JP2003178164A - License managing device, license managing method and license managing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide flexible contents utilization control and accurate prevention of fraudulent utilization of contents to an information provision authority. <P>SOLUTION: A copyright holder system 20, a contents server 30, a license server 40 and a user system 50 are provided. An ACL setting part 23 of the copyright holder system 20 sets a plurality of partial utilization permission conditions with respect to the contents as structurally represented utilization permission conditions ACL by a combination of logical sums and logical products on the basis of a user ID and IDs of a plurality of physical elements including a medium used in the user system 50, and stores them in an access control list 43. The license server 40 encrypts the access control list 43 and a decipher key Kc by combining the plurality of physical element IDs. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention manages a content use permission condition together with a decryption key for decrypting encrypted content, and encrypts the decryption key and the use permission condition in response to a content use request from a user. The present invention relates to a license management device, a license management method, and a license management program that are provided to users as a license.

The role of money provides equitable rewards to people due to its material nature of money. The object of money was not just a mere promising sharing concept, it was a physical requirement that it physically existed, could be carried, and that it was difficult to forge it by anyone other than the issuer. By being physically present and portable, users of that value can be fairly confirmed by users, and due to the difficulty of forgery, the trigger of such fair confirmation can be controlled by the fair issuer of money. It was However, due to the recent development of industrial technology, the difficulty of counterfeiting money will soon collapse. A new value confirmation object to replace money is needed. Again, the object must first be physically present, portable, and difficult to counterfeit. In addition, the object must be access controllable by the publisher.

[0003] In addition to the demand for security enhancement, the demand for "super-distribution" is also increasing from the viewpoints of diversification, large capacity and high speed of information distribution. The environment that realizes this "super distribution" satisfies the following conditions. That is, (1) the information user can obtain digital information almost free of charge, and (2) the information provider specifies the conditions (billing, modified usage conditions, etc.) that permit the use of the information, and Being able to enforce the agreed terms,
(3) When using this service, the required additional operation by the information user is about “confirming access conditions”.

A system that can accurately and safely execute access control for such super distribution can be expected to contribute to the correction of inequality in the collection of copyright fees such as license fees. In the current system, the provider cannot make a profit unless the copyrighted work is sold in a considerable number, but it is desired that the system can be constructed so that the copyright holder can accurately get it. Also,
From professional artists to designers who provide creative work as parts, it is desirable that the rewards be proportionately distributed to each person's service charge.

[0005]

2. Description of the Related Art Conventionally, when controlling access to contents such as copyrighted works in a distributed system environment, especially on an open network, the contents are stored in a server accessible by users of the contents, and access to this server is restricted. By controlling, the use of the content was controlled. Here, the content is digital content having a structure as a set of bit strings that can be recorded in a single storage device medium, and includes document text, images, moving images, program software, and the like.

For example, FIG. 17 is a diagram showing a conventional access control model. In FIG. 17, the content 2
04 allows the content operation from the user 205 only through the access control function 203. Also,
The copyright holder 200 only registers the content 204 in the server protected by the access control function 203, for example, only by a server other than the copyright holder 200. For example, an administrator who manages this server controls access to the access control function 203. The operation was being done.

That is, as shown in FIG. 18, the server system 212 holding the contents is managed by the server operator system 211 managed and operated by the administrator 201, and the server operator system 211 sends the contents to the server system 212. The copyright holder and the user are registered, a directory for this purpose is created, and access control by the copyright holder is permitted. The copyright holder system 210 causes the server system 212 to store the content of the copyrighted person's copyrighted work, and sets the access control condition (ACL) in the server system 212. In this case, the copyright holder is the server system 212.
Access control permission must be obtained. On the other hand, the user system 213 makes a content transmission request to the server system 212 when using the content, and if the ACL is satisfied, the server system 2
The contents stored in 12 are acquired.

However, if the content user is given all rights and the user is changed by moving or copying (copying), the original copyright holder's authority is not given to the moving or copying destination content. It doesn't work at all. Also,
It is not clear between the server administrator who saves the content object and the copyright holder how to enforce access permission to the object. For example, it is natural that the server administrator can change the access right without asking the copyright holder. It was supposed to be.

On the other hand, the distributed system environment has been promoted by the recent price reduction of storage media and the like, and the contents can be cached and distributed to a plurality of servers without concentrating the network traffic. You can access at high speed. Therefore, the access control model as shown in FIG. 17 may have a strong access control function only for the entrance to the content operation by the user 205, but in the above-mentioned distributed system environment, it is omnidirectional. It was necessary to perform access control or security protection.

Therefore, an access control model as shown in FIG. 19 has been considered. In this access control model, the copyright holder 200 has a copyright holder protection area that can be protected by conventional security technology, an open area that accepts attacks from the outside, and hardware / software tampering protection. It is separated into a secret protection area to which digital data copy prevention processing is applied. The confidential protection area is protected by the omnidirectional access control function 221, and the content 222 is stored in the access control function 221.

For this content, the copyright holder 200
Allows the access control operation to the access control function 221 as well as the registration of the content 222.
The user 205 can access the access control function 22 from the open area.
The content 222 will be acquired via 1. The inter-area protection interface 220 is an interface that protects between the copyright holder protection area and the open area.

The implementation of the access control model under the distributed system environment shown in FIG. 19 is described in US Pat. No. 5,339.
Japanese Patent Application Laid-Open No. 9-13.
4311, US Pat. No. 5,392,351, US Pat. No. 5,555,304, and US Pat.
Japanese Unexamined Patent Publication No. 24 discloses a technique of checking the user's device to prevent unauthorized use of the content. Less than,
A conventional content usage control system will be described with reference to these publications.

FIG. 20 is a diagram showing a content distribution model of a conventional content usage control system. In FIG. 20, the decryption protection area and the reproduction protection area correspond to the confidentiality protection area shown in FIG. 18, and the decryption protection area is an area for hardware / software tampering protection and output data copy protection protection. The protected area is an area for preventing duplication of digitally decoded data. Usage environment specific physical element (PCSUE)
235-1 to 235-N are physical elements that specify the usage environment of the content, and are specifically a CPU, a peripheral device, a removable storage medium, an IC card, and the like.

In the decryption protected area, PCSUE 235-1
~ 235-N physical element ID certificate 236-
1 to 236-N, the content 234 that is a copy of the content 233 encrypted by the copyright holder 200 and that exists in the server in the open area is decrypted, and this content is decoded via the reproduction protected area. The content is used by the user. Therefore, the content is encrypted with the key corresponding to the physical element ID (content 233), and in order to decrypt the content 234 corresponding to this content 233, each physical element ID or a secret key corresponding thereto is required. Become.

Here, the content distribution model includes a license simultaneous model in which a license used for decrypting encrypted content is distributed simultaneously with the encrypted content, and the encrypted content is cached in the server. There is a content cacheable model that is stored in and acquired at a different timing from the license. FIG. 21 is a diagram showing this content cacheable model.

In FIG. 21, the author 200 first creates content in the copyright holder protection area, encrypts the content, and then copies and caches it in a server or the like in the open area. On the other hand, PCSUE 235-1-23
Certificate 241-1 that encrypted the physical element ID of 5-N
241-N is output to the copyright holder protection area in an encrypted state, extracts the private key Kp from the user physical object class corresponding to PCSUE 235-1 to 235-N, and outputs the private key Kp and the certificate 241. -1 to 241
-N and the physical element IDs 243-1 to 243-N are decrypted, the content decryption key Kc is encrypted by the physical element IDs 243-1 to 243-N, and output to the secret protection area.

In the secret protection area, the encrypted content decryption key Kc is stored in the physical element IDs 242-1 to 242-N.
To obtain the content decryption key Kc. Using this content decryption key Kc, the encrypted content 234 acquired from the open area is decrypted and the content 24 is decrypted.
The user 205 is caused to use the number 4.

FIG. 22 is a block diagram showing a schematic structure of a content use control system corresponding to the content cacheable model shown in FIG. 22, the copyright holder system 250 exists in the copyright holder protection area, the content server 251 exists in the open area,
License server 252 and user system 253
Exists in the confidential protection area. Copyright holder system 250
Encrypts the created content and stores the encrypted confidential content in the content server 251.

Further, the content decryption key Kc is transmitted to the license server 252 to transfer the access control right to the license server 252. Further, the access control list (ACL) is set. User system 25
3 transmits a usage request indicating that the content is used to the license server 252, and at this time, the physical element ID
When the certification group of No. is not attached, the certification group of the physical element ID is acquired by the physical element condition designation of the license server 252 and sent to the license server 252.

As shown in FIG. 21, the license server 252 acquires the secret key Kp of the physical object class of the user, decrypts the physical element ID certification group, and contents encrypted by the decrypted physical element ID. The decryption key Kc is sent to the user system 253 as the license L. As a result, if the physical element IDs of the user system 253 match, decryption is performed, and the secret content can be decrypted using this decrypted content decryption key Kc.

Since the secret contents are stored in the contents server 251, the user system 253 is used.
Must separately issue a secret content distribution request to the content server 251, and receive the secret content distribution from the content server 251.

On the other hand, FIG. 23 shows a schematic block diagram of a content use control system for realizing the content simultaneous distribution type model. In FIG. 23, the content server 251 does not exist, and it is sent to the user system 253 at the same time when the license is sent. As shown in FIG. 22, when the secret content is acquired via the content server 251, the secret content is previously transported to a server close to the user system 253 in advance, so the user system 253 needs the content. You can make a usage request at any time.

Further, it becomes possible to appropriately select the distribution channel of the content as compared with the content simultaneous distribution type model,
For users, it can be expected that response time will be shortened when acquiring content. In the content cacheable model, the content can be distributed in advance by the ROM medium base, the broadcasting, the cache by the proxy server, etc., in addition to the provision of the license, which is advantageous.

[0024]

However, in the above-mentioned conventional content use control system, if the device matches the physical element ID unique to the user system, the secret content can be basically decrypted, and this content can be decrypted. Although it can be used, since the license (usage permission condition) is generated only by this physical element ID, for example, a condition for limiting the number of times of reading the content determined by the copyright holder's intention is added, There is a problem in that it is not possible to set a time limit or set a charging condition, and it is not possible to flexibly control content usage.

Further, the use environment specifying physical element does not always have a simple structure. When the device has a complicated structure, a specific device or part of the device is illegal. In such a case, there is a problem that even if the usage permission condition is simply generated by the usage environment specifying physical element which is a large-sized device, the illegality is overlooked and the security is deteriorated. .

The present invention has been made in view of the above,
A license management device and license management capable of flexibly controlling the use of contents and accurately preventing unauthorized use of contents by information providing authorized persons including those who are licensed to information creators such as copyright holders The purpose is to provide a method and license management program.

[0027]

[Means for Solving the Problems]
In order to achieve the object, the present invention manages a use permission condition of the content together with a decryption key for decrypting the encrypted content, and responds to the content use request from the user with the decryption key and the use permission condition. A license management device that is encrypted and provided to users as a license,
On the basis of the physical element route storage unit that stores information about the physical elements to which the license is sequentially transferred before the decryption key is used for decrypting the content, and the physical element information stored by the physical element route storage unit. And a license generation unit that generates a license by encrypting the decryption key and the use permission condition.

According to the present invention, the information of the physical element to which the license is sequentially transferred until the decryption key is used for decrypting the content is stored, and the decryption key and the use permission condition are stored based on the stored information of the physical element. Since the license is generated by encrypting, the illegal use of the content can be prevented with high accuracy.

Further, the present invention manages the use permission condition of the content together with the decryption key for decrypting the encrypted content, and encrypts the decryption key and the use permission condition in response to the content use request from the user. A license management method for providing a license as a license to a user, the physical element path registration step of registering information of physical elements to which the license is sequentially transferred before the decryption key is used to decrypt the content, A license generation step of generating a license by encrypting the decryption key and the usage permission condition based on the information of the physical element registered in the physical element route registration step.

Further, according to the present invention, the decryption key for decrypting the encrypted content is managed together with the use permission condition of the content, and the decryption key and the use permission condition are encrypted in response to the content use request from the user. A physical element route registration procedure for registering information of physical elements to which licenses are sequentially transferred before the decryption key is used for decrypting contents, which is a license management program that is provided to a user as a license. And a license generation procedure of generating a license by encrypting the decryption key and the use permission condition based on the information of the physical element registered by the physical element route registration procedure.

According to this invention, the information of the physical elements to which the license is sequentially transferred until the decryption key is used for decrypting the content is registered, and the decryption key and the usage permission condition are registered based on the registered information of the physical element. Since the license is generated by encrypting, the illegal use of the content can be prevented with high accuracy.

[0032]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Preferred embodiments of a license management device, a license management method, and a license management program according to the present invention will be described below with reference to the accompanying drawings.

FIG. 1 is a diagram showing the configuration of a content use control system according to an embodiment of the present invention. The content usage control system 10 shown in FIG. 1 is a system that controls the usage of the copyrighted content created by the copyright holder 1 when the user 2 uses the content. In FIG. 1, the content usage control system 10 is
It has a copyright holder system 20, a content server 30, a license server 40, and a user system 50.

The copyright holder system 20 encrypts the created content and registers the encrypted confidential content in the content server 30 (S10). The confidential content registration unit 21 performs the processing, and the encrypted content (secret content). By transmitting the content decryption key necessary for decrypting the access control server to the license server 40 to transfer the access control right to the license server (S12), and the access control right transfer unit 22 and the use permission condition (ACL). Set in the license server 40 (S1
4) It has an ACL setting section 23 and manages usage control relating to the contents of the copyrighted work.

The content server 30 registers the secret content sent from the copyright holder system 20, and receives the secret content distribution request from the user system 50 (S).
In the case of 16), the secret content registered and stored is sent to the user system 50 in an encrypted state (S17).

The license server 40 has a license permission / generation unit 41 and an LDAP system 42. When there is a content usage request from the user system 50 (S18), the license permission / generation unit 41 searches the LDAP system 42 for the physical element ID certificate added to this usage request and the corresponding decryption key. Then, the physical element ID is decrypted, the content decryption key corresponding to the content requested to be used is searched, and the license obtained by encrypting the retrieved content decryption key with the physical element ID is transmitted (S21).

This license is a physical environment specific element condition, and is in the form of a combination that is structured by using a logical sum and a logical product corresponding to the structure of the physical element. Further, in this embodiment, not only the physical environment specifying element condition that has been conventionally used but also the accounting condition based on the usage status of the user are encrypted as the ACL. The encryption and decryption of this license will be described later. If the physical element ID certificate is not added to the usage request (S18) or if it is not present in the LDAP system 42, the physical element condition designation (S19) is sent to the user system 50 for use. Returns the physical element ID certificate group generated by the administrator system 50 (S20).

On the other hand, when the content decryption key by the access control right transfer is sent from the copyright holder system 20 (S12), this content decryption key is made a secret content in the database of the key 44 in the LDAP system 42 described later. Correspond and register. When the ACL setting is sent from the copyright holder system 20 (S14), the ACL is made to correspond to the secret content, and the LDA is set.
It is stored in the access control list (ACL) in the P system 42.

The user system 50 requires a secret content distribution / request (S16) and a secret content request / acquisition unit 51 for acquiring the distributed secret content, and a license request, that is, a usage request (S18) and a license acquisition. License request / acquisition unit 52 that performs the process of (S21)
And a specific usage environment (SUE) 53 of the user system. The specific usage environment 53 refers to a specific content usage environment, and is comprehensive information such as a CPU, peripheral devices, removable storage media, IC card, content usage status, and the like.

The specific usage environment includes usage environment specific physical elements (PCSUE) 54-1 to 54-N such as a CPU and a content storage device 55-for storing contents.
1-55-M and playback devices 56-1-56-L such as players and viewers. Each PCSUE 54-1
To 54-N, each content storage device 55-1
To 55-M, and playback devices 56-1 to 56-L
Are the respective physical element IDs 57-1 to 57-N, 59
-1 to 59-M, 61-1 to 61-L, and encryption / decryption / evaluation units 58-1 to 58-N, 60
-1 to 60-M, 62-1 to 62-L.

Encryption / decryption / evaluation units 58-1 to 58-
N, 60-1 to 60-M, and 62-1 to 62-L are physical elements I of their own physical elements when encrypting each physical element.
When the data is encrypted by D and output, and each physical element is decrypted, the decryption is performed using the physical element ID of the own physical element, and the decryption result is evaluated. That is, the processing of each physical element ID is performed for each physical element so that information is not leaked even on the interface between the physical elements.

Next, the operation processing of the copyright holder system 20, the content server 30, the license server 40, and the user system described above will be described mainly with reference to the flowcharts. First, the internal processing procedure of the copyright holder system 20 will be described with reference to the flowchart in FIG.

In FIG. 2, the copyright holder system 20 is
First, it is determined whether or not an operation event has occurred (step S100). If the operation event has not occurred (step S100, none), this processing is repeated until the operation event occurs, and if the operation event has occurred (step S100, there is), the operation content of the operation event is the secret content. It is determined whether it is registration, ACL registration, or access control right transfer (step S101).

When the operation content is the secret content registration (step 101, secret content registration), the secret content registration unit 21 encrypts the content (step S110) and selects the desired content server 30 from the content server list. Is designated (step S111),
A secret content registration request is made to the designated content server 30 (step S112). After that, a response is received from the content server 30 and the response is OK.
Whether or not there is an error (step S11)
3).

If the response from the content server 30 is OK, if there is an error, the error processing is performed (step S114), and then it is determined whether or not the next content server is designated. (Step S115). If the next content server is designated (step S115, YES), the process proceeds to step S112 and the above-described processing is repeated. If the next content server is not designated (step S115, NO), step S112 is performed. The process moves to S100 and the above-described processing is repeated.

When the operation content is the ACL setting (step 101, ACL setting), the ACL setting section 23 further determines whether or not to register the designated content decryption key (step S120), and the content decryption key. If not registered (step S120, none), error processing is performed (step S124), and step S10 is performed.
The processing shifts to 0 and the above processing is repeated. On the other hand, if the content decryption key is registered (step S120, Yes), the ACL setting request is transmitted to the license server 40 (step S122), the ACL registration result is received from the license server 40 (step S123), and thereafter. The process moves to step S100 and the above-described processing is repeated.

If the operation content is transfer of access control right (step S101, transfer of access control right), the encrypted content decryption key is transmitted to the license server 40 (step S130), and the encrypted content decryption key is sent. The registration result of is received (step S131), the process proceeds to step S100, and the above-described processing is repeated.

Next, the ACL set by the ACL setting unit 23 will be described. FIG. 3 is a diagram showing an example of access conditions. There are two types of access conditions, accounting conditions and physical environment specific element (PCSUE) conditions. As shown in FIG. 3, the accounting condition, which is one of the features of the present invention, is maxCount (maximum operable number of times), and the content usage status corresponding to this is co
unt (number of times operations have been completed). An attempt is made to control access, that is, limit and authorize, by setting a limit of the maximum number of operations that can be performed on a variable value of the number of times of operations.

The content usage status corresponding to the accounting condition value of the next maxLength (maximum read length) is totalL
en (read length + requested read length), which is intended to control access by the maximum read length of the content. The content usage status corresponding to the accounting condition value of the next maxTimeLen (maximum executable time) is totalTime (executed time length), and the access is controlled by the maximum executable time of the content. Next, the usage status of the content corresponding to the accounting condition value of maxDebt (loanable amount (billing condition)) is debt (remaining amount of money), and the negative value of the remaining amount is the borrowing amount of money. To do.

As the physical environment specifying element condition, there is the computer main body first, and the class of the physical element ID corresponding thereto is PSN, which is the serial number of the processor. Here, the class is an object class on the database. The class of the physical element ID corresponding to the next peripheral device is DSN, which indicates the type of device and the serial number. Physical element I corresponding to the next medium
Class D is MSN, which indicates the media type and serial number. Physical element I corresponding to the next IC card
D is a certificate, which indicates a certificate issued by the IC card.

The next human body part is, for example, fingerprint or retina (iris) information, and the physical element ID corresponding thereto.
The class is bodyParts, which is the authentication information of the human body part. The class of the physical element ID corresponding to the next permitted time zone is timePeriod, which is a local clock or global GPS time. The next network domain indicates an area on the network, and the class of the physical element ID corresponding to this is MACAddress, which indicates a MAC address. The next geographical location indicates the country of use, and the physical element ID class corresponding to this is location
And indicates the position detected by GPS or PHS.
The class of the physical element ID corresponding to the memory of the next person is us
er-ID With Pwd, which indicates a user ID and password. The class of the physical element ID corresponding to the last group is group, which indicates a set of physical element IDs.

Such access conditions are AND and OR.
A set with a logical combination of
It is set as L. The access condition includes the accounting condition and the physical environment specifying element condition as described above, but these can be arbitrarily combined. For example, one AC
The following is set as L. That is, an ACL such as udac_acl read: ((grop = sysrapOR group = soft4soft) AND 45661244 <MSN <45661412) OR count <1; modify: user = yujiOR user = hataOR IC_card = 1afd234fe4def458c3bac78497bbda6f; print: group = sysrap; is set. can do.

According to the ACL thus set, "read"
Indicates browsing conditions, group is "sysrap" or "so
ft4soft ”and media serial number MSN
Is more than 45661244 and less than 45661412, or the number of times the operation has been performed is less than 1, that is, the condition for browsing is that the content has never been used. further,
“Modify” indicates an update condition, and the condition for content update is that the user name is “yuji” or “hata” or the “IC_card” number is “1afd234fe4def458c3bac78497bbda6f”.

"Print" indicates a print output condition,
Content can be printed only when the group is "sysrap". Such an ACL is a copyright holder system 2
It can be arbitrarily set by the copyright holder 1 from 0. This ACL setting improves the operability by using the GUI. The ACL type may be set together with the operation name. For example, the condition of access condition (1) can be selected for the operation name 1, and the condition of access condition (2) can be selected for the operation name 2. This further improves the operability.

Next, the internal processing procedure of the content server 30 will be described with reference to the flowchart shown in FIG. In FIG. 4, first, the content server 30
It is determined whether a network event is input, or if it is input, a secret content registration request or a secret content distribution request (step S200). When the network event is not input (step S200, none), the determination process in step 200 is repeated.

If the network event is a secret content registration request (step S200, secret content registration request), the secret content requested to be registered is internally registered (step S210), and the default ACL is set.
Is set (step S211). Then, the copyright holder system 20 responds to the secret content registration request (step S212), shifts to step S200, and repeats the above-described processing.

On the other hand, if the network event is a secret content distribution request (step S200, secret content distribution request), the secret content requested to be distributed is distributed to the user system 50 (step S200).
220), and then, a response to the confidential content distribution request is sent to the user system 50 (step S
221), the process moves to step S200 and the above-described processing is repeated. Thereby, the secret content can be distributed from the copyright holder system 20 to the user system 50 in a secret state via the content server 30. In this case, the traffic is distributed, high-speed transfer is possible, and the secret content can be held in advance up to the content server in the vicinity of the user system 50, so that the distribution processing can be processed at high speed.

Next, the internal processing procedure of the license server 40 will be described with reference to the flowchart shown in FIG. In FIG. 5, first, the license server 40
Determines whether the network event of the content use request is input (step S300). If no network event is input (step S30)
0, none), the determination process of step S300 is repeated.

When the network event is a content use request (step S300, content use request), the ACL of the specified content is retrieved from the LDAP system 42 (step S301), and further,
Related access conditions are extracted from the retrieved ACL to generate a new ACL (step 302). Corresponding physical element I corresponding to the extracted physical environment specific condition
It is determined whether or not there is a D certificate (step S303),
If there is a corresponding physical element ID certificate (step S30)
(3, there is a corresponding physical element ID certificate) as it is, if there is no corresponding physical element ID certificate (step S303, there is no corresponding physical element ID certificate), to the content use requester, that is, the user. After requesting the certificate from the system 50 (step S304), it is further determined whether or not there is the next physical environment specifying condition (step S305).

If there is the next physical environment specifying condition (Yes in step S305), the process proceeds to step S303 to prepare for the corresponding physical element ID certificate, and if there is no next physical environment specifying condition. (Step S305,
For none, the physical element ID certificate group is received from the content use requester, that is, the user system 50 (step S306).

After that, the license permission / generation unit 41
Search for the specified content decryption key (step S3
07), the access conditions in the ACL are rearranged in the certificate of the enforceable physical element (step S308). further,
A process of putting all AND / OR expressions in the ACL in parentheses in the order of authentication priority is performed (step S309). After that, the license permission / generation unit 41 puts the AN in parentheses.
A license generation process for generating a license is performed based on the D / OR expression (step S310). Then, the generated license is transmitted to the user system 50 (step S311), the process proceeds to step S300, and the above-described processing is repeated.

Here, the relationship between the generated license and the secret content will be described with reference to FIG. Figure 6
Shows the relationship between the license transmitted from the license server 40 to the user system 50 and the secret content transmitted from the copyright holder system 20 to the user system 50 via the content server 30.

In FIG. 6, A of the license server 40
In CL43, each secret content 71 to 75 is contained.
System ACLs 43-1 to 43-5 associated with are stored. Based on this system ACL,
For example, the licenses 84 to 86 for the secret contents 71 to 73 are generated from the system ACL corresponding to the secret contents 71 to 73 and transmitted to the user system. The licenses 84 to 86 correspond to the corresponding physical element I.
Since it is encrypted with D, no information leaks to the outside. The user system 50 can decrypt the client ACLs 81 to 83 from the licenses 84 to 86, decrypt the secret contents 71 ′ to 73 ′ corresponding to these, and obtain the respective contents.

In this case, since the secret content is also encrypted, the security is sufficient. In this way, the ACL and the secret content are associated with each other, while maintaining the secret state and different transfer routes. The state of the secret content transmitted via the transfer path including the content server 30 is represented as a virtual storage area 70.

Now, the LDAP system 42 in the license server 40 will be described with reference to FIG. In FIG. 7, the LDAP system 42 includes a plurality of L
The DAP server is provided, and the license server 40 is positioned as a client server thereof, and each LDAP server functions under the control of the license server 40. The LDAP server is an X. It is a directory server using a lightweight version of DAP protocol included in 500. The LDAP server is divided into a plurality of classes, for example, personal information 9
1, system class 92, media class 93, XML
It has a class of XML information described in.

Then, for example, when "own system" is searched in the class of the personal information 91, this system is searched from the system class 92 by "system name", and the current medium "curr" in the system class 92 is searched.
With “ent media”, the media class 93 can be searched from the media classes, and further, the XML information 94 corresponding to this content can be searched from the content in this media class 93. Information regarding the content is stored in the XML information 94.

By the way, the specific use environment of the user system 50 has a logical structure having layers shown in FIG. In FIG. 8, the specific use environment 100 includes an application layer 110, an OS kernel layer 111, and a device layer 112.
And three layers, and each layer is connected by a service interface indicated by a dotted line. Application layer 11
0 has a content reproduction / execution application 101, and internally has a secret content decryption protection library 1
02 as a program module.

Secret content decryption protection library 102
Is the storage driver 103, the file system 10
5, multiple usage environment specific physical element drivers 106 to 10
8. Operate the playback device driver. The storage driver 103 drives the content storage device, the use environment specifying physical element drivers 106 to 108 drive the use environment specifying physical elements 109 to 111, and the reproducing device driver 112 is the reproducing device 113.
Drive. Note that even with one physical device, the content storage device 1 such as an MO device is used.
04 and the use environment specifying element 109 may play two roles.

FIG. 9 shows a physical element (PCSU) specific to the usage environment.
The correspondence between the OS kernel layer 111 and the device layer 112 in E) is shown. As shown in FIG. 9, PCSUEs may have an inclusion relation. Of course, the same applies to other devices in the device layer 112. For example, PCSUE133, 1 is subordinate to PCSUE131.
34 is located, and PC is subordinate to PCSUE134.
The SUEs 135, 136 are located. PCSUEs having such an inclusion relationship can exchange data such as physical element IDs.

For example, a PCSUE of a media reproducing device such as a DVD device includes a PCSUE of a medium such as a DVD, and content data and media ID information are exchanged between them. For example, PCSUE134 and PC
Information exchange with the SUE135. Then, only the uppermost PCSUE exchanges data with the PCSUE driver. For example, PCSUE driver 120 and PCS
This is the relationship with the UE 131. Therefore, even the same device layer may have an inclusion relation and a hierarchical relation.

As described above, the license is the license information for the specific environment, and includes only the information unique to the client environment requesting the license, that is, the environment of the user system, and the ACL and the content decryption key Kc. Access information consisting of a physical element ID (PCSU
It is encrypted by E-ID).

Here, an example of the multiplexed license is as follows. That is,

[Equation 1] Is. Here, K _{1 to} K ₅ are PCSUE-I, respectively.
It is D. This license has access information K _{1 to} K ₅
Are combined by AND conditions. Multiple encryption may be performed using each PCSUE-ID in order of increasing security strength of the physical element. On the contrary, this decoding is sequentially performed from the outer PCSUE-ID.

If the security strengths of the physical elements are almost the same, each PCSUE-ID may be decrypted by the exclusive OR operation by the resulting encryption key. For example,

[Equation 2] It is good to do like. The multiplexing of these encryptions brings about an effect of risk distribution in which the risk of the content decryption key Kc being stolen due to a successful attack on some products, that is, some physical elements is distributed.

When a plurality of PCSUE-IDs are combined by an OR operator, that is,

[Equation 3] In such a case, a sublicense encrypted with each PCSUE-ID, for example, {<access information>} K ₁ is generated, and all sublicenses are simply O.
A value obtained by performing R calculation and combining may be used as a license. In this case, the above-described encryption multiplexing may be applied to each sublicense, and AND, XOR, and OR operations may be nested to generate a combined license. This also provides the effect of risk diversification.

Next, the procedure for generating such a license will be described with reference to the flowchart shown in FIG. The flowchart shown in FIG. 10 is a subroutine of the license generation processing procedure shown in step S310 of FIG. In FIG. 5, first, one word is read from the ACL described above (step S400). Then, it is determined whether or not the read word is "(" (step S410).

When the read word is "(" (step S410, "(")), the current read position of the ACL is stored as the start point of the ACL in parentheses (step S).
411). After that, the variable NB is set to "0" (step S412), and one word is further read from the ACL (step S413). After that, the read word is "("
Is determined (step S414), and if "(", "1" is added to the variable NB (step S415), the process proceeds to step S413, and the next one word is read again. read out.

On the other hand, if the read word is not "(" (step S414, other), it is further determined whether the read word is ")" (step S416). If this read word is not “)”, that is, if it is other, then step S413.
Then, one word is read from the ACL. On the other hand, if the read word is “)”, then N
It is determined whether B is "0" (step S41).
7). When NB is not "0" (step S417, N
In step S41, "1" is subtracted from the value of NB.
Then, the process proceeds to 3, and one word is read from the ACL.

When NB is "0" (step S417,
(YES), in front of the current ACL position, in parentheses A
It is stored as the end point of CL (step S419). After that, the license generation process of the ACL in parentheses is performed (step S420), and the process of adding the return value by the recursive call to the access condition AC is performed (step S4).
21) and then proceeds to step S400. This produces the ACL in parentheses.

On the other hand, if the read word is not "(" (step S410, other), it is further determined whether the read word is a physical element condition or accounting condition (step S410). If it is a condition or accounting condition, specify this condition as access condition AC
(Step S431), and this condition is set as the secret key Kp of the compulsory physical element (step S43).
2), shift to step S400, and further 1 from ACL
Read word.

When the read word is not the physical condition or accounting condition (step S410, other), it is further determined whether the read word is "OR" (step S430). The read word is "O
If it is “R”, then A after this read word
A CL license generation process is performed (step S44).
1). After that, it is determined whether or not the generated license includes AC (step S442), and if AC is included (step S442, YES), the return value of the license generation processing in step S441 is used. The license is set to "{AC, hash} Kp, return value" (step S443), and the generated license is returned (step S454). On the other hand, when AC is not included in the license (step S442, NO)
Is set to a license of “{Kc, AC, hash} Kp, return value” using the return value of the license generation processing in step S441 (step S445), and the generated license is returned (step S454).

On the other hand, when the read word is not "OR" (step S430, other), it is further determined whether or not the read word is "AND" (step S440). Read word is "AND"
, The ACL after this read word
License generation processing (step S452), and using the return value of this license generation processing, "{return value, A
C, hash} Kp ”is returned (step S
454).

Further, this read word is "AN
If it is not “D” (step S440, other),
The license that is “{Kc, AC, hash} Kp” is returned (step S454). As a result, the license is generated from the ACL.

Next, the internal processing procedure of the user system 50 will be described with reference to the flowchart shown in FIG. In FIG. 11, first, the user system 50
It is determined whether or not there is a content usage request (step S500). When there is no content usage request (step S500, none), this determination process is repeated, and when there is a content usage request (step S5).
00, present), a content use request is transmitted (step S501). After that, it is determined whether or not there is a request for the certificate of the physical element from the license server 40 (step S502), and if there is no request for the certificate of the physical element (step S502, none), step S50.
Go to 8.

On the other hand, when there is a request for a physical element certificate (step S502, Yes), the physical element ID certificate is read (step S503), and it is determined whether the reading has failed (step S504). . If the reading fails (step S504, YES), an error notification is sent to the license server (step S50).
5) and shifts to step S500. On the other hand, if the reading has not failed (step S504, NO), it is determined whether or not there is the next physical element (step S50).
6) If there is the next physical element (step S506,
Yes), the process proceeds to step S503, the next physical element ID certificate is read, and the above-described processing is repeated.

On the other hand, if there is no next physical element (step S506, none), the physical element ID certificate group is transmitted to the license server 40 (step S507), and it is further determined whether the received content is an error or a license. (Step S508). If the received content is an error (step S508, error), the process proceeds to step S500 and the above-described processing is repeated. If the received content is a license (step S508, license), further
The license is passed to the physical element (PCSUE) 1 (step S509), the process proceeds to step S500, and the above-described processing is repeated. As a result, the user system 50 can obtain the license from the license server 40.

Here, PCSUE1 indicates the first PCSUE of (N-1) PCSUEs, and is generally PC
It is indicated by SUEi, and i is an integer of 1 to (N-1).
Therefore, an internal processing procedure when each PCSUEi is given a license will be described with reference to the flowchart of FIG.

In FIG. 12, first, the PCSUEi decrypts the received license with Kpi (step 60).
0). Then, the decrypted access condition ACi is evaluated (step S601), and it is determined whether the evaluation result of the access condition ACi is acceptable or not (step S602). If the evaluation result of the access condition ACi is not acceptable (step S6)
02, impossible), error processing is performed (step S6).
04), and this processing ends. On the other hand, the access condition ACi
If the evaluation result of is valid (Yes in step S602), the decrypted license is transmitted to PCSUE (i + 1), the decryption is continued, and the internal processing of the present PCSUEi is terminated.

Next, PCSUE (i + 1) is the PCS
It corresponds to the UE (N), in which the physical element of the playback device performs internal processing, for example. This internal processing procedure will be described with reference to the flowchart shown in FIG.
In FIG. 13, first, the received license is decrypted with Kpn (step S700). Thereafter, the decrypted access condition AC (N) is evaluated (step S701),
It is determined whether this evaluation result is acceptable or not (step S702). If the evaluation result is not acceptable (step S702, Impossible), error processing is performed (step S703), this processing ends, and as a result, the secret content cannot be decrypted.

On the other hand, when the evaluation result for the access condition AC (N) is acceptable (Yes in step S702),
The secret content is decrypted with this decrypted Kc (step S704), and the decrypted content is played back by the playback device (step S705), and this processing ends.

Here, a specific license decryption process will be described with reference to FIG. In FIG. 14, the license generated by the license server 40 includes the access control list ACL and the content decryption key as the playback device 1.
Encryption using the key Kp, which is the physical element ID of 44,
Further, it is encrypted using the value of the exclusive OR of the DSN 141 which is the device serial number of the storage device and the MSN 143 which is the media serial number of the medium 142 as a key.

First, the storage device 140 reads an unwritable MSN into the medium 142, performs an exclusive OR operation of this value and the DSN of the storage device 140 itself, and decrypts the license based on the result of this operation. Becomes {ACL, Kc} Kp. This partially decrypted license is the playback device 1
44, and the playback device 144 sends the playback device 1 to the playback device 1
When the license is decrypted using the key Kp which is the physical element ID of 44, the access condition list ACL and the content decryption key Kc are acquired, and the content decryption key Kc is satisfied when the access condition indicated by the access condition ACL is satisfied. The decrypted content will be played by the playback device 144.

The above-mentioned license request and content decryption processing by license acquisition will be further described with reference to the data flow shown in FIG. In the decryption protection area in the user system 50 in FIG. 15, the license request process 152 is sent to the license server 40 with the physical element ID certificate attached in order to use the content.
At this time, the physical element ID certificate is the use environment specifying physical element 1 by the use environment specifying physical element certificate acquisition processing 153.
50 and passed by the license request process 152.

On the other hand, when the license is transmitted from the license server 40, the license acquisition processing 156 acquires this license, and the access permission processing 155 acquires the license from the license income processing 156 and, at the same time, the utilization environment specifying physical element ID. The authentication processing 154 acquires the physical element ID through the usage environment specifying physical element certificate acquisition processing 153, further acquires the usage status from the accounting processing 157, and uses these to extract the decryption key.

Then, the content decryption processing 159 decrypts the secret content 158 using the content decryption key and outputs the plaintext content. In addition, accounting process 15
7 notifies the usage status monitoring physical element 151, and the usage environment monitoring physical element 151 automatically decrements the current usage status according to usage.

By the way, FIG. 16 is a diagram showing the influence on the protection strength when each processing procedure is implemented in each entity of the specific use environment shown in FIG. From this result, it can be seen that it is preferable that the generation of the usage environment-specific physical element possession certificate is implemented in the device layer, and the accounting information protection is implemented in the device layer using the IC card. in this way,
Since the protection strength differs depending on the layer in which each processing procedure is implemented, it is necessary to implement each processing function shown in FIG. 15 in consideration of the layer arrangement.

In the above-described embodiment, the structure based on the so-called content cacheable model has been described, but the present invention is not limited to this, and it is apparent that the present invention can be applied to a structure based on the simultaneous content distribution model. Is. In this case, the content server 30 may be handled as a configuration internally arranged in the license server 40.

Further, in the above-described embodiment, it is premised that a key is used for encryption and decryption, but in this case, even if the secret key cryptosystem is used, the public key cryptosystem is used. However, any of them can be implemented, and an appropriate method may be applied depending on the applied system.

Further, the physical elements shown in the above-described embodiment are not limited to the devices fixed to the user system 50.
It includes a medium used when the user system 50 is used, that is, a portable recording medium such as a CD-ROM, a DVD, an MO, an IC card and a floppy disk. In the user system in which this portable recording medium is used, in addition to the physical elements fixed to this user system, this portable recording medium used is also included in the physical elements, and content usage control is performed. Will be. Needless to say, a fixed medium, such as a fixed hard disk device or a fixed ROM, is included in the above-mentioned physical elements in the user system 50.

[0099]

As described above, according to the present invention,
Store the information of the physical element to which the license is passed in order until the decryption key is used for decrypting the content, and generate the license by encrypting the decryption key and the usage permission condition based on the stored information of the physical element. Because I configured
It is possible to prevent illegal use of contents with high accuracy.

Further, according to the present invention, the information of the physical element to which the license is handed over in order is registered until the decryption key is used for decrypting the content, and the decryption key and the use are registered based on the registered information of the physical element. Since the license condition is encrypted to generate the license, it is possible to prevent illegal use of the content with high accuracy.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration of a content usage control system according to an embodiment of the present invention.

FIG. 2 is a flowchart showing an internal processing procedure of the copyright holder system 20 shown in FIG.

FIG. 3 is a diagram showing an example of accounting conditions and physical environment specifying element conditions.

4 is a flowchart showing an internal processing procedure of the content server 30 shown in FIG.

5 is a flowchart showing an internal processing procedure of the license server 40 shown in FIG.

FIG. 6 shows a license transmitted from the license server 40 and the copyright holder system 10 or the content server 30.
It is a figure which shows the relationship with the confidential content transmitted from.

FIG. 7 is a diagram showing a configuration of an LDAP system 42 shown in FIG.

FIG. 8 is a diagram showing a layer logical structure of a specific use environment.

FIG. 9 is a diagram showing an example of physical elements having an inclusion relation.

FIG. 10 is a detailed flowchart showing a license generation processing procedure.

11 is a flowchart showing an internal processing procedure of the user system 50 shown in FIG.

FIG. 12 is a flowchart showing a license decryption processing procedure by the use relationship specifying physical element.

FIG. 13 is a flowchart showing a license decryption processing procedure by a physical element of a playback device.

FIG. 14 is a diagram showing an example of a license decryption process.

FIG. 15 is a data flow diagram showing content decryption processing by license request and license acquisition.

FIG. 16 is a diagram showing an influence on protection strength when each processing procedure is implemented in each entity of the specific use environment.

FIG. 17 is a diagram showing a conventional access control model.

FIG. 18 is a diagram showing a schematic configuration of a content usage control system corresponding to a conventional access control model.

FIG. 19 is a diagram showing an improved access control model.

FIG. 20 is a diagram showing a content distribution model of a conventional content usage control system.

FIG. 21 is a diagram showing a content cacheable model.

22 is a diagram showing a schematic configuration of a content usage control system corresponding to the content cacheable model shown in FIG. 21. FIG.

FIG. 23 is a diagram showing a schematic configuration of a content usage control system that realizes a content simultaneous distribution type model.

[Explanation of symbols]

1 Copyright Holder 2 User 10 Content Usage Control System 20 Copyright Owner System 21 Secret Content Registration Unit 22 Access Control Right Transfer Unit 23 ACL Setting Unit 30 Content Server 40 License Server 41 License Permission / Generation Unit 42 LDAP System 43 Access Control List (ACL) 44 Key 50 User system 51 Hidden content request / acquisition unit 52 License request / acquisition unit 53 Specific usage environment 54-1 to 54-N Usage environment specific physical element 55-1 to 55-M Content storage device 56 -1 to 56-L Playback devices 57-1, 59-1, 61-1 Physical element IDs 58-1, 60-1, 62-1 Encryption / decryption / evaluation unit

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) G06F 15/00 330 G06F 15/00 330Z H04L 9/08 H04L 9/00 601D (72) Inventor Yuji Miyazawa Kanagawa 4-1-1 Kamiodanaka, Nakahara-ku, Kawasaki-shi, Fukushima F-term within Fujitsu Limited (reference) 5B017 AA03 AA06 BB09 BB10 CA16 5B085 AA08 AE08 AE23 AE29 BC02 BG02 BG07 5J104 AA12 AA16 EA04 EA15 MA01 NA02

Claims (15)

[Claims] 1. A license is managed together with a decryption key for decrypting the encrypted content, and the decryption key and the license condition are encrypted as a license in response to a content usage request from a user. A license management device provided to a user, comprising: a physical element path storage unit that stores information on physical elements to which licenses are sequentially transferred until the decryption key is used to decrypt the content; A license management device comprising: a license generation unit that generates a license by encrypting the decryption key and the use permission condition based on the information of the physical element stored by the unit. 2. The physical element information stored by the physical element path storage means includes unique identifiers of a plurality of physical elements to which licenses are sequentially transferred, and the license generation means uniquely identifies the plurality of physical elements. The license management device according to claim 1, wherein the license is generated by combining the identifier and encrypting the decryption key and the usage permission condition. 3. The license generation means decrypts the element conditions that can be enforced by each physical element among the element conditions constituting the usage permission condition from the license received by each physical element using a unique identifier. The license management device according to claim 2, wherein the license management device is encrypted in a possible form. 4. The plurality of physical elements in which the unique identifiers are stored by the physical element route storage means are a recording medium, a recording device and a reproducing device, and the license generation means is
4. The license management device according to claim 2, wherein encryption is performed based on a unique identifier of the recording medium, the recording device and the reproducing device. 5. The license generation means encrypts using the unique identifier of the reproducing apparatus, and then encrypts using the exclusive OR of the unique identifier of the recording medium and the unique identifier of the recording apparatus. The license management device according to claim 4, wherein the license management device is a license management device. 6. A license, which manages the decryption key for decrypting the encrypted content, manages the usage permission condition of the content, and encrypts the decryption key and the usage permission condition in response to a content usage request from the user to obtain a license. A license management method provided to a user, wherein a physical element route registration step of registering information of physical elements to which licenses are sequentially transferred until the decryption key is used for decrypting content, the physical element route registration And a license generation step of generating a license by encrypting the decryption key and the use permission condition based on the information of the physical element registered in the step. 7. The physical element information registered in the physical element path registration step includes unique identifiers of a plurality of physical elements to which licenses are sequentially transferred, and the license generation step includes a unique identifier of the plurality of physical elements. 7. The license management method according to claim 6, wherein the license is generated by combining the identifier and encrypting the decryption key and the usage permission condition. 8. The license generation step decrypts the element conditions that can be enforced by each physical element of the element conditions that constitute the usage permission condition from the license received by each physical element using a unique identifier. The license management method according to claim 7, wherein encryption is performed in a possible form. 9. The plurality of physical elements in which the unique identifiers are stored in the physical element route storing step are a recording medium, a recording device and a reproducing device, and the license generating step includes
9. The license management method according to claim 7, wherein encryption is performed based on a unique identifier of the recording medium, the recording device, and the reproducing device. 10. The license generation step comprises: encrypting using the unique identifier of the reproducing apparatus, and then encrypting using the exclusive OR of the unique identifier of the recording medium and the unique identifier of the recording apparatus. The license management method according to claim 9, wherein the license management method is used. 11. A license is managed together with a decryption key for decrypting the encrypted content, and the decryption key and the license are encrypted as a license in response to a content usage request from the user. A license management program provided to a user, wherein a physical element path registration procedure for registering information of physical elements to which licenses are sequentially transferred until the decryption key is used for decrypting content, and the physical element route registration A license management program, which executes a license generation procedure of encrypting the decryption key and the use permission condition to generate a license based on the information of the physical element registered by the procedure on a computer. 12. The physical element information registered by the physical element route registration procedure includes unique identifiers of a plurality of physical elements to which licenses are sequentially transferred, and the license generation procedure is unique to the plurality of physical elements. The license management program according to claim 11, wherein a license is generated by combining the identifier to encrypt the decryption key and the usage permission condition. 13. The license generation procedure includes decrypting an element condition that can be enforced by each physical element of the element conditions that constitute the usage permission condition from a license received by each physical element using a unique identifier. The license management program according to claim 12, wherein the license management program is encrypted in a possible form. 14. A plurality of physical elements whose unique identifiers are registered by the physical element route registration procedure are a recording medium, a recording device, and a reproducing apparatus, and the license generating procedure is the recording medium, recording apparatus, and a reproducing apparatus. 14. The license management program according to claim 12, wherein the license management program is encrypted based on a unique identifier of the license management program. 15. The license generation procedure comprises encrypting using a unique identifier of the reproducing apparatus, and then encrypting using an exclusive OR of the unique identifier of the recording medium and the unique identifier of the recording apparatus. 15. The license management program according to claim 14, which is characterized in that.