JP2003195753A - Ciphering method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To permit contents reproduction only once and to move them after recording them in a medium. <P>SOLUTION: A recording and reproducing device is provided with: a ciphering means for ciphering, by each unit block, information in which a plurality of unit blocks are continued; a recording means for recording the ciphered information; and a deciphering means for deciphering and reproducing, by the unit block, the plurality of unit blocks of the ciphered information read from a recording medium. The seed of a cipher key for ciphering the unit block and the seed of the cipher key for deciphering the ciphered unit block are based on one or more unit blocks other than a prescribed unit block or the information for which one or more unit blocks other than the prescribed unit block are ciphered. In recording data ciphered by the method on the recording medium requiring driving, the cipher key or the seed of the cipher key is recorded in a memory attached to the recording medium. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption method for encrypting content whose viewing is restricted, and more particularly to a method for managing an encryption key used in encryption and a seed for the encryption key.

[0002]

2. Description of the Related Art Conventionally, contents such as video and audio have been recorded on tape-shaped recording media such as video tapes and audio tapes, or on disk-shaped recording media such as CDs and DVDs. It has been a problem that content recorded on the medium is illegally copied by an act such as dubbing.

In addition, a digital system has come to be adopted when recording contents such as video and audio, and the contents are distributed not only by recording on the above-mentioned medium but also by data distribution or the like, which is illegal. Copy protection is becoming more important.

Next, a method of restricting copying of digital content data will be described. In recent years, due to the widespread use of digital distribution of video and audio as described above, content providers that distribute content have placed restrictions on digital content data such as "copy prohibited" and "copy once". . Further, in the case of analog copying, by inserting a copy guard signal into the content, when copying the content, the image of the copied content is disturbed.

A typical copy guard adopting such a method is called a macrovision system (pseudo sync pulse system, color stripe system). This is because by recording a certain signal in the specific part of the analog signal of the content for which "copy prohibition" is restricted, even if this content is recorded, the recording device recognizes the signal embedded in the specific part and records it. In order to
This is a method in which when the screen after copying is reproduced, the screen becomes unpleasant for viewing due to the influence of the above-mentioned signal. Note that this method is adopted for PPV (Pay Per View) programs of digital broadcasting.

However, with this type of copy guard, copying can be performed in a normal state simply by removing a signal that disturbs the screen, and therefore, a device for avoiding this copy guard has been commercially available.

[0007] In addition, for the content which is restricted to "copy once", the copy generation is managed to prevent copying more than a specified number of times. A typical example of this is CGMS (Copy Generation Manage).
ment System) is called. This incorporates a specific digital signal (1. No copy, 2. Copy one generation only, 3. Unlimited copy) into a specific portion of the digital signal of the content, and the digital recording device identifies this signal. By doing so, it is a method of limiting copying as directed by the particular digital signal embedded in the content. Note that the CGMS method is also used for MD (mini disk) copy generation management.

However, in the above-mentioned CGMS system, the copy guard can be canceled by rewriting the flag relating to the copy generation from the "copy not possible" to the "copy possible".

In view of the above, in the DVD, the digital content data itself is encrypted and recorded on the medium. Therefore, even if the data is taken out from the DVD as it is, the encrypted content is taken out, and since it is difficult to take out the encryption key, the digital signal which is not actually encrypted is copied. It's getting harder.

DE, which is one of such encryption methods
The S (Data Encryption Standard) will be described. D
ES is a block cipher having a size of 64 bits for the plaintext (original text), ciphertext, and cipher key. However, the encryption key is 6
It is a block cipher with a size of 4 bits. However,
Since the encryption key uses 8 bits out of 64 bits for parity, the substantial length of the encryption key is 56 bits.

The basic structure of the DES is shown in FIG. After swapping the bits so that adjacent bits of the plaintext are approximately 32 bits apart, the same 16-stage transformation is applied repeatedly. In each stage, the top 32 input from the previous stage
L _n-1 of the bits and R _n-1 of the lower 32 bits are grouped together, and are converted into L _n and R _n by using a 48-bit key K _n input from the key generation unit. Output to the next stage. After exchanging L ₁₆ and R ₁₆ of the 16th stage output, each bit is replaced by IP ⁻¹ to output the ciphertext. On the other hand, the key is 8 by the selective replacement PC-1.
The parity pits of the bits are removed and the remaining 56 bits are replaced.

After that, the upper 28-bit C _n and the lower 28
1 shift for each D _n of bits
A key K _n is created for each step while repeating 6 steps. Figure 1
The 16-stage conversion unit that is the basic unit of the DES shown in FIG. 2 has the structure shown in FIG.
_n−1 , R _n−1 ) and the output (L _n , R _n ) of the next stage satisfy the following relationship. _{L n = R n-1,} R n = L n-1 EXORf In _{(R n-1, K n} ) where, EXOR indicates an exclusive OR function _{f (R n-1, K} n) Further has the structure shown in FIG.

The input R _n-1 to the f-function consists of 32 bits, but is expanded to 48 bits by the expansion replacement E. Next, the 48 bits and K _n are subjected to exclusive OR in bit units, and then divided into eight 6-bit units, each of which is input to the S box of S _{1 to} S ₈ . In each S box, a 6-bit input is non-linearly converted into a 4-bit output. Finally, the bit position of the 32 bits obtained by combining 8 bits of the output is replaced by the replacement P, and f
The output is (R _n-1 , K _n ).

Solving the equations L _n = R _n-1 and R _n = L _n-1 EXORf (R _n-1 , K _n ) which are basic transformations of DES, (L _n-1 , R _n-1 ) Is expressed by (L _n , R _n ), the following equation is obtained. R _n-1 = L _n , L _n-1 = R _n EXORf (R _n-1 , K _n ) = R
_n EXORf (L _n , K _n ) Thus, the operation of obtaining (R _n-1 , L _n-1 ) from (R _n , L _n ) is performed from (L _n-1 , R _{n -1} ) to (L _n , R _n ) has the same structure. This property means that decryption can be performed with the same conversion as encryption.

[0015]

However, for example, a PPV program of digital broadcasting is restricted by "copy prohibition", so that the content can be viewed only once, but the viewer can watch the PPV program. I had to see it at a fixed time. As described above, with respect to the content of “copy prohibition”, even if the copyright holder intends to permit the content to be viewed only once, the time period for actually viewing the content is limited. It was In addition, when recording "copy prohibited" contents on a recording medium and allowing viewing only once,
There has not been established a method that makes it impossible to reproduce the content once the content is viewed. Further, in order to realize this, it is difficult to realize that it is difficult to erase the data at the end of viewing while reproducing the content. For example, in a personal computer or the like, the data on the hard disk is deleted only by erasing the FAT of the file system, and thus the data is not actually deleted.

On the other hand, the contents of "copy once" are
For example, even when recording is performed by a recording / reproducing apparatus that is a combination of a VTR and an HDD (hard disk drive), if recording is performed on either medium once, further recording cannot be performed because it is a second copy. Therefore, it was not possible to re-record only the desired program on the storage medium after viewing once. Like this, "copy once"
As for the content, even if the copyright holder intends to limit the content to one medium, the content recorded once is actually recorded on another medium and the original recording medium The so-called movement of contents, which erases the recorded part, was not permitted.

Further, regarding encryption, it has become easier to know the encryption key due to the improvement in computer performance.
And using a fixed key for one piece of content means that if the key can be known, all the content has been decrypted, and as a result, digital content can be illegally copied. . Therefore, in order to avoid this, there is a method of changing the key every time. As a result, even if the key used to encrypt a part of the content is known, the entire content is not decrypted, and the security is increased as compared to the case where a fixed key is used. The key used for encryption is calculated when multiple keys are generated during decryption. It is necessary to store the key or the seed of the key separately. There is a drawback that it grows in proportion to the number of keys. Here, the “key seed” represents the information that is the basis of key generation.

Further, regarding the encryption, Japanese Patent Laid-Open No. 9-107
As described in Japanese Patent No. 536, as an encryption process in the block chaining method, P1 is made to depend on an encryption key K and an initial value IV, and encryption is performed using an encryption function E1.
Pi (2 ≦ i ≦ n) is sequentially encrypted using the encryption function E2 depending on the encryption keys K and (Pi−1), and the encrypted data blocks (C1, C2, ..., Cn). A method of generating is disclosed. However, in this case, since the encryption key K is fixed, there is a problem that there is a high risk of decryption.

[0019]

In order to solve the above-mentioned problems, when encrypting information in which a plurality of unit blocks are continuous for each unit block, an encryption key for encrypting a predetermined unit block is used. The seed is an encryption method that is one or a plurality of unit blocks other than the predetermined unit block, or an encryption method that is information obtained by encrypting one or a plurality of unit blocks other than the predetermined unit block. There is provided an encryption method characterized in that, when the encrypted information is recorded on a recording medium, the encryption key or the seed of the encryption key is recorded by a memory provided integrally with the recording medium.

The encryption method according to claim 1, wherein the plurality of unit blocks have a reproduction order.

Further, the encryption method according to claim 2, wherein seeds of an encryption key for encrypting the predetermined unit block are chained at least twice.

[0022]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of an encryption method according to the present invention will be described below with reference to the drawings. When the digital content data is AV data sent from a broadcasting station and is "copy prohibited", the digital content data is recorded and reproduced as a recording / playback device that allows the program to be viewed only once at an arbitrary time after the broadcast time. A VTR will be described as an example.

In the present embodiment, such a digital VTR is realized by allowing the content "copy prohibited" to be viewed only once. MP for videotape
The transport stream (TS) of EG (Motion Picture Expert Group) is recorded. DES is used for encryption / decryption.

FIG. 4 is a diagram showing a recording section of a digital VTR incorporating an encryption section to which the encryption method according to the present invention is applied. MPE by tuner 1 and external signal input unit 2
The G TS is input and sent to the switch circuit unit 3.
Here, according to the instruction issued by the user interface 200, a signal is sent from the tuner 1 or the external signal input unit 2 to the recording signal processing unit 4. A time code, an absolute track number, etc. are generated for the signal sent to the recording signal processing unit 4. After that, the signal is sent to the encryption unit 5 to encrypt the data. Then, it is recorded on the tape 100 in the recording unit 6. In addition to the video signal and the audio signal, a time code or the like is recorded on the tape 100, for example, in a sub code area. The encryption key generated by the encryption unit 5, the seed of the encryption key, or the like is recorded in the memory attached to the tape.

FIG. 5 is a diagram showing a reproducing unit of a digital VTR having a built-in decoding device for decoding a signal encrypted by the encryption method according to the present invention. First, the reproducing unit 10 reads the signal of the tape 100. At the same time, the memory reading unit 14 reads the encryption key or the seed of the encryption key recorded in the memory attached to the cassette tape. The read signals are sent to the decoding unit 9. Therefore, after the data is decoded, it is sent to the reproduction signal processing unit 8 and subjected to error correction and the like, and then output to the monitor 300 via the external signal output unit 7.

As described above, in the digital VTR having the configuration shown in FIGS. 4 and 5, when the digital content data of "copy prohibited" is recorded, the signal indicating "copy prohibited" is recorded by the CGMS described above. . For example, in digital broadcasting, TS is digital copy control d
There is a descriptor called escriptor, and digitalre
There is a 2-bit field called cording control data (digital copy control information). In the field, for example, "copy permitted" = 00, "copy once" = 10,
It is described as “copy prohibition” = 11. When the digital VTR detects 2 bits of "11" in the input signal, a certain C
The initial value IV = h _i (Const _i ) is calculated using onst _i as the input of the initial vector generation function h _i .

The initial value IV serves as a key seed when encrypting the first unit block of the input content. Therefore, if the initial value IV is easily known, the encrypted content may be decrypted.
The initial value IV is recorded on a medium that is difficult to analyze. For example, a memory attached to a video tape is used as the medium.

A concrete structure of the video tape is shown in FIG. As shown in the figure, a non-contact type memory chip 12 is provided in the housing of the tape 11. This memory chip includes a non-volatile memory and its control circuit. Having a non-volatile memory allows the information in that memory to be read at any time while the tape is inserted into the VCR. Therefore, the initial value IV can be read regardless of the current position of the tape. Also,
Since the memory is a non-contact type, an antenna 13 is provided for exchanging data with the interface. Furthermore, by recording the start address of the part that is allowed to play in the memory, if the current position of the tape is the part where the play is not allowed, the tape is fast-forwarded to the start address of the part that is allowed to play. Or, it becomes possible to rewind.

The internal structure of the non-contact type memory chip is shown in FIG. As shown in the figure, it includes a power circuit 14, an RF processing unit 15, a controller 16, and a ROM 17. Power is supplied externally via the antenna. The power supplied to the power circuit is supplied to the RF processing unit 15, controller 16, ROM 1
7 is supplied. The RF processing unit 15 is where the received signal is demodulated. The controller 16 controls decoding of the received signal and writing to the ROM 17. It can also be realized by having a contact-type non-volatile memory instead of a non-contact type. A method of actually managing data by attaching a memory to a tape is disclosed in Japanese Patent Laid-Open No. 2000-173237.

First, assuming that the unit block is 184 bytes, the initial value IV is used as the input of the key generation function g to generate the key K.
Calculate ₁ = g (IV, Const). After that, K _i is
It represents a key used when encrypting / decrypting the i-th block. Also, Const represents other information that is the basis of key generation. Here, assuming that the Const information changes with time within the same content, the Const information must be stored. Also, if the information changes with time, a large-capacity memory for storing all the changed information must be used.
It is assumed that nst consists of constant parameters in the same content such as an ID unique to a video deck. Since DES is used for encryption / decryption, the key K _i needs to be 56 bits. Therefore, the initial value I
It is preferable that the total number of bits of V and Const is 56 bits or more. Because the key generation function g is 1: 1
This is because it is easy to infer the initial value IV or Const from the key K _i if it is a function. Therefore, the key generation function g is n (n
≧ 2) Make a one-to-one function.

Next, the encryption method according to the present invention will be described with reference to FIG. The value of 184 bytes of the unit block excluding the 4 bytes of the header from the 188 bytes of 1 TS packet is the number of bytes in the area in which AV data is recorded. There are 23 DES encrypted block 64-bit blocks in the 184 bytes that are the AV data of the TS packet P (1). Then, each of these 23 blocks is encrypted with the encryption key K ₁ of the TS packet P (1). The encrypted P (1) is described as C (1). The same operation is performed for the TS packets P (2), P (3), ....

Next, the key K ₂ used for encryption of P (2)
Explain how to create. Key K ₂ = g (S ₁ , Const)
It is defined as Here, S ₁ is defined as S _i = h (P (i)), where h is the key seed generation function. That is, the plaintext of the previous unit block is used as the key seed. This makes the key variable for each unit block,
Even if one key is known, it is difficult to decrypt all plaintexts. In addition to this, there is a method of making a key variable by preparing a plurality of key seeds, but it is necessary to separately store the seeds of all keys. But,
When the method of the present invention is adopted, since the variable part of the key seed is the plaintext obtained by decrypting the ciphertext recorded on the hard disk, it is difficult to analyze and it is not necessary to store it in another area. . After K _3, K ₃ = g (S ₂ , Cons
t), K ₄ = g (S ₃ , Const), ...

On the other hand, when reproducing, the initial value I on the memory
Read V to generate key K ₁ and encrypt P (1). At this time, S ₁ is also generated from P (1) at the same time. next,
The key K ₂ is generated from the S ₁ and P (2) is encrypted. The outline of encryption and decryption is shown in FIG. Further, in the above-described embodiment, the seed of the encryption key is generated from the previous unit block, but the seed of the encryption key of the unit block may be generated from any one unit block in the past, for example, You may use the unit block two before.

Next, a description will be given of a method of preventing the part that has been once reproduced from being seen when the "copy prohibited" content is reproduced halfway. TS as shown in FIG.
It is assumed that packets C (1) to C (4) are reproduced. As described above, first read the initial value IV and then C
Decoding starts from (1). Then, when the decoding of C (4) is finished, the reproduction is finished. Where next time C
The initial value IV recorded in the memory is erased so that the data from (1) to C (4) cannot be reproduced. This causes the key K ₁ to decrypt C (1)
Can no longer be generated. But next time, C
In order to start reproduction from (5), the seed S ₄ of the key K ₅ for decrypting C (5) must be recorded. Therefore, the initial value IV is erased from the memory when the reproduction is started, or moved to the buffer if necessary thereafter. Then, when the reproduction is finished, S ₄ is recorded in the memory. As a result, the next time, C (1) to C (4) cannot be decoded, and thus reproduction cannot be performed. On the other hand, by recording the start address of P (5) together with S ₄ in the memory, reproduction from C (5) onward can be performed from the next time. In this example, S _i is the seed of the key K _{i + 1} used to decrypt C (i + 1), but two initial values IV ₁
And IV ₂ and may be the seed of the key K _{i +2} of using S _i to decrypt C (i + 2) by having a. Similarly,
By having the initial value IV three, four, ... and, S _i
Can be used as seeds for decoding unit blocks three or four ahead. Further, a plurality of seeds of K _{i + 2} may be set as S _i and S _{i + 1} , that is, a key may be generated based on two or more plaintexts in the past. The fact that S _i is the seed of K _{i + 1} , S _{i + 1} is the seed of K _{i + 2} , ... Is called “chained” hereinafter.

Originally, the content of "copy prohibited" is broadcast for the purpose of being viewed only once at the time of broadcasting. Therefore, there is a possibility that it will be against the intention of the copyright holder to rewind and watch the reproduced portion, and thus it may not be permitted. However, it is natural that the current content of "copy prohibited" cannot be rewound and viewed, but it is possible to view it from the middle. Therefore, in the case of "copy prohibited" content, only fast-forwarding may be permitted. Therefore, if fast-forwarding is performed by the method described above, even if data is recorded on a randomly accessible hard disk or optical disk, it is always C (1).
I have to decrypt from. Therefore, if the content is viewed from the latter half, it takes a very long time to access that content. Therefore, the following configuration can be considered.

FIG. 10 shows its outline. The arrow in the drawing indicates that the information at the starting point of the arrow serves as a seed of a key for encrypting the information pointed to. Frequently resetting the chain of adjacent blocks, instead of resetting, a block called P (2-1) is provided next. P (2-
1) is encrypted with a key using the initial value IV as a seed.
Then, P (2-1) becomes a seed of the encryption key of P (2-2) and P (3-1). With such a configuration, when it is desired to access P (3-4), for example, the initial value IV →
P (2-1) → P (3-1) → P (3-2) → P (3-
3) → P (3-4) Decoding in the order makes it possible to access in a short time. Such a structure will be hereinafter referred to as two “hierarchies”. And P
(2-1), P (3-1), P (4-1), ... Will be referred to as “second layer”. In the above-described embodiment, the case where the number of layers is two has been described, but the number of layers may be three or more. However, if the number of layers is three or more, the time required for random access is shortened, but the method of encryption / decryption is complicated. From here, a function for generating a seed of a key for encrypting / decrypting the unit block of the first layer is h ₁ , and a function for generating a seed of a key for encrypting / decrypting the unit block of the second layer. Is described as h ₂ , ... Further, the seed of the key K _3-1 generated by P (2-1) in the second layer is T _2-1 and the seed of the key K _4-1 generated by P (3-1) is T _{3-. 1} , ...

Next, a method of making the once reproduced portion of the content unviewable in the case of a plurality of layers will be described. As shown in FIG. 11, the TS packet C
It is assumed that (1-1) to C (2-3) are reproduced. At the start of reproduction, the initial value IV is recorded in the memory. Then, the initial value IV is erased from the memory when the reproduction is started, or moved to the buffer when necessary thereafter, and when the reproduction is completed up to C (2-3), T
Record _2-1 and S _2-3 in the memory. The reason why S _2-3 is recorded is that K _2-4 is generated as in the case of not having a plurality of layers, that is, reproduction is possible from C (2-4). On the other hand, when the reproduction is completed up to C (2-3) and the next reproduction is to be performed from C (4-1), in order to randomly access C (4-1) of the second layer as quickly as possible, T The fastest way is to go from _{2-1 to} C (3-1) to C (4-1). Therefore, for random access, T
_{2-1 is} also recorded in the memory. Furthermore, reproduction from C (2-4) and random access become possible.

Up to this point, the description has been given of the case of recording "copy prohibited" digital contents on the digital VTR.
In this embodiment, 184 bytes corresponding to the digital content data of the MPEG TS packet has been taken as the size of the unit block, but this can take various sizes depending on the application.
When the chain as shown in FIG. 8 or FIG. 10 is performed through one content, the data may not be correctly reproduced by mistakenly reading or recording the data in the middle. In this case, since an error at one place occurs due to chaining after that, in order to prevent this, the initial value IV
It is also possible to reset the chain starting from multiple times within the same content. For example, by preparing a plurality of initial values IV as shown in FIG. 12, the chain is reset a plurality of times, so that error propagation can be prevented.

Although only the digital VTR has been described in this embodiment, in the case of "copy prohibited" contents, it can be realized by a hard disk recorder, an optical disk recorder, or the like.

Up to now, the case of the content of "copy prohibited" has been described, but hereinafter, when the digital content data sent from the broadcasting station is "copy once", the program is classified into one. As an example of a recording / reproducing apparatus capable of recording only on a medium, a recording / reproducing apparatus combining a hard disk recorder and a digital VTR will be described. In the embodiment of the present invention, the content of "copy once" can be recorded only once onto another medium, thereby realizing a recording / reproducing apparatus combining such a hard disk recorder and a digital VTR. . MPEG TS is recorded on the hard disk of the hard disk recorder and the VTR video tape.
Then, DES is used for encryption / decryption.

FIG. 13 is a block diagram of a recording section of a recording / reproducing apparatus in which a hard disk recorder according to an embodiment of the present invention and a digital VTR are combined. In the figure, the tuner 1 and the external signal input unit 2 are used for MPEG.
TS packet is input and sent to the switch circuit unit 3. Here, according to the instruction issued from the user interface 200, a signal is sent to the tape recording signal processing unit 12 or the disk recording signal processing unit 14. A time code, an absolute track number, etc. are generated for the signal sent to the tape recording signal processing unit 12. After that, it is sent to the tape recording unit 13 and digitally recorded on the tape 300. On the tape 300, a time code, an absolute track number, etc. are recorded in, for example, a subcode area in addition to a video signal and an audio signal. Further, a time code or the like is generated for the signal sent to the disc recording signal processing unit 14. Then, it is sent to the disc recording unit 15 and digitally recorded on the disc 100. In addition to the video signal and the audio signal, the time code and the absolute track number are recorded on the hard disk as well as the tape. Tape reproduction signal processing unit 18
Is for reproducing a signal recorded by a digital VTR, and by transmitting the reproduced signal to the disc recording signal processing section 14, data can be copied.

FIG. 14 is a block diagram of a reproducing section of the digital signal recording / reproducing apparatus of the present invention. At the time of tape reproduction, the tape reproduction unit 19 reads the signal of the tape 300. Then, the signal is the tape reproduction signal processing unit 18
To the switch circuit unit 3 and the disc recording signal processing unit 14 after error correction and the like are performed there. When the disc is reproduced, the disc reproducing unit 21 reads the signal of the disc 100. Then, the signal is sent to the disc reproduction signal processing unit 20, where error correction and the like are performed, and then sent to the switch circuit unit 3. Then, according to the instruction issued by the user interface 200, the reproduction signal of the tape 300 or the disc 1
00 reproduction signal via the external signal output unit 16
Output to 00.

Next, a description will be given of the recording of the digital content data of "copy once" by the recording / reproducing apparatus in which the hard disk recorder having the configuration shown in FIGS. 13 and 14 is combined with the digital VTR. The signal indicating "copy once" is recorded by the CGMS in the same manner as the signal indicating "copy prohibited". For example, in digital broadcasting, there is a descriptor called digital copy control descriptor in TS, and digital recording control
There is a 2-bit field called rol data (digital copy control information). In the field, for example, “copy permitted” = 00, “copy once permitted” = 10, and “copy prohibited” = 11 are described. When the recording / reproducing apparatus detects 2 bits of “10” in the input signal, a constant Const _i is input to the initial vector generation function h _{i for} the same content, and the initial value IV = h _i
Calculate as (Const _i ). Hereinafter, the encryption is performed as in the case of "copy prohibition". Also, unlike the content that is "copy prohibited", the content that is "copy once" can be repeated many times. Therefore, the content that is "copy once" can be recorded only on another medium. We will delete the key. For example, as shown in FIG. 9, when C (1) to C (4) recorded on the tape starts to be recorded on the hard disk, the initial value IV is erased from the memory and the recording up to C (4) is completed. Then, the seed S ₄ is recorded in the memory. Therefore, at the time of reproduction, the initial value IV of the memory is referred to, but neither recording nor erasing is performed on the memory. And if you want to remove the tape in the middle,
It is necessary to record the seed of the corresponding encryption key in the memory so that the seed can be seen from the position when it is inserted next time.

As for the contents of "copy prohibited", since the contents of PPV of digital broadcasting are originally broadcast with the intention that they can be viewed only once, when reproduced from a unit block in the middle, the contents of the data before that are reproduced. Regeneration was not allowed and it didn't need to be considered. However, it is also possible for the viewer to copy only the desired portion. For example, as shown in FIG. 15, C (2
It is also possible to copy -3) or later to the hard disk so that it can be played back on the tape before that. As the method, first, copying from C (2-3) to the hard disk is started, and when the unit block C (2-3) is completely copied, the data itself of C (2-3) is deleted or C (2-3) is deleted. Rewrite the data of 2-3) to irrelevant data. Then, the data in the memory is not rewritten. As a result, when the copying is completed, C (2-3) cannot be decrypted because the data itself does not exist, and at the same time, _K2-4 cannot be generated. However, the initial values IV and C (2
The initial value IV → C (2-
1) → C (3-1) →, which enables decoding after C (3-1). Therefore, to avoid this, C
At the time when copying is completed up to (3-1), C (3-1) is erased as well as C (2-3). This makes reproduction impossible after C (3-2). Further, for example, when copying from C (2-3) to C (3-3), C (2-3) and C (3-1) can be obtained by combining the above.
And erase T _3-1 and S _3-3 in the memory.

In the above, the description has been given of the recording / reproducing apparatus in which the hard disk recorder and the digital VTR are combined to record the "one-time copying allowed" digital contents. A hard disk recorder and a digital VTR
Although only the recording / reproducing apparatus in which the and are combined has been described, in the case of the content of "copy once", the hard disk drive unit can be replaced with any recording apparatus.

[0046]

As described above in detail, according to the encryption method of the present invention, the content of "copy prohibition" can be viewed only until the broadcasting until now. Content can now be viewed only once at the time you want to watch. Also, "copy once"
The contents can be copied and edited on another medium only once after being recorded on the medium. At that time, the security of the data on the tape is guaranteed by being encrypted. Furthermore, if you see the content halfway to the "copy prohibited" content, it is possible to realize the function of making it impossible to play back to the middle point by the method of deleting the seed of the decryption key up to that point. Is. Similarly, the content that is "copy once" can be made unplayable in the portion copied to another medium. Further, if the seed of the encryption key is a plaintext other than a predetermined unit block or a ciphertext, it is possible to realize a function of disabling reproduction after a desired block. By adopting the chaining method, the capacity of the key seed information to be recorded can be very small. Further, by recording the encryption key or the seed of the encryption key in the memory attached to the tape, it is possible to make a specific portion of the tape unreproducible even in a tape-shaped recording medium that cannot be randomly accessed.

[Brief description of drawings]

FIG. 1 is a diagram showing a basic configuration of a DES.

FIG. 2 is a diagram showing a structure of a 16-stage conversion unit which is a basic unit of DES.

FIG. 3 is a diagram showing a structure of a function f used in DES.

FIG. 4 is a block diagram showing a configuration of a recording unit of a digital VTR to which the encryption key management method according to the present invention is applied.

FIG. 5 is a block diagram showing a configuration of a reproducing unit of a digital VTR that reproduces a signal recorded by applying the encryption key management method according to the present invention.

FIG. 6 is a diagram showing a configuration of a video tape which is recorded by applying the encryption key management method according to the present invention and which has a nonvolatile memory in a housing.

FIG. 7 is a diagram showing a configuration of a non-contact type memory chip provided on a video tape, which is recorded by applying the encryption key management method according to the present invention.

FIG. 8: MPEG T in the encryption method according to the present invention
It is a figure which shows the structure of S, and the outline of encryption.

FIG. 9 is a diagram showing encryption by the encryption method according to the present invention, decryption method, and decryption by the decryption device.

FIG. 10 is a diagram showing a method for reproducing content encrypted by the encryption method according to the present invention.

FIG. 11 is a diagram showing an example of encryption by the encryption method according to the present invention.

FIG. 12 is a diagram showing another reproduction method of content encrypted by the encryption method according to the present invention.

FIG. 13 is a diagram showing another example of encryption by the encryption method according to the present invention.

FIG. 14 is a block diagram showing a recording unit of a recording / reproducing apparatus in which a hard disk recorder to which the encryption key management method according to the present invention is applied and a digital VTR are combined.

FIG. 15 is a block diagram showing a reproducing unit of a recording / reproducing apparatus in which a hard disk recorder to which the encryption key management method according to the present invention is applied and a digital VTR are combined.

FIG. 16 is a diagram showing a reproducing method of a recording / reproducing apparatus in which a hard disk recorder to which the encryption method according to the present invention is applied and a digital VTR are combined.

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04N 5/91 H04N 5/91 P (72) Inventor Takayuki Sugawara 3-12 Moriya-cho, Kanagawa-ku, Yokohama-shi, Kanagawa Address In Japan Victor Co., Ltd. (72) Inventor Wataru Inaba 3-12 Moriya-cho, Kanagawa-ku, Yokohama, Kanagawa Prefecture In-house Japan Victor Co., Ltd. (72) Toshio Kuroiwa 3-chome, Moriya-cho, Kanagawa-ku, Yokohama No. 12 F-term within Victor Company of Japan (reference) 5C053 FA13 GB07 LA11 5D044 AB05 AB07 BC01 BC04 CC03 CC04 DE12 DE50 EF05 GK12 GK17 HL08 5J104 AA12 EA17 EA18 JA03 JA07

Claims (3)

[Claims] 1. When encrypting information in which a plurality of unit blocks are continuous for each unit block, a seed of an encryption key for encrypting a predetermined unit block is one other than the predetermined unit block or A plurality of unit blocks, or an encryption method that is information that encrypts one or more unit blocks other than the predetermined unit block, wherein when recording the encrypted information on a recording medium, An encryption method comprising recording an encryption key or a seed of the encryption key in a memory provided integrally with the recording medium. 2. The encryption method according to claim 1, wherein the plurality of unit blocks have a reproduction order. 3. The encryption method according to claim 2, wherein seeds of encryption keys for encrypting the predetermined unit block are chained at least twice.