verification is executed in step S202. As described above, the attribute certificate is attached with the digital signature of the attribute certificate issuer (for example, the service provider), and the user device obtains the public key from the attribute certificate issuer's public key certificate. Take out and verify signature (see Fig. 20)
Do. In addition, verification of the public key certificate used at this time,
It is preferable that the verification process of the chained public key certificate is also executed as necessary. In some cases, this chain verification is essential.

In the signature verification process of step S202, if it is determined that the verification is successful and the attribute certificate is not tampered with, the process proceeds to step S203. On the other hand, step S
In the signature verification process of 202, if the verification is unsuccessful and it is determined that the attribute certificate is falsified, the process proceeds to step S205, the process to which the attribute certificate is applied is not executed, and The content usage process is stopped.

When it is determined that the attribute certificate has not been tampered with, and the process proceeds to step S203, the content use condition information in the attribute information field in the attribute certificate is acquired. That is, the content is an online usage content, an offline usage content, a purchase-out content, a period limited content, an online number limited content, or an offline number limited content. Whether the online processing in step S204 is performed according to this condition,
If it is offline, it is determined in step S206 whether the purchase is complete or the number of times is limited.

If it is determined in step S204 that online use is performed, the attribute certificate is sent to the service provider to verify the use restriction information in the attribute certificate, as described above with reference to FIG. To be executed. In the case of online processing, it is either a period limit or a frequency limit, and the service provider acquires these content usage condition information from the attribute certificate, and if the content usage request is within the usage restriction, acquires the content key. Is performed. If the content usage request exceeds the usage limit, the processing for enabling acquisition of the content key is not executed, and a message indicating that the content cannot be used is transmitted to the user device.

If it is determined in step S204 that the content is used offline and if it is determined in step S206 that the content is sold-out, the attribute certificate is stored in the service provider management area of the security chip of the user device. The service provider (SP) compatible storage public key corresponding to the created SP compatible storage private key: SC. Stoppub. SP. Content key data encrypted with K: [SC. Stoppub. S
P. K (Kc)] is stored, and in the user device, the SP compatible storage secret key SC.K stored in the service provider management area is stored. Stopri. SP. The decryption process is executed using K to obtain the content key: Kc, and the content is used by decrypting the content.

Further, if it is determined in step S204 that the content is for offline use, and it is determined in step S206 that the content is limited in number of times, the number of times is managed in the user device based on the setting condition of the attribute certificate. After executing the content availability determination, execute the decryption processing of the encrypted content key stored in the attribute certificate, on condition that the result of the determination that the content is available is acquired, and Update processing of content usage count management data managed in the device is executed. For this reason, it is necessary to have management data on the number of times the content is used in the device.

The import processing of the number-of-uses management data of step S207 is a management-data generation processing of the number of times of contents use. The import processing of the usage count management data is executed based on the attribute certificate. As for the management mode of the number of times of content usage, the security chip inside the user device manages the number of times the content can be used, and the number management file is stored and managed in an external memory (for example, a hard disk) outside the security chip, and the hash value of the management data is managed. There are two ways of storing only the memory in the security chip. Details of these will be described later. The attribute certificate application completion message generation step of step S208 is processing for notifying the user device outside the security chip from the security chip that the import processing of the number-of-uses management data of step S207 has been completed.

The content use conditions described in the attribute certificate (AC) will be sequentially described below by distinguishing them into the following four modes. (A) Online-usage limited content (B) Online-usage limited content (C) Offline-buy-out content (D) Offline-usage limited content

(A) Online-usage period restricted content First, when the content usage condition recorded in the attribute certificate is online processing and the usage period is restricted, the content is acquired from the acquisition of the attribute certificate. The process up to is described with reference to the sequence diagram of FIG.

In the processing sequence shown in FIG. 34, the user device has already received the encrypted content from the service provider, and has also received the attribute certificate storing the usage rule and the encrypted content key corresponding to the content. The processing is performed by the security chip controller, the user device controller (upper software) in the user device, and the service provider from the left.

In FIG. 34, the uppermost row (a) shows the service provider ID acquisition processing from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) shows the attribute certificate. The service provider ID acquisition processing from the attribute certificate when stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, (a) and (b) are attribute certifications. Selectively execute according to the storage location of the book. (C) Mutual authentication processing, (d)
The content acquisition process of is commonly executed.

First, the process (a) will be described. (A
1) The user device control unit requests the security chip control unit to search for the attribute certificate corresponding to the usage target content. (A2) The security chip control unit outputs the list of attribute certificates stored in the memory of the chip to the user device control unit, and (a3) the user device displays the list by the attached browser. (A4) The user specifies the attribute certificate (AC) corresponding to the content to be used from the displayed list, and sends a read command to the security chip control unit. (A5) The security chip control unit reads the specified attribute certificate from the internal memory and outputs it to the user device control unit. (A6) The user device displays the attribute certificate by the attached browser and stores the attribute certificate. Get the service provider identifier (SP ID) in the data.

When the attribute certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control section alone, the processing of (b) is performed. (B1) The user device control unit searches for an attribute certificate corresponding to the content to be used, and (b1)
2) In the user device, specify the attribute certificate (AC) corresponding to the content to be used from the AC list displayed by the attached browser, (b3) read out and display the attribute certificate, and (b4) store the attribute certificate. Get the service provider identifier (SP ID) in the data.

[0282] The service provider identifier (SP I obtained by any of the processes (a) and (b) above.
D) is used to acquire information necessary for mutual authentication from the service provider management area. As described above, access to the service provider management area requires the password input set for each service provider, and the user inputs the password corresponding to the service provider identifier (SP ID) acquired from the attribute certificate. , Access to the service provider management area, and mutual authentication processing between the security chip and the service provider shown in (c1) of FIG. 34 is executed.

This mutual authentication processing is the same as that shown in FIG.
TLS 1.0 process of step 1 or other method, for example, a mutual authentication process using a public key method. In this mutual authentication processing, mutual public key certificates are verified, and public key certificates up to the root certificate authority (CA) are verified in a chained manner, if necessary. In this authentication processing, the security chip and the support center share the session key (Kses). When the mutual authentication is established, next, the process shown in FIG. 34D, that is, the content acquisition process is executed.

(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the content usage request to which the attribute certificate is applied to the security chip. To do. The content use condition recorded in the attribute certificate in this example is an online period limitation.

(D2) Upon receiving the attribute certificate (AC) application request from the user device controller, the security chip controller executes the attribute certificate verification process. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above.

Further, if necessary, the control unit of the security chip acquires the public key certificate linked according to the public key certificate information of the AC holder in the attribute certificate (AC), and acquires the public key certificate of the public key certificate. It is preferable to perform verification. For example, when the reliability of the issuer of the attribute certificate (AC) is uncertain, the public key certificate of the certificate authority is verified by verifying the public key certificate of the issuer of the attribute certificate (AC). It is possible to judge whether or not the user has it legally. If the public key certificate has a hierarchical structure as described above, the route is traced upward to perform chained verification, and the public key certificate issued by the root certification authority (CA) is also verified. Preferably. In some cases, this chain verification is essential.

(D3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip sends the attribute certificate to the service provider. The attribute certificate records that the content is an online period limited content as usage conditions, and also stores expiration date data. Furthermore, the private key held by the service provider: SP. Sto. The content key data encrypted with K, that is, [SP. Sto.
K (Kc)] is stored.

(D4) The service provider which has received the attribute certificate from the security chip executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, the usage condition data and expiration date data stored in the attribute certificate are confirmed. When it is determined that the content usage request is within the expiration date as the usage condition recorded in the attribute certificate, the content key applied to decrypt the content stored in the attribute certificate: K
Encrypted data of c: [SP. Sto. K (Kc)] is decrypted.

The service provider owns the private key: SP. Sto. Encrypted content key stored in the attribute certificate: [SP. Sto. K (K
c)] is executed to extract the content key: Kc. Furthermore, the extracted content key: Kc is used as the session key (Kse
encrypted in step s) and transmitted to the security chip of the user device.

(D5) The control unit of the security chip is
When the content key encrypted with the session key, that is, [Kses (Kc)] is received from the service provider, the decryption process is executed using the session key held at the time of mutual authentication to obtain the content key: Kc.
When the content key: Kc is successfully obtained, the security chip control unit notifies the user device control unit that the preparation for decrypting the content is completed.

(D6) Next, the user device control section applies the acquired content key to the encrypted content [Kc (Content)] to be decrypted and stores it in the memory (eg hard disk) in the user device or the security chip control section. Through the memory in the security chip via. Furthermore, the acquired encrypted content is transmitted to the security chip, and (d7) the decryption process in which the content key: Kc is applied to the encrypted content is executed in the security chip, and the content obtained as the decryption process result is displayed. Output to the user device controller,
(D8) The user device acquires the content. When these processes are completed, (d9) the control unit of the security chip discards the content key: Kc and the content (Content) acquired by the decryption process.

Through these processes, the service provider confirms the usage period based on the attribute certificate (AC), and only when the usage period is within the limited usage period,
The content key: Kc is re-encrypted and sent in a decryptable state in the security chip, the content key is acquired in the security chip, the content is decrypted by the acquired content key, and the content can be used in the user device. Become.

[0293] Note that content distribution from the service provider to the user device or attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance.

(B) Online-Use Count Restricted Content Next, when the content use condition recorded in the attribute certificate is online processing and the use count is restricted, the content is acquired from the acquisition of the attribute certificate. The process up to acquisition will be described with reference to the sequence diagram of FIG.

The processing sequence shown in FIG. 35 has already received the encrypted content from the service provider, and the usage conditions and the encrypted content key corresponding to the content have been received, as in the processing sequence of FIG. 34 described above. The processing in the user device that has received the stored attribute certificate is shown, and the processing from the security chip control unit, the user device control unit (upper software) in the user device, and the service provider is shown from the left.

In the process shown in FIG. 35, the uppermost stage (a) is the service provider ID acquisition process from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) is the attribute. The service provider ID acquisition processing from the attribute certificate in the case where the certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, is shown (a) and (b). Is executed selectively according to the storage location of the attribute certificate. The processes of (a) and (b) and the mutual authentication process of (c) are the same as the processes in the case of the online period limitation described with reference to FIG. When the mutual authentication of (c) is established, next, the process shown in FIG. 35 (d), that is, the content acquisition process is executed.

(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the content usage request to which the attribute certificate is applied to the security chip. To do. The content use condition recorded in the attribute certificate in this example is the online count limit.

(D2) Upon receiving the attribute certificate (AC) application request from the user device controller, the security chip controller executes the attribute certificate verification process. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. In this verification process, the control unit of the security chip uses the attribute certificate (A
From the public key certificate linked according to the public key certificate information of the AC holder in C), the chained verification is performed up to the upper level, and the verification of the public key certificate issued by the root certification authority (CA) is executed. Preferably. In some cases, this chain verification is essential.

(D3) If the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip sends the attribute certificate to the service provider. In the attribute certificate, it is recorded that the content is a limited number of times online, and the limited number of times of use is stored. Furthermore, the private key held by the service provider: SP. Sto. The content key data encrypted with K, that is, [SP. Sto. K
(Kc)] is stored.

(D4) The service provider receiving the attribute certificate from the security chip executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, the use condition data and the use limit number of times stored in the attribute certificate are confirmed. The number of times of use is stored in the database in the service provider, and the service provider refers to the management data in the database and determines whether the content is used within the number of times limit recorded in the attribute certificate. .

When it is determined that the content is recorded within the limit of the number of times recorded in the attribute certificate, the content key applied to decrypt the content stored in the attribute certificate: Kc
Encrypted data: [SP. Sto. K (Kc)] is decrypted. The service provider owns the private key: SP. Sto. Encrypted content key stored in the attribute certificate: [SP. Sto. K (K
c)] is executed to extract the content key: Kc.

Further, the service provider updates the content usage count management data in the database and decrements the corresponding usage count of the usage target content by one. Further, the service provider encrypts the extracted content key: Kc with the session key (Kses) generated in the mutual authentication process, and transmits the encrypted content key: Kc to the security chip of the user device.

(D5) The control unit of the security chip is
When the content key encrypted with the session key, that is, [Kses (Kc)] is received from the service provider, the decryption process is executed using the session key held at the time of mutual authentication to obtain the content key: Kc.
When the content key: Kc is successfully obtained, the security chip control unit notifies the user device control unit that the preparation for decrypting the content is completed.

(D6) Next, the user device control section applies the acquired content key to the encrypted content [Kc (Content)] to be decrypted and stores it in the memory (eg hard disk) of the user device or the security chip control section. Through the memory in the security chip via. Furthermore, the acquired encrypted content is transmitted to the security chip, and (d7) the decryption process in which the content key: Kc is applied to the encrypted content is executed in the security chip, and the content obtained as the decryption process result is displayed. Output to the user device controller,
(D8) The user device acquires the content. When these processes are completed, (d9) the control unit of the security chip discards the content key: Kc and the content (Content) acquired by the decryption process.

By these processes, the service provider confirms the number of times of use of the content based on the attribute certificate (AC), and only when the number of times of use is limited, the content key: Kc is decrypted in the security chip. The content is re-encrypted and sent in a possible state, the content key is acquired by the security chip, the content is decrypted by the acquired content key, and the content can be used by the user device.

[0306] Note that the content distribution or attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance.

(C) Off-line-purchase content Next, the processing from the acquisition of the attribute certificate to the content acquisition when the content usage condition recorded in the attribute certificate is offline processing and the content is purchase-out content is shown in FIG. It will be described according to the sequence diagram of FIG.

The processing sequence shown in FIG. 36 has already received the encrypted content from the service provider, and the usage conditions and the encryption corresponding to the content are similar to the processing sequences of FIGS. 34 and 35 described above. The processing in the user device that has received the attribute certificate storing the content key is shown, and from the left, the processing of the security chip control unit, the user device control unit (upper software) in the user device, and the service provider is shown. There is.

In the process shown in FIG. 36, the uppermost stage (a) is the service provider ID acquisition process from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) is the attribute. The service provider ID acquisition processing from the attribute certificate in the case where the certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, is shown (a) and (b). Is executed selectively according to the storage location of the attribute certificate. The processes (a) and (b) are the same as the processes for the online period limitation described with reference to FIG. (A),
When the service provider ID is acquired by any of the processes of (b), next, the process shown in FIG.
That is, the content acquisition process is executed.

(C1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the content usage request to which the attribute certificate is applied to the security chip. To do. The content usage condition recorded in the attribute certificate in this example is offline purchase.

(C2) Upon receiving the attribute certificate (AC) application request from the user device controller, the security chip controller executes the attribute certificate verification process. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. In this verification process, the control unit of the security chip uses the attribute certificate (A
From the public key certificate linked according to the public key certificate information of the AC holder in C), the chained verification is performed up to the upper level, and the verification of the public key certificate issued by the root certification authority (CA) is executed. Preferably. In some cases, this chain verification is essential.

(C3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the security chip controller determines the encrypted content key: [SC. Stoppub. SP. K (Kc)], and S stored in the service provider management area
P-compatible storage secret key: SC. Stopri. SP.
The decryption process is executed by applying K, and the content key: Kc
To get. When the content key: Kc is successfully obtained,
The security chip control unit notifies the user device control unit that the content is ready for decryption.

(C4) Next, the user device control section applies the acquired content key to the encrypted content [Kc (Content)] to be decrypted and stores it in the memory (eg hard disk) in the user device or the security chip control section. Through the memory in the security chip via. Furthermore, the acquired encrypted content is transmitted to the security chip, and (c5) the decryption process in which the content key: Kc is applied to the encrypted content is executed in the security chip, and the content obtained as the decryption process result is displayed. Output to the user device controller,
(C6) The user device acquires the content. When these processes are completed, the control unit of the security chip (c7) discards the content key: Kc and the content (Content) acquired by the decryption process.

By these processes, the attribute certificate (A
Based on C), confirmation processing is performed that the content is a purchased content, the content key: Kc is decrypted by the security chip, the content key is acquired, the content is decrypted by the acquired content key, and the content is used by the user device. Is possible.

In the above configuration example, the public key cryptosystem is applied, and the SP compatible storage public key: SC. Stoppub. SP. K, using SP compatible storage secret key: SC. Sto
pri. SP. Although the configuration using K is used, it is also possible to apply the common key method. When the common key method is applied, SP is used for both encryption and decryption of the content key.
Corresponding storage key (common key): SC. Sto. SP. K
To use. In this case, SP compatible storage key (common key): SC. Sto. SP. K is stored in the service provider management area of the corresponding service provider in the memory of the security chip.

[0316] Note that the content distribution or attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance.

(D) Offline-Use count restricted content Next, when the content use condition recorded in the attribute certificate is offline processing and the use count is restricted, the content is acquired from the attribute certificate acquisition. The process up to acquisition will be described. When the usage condition of the attribute certificate is offline usage and the content has a limited number of times, the number of times the content is used is managed in the device to execute the number of times management based on the setting condition of the attribute certificate in the user device. It is necessary to have data. The process of retaining the management data of the number of times of use of content is the import process of the management data of the number of times of use.

(D-1) Import Processing First, the import processing of the number-of-uses management data will be described. As for the management mode of the number of times of content usage, the security chip inside the user device manages the number of times the content can be used, and the number management file is stored and managed in an external memory (for example, a hard disk) outside the security chip, and the hash value of the management data is managed. There are two ways of storing only the memory in the security chip.

First, with reference to FIG. 37, a description will be given of an import processing sequence of the usage count management data in the case where the number of times the content can be used is managed by the security chip in the user device. From the left, the processing of the security chip controller in the user device, the user device controller (upper software), and the service provider is shown. The processing sequence of FIG. 37 shows the processing after the issuance processing of the attribute certificate corresponding to the purchased content from the service provider to the security chip when mutual authentication between the security chip associated with the content purchasing processing and the service provider has already been established. ing. Here, the attribute certificate issued by the service provider is recorded as a content usage condition that the content is the usage-restricted content for offline usage, and the content usage-restricted content is recorded.

(1) When the attribute certificate is issued and transmitted from the service provider, (2) the control unit of the security chip executes the verification processing of the attribute certificate. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. In this verification process,
The control unit of the security chip performs a chained verification from the public key certificate linked according to the public key certificate information of the AC holder in the attribute certificate (AC) to a higher level,
It is preferable to execute the verification of the public key certificate issued by the root certificate authority (CA). In some cases, this chain verification is essential.

(3) When the control unit of the security chip determines that the content use condition recorded in the attribute certificate is the offline use count restricted content, the application I corresponding to the content identifier is determined from the attribute certificate.
D, attribute certificate (AC) serial number, and content usage limit number of times data are acquired. Further, each data of the user ID and the service provider ID input by the user during the content purchase processing is acquired via the user device control unit, and the acquired application I
It is verified whether or not the content usage count management data corresponding to each data of D, attribute certificate (AC) serial number, and user ID has been registered in the service provider management area of the memory in the security chip. When the user is logged in to the user device, the user ID and the like are retained, so the user device and the service provider ID may be transmitted by the user device instead of being input by the user.

In the memory of the security chip, as described above, the service provider management area is set for each registered service provider, and the content usage count management data is registered in the management area. FIG. 38 shows a configuration example of content usage count management data set in the service provider management area of the memory in the security chip.

As shown in FIG. 38, in the service provider management area, an application ID as a content identifier for each service provider ID and user ID.
(App.ID # n), AC serial (AC Serial #) that is the identifier of the corresponding attribute certificate (AC).
n), and the remaining usable count data (Count #
n) are stored in association with each other. Even if the same content is used, the data structure is such that it is possible to count the number of times of use based on a different attribute certificate for each user.

Returning to FIG. 37, the sequence of the import processing of the usage count management data will be continued. (3)
The control unit of the security chip has an application ID corresponding to the content identifier acquired from the attribute certificate,
Attribute certificate (AC) serial number, each piece of content usage limit data, user ID input by the user,
It is verified whether the content usage count management data corresponding to each data of the service provider ID is already registered in the service provider management area of the memory in the security chip, and it is confirmed that the content usage count management data is not registered. If confirmed, (4) the content usage count management data is additionally registered in the service provider management area, and (5) after the additional registration is completed, an attribute certificate reception message is generated and transmitted to the service provider.

In the example of FIG. 37, the attribute certificate (AC) received from the service provider is the application ID: 0001 attribute certificate (AC) serial: 1345. The data is user ID: 6737 service provider ID: 5678.

The control unit of the security chip verifies whether the content usage count management data corresponding to these data is in the corresponding service provider management area in the memory. In the SP management area data (before updating) shown in FIG. 37, the service provider ID is 567.
8. Application ID: 000 as content usage count management data corresponding to user ID: 6737
1, attribute certificate (AC) serial: There is no data corresponding to 1345.

Therefore, the content use frequency management data corresponding to the attribute certificate received from the service provider this time is stored as service provider ID: 5678, user ID:
A new addition process is performed as content usage count management data corresponding to 6737. As a result, the number management data of application ID: 0001 and attribute certificate (AC) serial: 1345 was added to the data of the SP management area data (after updating) shown in the lower part of the figure, and received as the number of times available. The content usage limit number recorded in the attribute certificate: 5 is set.

When the content is used, this content use count management data is referred to, the usable count is decremented by 1 for each use, and the data is updated to 5 → 4 → 3 → 2 → 1 → 0 and used. The content use is rejected after the permitted number of times becomes 0, and the content can be used within the limited number of use recorded in the attribute certificate. This content use processing will be described later.

The application ID of the attribute certificate received from the service provider, the attribute certificate (AC)
If the same data as the serial data has already been registered as the content usage count management data in the service provider management area of the corresponding service provider ID and user ID, it is determined that a duplicate attribute certificate is issued, The additional registration of the content usage count management data based on the attribute certificate is not executed.

Further, data having the same application ID as the attribute certificate received from the service provider but different attribute certificate (AC) serial is already stored in the service provider management area of the corresponding service provider ID and user ID. If it has been registered as content usage count management data, it is determined that it is an attribute certificate that enables new usage of the same content based on a different attribute certificate, and the content usage count management data based on the attribute certificate. Perform additional registration of.

That is, the same service provider I
D, even if, for example, data of application ID: 0001, AC serial: 0001, remaining content usage count: 2 already exists as content usage count management data in the service provider management area of the same user ID,

Application ID: 0001 AC serial: 0002 Number of remaining contents used: 5 The new management data of is additionally registered.

FIG. 39 shows an import processing flow of the usage count management data executed in the security chip when the number of times the content can be used is managed by the security chip in the user device. Each step will be described.

First, in step S221, the application ID, the number of times of use limitation, and the attribute certificate serial number are extracted from the attribute certificate (verified). Step S
In 222, it is searched whether or not the number management data of the same application ID stored in the attribute certificate is stored in the service provider management area set in the memory of the security chip.

If it is determined in step S223 that the number-of-times management data of the same application ID has not been registered, the process proceeds to step S225 and the application ID: nnnn, attribute certificate (AC) serial: mmmm, according to the attribute certificate. As the number of times of use permitted, the number of times of limited use of content: x recorded in the received attribute certificate is set, and the number-of-uses management data is registered.

On the other hand, if it is determined in step S223 that the number-of-times management data of the same application ID has been registered, the process proceeds to step S224, and the attribute certificate (AC) serial obtained from the attribute certificate is matched. It is determined whether or not the number-of-times management data has been registered in the service provider management area in the memory. If registered, it is determined that the same attribute certificate is duplicated, and new data registration is The process ends without execution. On the other hand, the attribute certificate (AC) obtained from the attribute certificate
If it is determined that the number-of-times management data matching the serial has not been registered in the service provider management area in the memory, the process proceeds to step S225, and the application ID: nnnn, attribute certificate (AC) serial: mmmm, use according to the attribute certificate. As the permitted number of times data, the number of times of limited use of contents: x recorded in the received attribute certificate is set, and the number of times of use management data is registered.

Next, referring to FIG. 40, a processing mode for storing and managing the number-of-times management file in an external memory (eg hard disk) outside the security chip and storing only the hash value of the management data in the memory inside the security chip will be described. The import processing sequence of the usage count management data in the case of doing so will be described. From the left, the processing of the security chip controller in the user device, the user device controller (upper software), and the service provider is shown. The processing sequence of FIG. 40 shows the processing after the issuance processing of the attribute certificate corresponding to the purchased content from the service provider to the security chip when the mutual authentication between the security chip involved in the content purchasing processing and the service provider has already been established. ing. Here, the attribute certificate issued by the service provider is recorded as a content usage condition that the content is the usage-restricted content for offline usage, and the content usage-restricted content is recorded.

In this processing mode, the limited memory area in the security chip is effectively utilized, and the actual data file of the number management data is stored and managed in the external memory (eg hard disk) outside the security chip,
By managing the hash value of this external management file information inside the security chip, it is possible to verify the tampering of the external management file information. The hash function is a function that receives a message, compresses the message into data having a predetermined bit length, and outputs the data as a hash value. It is difficult for the hash function to predict the input from the hash value (output). When one bit of the data input to the hash function changes, many bits of the hash value change and the same hash value is changed. It has a feature that it is difficult to find out different input data. Hash functions include MD4 and MD
5, SHA-1 may be used, and DES may be used.
-CBC may be used in some cases. In this case, the MAC which is the final output value becomes the hash value.

The processing sequence shown in FIG. 40 will be described. (1) When the attribute certificate is issued and transmitted from the service provider, (2) the control unit of the security chip executes the verification processing of the attribute certificate. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is
For example, it is executed according to the same sequence as the processing flow of FIG. 20 described above. In this verification process, the control unit of the security chip uses A in the attribute certificate (AC).
It is preferable that the public key certificate linked according to the public key certificate information of the C holder is traced to a higher level to perform chained verification, and even the verification of the public key certificate issued by the root certificate authority (CA) is executed. . In some cases, this chain verification is essential.

When the control unit of the security chip determines that the content use condition recorded in the attribute certificate is the off-line use count limited content, it executes the process of reading the count management file from the external memory. In the figure, the HDD managed by the user device controller has a count management file, and (3) the user device controller reads the count management file and outputs it to the security chip. This read target may be all data of the management file or only data relating to the service provider corresponding to the content.

Next, the control unit of the security chip
(4) The number-of-times management file received from the user device control unit is expanded in the RAM in the security chip, and the hash value is calculated based on the expanded data. The frequency management data has a field structure in which a plurality of frequency management data associated with a service provider ID and a user ID is stored. In the service provider management area in the memory of the security chip, the service provider ID and the user I
A hash value is generated and stored for the field data associated with D.

The control unit of the security chip extracts the field data corresponding to the service provider ID and the user ID designated by the user from the number-of-times management file received from the user device control unit and expanded in the RAM to obtain the hash value. Is calculated, and the calculated value is compared with the hash value stored in the service provider management area of the memory in the security chip. If the calculated hash value and the stored hash value match, it is determined that the data has not been tampered with, and the process proceeds to the next process.

In the example of the figure, the hash value is calculated based on the field data of the service data having the service provider ID: 5678 and the user ID: 6737 of the RAM expansion data, and the corresponding service provider (S
P) Corresponding field stored in the management area, ie service provider ID: 5678, user I
It will be compared with the hash value of D: 6737: 290a.

(5) If the hash values match, a notification indicating that they match is sent to the user device controller, and if no match is found, an error message is sent to the user device controller. (6) Next, the control unit of the security chip acquires each data of the application ID corresponding to the content identifier, the attribute certificate (AC) serial number, and the content usage limit number of times from the attribute certificate. Further, each data of the user ID and the service provider ID input by the user during the content purchase processing is acquired via the user device control unit, and the acquired application ID, attribute certificate (AC) serial number, and user ID are acquired. It is verified whether or not the content usage count management data corresponding to each of the data is received from the user device control unit and registered in the count management file expanded in the RAM.

When it is confirmed that the content use count management data is not registered, (7) the content use count management data is extracted from the attribute certificate (AC), and RA
It is additionally registered in the number management file expanded in M, (8) a new hash value is calculated based on the additional data, and (9)
It is stored in the corresponding field stored in the corresponding service provider (SP) management area in the security chip. (10) After the additional registration is completed, the attribute certificate reception message is transmitted to the user device together with the updated number management file, and (11) the user device stores the received number management file in the hard disk.

In the example of FIG. 40, as the attribute certificate (AC) received from the service provider, each data of application ID: 0001 attribute certificate (AC) serial: 1345 content use limit number: 5 is recorded, and user input The data is user ID: 6737 service provider ID: 5678.

The control unit of the security chip determines that the content usage count management data corresponding to these data is RA.
It is verified whether or not it has been registered in the number management file expanded in M. In the data in the SC innermost RAM shown in FIG. 40, application ID: 0001, attribute certificate (AC) serial: 1345 as content usage count management data corresponding to service provider ID: 5678, user ID: 6737. There is no data corresponding to.

Therefore, the content use frequency management data corresponding to the attribute certificate received from the service provider this time is stored as service provider ID: 5678, user ID:
A new addition process is performed as content usage count management data corresponding to 6737. As a result, the application I
D: 0001, Attribute Certificate (AC) Serial: 1345
The number-of-times management data is added, and the usable number of times is set to the content use limit number: 5 recorded in the received attribute certificate.

Furthermore, service provider ID: 567
8. The hash value is calculated based on the field data corresponding to the user ID: 6737. In the example of the figure, the hash value before data update is 290a, the hash value after data update is 8731, and the hash value: 8731 of the SP management area at the bottom of the figure is stored as the update value. .

At the time of using the content, the content use count management data is referred to, the usable count is decremented by 1 for each use, and the data is updated to 5 → 4 → 3 → 2 → 1 → 0. , A new hash value is calculated based on the update data, and the update process is executed. This content use processing will be described later.

The application ID of the attribute certificate received from the service provider, the attribute certificate (AC)
If the same data as the serial data has already been received from the user device and has been registered in the RAM as the content usage count management data of the corresponding service provider ID and user ID field of the count management file, duplicate attributes are registered. It is determined that the certificate is issued, and the additional registration of the content usage count management data based on the attribute certificate is not executed.

Data corresponding to the application ID of the attribute certificate received from the service provider but different in attribute certificate (AC) serial has already been received from the user device and expanded in the RAM. If it is already registered as content usage count management data in the fields of the service provider ID and the user ID to be used, it is determined that the attribute certificate enables new use of the same content based on a different attribute certificate, and Executes additional registration of content usage count management data and hash value update processing based on the attribute certificate.

FIG. 41 shows the number-of-uses management when the number-of-times management file is stored and managed in an external memory (eg hard disk) outside the security chip and only the hash value of the management data is stored in the memory inside the security chip. The data import processing flow is shown. Each step will be described.

First, in step S241, the count management file is read from the external memory, and in step S24
In 2, the hash value based on the field data specified based on the service provider ID and the user ID is calculated, and whether the calculated hash value matches the hash value stored in the service provider management area in the memory of the security chip. Whether or not it is verified (S243). If they do not match, it is determined that the number-of-times management file read from the external memory has been tampered with, and error processing, for example, subsequent processing is stopped.

If the hash values match and it is determined that the number-of-times management file read from the external memory has not been tampered with, the flow advances to step S244 to check the attribute ID (verified), application ID, usage limit number, attribute proof. Take out the serial number. Next, step S245.
In step S1, the number of times management data received from the user device controller and expanded in the RAM is searched for the number of times management data having the same application ID as that stored in the attribute certificate.

If it is determined in step S246 that the number-of-times management data of the same application ID is not registered, the process proceeds to step S247, and the application ID: nnnn, attribute certificate (AC) serial: mmmm, according to the attribute certificate. As the usable number of times, the content use limit number: x recorded in the received attribute certificate is set and the use number management data is registered.

On the other hand, if it is determined in step S246 that the number-of-times management data of the same application ID has been registered, the process proceeds to step S251, and the attribute certificate (AC) serial obtained from the attribute certificate is added. It is determined whether or not the matching count management data is registered in the count management file expanded in the RAM. If it is registered, it is determined that the same attribute certificate is duplicated, and new data is added. The process is terminated without executing the registration. On the other hand, the attribute certificate (A
C) If it is determined that the number-of-times management data matching the serial number has not been registered in the number-of-times management file expanded in the RAM, the process proceeds to step S247, and the application ID: nnnn and the attribute certificate (AC) serial: mmmm according to the attribute certificate. The number of times of use management data is registered by setting the number of times of limited use of content: x recorded in the received attribute certificate as the number of times of use.

At step S247, new count management data is written in the count management file expanded in the RAM in accordance with the attribute certificate. At step S248, a new hash value is created based on the data including the new addition data. The calculated new hash value is stored in the corresponding field stored in the corresponding service provider (SP) management area in the security chip.
Further, in step S249, the number management file stored in the external memory (for example, hard disk) is updated based on the updated number management file.

Next, the process from the acquisition of the attribute certificate to the acquisition of the content when the content use condition recorded in the attribute certificate is offline processing and the use count is limited content will be described with reference to the sequence diagram of FIG. To do.

The processing sequence shown in FIG. 42 is similar to the processing sequences of FIGS. 34, 35 and 36 described above.
It shows the processing in the user device that has already received the encrypted content from the service provider, and has also received the usage certificate corresponding to the content and the attribute certificate storing the encrypted content key. From the left, the user device is shown. The processing of the security chip control unit, the user device control unit (upper software), and the service provider in FIG.

In the process shown in FIG. 42, the uppermost stage (a) is the service provider ID acquisition process from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) is the attribute. The service provider ID acquisition processing from the attribute certificate in the case where the certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, is shown (a) and (b). Is executed selectively according to the storage location of the attribute certificate. The processes (a) and (b) are the same as the processes for the online period limitation described with reference to FIG. (A),
When the service provider ID is acquired by any of the processes in (b), next, the process shown in FIG.
That is, the content acquisition process is executed.

(C1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the content usage request to which the attribute certificate is applied to the security chip. To do. The content use condition recorded in the attribute certificate in this example is an offline use count limit.

(C2) Upon receipt of the attribute certificate (AC) application request from the user device controller, the security chip controller executes the attribute certificate verification processing. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. In this verification process, the control unit of the security chip uses the attribute certificate (A
From the public key certificate linked according to the public key certificate information of the AC holder in C), the chained verification is performed up to the upper level, and the verification of the public key certificate issued by the root certification authority (CA) is executed. Preferably. In some cases, this chain verification is essential.

(C3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the security chip control section executes the update processing of the number management data. Details of the update processing of the number management data will be described later.
Further, the security chip control unit controls the encrypted content key: [SC. St
opub. SP. K (Kc)], and the SP-compatible storage secret key: SC. Stopri. SP. The decryption process is executed by applying K to obtain the content key: Kc. When the content key: Kc is successfully obtained, the security chip control unit notifies the user device control unit that the preparation for decrypting the content is completed.

(C5) Next, the user device control section applies the acquired content key to the encrypted content [Kc (Content)] to be decrypted, and stores it in the memory (eg hard disk) in the user device or the security chip control section. Through the memory in the security chip via. Furthermore, the acquired encrypted content is transmitted to the security chip, and (c6) the decryption process in which the content key: Kc is applied to the encrypted content is executed in the security chip, and the content obtained as the decryption process result is displayed. Output to the user device controller,
(C7) The user device acquires the content. When these processes are completed, the control unit of the security chip (c8) discards the content key: Kc and the content (Content) acquired by the decryption process.

By these processes, the attribute certificate (A
The content key: Kc is decrypted by the security chip, the content key is acquired, and the decryption of the content is executed by the acquired content key only when the content is used within the content usage limit based on C). The contents can be used in.

In the above configuration example, the public key cryptosystem is applied, and the SP compatible storage public key: SC. Stoppub. SP. K, using SP compatible storage secret key: SC. Sto
pri. SP. Although the configuration using K is used, it is also possible to apply the common key method. When the common key method is applied, SP is used for both encryption and decryption of the content key.
Corresponding storage key (common key): SC. Sto. SP. K
To use. In this case, SP compatible storage key (common key): SC. Sto. SP. K is stored in the service provider management area of the corresponding service provider in the memory of the security chip.

It should be noted that the content distribution or attribute certificate (A
C: Attribute Certificate) is distributed based on the request from the user to the service provider, and from the service provider to the user who has a subscriber contract regardless of the user's request. Any form of so-called push type (push type model) of unilaterally transmitting is possible. In the push model, the service provider creates and distributes an attribute certificate (AC) for the target user in advance.

Next, with reference to FIG. 43 and FIG. 44, the update processing of the number-of-uses management data will be described. As the management mode of the number of times the content can be used, as described above, the security chip in the user device manages the number of times the content can be used, and the frequency management file is stored and managed in an external memory (for example, hard disk) outside the security chip. There are two modes in which only the hash value of management data is stored in the memory in the security chip. FIG. 43 is a diagram for explaining the update processing sequence of the number-of-times management data in the former case, and FIG.

First, with reference to FIG. 43, a description will be given of an update processing sequence of the number-of-times management data in the case where the content available times are managed by the security chip in the user device. From the left, the processing of the security chip control unit and the user device control unit (upper software) in the user device is shown. The processing sequence of FIG. 43 shows the subsequent processing assuming that the attribute certificate has already been verified in the security chip.

(1) When the control unit of the security chip determines that the content use condition recorded in the verified attribute certificate is the off-line use count limited content, the application ID corresponding to the content identifier from the attribute certificate, Acquires each data of the attribute certificate (AC) serial number and the limited number of times of content use. further,
Each data of the user ID and the service provider ID input by the user during the content purchase process is acquired via the user device control unit, and the acquired application ID, attribute certificate (AC) serial number, and user ID are acquired. It is verified whether the content usage count management data corresponding to the data has been registered in the service provider management area of the memory in the security chip.

In the memory of the security chip, as described above, the service provider management area is set for each registered service provider, and the content use frequency management data is registered in the management area.

In the example shown in FIG. 43, the attribute certificate (AC)
Is recorded with application ID: 0002 attribute certificate (AC) serial: 3278, content usage limit number: 10 2, and user input data is user ID: 6737 service provider ID: 5678.

The control unit of the security chip verifies whether the content usage count management data corresponding to these data is in the corresponding service provider management area in the memory. In the data of the SP management area data (before updating) shown in FIG. 43, the service provider ID: 567.
8. Application ID: 000 as content usage count management data corresponding to user ID: 6737
2. There is data corresponding to the attribute certificate (AC) serial: 3278, and the number of usable times (remaining number of times): 7 is set.

(2) From the extracted data, the security chip control unit determines that the usable number of times (remaining number of times): 7> 0, and the number of times of limitation recorded in the attribute certificate is less than or equal to
It is confirmed that 10 ≧ 7, and the use of the content is permitted on the condition that these are confirmed, that is, the decryption process of the (3) encrypted content key stored in the attribute certificate is executed.

(4) Further, the security chip control unit executes a data update process for reducing the usable number of times of the corresponding data of the corresponding service provider management area in the memory by one. In this case, application ID: 0
002, attribute certificate (AC) serial: The number of available times (remaining number): 7 in the data corresponding to 3278 is updated to 6. The decryption processing of the encrypted content key in (3) and the update processing of the number-of-times management data in (4) may be configured such that (4) precedes (3) and parallel processing is performed. May be run on.

Next, referring to FIG. 44, the number-of-times management file is stored and managed in an external memory (eg hard disk) outside the security chip, and only the hash value of the management data is stored in the memory inside the security chip. The update processing sequence of the number-of-times management data in this case will be described. From the left, the processing of the security chip control unit and the user device control unit (upper software) in the user device is shown. The processing sequence of FIG. 44 shows the subsequent processing assuming that the attribute certificate has already been verified in the security chip.

When the control unit of the security chip determines that the content use condition recorded in the attribute certificate is the offline use count limited content, the control unit executes the process of reading the count management file from the external memory. In the figure, the HDD managed by the user device controller has a count management file. (1) The user device controller reads the count management file and outputs it to the security chip. This read target may be all data of the management file or only data relating to the service provider corresponding to the content.

Next, the control unit of the security chip
(2) The number-of-times management file received from the user device control unit is expanded in the RAM in the security chip, and the hash value is calculated based on the expanded data. The frequency management data has a field structure in which a plurality of frequency management data associated with a service provider ID and a user ID is stored. In the service provider management area in the memory of the security chip, the service provider ID and the user I
A hash value is generated and stored for the field data associated with D.

The control unit of the security chip extracts the field data corresponding to the service provider ID and the user ID designated by the user from the frequency management file received from the user device and expanded in the RAM, and calculates the hash value. Then, the calculated value is compared with the hash value stored in the service provider management area of the memory in the security chip. If the calculated hash value and the stored hash value match, it is determined that the data has not been tampered with, and the process proceeds to the next process.

In the example of the figure, the hash value is calculated based on the field data of the service data of the service provider ID: 5678 and the user ID: 6737 of the RAM expansion data, and the corresponding service provider (S
P) Corresponding field stored in the management area, ie service provider ID: 5678, user I
It will be compared with the hash value: 8731 of D: 6737.

(3) If the hash values match, a notification indicating the match is sent to the user device, and if no match is found, an error message is sent to the user device. (4) Next, the control unit of the security chip acquires each data of the application ID corresponding to the content identifier, the attribute certificate (AC) serial number, and the content use limit number from the attribute certificate. further,
Each data of the user ID and the service provider ID input by the user during the content purchase process is acquired via the user device control unit, and the acquired application ID, attribute certificate (AC) serial number, and user ID are acquired. It is verified whether the content usage count management data corresponding to the data has been received from the user device and registered in the count management file expanded in the RAM.

In the example shown in FIG. 44, the attribute certificate (AC)
Is recorded with application ID: 0002 attribute certificate (AC) serial: 3278, content usage limit number: 10 2, and user input data is user ID: 6737 service provider ID: 5678.

The control unit of the security chip determines that the content usage count management data corresponding to these data is RA.
It is verified whether or not it has been registered in the number management file expanded in M. In the data in the SC innermost RAM shown in FIG. 44, application ID: 0002, attribute certificate (AC) serial: 3278 are stored as content usage count management data corresponding to service provider ID: 5678 and user ID: 6737. There is data corresponding to, and the available number of times (remaining number of times): 7 is set.

(5) From the extracted data, the security chip control unit determines that the usable number of times (remaining number of times): 7> 0, and the number of times of limitation recorded in the attribute certificate is less than or equal to
It is confirmed that 10 ≧ 7, and the use of the content is permitted on the condition that these are confirmed, that is, the decryption processing of the (6) encrypted content key stored in the attribute certificate is executed.

(7) Further, the security chip control section executes a data update process for reducing the usable count of the corresponding data of the count management file expanded in the RAM by one. In this case, a process of updating the usable number (remaining number): 7 in the data corresponding to the application ID: 0002 and the attribute certificate (AC) serial: 3278 to 6 is executed.

Further, the security chip controller is
(8) A new hash value based on the updated data is calculated, and (9) it is stored in the corresponding field stored in the corresponding service provider (SP) management area in the security chip. In the example of FIG. 44, the hash value based on the field data corresponding to the application ID: 0002 before update and the attribute certificate (AC) serial: 3278 is 8731, and the hash value based on the data of the same field after update is bc35. Therefore, the hash value: bc35 of the SP management area at the bottom of the figure corresponding to the service provider ID: 5678 and the user ID: 6737 is stored as the updated hash value.

(10) After the updating process is completed, the updated count management file is transmitted to the user device controller, and the user device controller stores the received count management file in the hard disk.

As described above, when the content is used, the content use count management data is referred to, the usable count is decremented by 1 for each use, and 5 → 4 → 3 → 2 →
The data is updated from 1 to 0, a new hash value is calculated based on the updated data, the update process is executed, and the content can be used within the usage limit number recorded in the attribute certificate. Becomes

The use of the content according to the content use condition of the attribute certificate has been described above. In the above description, the period limit and the number limit are separately described, but an attribute certificate having both the period limit and the number limit can be used. In these cases, the content usage is based on two conditions. It is assumed that the content key is decrypted on the condition that the content is confirmed to be used within the time limit and the number of times within the use condition set in the attribute certificate after determining whether the content key is usable.

[Upgrade process] In the attribute certificate,
It has been described that various usage conditions such as a time limit, a frequency limit, and a purchase limit are set as the usage conditions of the content, and the content is used in the user device having the security chip based on these usage conditions. Next, a description will be given of a process of changing the content use restriction, for example, changing the content use restriction number set in the attribute certificate or extending the period restriction, that is, an upgrade process.

Specifically, the upgrade process has various modes described below. (1) Increase the number of times the attribute certificate that can be used is recorded with the usage count limit as the content usage condition. For example, if you buy a ticket 10 times, it remains 5 times, and you increase it to 10. Buy a 10-time ticket, use it up, and increase it to a 10-time ticket. (2) The usage period of the attribute certificate in which the usage period limitation is recorded as the content usage condition is extended. For example, extend the period so that a product that can be used only after 1 week can be used until 1 month. One that has expired and is no longer usable
Extend the period so that you can use it until the end of a month. (3) Change the usage condition of the attribute certificate that records the number of times limit and the period limit as the content usage condition. For example, the number of times limit is changed to the period limit. Change the time limit to the number of times limit. Change the number of times limit to buy-out. Change the time limit to buy out. (4) Album upgrade There is a series of albumed content data, for example, a plurality (n) of contents 1 to n stored in one CD or DVD, or some series of contents 1 to n. When some of these have been purchased and the user holds a plurality of attribute certificates 1 to n corresponding to the purchased content in the user device, for example, the attribute certificate corresponding to content 1 1. If the user device holds the attribute certificate 3 corresponding to the content 3 and the attribute certificate 5 corresponding to the content 5, the album is constructed by presenting these attribute certificates to the service provider. Other contents, that is, contents 2, 4, 6-n can be purchased at a discount price all at once (album) .

There are various modes described above in the upgrade processing based on the attribute certificate. The outline of the execution sequence of this upgrade process is as follows. First,
The service provider (SP) presents the upgrade menu to the user device, and the user selects the upgrade menu. The user device transmits the upgrade request command to the security chip along with the designation data of the acquired attribute certificate to be subjected to the upgrade processing according to the designation of the user. The control unit of the security chip executes communication with the service provider and sends the acquired attribute certificate to be upgraded to the service provider. After verifying the received attribute certificate, the service provider executes the upgrade process specified by the user, issues a new attribute certificate, and sends it to the security chip. The user device can use the content according to the use condition of the new attribute certificate.

The following is a sequential description of the upgrade process in the case where the content usage conditions described in the attribute certificate (AC) used as the upgrade base are the following three modes. (A) Online-usage limited content (B) Online-usage limited content (C) Offline-usage limited content

(A) Online-Updating Period Restriction Attribute Certificate (AC) -Based Upgrade Process First, the content usage condition recorded in the attribute certificate is online processing, and the attribute proof is set with a usage period restriction. In the case of possessing a certificate, an upgrade process based on this online-use period limitation attribute certificate will be described with reference to the sequence diagram of FIG. FIG. 45 shows the processing of the security chip control unit, the user device control unit (upper software) in the user device, and the service provider from the left.

In FIG. 45, the top row (a) shows the service provider ID acquisition processing from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) shows the attribute certificate. The service provider ID acquisition processing from the attribute certificate when stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, (a) and (b) are attribute certifications. Selectively execute according to the storage location of the book. (C) Mutual authentication processing, (d)
The content acquisition process of is commonly executed.

First, the process (a) will be described. (A
1) The user device control unit requests the security chip control unit to search for the attribute certificate to be upgraded. (A2) The security chip control unit outputs the list of attribute certificates stored in the memory of the chip to the user device control unit, and (a3) the user device displays the list by the attached browser. (A4) The user specifies the attribute certificate (AC) to be upgraded from the displayed list, and sends a read command to the security chip controller. (A5) The security chip control unit reads the specified attribute certificate from the internal memory and outputs it to the user device control unit. (A6) The user device displays the attribute certificate by the attached browser and stores the attribute certificate. Service provider identifier (S
Get P ID).

When the attribute certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control section alone, the processing of (b) is performed. (B1) The user device control unit executes a search for the attribute certificate to be upgraded, and (b2)
A displayed by the attached browser on the user device
From the C list, the attribute certificate (A
(C) is specified and read out to display the attribute certificate.
4) Obtain the service provider identifier (SP ID) in the attribute certificate storage data.

[0399] The service provider identifier (SP I obtained by the processing of either (a) or (b) above.
D) is used to acquire information necessary for mutual authentication from the service provider management area. As described above, access to the service provider management area requires the password input set for each service provider, and the user inputs the password corresponding to the service provider identifier (SP ID) acquired from the attribute certificate. , Access to the service provider management area, and mutual authentication processing between the security chip and the service provider shown in (c1) of FIG. 45 is executed.

This mutual authentication processing is performed by referring to FIG.
TLS 1.0 process of step 1 or other method, for example, a mutual authentication process using a public key method. In this mutual authentication processing, mutual public key certificates are verified, and public key certificates up to the root certificate authority (CA) are verified in a chained manner, if necessary. In this authentication process, the security chip and the service provider share the session key (Kses). When the mutual authentication is established, next, the process shown in FIG. 45D, that is, the upgrade attribute certificate acquisition process is executed.

(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and sends the attribute certificate upgrade application request and the upgrade condition to the security chip. Output. The content usage condition recorded in the attribute certificate for the upgrade process in this example is an online period limit, and the upgrade condition specified by the user is, for example, changing the period limit (extension) period limit → changing the number of times online It is a condition such as changing the period limit to the off-line number limit and changing the period limit to the purchase limit.

(D2) Upon receiving the attribute certificate (AC) upgrade application request from the user device controller, the security chip controller executes the attribute certificate verification processing. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above.

Further, if necessary, the control unit of the security chip acquires the public key certificate linked according to the public key certificate information of the AC holder in the attribute certificate (AC), and acquires the public key certificate of the public key certificate. It is preferable to perform verification. For example, when the reliability of the issuer of the attribute certificate (AC) is uncertain, the public key certificate of the certificate authority is verified by verifying the public key certificate of the issuer of the attribute certificate (AC). It is possible to judge whether or not the user has it legally. If the public key certificate has a hierarchical structure as described above, the route is traced upward to perform chained verification, and the public key certificate issued by the root certification authority (CA) is also verified. Preferably. In some cases, this chain verification is essential.

(D3) When the attribute certificate is verified to determine that the attribute certificate has not been tampered with, the control unit of the security chip specifies to the service provider the attribute certificate to be upgraded by the user. It will be sent together with the upgraded upgrade condition information. The attribute certificate of the upgrade process records that the content is an online period limited content as usage conditions, and also stores expiration date data. Furthermore, the private key held by the service provider: SP. Sto. The content key data encrypted with K, that is, [SP. St
o. K (Kc)] is stored.

(D4) The service provider receiving the attribute certificate from the security chip executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, (d5) the upgrade attribute certificate generation process based on the upgrade condition information designated by the user is executed.

The upgrade attribute certificate generation process is a process of issuing a new attribute certificate in which the content usage condition designated by the user is recorded, that is, an attribute certificate having a serial number different from the attribute certificate received from the security chip. Run as. At this time, in the newly issued upgrade attribute certificate, history data including the serial of the attribute certificate that is the base of the upgrade is stored.

[0407] Note that, as described above, the mode of upgrade is any one of the following: change (extension) of the period limit: period limit → change to online count limit period limit → change to offline count limit period limit → buyout In the case of changing the time limit, an upgrade attribute certificate with a new use period is generated. Also, when changing to the online or offline number of times limit, an upgrade attribute certificate storing the number of times of use limit is generated. In addition, when changing to a purchase-out condition, an upgrade attribute certificate with a content usage condition as a purchase-out condition is generated.

When changing the period limit or changing the number of times of online limit, the content key stored in the upgrade attribute certificate is the same as the original attribute certificate.
P. Sto. K (Kc)], but when changing to the off-line number limit or changing to buyout,
Unlike the original attribute certificate, the upgrade attribute certificate has the SP corresponding storage secret key: SC.SC stored in the service provider management area of the security chip of the user device. Stopri. SP. The content key encrypted with the public key corresponding to K, that is, [SC. Sto
pub. SP. K (Kc)] is stored.

[0409] In the case of off-line processing and the common key method is applied instead of the public key method, the SP-compatible storage key stored in the service provider management area of the security chip of the user device. The content key encrypted by (common key) is stored. If the service provider does not have this common key, the SP compatible storage key (common key) is also sent when the attribute certificate is sent from the security chip to the service provider in step (d3) of FIG. To do. In this case, the session key generated during mutual authentication is encrypted and sent.

When the service provider generates the upgrade attribute certificate, it sends it to the security chip.

(D6) The security chip control unit receives the upgrade attribute certificate (A
When C) is received, the attribute certificate verification process is executed.
The verification processing includes confirmation of whether the stored authority information (content usage condition) matches the specified condition, format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip preferably performs chain verification of the public key certificate according to the public key certificate information of the AC holder in the attribute certificate (AC). In some cases, this chain verification is essential.

(D7) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip sends an upgrade attribute certificate reception confirmation to the service provider, and (d8 ) Store the upgrade attribute certificate in memory.

Further, the control unit of the security chip is
When the upgrade attribute certificate has a limit on the number of times of offline use, the above-described import processing of the number-of-uses management data is executed by the time the content is used. For details of the import processing of the usage count management data, refer to FIGS.
As described above, there are a mode in which the usable number is stored inside the security chip and a mode in which the usable number is stored in the external memory and only the hash value is stored in the security chip.

Through the above processing, the user device can obtain a new upgrade attribute certificate based on the attribute certificate already held and can use the content according to the usage conditions according to the upgrade attribute certificate. Becomes

(B) Online-Upgrading process based on number-of-use restrictions attribute certificate (AC) Next, the content use condition recorded in the attribute certificate is online processing, and an attribute for which the number-of-uses limit is set When the certificate is held, the upgrade process based on the online-usage limit attribute certificate will be described with reference to the sequence diagram of FIG. FIG. 46 shows the processing of the security chip control unit in the user device, the user device control unit (upper software), and the service provider from the left.

In FIG. 46, the top row (a) shows the service provider ID acquisition processing from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) shows the attribute certificate. The process of acquiring the service provider ID from the attribute certificate when stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, (c) shows the mutual relationship between the security chip and the service provider. This is an authentication process. These processes are the same as those shown in FIG.
The description is omitted because it is similar to the case.

Processing after establishment after mutual authentication will be described.
(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the attribute certificate upgrade application request and the upgrade condition to the security chip. . The content usage condition recorded in the attribute certificate of the upgrade process in this example is the online count limit, and the upgrade condition specified by the user is, for example, changing the usable count (increasing the count) Online count limit → period limit Change to Online number limit → Change to offline number limit Online number limit → Change to buyout.

(D2) Upon receipt of the attribute certificate (AC) upgrade application request from the user device controller, the security chip controller executes the attribute certificate verification processing. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip verifies the public key certificate of the AC holder in the attribute certificate (AC) and the chained public key certificate, and issues the root certificate authority (CA). It is preferable to execute the verification of the public key certificate. In some cases, this chain verification is essential.

(D3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip specifies to the service provider the attribute certificate to be upgraded by the user. It will be sent together with the upgraded upgrade condition information. The attribute certificate to be upgraded is recorded that the content is a limited number of times online and the number of times of use limitation is stored as a usage condition. Furthermore, the private key held by the service provider: SP. Sto. The content key data encrypted with K, that is, [SP. Sto.
K (Kc)] is stored.

(D4) The service provider receiving the attribute certificate from the security chip executes the signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, (d5) the upgrade attribute certificate generation process based on the upgrade condition information designated by the user is executed.

The upgrade attribute certificate generation process is a process of issuing a new attribute certificate in which the content usage condition designated by the user is recorded, that is, an attribute certificate having a serial number different from the attribute certificate received from the security chip. Run as. At this time, in the newly issued upgrade attribute certificate, history data including the serial of the attribute certificate that is the base of the upgrade is stored.

As described above, the mode of upgrade is to change the use limit number (increase the number of times) Online number limit → Change to period limit Online number limit → Change to offline number limit Online number limit → Change to buyout In the case of changing the number of times of limitation, an upgrade attribute certificate in which the number of times of use is newly set is generated. Also, when changing to a time limit, an upgrade attribute certificate storing time limit information is generated.

When changing the number of times of use limitation as the limitation of number of times of online use, or when changing to the limitation of period, the content key stored in the upgrade attribute certificate is encrypted with the private key of the service provider as with the original attribute certificate. Content key [SP. Sto. K (Kc)], but when changing to the offline count limit or changing to the purchase limit, the upgrade attribute certificate differs from the original attribute certificate in the service chip management area of the security chip of the user device. Stored in
Corresponding storage secret key: SC. Stopri. SP. K
Content key encrypted with the public key corresponding to [SC. Stoppub. SP. K (Kc)] is stored.

[0424] In the case of off-line processing and the common key method is applied instead of the public key method, the SP-compatible storage key stored in the service provider management area of the security chip of the user device. The content key encrypted by (common key) is stored. If the service provider does not have this common key, the SP compatible storage key (common key) is also sent when the attribute certificate is sent from the security chip to the service provider in step (d3) of FIG. To do. In this case, the session key generated during mutual authentication is encrypted and sent.

When the service provider generates the upgrade attribute certificate, it sends it to the security chip.

(D6) The security chip controller uses the upgrade attribute certificate (A
When C) is received, the attribute certificate verification process is executed.
The verification processing includes confirmation of whether the stored authority information (content usage condition) matches the specified condition, format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip preferably performs chain verification of the public key certificate according to the public key certificate information of the AC holder in the attribute certificate (AC). In some cases, this chain verification is essential.

(D7) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip sends an upgrade attribute certificate reception confirmation to the service provider, and (d8 ) Store the upgrade attribute certificate in memory.

Furthermore, the control unit of the security chip is
When the upgrade attribute certificate has a limit on the number of times of offline use, the above-described import processing of the number-of-uses management data is executed by the time the content is used. The details of the number-of-uses management data import process are as described above with reference to FIGS. 37 to 41. The mode of storing the number of times of use available in the security chip and the number of times of use available in the external memory are stored. There is a mode in which only the hash value is stored in the security chip.

[0429] Through the above processing, the user device can obtain a new upgrade attribute certificate based on the attribute certificate already held and can use the content according to the usage conditions according to the upgrade attribute certificate. Becomes

(C) Offline-Upgrade processing based on number-of-use restrictions attribute certificate (AC) Next, the content usage condition recorded in the attribute certificate is offline processing, and an attribute for which the number-of-use restrictions is set When the certificate is held, the upgrade process based on this offline-usage limit attribute certificate will be described with reference to the sequence diagram of FIG. FIG. 47 shows the processing of the security chip control unit in the user device, the user device control unit (upper software), and the service provider from the left.

In FIG. 47, the uppermost row (a) shows the service provider ID acquisition processing from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, and (b) shows the attribute certificate. The process of acquiring the service provider ID from the attribute certificate when stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone, (c) shows the mutual relationship between the security chip and the service provider. This is an authentication process. These processes are the same as those shown in FIG.
The description is omitted because it is similar to the case.

Processing after establishment after mutual authentication will be described.
(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the attribute certificate upgrade application request and the upgrade condition to the security chip. . In this example, the content usage condition recorded in the attribute certificate of the upgrade process is an offline count limit, and the upgrade condition specified by the user is, for example, changing the usable count (increasing the count) Offline count limit → period limit Change to offline limit → Change to online limit Limit to offline limit → Change to buyout.

(D2) Upon receiving the attribute certificate (AC) upgrade application request from the user device controller, the security chip controller executes the attribute certificate verification processing. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip verifies the public key certificate of the AC holder in the attribute certificate (AC) and the chained public key certificate, and issues the root certificate authority (CA). It is preferable to execute the verification of the public key certificate. In some cases, this chain verification is essential.

(D3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip specifies to the service provider the attribute certificate to be upgraded by the user. It will be sent together with the upgraded upgrade condition information. The attribute certificate to be upgraded is recorded as a usage condition that the content is an offline limited content, and the limited usage count is stored. Furthermore, the SP-compatible storage secret key: SC.0 stored in the service provider management area of the security chip of the user device. Stop
ri. SP. The content key encrypted with the public key corresponding to K, that is, [SC. Stoppub. SP. K (K
c)] is stored.

(D4) The service provider receiving the attribute certificate from the security chip executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, (d5) the upgrade attribute certificate generation process based on the upgrade condition information designated by the user is executed.

[0436] The upgrade attribute certificate generation process is a process for issuing a new attribute certificate in which the content use condition designated by the user is recorded, that is, an attribute certificate having a serial number different from the attribute certificate received from the security chip. Run as. At this time, in the newly issued upgrade attribute certificate, history data including the serial of the attribute certificate that is the base of the upgrade is stored.

As described above, the mode of upgrade is to change the use limit number (increase the number of times) offline number limit → change to period limit offline number limit → change to online number limit Offline number limit → change to buyout In the case of changing the number of times of limitation, an upgrade attribute certificate in which the number of times of use is newly set is generated. Also, when changing to a time limit, an upgrade attribute certificate storing time limit information is generated.

When changing the usage-restricted number of times as the offline-number-of-times restriction, or when changing to the purchase-out, the content key stored in the upgrade attribute certificate is the SP stored in the service provider management area, as with the original attribute certificate. Corresponding storage secret key: SC. Stopri. S
P. The content key encrypted with the public key corresponding to K, that is, [SC. Stoppub. SP. K (Kc)], but when changing to the period limit or online count limit, unlike the original attribute certificate,
The content key stored in the upgrade attribute certificate is
Content key encrypted with the private key of the service provider [SP. Sto. K (Kc)].

[0439] Note that, in the case of off-line processing and the common key method is applied instead of the public key method, the SP-compatible storage key stored in the service provider management area of the security chip of the user device. The content key encrypted by (common key) is stored. If the service provider does not have this common key, the SP compatible storage key (common key) is also sent when the attribute certificate is sent from the security chip to the service provider in step (d3) of FIG. To do. In this case, the session key generated during mutual authentication is encrypted and sent.

When the service provider generates the upgrade attribute certificate, it sends it to the security chip.

(D6) The security chip controller uses the upgrade attribute certificate (A
When C) is received, the attribute certificate verification process is executed.
The verification processing includes confirmation of whether the stored authority information (content usage condition) matches the specified condition, format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip preferably performs chain verification of the public key certificate according to the public key certificate information of the AC holder in the attribute certificate (AC). In some cases, this chain verification is essential.

(D7) When the attribute certificate is verified to determine that the attribute certificate has not been tampered with, the control unit of the security chip sends an upgrade attribute certificate reception confirmation to the service provider, and (d8 ) Store the upgrade attribute certificate in memory.

Furthermore, the control unit of the security chip is
When the upgrade attribute certificate has a limit on the number of times of offline use, the above-described import processing of the number-of-uses management data is executed by the time the content is used. The details of the number-of-uses management data import process are as described above with reference to FIGS. 37 to 41. The mode of storing the number of times of use available in the security chip and the number of times of use available in the external memory are stored. There is a mode in which only the hash value is stored in the security chip.

Through the above processing, the user device can obtain a new upgrade attribute certificate based on the attribute certificate already held and can use the content according to the usage conditions according to the upgrade attribute certificate. Becomes

(D) Album purchase type upgrade Next, a series of albumed content data, for example, a plurality of (n) stored in one CD or DVD or the like.
Content 1 to n, or some series of content 1 to n, some of which have been purchased, and the attribute certificate 1 corresponding to the purchased content 1
When the user holds a plurality of attribute certificates n in the user device, by presenting these attribute certificates to the service provider, other contents constituting the album, that is, contents 2, 4, 6-. An upgrade process, which is a process of purchasing (n) albums of n contents at a discounted price, will be described with reference to FIG.

FIG. 48 shows the processing of the security chip control section, the user device control section (upper software) in the user device, and the service provider from the left. The uppermost row (a) is a service provider ID acquisition process from the attribute certificate when the attribute certificate is stored in the internal memory of the security chip, (b)
Shows the service provider ID acquisition processing from the attribute certificate when the attribute certificate is stored in the external memory of the security chip, that is, the memory accessible by the control of the user device control unit alone. Mutual authentication processing between the chip and the service provider. These processes are the same as those in the case of FIG. 45 described above, and the description thereof will be omitted.

Processing after establishment after mutual authentication will be described.
(D1) The user confirms the authority information (content usage condition) of the attribute certificate displayed by the browser attached to the user device, and outputs the attribute certificate upgrade application request and the upgrade condition to the security chip. . The attribute certificate to be upgraded in this example is one or more attribute certificates corresponding to a part of the contents constituting an album identified as a set pair of a plurality of contents. The upgrade condition designated by the user is, for example, a condition such as purchase of some other contents constituting the album and purchase of all other contents constituting the album.

(D2) Upon receiving the attribute certificate (AC) upgrade application request from the user device controller, the security chip controller executes the attribute certificate verification processing. The verification processing includes confirmation of authority information (content usage conditions), format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip verifies the public key certificate of the AC holder in the attribute certificate (AC) and the chained public key certificate, and issues the root certificate authority (CA). It is preferable to execute the verification of the public key certificate. In some cases, this chain verification is essential.

(D3) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip specifies to the service provider the attribute certificate to be upgraded by the user. It will be sent together with the upgraded upgrade condition information.

(D4) The service provider receiving the attribute certificate from the security chip executes signature verification processing of the attribute certificate. Further, at this time, it is preferable to verify the public key certificate linked to the attribute certificate and the higher public key certificate in a chained manner. In some cases, this chain verification is essential. When the validity of the attribute certificate is confirmed by these verification processes, (d5) the upgrade attribute certificate generation process based on the upgrade condition information designated by the user is executed.

The upgrade attribute certificate generation process is a process for issuing a new attribute certificate recording the content usage condition designated by the user, that is, an attribute certificate having a serial number different from the attribute certificate received from the security chip. Run as. At this time, in the newly issued upgrade attribute certificate, history data including the serial of the attribute certificate that is the base of the upgrade is stored.

Note that, as described above, the upgrade mode is either purchase of some other contents constituting the album or purchase of all other contents constituting the album, and some of the other contents constituting the album. In the case of content purchase, an upgrade attribute certificate corresponding to a part of content designated for purchase is generated. In addition, in the case of purchasing all the other contents composing the album, the upgrade attribute certificate corresponding to all the other contents composing the album is generated.

The use condition in this case can be designated by the user in advance, or may be determined by the service provider. When the user specifies it, it is specified in step (d1) of FIG.
When the attribute certificate is sent from the security chip in 3) to the service provider, the specified conditions are also sent.

[0454] When the service provider generates an upgrade attribute certificate for offline use, the SP corresponding storage private key stored in the service provider management area: SC. Stopri. SP. Content key encrypted with the public key corresponding to K [SC. Stoppub.
SP. K (Kc)] to generate an upgrade attribute certificate for online use, the content key stored in the upgrade attribute certificate is a content key [SP. S
to. K (Kc)].

[0455] In the case of off-line processing and the common key method is applied instead of the public key method, the SP-compatible storage key stored in the service provider management area of the security chip of the user device. The content key encrypted by (common key) is stored. If the service provider does not have this common key, the SP compatible storage key (common key) is also sent when the attribute certificate is sent from the security chip to the service provider in step (d3) of FIG. To do. In this case, the session key generated during mutual authentication is encrypted and sent.

After generating the upgrade attribute certificate, the service provider sends it to the security chip.

(D6) The security chip controller uses the upgrade attribute certificate (A
When C) is received, the attribute certificate verification process is executed.
The verification processing includes confirmation of whether the stored authority information (content usage condition) matches the specified condition, format confirmation, and signature verification processing. The signature verification process is executed, for example, according to the same sequence as the process flow of FIG. 20 described above. Further, if necessary, the control unit of the security chip preferably performs chain verification of the public key certificate according to the public key certificate information of the AC holder in the attribute certificate (AC). In some cases, this chain verification is essential.

(D7) When the attribute certificate is verified and it is determined that the attribute certificate has not been tampered with, the control unit of the security chip sends an upgrade attribute certificate reception confirmation to the service provider, and (d8) ) Store the upgrade attribute certificate in memory.

Furthermore, the control unit of the security chip is
When the upgrade attribute certificate has a limit on the number of times of offline use, the above-described import processing of the number-of-uses management data is executed by the time the content is used. The details of the number-of-uses management data import process are as described above with reference to FIGS. 37 to 41. The mode of storing the number of times of use available in the security chip and the number of times of use available in the external memory are stored. There is a mode in which only the hash value is stored in the security chip.

[0460] Through the above processing, the user device can obtain a new upgrade attribute certificate based on the attribute certificate already held and can use the content in accordance with the usage conditions according to the upgrade attribute certificate. Becomes

[Data Backup and Restoration Processing] The right information and the certificates purchased by the user from the service provider and stored in the storage means in the user device having the security chip should be backed up in case of loss. Is preferred. Information that should be backed up includes information that can be viewed and information that must be securely stored. The information that can be seen is
Certificates such as public key certificates and attribute certificates. The information held securely includes, for example, evidence of service subscription written in the service provider management area of the security chip.

For certificates such as public key certificates and attribute certificates, it is sufficient for the user to store the copy information in a memory card equipped with a hard disk or a flash memory as appropriate. The content key is stored in the attribute certificate, but in the case of online use, it is necessary to connect with the service provider, and the validity of the device (security chip) is confirmed at the time of mutual authentication at this time. The content is never used illegally. Further, even in the case of offline use, the key for decrypting the content key is stored in the service provider management area of the security chip, so that the security chip of the legitimate user device is held and the access by the password described above is possible. Only the authorized user can decrypt the encrypted content key. Therefore, even if the attribute certificate is passed to a third party, the content will not be illegally used.

However, the secret information in the security chip must be securely stored in the temporary storage. For example, in the service provider management area of the security chip, ID information, key information, password, etc. necessary for mutual authentication with the service provider are stored, and it is necessary to prevent these from leaking to a third party. is there. Therefore, when backing up to an external storage medium (temporary storage), these backup data need to be encrypted.

When the user stores the secret information in the temporary storage, there is no meaning in the encryption in which the data leakage occurs due to the theft of the storage medium. In addition, if the key can be decrypted with a key that can be easily retrieved from the user device, a copy of the security device can be generated with the key retrieved from the user device, and the service provider management area data that is exactly the same on the user side can be generated. It may be possible to generate a second security device having Further, by mounting the portable medium having the duplicated security chip on another user device, it becomes possible for a plurality of user devices to receive exactly the same service. Therefore, in the system of the present invention, even if the secret information is stored in the temporary storage as backup data, it cannot be decrypted by an unauthorized third party, and the user holding the user device restores it without permission of the system holder. It is configured so that it cannot be stored in another security chip for use, and decryption and restoration of data can be performed only at the support center.

That is, in view of the difficulty of performing reliable information management in the user device and completely preventing data loss, the system of the present invention provides a data backup service at the support center, If necessary, the support center uses the backup data to perform data recovery, that is, restore processing. Restoration is performed at the support center, and is executed as a process of reading data from the temporary storage and importing the data into the security device of the user device. Hereinafter, the data backup process and the restore process by the support center will be described.

FIG. 49 shows an outline of backup processing of confidential information in the user device and restore processing in the support center.

In FIG. 49, the user device 410.
Has a security chip 411, and various secrets, that is, secret information is stored in the security chip 411. The secret information is, for example, storage information in the service provider management area of the security chip, and ID information, key information, necessary for mutual authentication with the service provider,
Password, etc. The public key certificate and the attribute certificate are stored in the memory outside the security chip of the user device.

The user backs up and saves this information in an external storage medium other than the user device in case of damage to the user device or loss of data.
For example, a public key certificate, an attribute certificate, etc. are stored in the hard disk of an external PC, or stored in an external storage medium 421 such as a card type storage medium having a flash memory.
As described above, these are stored in the external storage medium 421 without being encrypted by the risk of illegal use of the content due to leakage, and the user can store the content in the external storage medium 421 as necessary. It is possible to restore to.

On the other hand, when the secret information stored in the security chip is stored in the external storage medium 422 as backup data, a random number is used as a temporary key in the user device, and the backup key is Kb (common key system).
And encrypts various secret information (SecData) with the backup key: Kb, and the encrypted data:
It is stored in the storage medium 422 as [Kb (SecData)]. Further, the generated backup key: Kb is encrypted with the support center public key: Kps, and the encrypted key data [Kps (Kb)] is also stored in the external storage medium 422.
To store. After storing the secret information in the external storage medium 422, the backup key: Kb is erased without being held in the user device.

Encrypted data stored in the storage medium 422:
[Kb (SecData)] is the same as the storage medium 422.
Even if is handed over to a third party, the backup key: Kb, which is the key for decrypting it, is encrypted by the public key: Kps of the support center, and in order to obtain the backup key: Kb, The private key of the support center: Kss requires decryption processing, so decryption by a third party is impossible. Also, a legitimate user who holds the user device cannot generate the second security device by decryption.

Data restoration (restoration) processing is performed by the user site from the support center 450 to the storage medium 4
22 by sending. The restore process is executed for the new user device 430 when the original user device is damaged. It is also possible to send the original user device itself to the support center and perform restoration on the original user device that has been repaired. When the restore process for a new user device is executed, the process of invalidating the original user device, that is, the revoke process is also executed. This revoke process is performed by, for example, registering the public key certificate issued corresponding to the user device in the revocation list. The revocation list is
It is configured as a list of public key certificates corresponding to an unauthorized device, a revoked device, a user, and the like. The revocation list is referred to at the time of mutual authentication with the device, and when it is determined that the device is the device described in the list, the authentication is not established and the subsequent data communication can be stopped.

The restore processing in the support center 450 is first performed by the storage medium 42 sent from the user site.
The encrypted key data [Kps (Kb)] encrypted by the public key of the support center: Kps stored in 2'is taken out, decrypted by the secret key of the support center: Kss, and the backup key: Kb is taken out. After that, by applying the acquired backup key: Kb, the secret information encrypted data: [Kb (Se
cData)], and the decrypted data: S
This is executed as a process of storing ecData in the security chip of the user device 430. A specific restore processing sequence will be described later.

As described above, with the configuration in which the backup data of the confidential information in the user device can be restored only in the support center, it is possible to prevent the duplicate use of the confidential information.

FIG. 50 is a diagram for explaining the outline of the procedure at the time of restore processing. At the user site, the confidential information stored in the security chip in the user device 470 used by the user is stored in the backup storage medium 47.
Store in 1. As described above, the user device generates the backup key: Kb (common key system), and encrypts the secret information (SecData) with the backup key: Kb: data [Kb (SecData)] and backup key: Kb. The encryption key data [Kps (Kb)] encrypted by the public key of the support center: Kps is stored in the backup storage medium 471.

When the user device 470 becomes unusable due to some reason such as damage, the user can copy the backup storage medium 471 to the support center 475.
To send.

The support center 475 decrypts and restores the data of the backup storage medium 471 to the new user device or the original user device that repaired the damaged user device, and restores the secret information. Then, the backup storage medium 471 used for the restoration is returned to the user. In this restore process, the support center 475 executes the restore process on the new device, and when the original device is not used, executes the revoke process by registering in the revocation list. The support center 475 may also charge for the restore process.

Referring to FIG. 51, the data backup processing sequence for the backup storage medium executed at the user site will be described. FIG. 51 shows
From the left, the processes of the backup storage medium, the security chip controller in the user device, and the user device controller (upper software) are shown. First,
(1) The user device controller sends a backup processing request to the security chip controller. This is performed based on the user's instruction for executing the backup process to the input unit on the user device side.

Upon receiving the backup request, the control unit of the security chip generates (2) a backup key (key): Kb applied to encryption of the backup data. Backup key (key): Kb is a temporary key dedicated to backup generated based on a random number generated by, for example, a random number generation unit, and is erased without being held by a security chip after backup processing to a backup storage medium. To be done.

The control unit of the security chip (3) generates the backup key (key): Kb, then encrypts the backup data with the generated backup key (key), and the encrypted data: [Kb (SecData) ] Is generated. When the data encryption is completed, (4) the control unit of the security chip further encrypts the backup key (key): Kb using the public key: Kps of the support center, and the encryption key data: [Kps (Kb)]. To generate.

After the above processing, the control unit of the security chip executes (5) encrypted data: [Kb (SecDat
a)] and encryption key data: [Kps (Kb)] are stored in the backup storage medium. Note that after these processes, the backup key (key): Kb is erased from the security chip.

Note that the encrypted data: [Kb (SecData)] and the encryption key data: [Kps (Kb)] are not stored in the backup storage medium, and these data are directly transmitted to the support center to be sent to the support center. The backup data may be stored in the internal storage means in association with the user device ID or the security chip ID. With such a configuration, the restore process based on the backup data can be executed in response to a request from the user device (security chip) side to the support center via the communication network, without sending the backup storage medium. The restore process can be executed.

Next, with reference to FIG. 52, a process of acquiring backup data from a backup storage medium executed by the support center will be described. In the support center, first, the data stored in the backup storage medium sent from the user site is read. The read data is a backup key (key): Kb
Backup data encrypted with: [Kb (SecD
data)] and encryption key data: [Kps (Kb)] obtained by encrypting the backup key (key): Kb using the public key of the support center: Kps. As described above, the user device I is stored in the storage means in the support center.
When the backup data is stored in association with D or the security chip ID, the support center reads these data from the storage means based on the restore processing request from the user site.

After reading the data, the support center first backup key (key) encrypted with the support center's public key: Kps: Kb data: [Kps (K
b)] is the private key corresponding to the public key of the support center:
The decryption process is executed with Kss, and the backup key (key): Kb is taken out. Furthermore, the backup data encrypted by the backup key (key): Kb: [Kb
(SecData)] is applied to the extracted backup key (key): Kb to execute the decryption process, and the backup data: SecData is extracted.

Next, with reference to FIG. 53, a sequence of restore processing executed at the support center will be described. FIG. 53 shows, from the left, a security chip control unit of a new user device that stores data by a restore process, a user device control unit, a support center server, and an attribute certificate authority (AA) that is an attribute certificate issuer. : Attribute Certificate Authority) processing. The attribute certificate issuing authority is an organization that issues attribute certificates, and is configured in, for example, a service provider. Here, the attribute certificate issuing authority is an attribute certificate for generating the service provider management area in the memory in the security chip of the user device.

As described above, the attribute certificate for generating the service provider management area is an attribute issued for the purpose of the service provider registering and setting the management area of each service provider in the memory in the security chip of the user device. This is a certificate, and in the attribute information field, a service provider identifier (ID), a service provider name, a processing mode: memory area reservation, area size: memory area size, etc. are recorded.

The processing sequence of FIG. 53 will be described. First, (1) the user device controller outputs a restore processing request to the security chip controller. This is performed based on the restore processing execution instruction executed by the operator of the support center for the input unit on the user device side.

When the security chip control unit (2) receives the restore processing request from the user device control unit,
(3) Perform mutual authentication processing between the security chip and the service provider. This mutual authentication processing is performed by the TLS1.0 processing of FIG. 16 described above or another method,
For example, it is executed as a mutual authentication process using a public key method. In this mutual authentication processing, mutual public key certificates are verified, and public key certificates up to the root certificate authority (CA) are verified in a chained manner, if necessary. In this authentication processing, the security chip and the support center share the session key (Kses). When mutual authentication is established, next, (4) the security chip controller sends a restore processing request to the support center.

Upon receiving the restore processing request from the security chip, the support center performs (5) backup data search processing. This is executed as confirmation of whether the support center has received backup data from the user site.

Next, the support center sends (6) a request to issue the memory area securing attribute certificate (AC) to the attribute certificate issuing authority (person). (7) The attribute certificate issuer (AA), which is the attribute certificate issuer that has received the attribute certificate (AC) issue request, generates a memory area securing attribute certificate (AC). Attribute certificate (AC)
May be issued in advance by the attribute certificate authority (AA).

The memory area securing attribute certificate has a service provider identifier (ID), service provider name, processing mode: memory area securing, area size: memory area size, etc. recorded in the attribute information field. Yes, and is issued under the control of each service provider, for example. Therefore, when the restore processing is executed only for the data in one service provider management area, one service provider management area is set in the memory in the security chip control unit by one memory area securing attribute certificate. However, when restoring data in multiple service provider management areas, multiple memory area securing attribute certificates are issued, and multiple services are stored in the memory in the security chip controller. After setting the provider management area, data is stored for each usage area.

(8) The attribute certificate certificate authority (AA), which is the issuer of the attribute certificate, transmits the generated memory area securing attribute certificate (AC) to the support center server. When the support center receives the memory area securing attribute certificate (AC) from the attribute certificate issuer (AA) which is the issuer of the attribute certificate, (9) the attribute certificate and the backup data are sent to the security chip controller. Send. The backup data is data to be stored in the service provider management area secured in the memory of the security chip by the memory area securing attribute certificate (AC). For example, the backup data is a private key corresponding to the service provider (SP), a service provider (SP). ) Corresponding storage secret key, hash value of external management information, usage count management data, authentication information, user information, and other data.

(10) Upon receiving the memory area securing attribute certificate (AC) from the support center server, the security chip control unit executes the attribute certificate verification processing. The verification processing includes format confirmation and signature verification processing. The signature verification process is performed, for example, with reference to FIG.
It is executed according to the same sequence as the processing flow of.

Further, if necessary, the control unit of the security chip acquires the public key certificate linked according to the public key certificate information of the AC holder in the attribute certificate (AC), and acquires the public key certificate of the public key certificate. It is preferable to perform verification. For example, when the reliability of the issuer of the attribute certificate (AC) is uncertain, the public key certificate of the certificate authority is verified by verifying the public key certificate of the issuer of the attribute certificate (AC). It is possible to judge whether or not the user has it legally. If the public key certificate has a hierarchical structure as described above, the route is traced upward to perform chained verification, and the public key certificate issued by the root certification authority (CA) is also verified. Preferably. In some cases, this chain verification is essential.

(11) When the attribute certificate is verified to determine that the attribute certificate has not been tampered with, the control unit of the security chip follows the conditions recorded in the memory area securing attribute certificate (AC). Set the service provider management area in the memory in the security chip. (12)
Further, the control unit of the security chip stores the backup data received from the support center server in the service provider management area set in the memory.

Through the above processing, the service provider management area is secured in the memory of the security chip of the user device in accordance with the condition recorded in the memory area securing attribute certificate, and backup data is stored in the secured service provider management area. To be done. When restoring backup data corresponding to a plurality of service provider management areas, similar processing is repeatedly executed based on issuance of a plurality of memory area securing attribute certificates.

After the above-mentioned processing sequence or during the processing sequence, the support center executes the revoke processing of the original user device to be discarded. Further, a billing process for the user who has requested the restoration may be executed.

[Structure of Each Entity] Next, an example of the structure of each entity constituting the above-described content use management system will be described with reference to the drawings. First, a configuration example of a user device as a service receiving device that receives content from a service provider is shown in FIG.
Will be described with reference to.

The user device can be realized by a data processing means such as a CPU for executing data processing and control, a PC having a communication means capable of communicating with other service providers and the like. FIG. 54 shows a configuration example of the device. In addition,
The device configuration example shown in FIG. 54 is one example, and the device is not necessarily required to have all the functions shown here. The CPU (Central p
A rocessing unit) 501 is a processor that executes various application programs and an OS (Operating System). ROM (Read-Only-Memory) 502 is C
A program executed by the PU 501 or fixed data as a calculation parameter is stored. RAM (Random A
The ccess memory) 503 is used as a storage area and a work area for programs executed in the processing of the CPU 501 and parameters that change appropriately in the program processing.

The HDD 504 controls the hard disk, and stores and reads various data and programs to and from the hard disk. The security chip 512 has a tamper-proof structure as described above, and has key data necessary for encryption processing, a memory as a storage area for an access permit, and a control unit.

The bus 510 is a PCI (Peripheral Compone)
nt Interface) bus etc., each module,
It enables data transfer with each acquisition device via the input / output interface 511.

The input unit 505 is composed of, for example, a keyboard, a pointing device, etc., and has a CPU 501.
It is operated by the user to input various commands and data to. The output unit 506 is, for example, a CRT, a liquid crystal display, or the like, and displays various kinds of information by text or images.

The communication unit 507 executes communication processing with an entity to which the device is connected, for example, a service provider or the like, and under the control of the CPU 501, data supplied from each storage unit or data processed by the CPU 501, an encryption code. The process of transmitting the converted data or the like or receiving the data from another entity is executed.

The drive 508 is a floppy (registered trademark) disk or a CD-ROM (Compact Disc Read Only).
Memory), MO (Magneto optical) disk, DVD (Dig
Ital Versatile Disc), a magnetic disk, a semiconductor memory, and the like, which is a drive for performing recording / reproduction of the removable recording medium 509. Reproduction of programs or data from each removable recording medium 509, removable recording medium 5
The program or data storage for 09 is executed.

When the program or data recorded in each storage medium is read and executed or processed by the CPU 501, the read program or data is supplied to the connected RAM 503 via the interface 511 and the bus 510, for example. .

The program for executing the process in the user device included in the above description is, for example, the ROM
It is stored in 502 and processed by the CPU 501, or stored in a hard disk and supplied to the CPU 501 via the HDD 504 to be executed.

[0506] Next, a configuration example of a data processing device that constitutes each entity such as a service provider, a support center, a content creator, an attribute certificate issuing authority, and the like, which are configuration entities of the system of the present invention, will be described.
These entities can be realized by the configuration shown in FIG. 55, for example. The configuration example of the data processing device shown in FIG. 55 is one example, and each entity is not necessarily required to have all the functions shown here.

A CPU (Central processing) shown in FIG.
Unit) 601 is for various application programs,
An OS (Operating System) is actually executed. ROM
A (Read-Only-Memory) 602 stores a program executed by the CPU 601 or fixed data as a calculation parameter. RAM (Random Access Memory) 60
Reference numeral 3 is used as a storage area and a work area for programs executed in the processing of the CPU 601 and parameters that change appropriately in the program processing. HD
D604 controls the hard disk, and stores and reads various data and programs to and from the hard disk. The cryptographic processing unit 605 executes cryptographic processing, decryption processing, and the like of transmission data. Although an example in which the cryptographic processing means is an individual module is shown here, such an independent cryptographic processing module is not provided, and for example, the cryptographic processing program is stored in the ROM 602, and the CPU 601 reads and executes the ROM storage program. It may be configured to do so.

The drive 606 is a floppy disk,
CD-ROM (Compact Disc Read Only Memory), MO
(Magneto optical) Disc, DVD (Digital Versatil
e Disc), magnetic disk, semiconductor memory, or other drive that executes recording / reproduction of the removable recording medium 607, and executes reproduction of a program or data from each removable recording medium 607 and storage of a program or data in the removable recording medium 607. CPU by reading out the program or data recorded in each storage medium
When executing or processing in 601, the read program and data are, for example, the RAM 603, the communication unit 608, and the communication unit 60 that are connected via the bus 610.
9 is supplied.

The communication section 608 and the communication section 609 show an example in which a plurality of communication sections are provided on the assumption of a process of communicating with different entities as communication partners. For example, in the case of a service provider, one is used for communication with a user device and the other is used for communication processing with a content creator. Mutual authentication with a communication partner, transmission / reception processing of encrypted data, and the like are executed via each communication unit.

A program for executing each process in the data processing device constituting the service provider, support center, content creator, and attribute certificate issuing authority included in the above description is stored in, for example, the ROM 602 and processed by the CPU 601. Stored in the hard disk, or the CPU 6 via the HDD 604.
01 to be executed.

The present invention has been described in detail above with reference to the specific embodiments. However, it is obvious that those skilled in the art can modify or substitute the embodiments without departing from the scope of the present invention. That is, the present invention has been disclosed in the form of exemplification, and should not be limitedly interpreted. In order to determine the gist of the present invention, the section of the claims described at the beginning should be taken into consideration.

The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing the processing by software, the program recording the processing sequence is installed in the memory in the computer incorporated in the dedicated hardware and executed, or the program is stored in a general-purpose computer capable of executing various processing. It can be installed and run.

For example, the program can be recorded in advance in a hard disk or a ROM (Read Only Memory) as a recording medium. Alternatively, the program may be a floppy disk, CD-ROM (Compact Disc Read Only Me
mory), MO (Magneto optical) disc, DVD (Digit
al Versatile Disc), magnetic disk, semiconductor memory, or other removable recording medium, which can be temporarily (or permanently) stored (recorded). Such a removable recording medium can be provided as so-called package software.

The program is installed in the computer from the removable recording medium as described above, is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as LAN (Local Area Network) or the Internet. Then, the computer can receive the program thus transferred and install it in a recording medium such as a built-in hard disk.

The various processes described in the specification are as follows.
The processing may be executed not only in time series according to the description, but also in parallel or individually according to the processing capability of the device that executes the processing or the need. Further, the system in the present specification is a logical set configuration of a plurality of devices,
The devices of the respective configurations are not limited to being in the same housing.

[0516]

As described above, according to the content use management system, the content use management method, the information processing apparatus, and the computer program of the present invention, encrypted content is distributed, and only for authorized users. In a system that allows the usage of content, the content key is encrypted and stored in the content usage right certificate and distributed, and the content key can be decrypted and acquired by only a legitimate user. The content key can be acquired only by a legitimate user without managing the content usage authority of the user for each user on the service provider side.

Furthermore, the content use management system, the content use management method, and the information processing device of the present invention,
Also, according to the computer program, in a system that distributes encrypted content and allows only authorized users to use the content, the content key is encrypted and stored in the content usage right certificate, and the content usage period is Alternatively, the content usage conditions such as the number of times of usage are also stored and distributed, and the content key decryption processing start condition is set to satisfy the content usage conditions, so that it is different for each user. It is possible to acquire a content key only for a legitimate user if each usage condition is satisfied, without managing the content usage authority for each user on the service provider side.

Furthermore, the content use management system, the content use management method, and the information processing device of the present invention,
Also, according to the computer program, in a system that distributes encrypted content and allows only regular users to use the content, the content key is encrypted and stored in the content usage right certificate, and the content is used. In this case, it is configured to store and deliver the content usage condition together with whether to perform online processing that requires connection with the service provider or offline processing that does not require connection with the service provider, and decrypt the content key. As the processing start condition is configured to execute online processing or offline processing recorded in the content usage right certificate, various content usage rights that differ for each user do not have to be managed for each user on the service provider side. , Only for legitimate users, each Only when satisfying the use conditions, it is possible to acquire the content key.

Furthermore, the content use management system, the content use management method, and the information processing device of the present invention,
In addition, according to the computer program, the content usage right certificate is attached with the electronic signature of the issuing entity of the content usage right certificate, and the decryption process of the content key is not falsified by verifying the electronic signature. Since the configuration is performed on the condition that the confirmation is performed, it is possible to eliminate the possibility that an unauthorized certificate is forged and an unauthorized content is used.

[Brief description of drawings]

FIG. 1 is a diagram illustrating an outline of a content use management system configuration of the present invention.

FIG. 2 is a diagram showing a format of a public key certificate applicable in the content usage management system of the present invention.

FIG. 3 is a diagram showing a format of a public key certificate applicable in the content usage management system of the present invention.

FIG. 4 is a diagram showing a format of a public key certificate applicable in the content usage management system of the present invention.

FIG. 5 is a diagram showing a format of an attribute certificate as an authority information certificate applicable in the content use management system of the present invention.

FIG. 6 is a configuration diagram showing a configuration of a security chip in a user device.

FIG. 7 is a diagram showing main data to be processed in a user device.

FIG. 8 is a diagram showing a sequence of initial registration processing of authentication information (password).

FIG. 9 is a diagram showing a change processing sequence of authentication information (password).

FIG. 10 is a diagram showing a change processing sequence of authentication information (password).

FIG. 11 is a diagram illustrating correspondence between authentication information (password) and a master password.

FIG. 12 is a diagram illustrating a master password distribution process.

FIG. 13 is a diagram showing a master password reissue processing sequence.

FIG. 14 is a flowchart showing a master password calculation process.

FIG. 15 is a diagram showing a sequence of issuing an attribute certificate (AC) and receiving a content.

FIG. 16 is a diagram showing a sequence of a TLS1.0 handshake protocol which is an example of mutual authentication processing.

FIG. 17 is a diagram illustrating a MAC generation process applied to data tampering verification.

FIG. 18 is a diagram showing a sequence of issuing an attribute certificate (AC).

FIG. 19 is a flowchart illustrating an ECDSA signature generation procedure that is an example of signature generation processing.

FIG. 20 is a flowchart illustrating an ECDSA signature verification procedure that is an example of signature verification processing.

FIG. 21: Public key certificate (PKC) and attribute certificate (A
It is a figure explaining the association with C).

FIG. 22 is a diagram showing a verification processing flow of a public key certificate (PKC).

FIG. 23 is a diagram showing a verification processing flow (example 1) of an attribute certificate (AC).

FIG. 24 is a diagram showing a verification processing flow (example 2) of an attribute certificate (AC).

FIG. 25 is a sequence diagram illustrating a content usage process (offline) using an attribute certificate (AC).

FIG. 26 is a sequence diagram illustrating a content usage process (online) using an attribute certificate (AC).

FIG. 27 is a diagram illustrating a content usage process (offline) using an attribute certificate (AC) that stores encrypted data of a content key with a global common key.

FIG. 28 is a sequence diagram illustrating a global common key update process.

FIG. 29 is a sequence diagram illustrating a global common key update process.

[Fig. 30] Fig. 30 is a diagram for describing decoding processing using a decoder.

FIG. 31 is a diagram illustrating a decoding processing sequence using a decoder.

[Fig. 32] Fig. 32 is a diagram describing a decoding process flow using a decoder.

FIG. 33 is an attribute certificate (A
It is a flowchart explaining the application process of C).

[Fig. 34] Fig. 34 is a sequence diagram illustrating a process of using online period restricted content using an attribute certificate (AC).

[Fig. 35] Fig. 35 is a sequence diagram illustrating a process of using online limited content using an attribute certificate (AC).

[Fig. 36] Fig. 36 is a sequence diagram illustrating a process of using off-line purchase-out content using an attribute certificate (AC).

FIG. 37 is a diagram illustrating an import process of usage count management data corresponding to offline count restricted content.

[Fig. 38] Fig. 38 is a diagram illustrating a data configuration example of usage count management data corresponding to offline count restricted content.

[Fig. 39] Fig. 39 is a flowchart illustrating an import process of usage count management data corresponding to offline count restricted content.

FIG. 40 is a diagram illustrating an import process of hash value management type usage count management data corresponding to offline count restricted content.

FIG. 41 is a flowchart illustrating an import process of hash value management type usage count management data corresponding to offline count restricted content.

[Fig. 42] Fig. 42 is a diagram for describing content usage processing to which an attribute certificate of offline-number-restricted content is applied.

[Fig. 43] Fig. 43 is a diagram for describing a process of updating the number-of-times management data corresponding to the offline number-of-times limited content.

FIG. 44 is a diagram illustrating an update process of hash value management type count management data corresponding to offline count restricted content.

[Fig. 45] Fig. 45 is a diagram illustrating an upgrade process applied based on an online period limitation attribute certificate.

[Fig. 46] Fig. 46 is a diagram for describing an upgrade process applied based on an online number limit attribute certificate.

[Fig. 47] Fig. 47 is a diagram for describing an upgrade process applied based on an off-line count limit attribute certificate.

FIG. 48 is a diagram illustrating an album purchase type upgrade process.

[Fig. 49] Fig. 49 is a diagram illustrating an outline of a data restore process by a support center.

FIG. 50 is a diagram illustrating an outline of a processing sequence of data restoration processing by a support center.

FIG. 51 is a diagram illustrating a data backup processing sequence executed on the user device side.

[Fig. 52] Fig. 52 is a diagram for describing the outline of the backup data read processing by the support center.

FIG. 53 is a diagram illustrating a data restore processing sequence by the support center.

FIG. 54 is a diagram showing a configuration example of a user device.

[Fig. 55] Fig. 55 is a diagram illustrating a configuration example of each entity such as a service provider, a support center, and a content creator.

[Explanation of symbols]

101 user device 102 Service Provider 103 Content Creator 104 User device manufacturer 105 Support Center 106 Certificate Authority 110 attribute certificate 200 user devices 201 CPU (Central processing Unit) 202 interface 203 ROM (Read-Only-Memory) 204 RAM (Random Access Memory) 205 Cryptographic processing unit 206 memory 210 security chip 221 User device side control unit 222 External memory unit 280 decoder 301 system holder 302 Service Provider 303 Content Creator 304 user device 410 User device 411 security chip 421 storage means 422 storage media 430 user device 450 Support Center 470 user device 471 storage media 472 user device 475 Support Center 501 CPU (Central processing Unit) 502 ROM (Read-Only-Memory) 503 RAM (Random Access Memory) 504 HDD 505 Input section 506 Output section 507 Communication unit 508 drive 509 Removable recording medium 510 bus 511 I / O interface 512 security chip 601 CPU (Central processing Unit) 602 ROM (Read-Only-Memory) 603 RAM (Random Access Memory) 604 HDD 605 Cryptographic processing means 606 drive 607 Removable recording medium 608,609 Communication unit 610 bus

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04L 9/00 601A (72) Inventor Noboru Shimada 6-735 Kita-Shinagawa, Shinagawa-ku, Tokyo Sony stock In-house (72) Inventor Makoto Oka 6-35 Kita-Shinagawa, Shinagawa-ku, Tokyo F-term (reference) within Sony Corporation 5J104 AA07 AA09 AA16 EA01 EA05 EA06 EA18 EA19 KA02 KA06 MA05 NA02 NA03 NA12 NA35 NA36 NA37 NA42 PA05 PA07

Claims (34)

[Claims] 1. A user device that uses content encrypted with a content key: Kc, and a content usage authorization certificate that stores an encrypted content key obtained by encrypting the content key: Kc, to the user device. A service provider for distribution, wherein the user device applies a storage key in the user device to the encrypted content key stored in the content usage right certificate received from the service provider, or the service A configuration in which the content key: Kc is acquired by executing one of the decryption processes of the provider, and the decryption process of the encrypted content to which the acquired content key: Kc is applied is executed to obtain the content. Content use management system characterized by having 2. A content use condition is recorded in the content use authority certificate, and the user device executes a process of determining whether or not the content is used that satisfies the content use condition,
The storage key in the user device for the encrypted content key stored in the content usage right certificate is applied, provided that the content usage satisfies the content usage condition recorded in the content usage right certificate. The content use management system according to claim 1, wherein the content use management system is configured to execute the decryption process. 3. The content usage authorization is recorded in the content usage authorization certificate, and the service provider executes a process of determining whether or not the content usage satisfies the content usage condition. The configuration is such that decryption processing is performed on the encrypted content key stored in the content usage authorization certificate, provided that the content usage satisfies the content usage conditions recorded in the authorization certificate. The content use management system according to claim 1. 4. A management area for each service provider storing a key for decrypting the encrypted content key stored in the content usage right certificate is set and registered in the memory in the user device, and the user device is The content key: Kc is obtained by applying the decryption key to decrypt the encrypted content key stored in the content usage right certificate. The content usage management system described in 1. 5. A management area for each service provider storing a secret key corresponding to a service provider as a key for decrypting the encrypted content key stored in the content usage right certificate, in the memory in the user device. The encrypted content key set and registered and stored in the content usage right certificate is an encrypted content key encrypted by a public key generated corresponding to the service provider-compatible secret key, and the user device Is configured to apply the service-provider-corresponding private key and execute a decryption process of the encrypted content key stored in the content usage right certificate to obtain the content key: Kc. The content use management system according to claim 1. 6. A management area for each service provider storing authentication processing application data necessary for mutual authentication with a service provider is set and registered in a memory in the user device, and the user device stores the authentication processing application data. Is obtained, authentication with the service provider is performed, the content usage right certificate is sent to the service provider, and the content key: Kc is obtained by decryption processing of the encrypted content key by the service provider. The content use management system according to claim 1, wherein: 7. The encrypted content key stored in the content usage right certificate is an encrypted content key encrypted by a common key system key held by a service provider, and the service provider is a user device. From the content usage right certificate, and executes the decryption process by applying the common key system key held by the service provider to the encrypted content key stored in the received content usage right certificate. The content use management system according to claim 1, wherein the content key: Kc is acquired by performing the operation, and the acquired content key: Kc is transmitted to the user device. 8. The content usage right certificate is an online usage process that requires a usage right judgment process at a service provider as a content usage condition or an offline usage process that does not require a usage right judgment process at a service provider. The user device is configured to selectively execute online use or offline use as the content use condition recorded in the content use right certificate when using the content. The content use management system according to claim 1. 9. The content usage authorization certificate has data that sets, as content usage conditions, any one of a content usage period limited period limit, a content usage number limited number limit, and a purchase limit without usage limitation. When the content is used, the user device determines whether or not the content usage satisfies the usage condition according to the time limit or the number of times as the content usage condition recorded in the content usage right certificate, or the purchase limit. The content key: Kc is obtained by executing a process and performing a decryption process of the encrypted content key stored in the content use authority certificate on condition that the use condition is satisfied. The content use management system according to claim 1. 10. The content usage right certificate has a structure to which a digital signature of an issuing entity of the content usage right certificate is added, and a decryption process of an encrypted content key in the content usage right certificate is performed. The content usage management system according to claim 1, wherein the content usage management system is configured to be executed on condition that there is no data tampering by verifying the electronic signature. 11. The content usage right certificate is configured to store link information related to a public key certificate corresponding to the content usage right certificate, and decrypts an encrypted content key in the content usage right certificate. The conversion process is
2. The configuration is such that the public key certificate obtained from the link information is verified, and the validity of the content usage right certificate is checked on condition.
Content usage management system described in. 12. The content usage authority certificate is an attribute certificate issued by an attribute certificate certificate authority, and the encrypted content key is stored in an attribute information field in the attribute certificate. The content usage management system according to claim 1. 13. The content use authority certificate is an attribute certificate issued by an attribute certificate certificate authority, and has a structure in which content use conditions are stored in an attribute information field in the attribute certificate. Claim 1
Content usage management system described in. 14. An information processing device for using content encrypted by a content key: Kc, wherein a content provider authorization certificate storing an encrypted content key obtained by encrypting the content key: Kc is sent from a service provider. Decryption processing for receiving the encrypted content key stored in the received content usage right certificate by applying the storage key in the information processing device, or the service by sending the content usage right certificate to the service provider Content key by decryption processing at the provider:
An information processing apparatus having a configuration of acquiring Kc and executing a decryption process of encrypted content to which the acquired content key: Kc is applied to acquire the content. 15. The content usage authorization is recorded in the content usage authorization certificate, and the information processing apparatus executes a determination process as to whether or not the content is used to satisfy the content usage condition. Decryption by applying the storage key in the information processing device for the encrypted content key stored in the content usage right certificate, provided that the content usage satisfies the content usage condition recorded in the usage right certificate 15. The information processing apparatus according to claim 14, wherein the information processing apparatus is configured to execute a digitization process. 16. A management area for each service provider, which stores a key for decrypting the encrypted content key stored in the content usage right certificate, is set and registered in the memory of the information processing apparatus, and the information is stored. The processing device is configured to apply the decryption key, perform decryption processing of the encrypted content key stored in the content usage right certificate, and acquire the content key: Kc. The information processing apparatus according to claim 14, wherein 17. A management area for each service provider that stores a private key corresponding to a service provider as a key for decrypting the encrypted content key stored in the content usage authority certificate, in the memory of the information processing device. Is set and registered, and the encrypted content key stored in the content usage right certificate is an encrypted content key encrypted by a public key generated corresponding to the service provider-compatible secret key, and the information The processing device is configured to apply the private key corresponding to the service provider and execute a decryption process of the encrypted content key stored in the content usage right certificate to obtain the content key: Kc. The information processing device according to claim 14. 18. A management area for each service provider storing authentication processing application data required for mutual authentication with a service provider is set and registered in a memory in the information processing apparatus, and the information processing apparatus is configured to perform the authentication. The processing application data is acquired, authentication with the service provider is performed, the content usage right certificate is sent to the service provider, and the content key: Kc is acquired by the decryption processing of the encrypted content key by the service provider. The information processing apparatus according to claim 14, which is configured. 19. The content usage right certificate is an online usage process that requires a usage right judgment process in a service provider as a content usage condition or an offline usage process that does not require a usage right judgment process in a service provider. The information processing device is configured to selectively execute online use or offline use as the content use condition recorded in the content use right certificate when using the content. The information processing device according to claim 14, wherein 20. The content usage authorization certificate includes data in which, as content usage conditions, any one of a content usage period limited period restriction, a content usage number limited number of times restriction, and a purchase limitation without usage limitation is set. When the content is used, the information processing apparatus determines whether the content usage satisfies the usage condition according to the period limit or the number of times as the content usage condition recorded in the content usage right certificate or the purchase limit. The content key: Kc is executed by executing the determination process of No. 1 and performing the decryption process of the encrypted content key stored in the content usage right certificate on condition that the usage condition is satisfied.
15. The information processing apparatus according to claim 14, wherein the information processing apparatus is configured to acquire. 21. The content usage right certificate has a configuration in which a digital signature of an issuing entity of the content usage right certificate is added, and a decryption process of an encrypted content key in the content usage right certificate is performed. The information processing apparatus according to claim 14, wherein the information processing apparatus is configured to be executed on condition that confirmation of no data tampering is performed by verifying the electronic signature. 22. The content usage right certificate has a structure in which link information related to a public key certificate corresponding to the content usage right certificate is stored, and the encrypted content key in the content usage right certificate is decrypted. The conversion process is
2. The configuration is such that the public key certificate obtained from the link information is verified, and the validity of the content usage right certificate is checked on condition.
4. The information processing device according to item 4. 23. A content usage management method for managing content usage by decrypting encrypted content, comprising: a user device that uses content encrypted with a content key: Kc; and the content key: Kc. A service provider that delivers a content usage right certificate storing an encrypted encrypted content key to a user device, wherein the user device receives the content usage right certificate from the service provider; The content key is executed by executing either the decryption process of applying the storage key in the user device to the encrypted content key stored in the content usage right certificate or the decryption process of the service provider: The step of obtaining Kc, and Content key: content usage management method characterized by comprising the steps of: acquiring content by executing the decoding processing of the applied encrypted content Kc, the. 24. Content usage conditions are recorded in the content usage authorization certificate, and the user device executes a process of determining whether or not the content usage satisfies the content usage conditions.
The storage key in the user device for the encrypted content key stored in the content usage right certificate is applied, provided that the content usage satisfies the content usage condition recorded in the content usage right certificate. 24. The content usage management method according to claim 23, wherein the decryption process is performed. 25. Content usage conditions are recorded in the content usage authorization certificate, and the service provider executes a determination process as to whether or not the content usage satisfies the content usage conditions. A decryption process is performed on the encrypted content key stored in the content usage authorization certificate, provided that the content usage satisfies the content usage requirements recorded in the authorization certificate. Item 23. The content usage management method according to Item 23. 26. A management area for each service provider storing a key for decrypting the encrypted content key stored in the content use authority certificate is set and registered in the memory in the user device, and the user device is 24. The content key: Kc is obtained by applying the decryption key to decrypt the encrypted content key stored in the content usage right certificate. Content usage management method. 27. A management area for each service provider storing a private key corresponding to a service provider as a key for decrypting the encrypted content key stored in the content usage right certificate, in the memory in the user device. The encrypted content key set and registered and stored in the content usage right certificate is an encrypted content key encrypted by a public key generated corresponding to the service provider-compatible secret key, and the user device 24. The content key: Kc is obtained by applying the service provider compatible private key and performing a decryption process of the encrypted content key stored in the content usage right certificate.
Content usage management method described in. 28. A management area for each service provider storing authentication processing application data necessary for mutual authentication with a service provider is set and registered in a memory in the user device, and the user device stores the authentication processing application data. Is obtained, authentication with the service provider is performed, the content usage right certificate is sent to the service provider, and the content key: Kc is obtained by decryption processing of the encrypted content key by the service provider. The content use management method according to claim 23. 29. The encrypted content key stored in the content usage authority certificate is an encrypted content key encrypted by a common key system key held by a service provider, and the service provider is a user device. From the content usage right certificate, and executes the decryption process by applying the common key system key held by the service provider to the encrypted content key stored in the received content usage right certificate. The content use management method according to claim 23, wherein the content key: Kc is acquired by performing the operation, and the acquired content key: Kc is sent to the user device. 30. The content usage right certificate is an online usage process that requires a usage right determination process at a service provider as a content usage condition, or an offline usage process that does not require a usage right determination process at a service provider. Wherein the user device selectively executes online usage or offline usage as content usage conditions recorded in the content usage authorization certificate when using the content. Item 23. The content usage management method according to Item 23. 31. The content use authority certificate has data in which any one of a content use condition, that is, a period limit that limits a content use period, a number limit that limits the number of times content is used, or a purchase-out with no use limit is set. When the content is used, the user device determines whether or not the content usage satisfies the usage condition according to the time limit or the number of times as the content usage condition recorded in the content usage right certificate, or the purchase limit. The content key: Kc is acquired by executing a process and executing a decryption process of an encrypted content key stored in the content usage right certificate on condition that the usage condition is satisfied. 23. The content usage management method described in 23. 32. The content usage right certificate has a structure to which a digital signature of an issuing entity of the content usage right certificate is added, and a decryption process of an encrypted content key in the content usage right certificate is performed. 24. The content use management method according to claim 23, wherein the content use management method is executed under the condition that the verification of the electronic signature does not result in data tampering. 33. The content usage right certificate is configured to store link information about a public key certificate corresponding to the content usage right certificate, and decrypts an encrypted content key in the content usage right certificate. The conversion process is
24. The content usage management method according to claim 23, wherein the content usage management certificate is executed on condition that the validity of the content usage authorization certificate is verified by verifying the public key certificate acquired from the link information. 34. A computer program for causing a computer system to execute content utilization management processing for managing content utilization by decrypting encrypted content, the step of receiving a content utilization authority certificate from a service provider. And a decryption process in which the storage key in the user device is applied to the encrypted content key stored in the content usage right certificate, or the decryption process in the service provider is executed to execute content decryption. A computer program, comprising: a step of acquiring a key: Kc; and a step of executing a decryption process of encrypted content to which the acquired content key: Kc is applied to acquire the content.