JP2003234728A - Encryption device, decrypting device, secret key generation device, copyright protection system and cipher communication device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption device by which a digital literary work can safely be transferred and which can be protected against the exchange attack of a certificate revocation list (CRL). <P>SOLUTION: The encryption device is provided with a CRL memory unit 111 that memorizes the CRL, a device key ring memory unit 112 that memorizes an intrinsic device key KD<SB>-</SB>A in every IC card 210a used in a decrypting device 200a, a content key memory unit 113 that memorizes a content key Kc which is a secret key for decrypting content, a hashing function processing unit 114 that calculates a hashing value of the CRL memorized in the CRL memory unit 111 according to a hashing function, an Ex-OR unit 115 that carries out an exclusive OR between the hashing value and the device key KD<SB>-</SB>A, and an Enc unit 116 that encrypts the content key Kc with the output value of the Ex-OR unit 115. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption device, a decryption device and the like for copyright protection when transferring a digital work through a recording medium or a transmission medium, and particularly to a revoked public key. The present invention relates to a protection technique against a public key certificate revocation list replacement attack that identifies a certificate.

[0002]

2. Description of the Related Art When a digital work is transferred from a first device to a second device, in order to prevent copyright infringement due to illegal acquisition, the first device transfers the second device to the second device. Authentication (or mutual authentication) is performed. In other words, it is performed to confirm whether the communication partner is the one that he / she intends.

For example, as an example using public key cryptography, the first device transmits a random number to the second device, and then the second device encrypts the random number with its own secret key ( The electronic signature is sent to the first device, and finally the first device verifies the returned ciphertext (or signature text) using the public key of the second device. That is. However, in such authentication using public key cryptography, it is premised that the public key itself is valid.

Therefore, recently, an organization or company called a certificate authority indicates that the public key is correct for each user (it is "approved" for the public key).
"Public key certificates" have been issued. Of the issued public key certificates, those for which the expiration date has passed, the public key certificates of users who have acted illegally or whose private keys have been stolen, etc. are to be invalidated ( Public Key Certificate Revocation List (Certificate Revocation List) that lists the information that identifies the revoked public key certificate in order to inform other users that it has been revoked.
vocation List; hereinafter also referred to as "CRL", "public key revocation list" or "revocation list". ) Has been issued.

Therefore, when authenticating the communication partner using the public key of the communication partner, the public key certificate is obtained from the communication partner and the obtained public key certificate is added to the public key certificate revocation list. By performing the above-described authentication process after confirming that the digital work is not registered (invalidated), it is possible to avoid giving valuable digital work to an unauthorized communication partner.

[0006] Note that there is a method in which the key is verified using only the public key certificate (see, for example, Patent Document 1).
As described above, it is not possible to deal with the expired expiration date, the public key certificate of the user who has worked illegally, or the user whose private key has been stolen.

[0007]

[Patent Document 1] Japanese Patent No. 3199119 (page 2)

[0008]

However, not all devices can obtain the regular public key certificate revocation list to check the validity of the public key certificate of the communication partner. There is a possibility that fraudulent acts will be taken advantage of.

For example, a device such as a DVD drive device for reproducing a DVD (Digital Video / Versatile Disc) in which a digital work such as a movie is recorded acquires a regular public key certificate revocation list via the DVD. (The latest public key certificate revocation list recorded on the DVD is read), and the public key certificate revocation list is used to control the other device (a computer on which the built-in reproduction processing circuit or reproduction software operates). When the authentication method is adopted, in the process of reading the public key certificate revocation list, for example,
The old public key certificate revocation list may be replaced. To that end, legitimate (eg latest)
An invalid public key that has been registered as a revoked public key certificate in the public key certificate revocation list but has not been registered in the replaced old public key certificate revocation list. Can be used to attack a digital work that is illegally obtained.

Further, when a device which already holds the public key certificate revocation list obtains a new public key certificate revocation list, which public key certificate revocation list is the latest one? That is, it is necessary to accurately determine which public key certificate revocation list should be stored.

Therefore, the present invention has been made in view of such a situation, and it is possible to protect against an attack of replacing the public key certificate revocation list, and to securely transfer digital works. A first object of the present invention is to provide an encryption device, a decryption device, a secret key generation device, a copyright protection system, and an encryption communication device that enable the above. A second object of the present invention is to provide a device that performs cryptographic communication using a public key certificate revocation list, and when a new public key certificate revocation list is obtained, the latest one can be accurately updated. It is possible to specify and keep a more recent public key certificate revocation list in place of the old one.

[0012]

In order to achieve the first object, the encryption device according to the present invention is an encryption device which encrypts a digital work and outputs it to a recording medium or a transmission medium. A digital work storage means for storing a digital work and a first used for encryption of the digital work
A first secret key storage means for storing a secret key; a second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work; Public key revocation list storage means for storing a public key revocation list, which is a list of information specifying public key certificates,
Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the public key revocation list storage means, and the second secret key storage means The second secret key stored in the second secret key is transformed by the attribute value calculated by the attribute value calculating unit, and the first secret key stored in the first secret key storing unit is transformed by the transforming unit. A first encryption means for encrypting with a second secret key; and a second encryption means for encrypting a digital work stored in the digital work storage means with a first secret key stored in the first secret key storage means. Encryption means, a public key revocation list stored in the public key revocation list storage means, a first secret key encrypted by the first encryption means, and an encryption by the second encryption means Record digital works And an outputting means for outputting the body or the transmission medium.

Here, the encryption device further records confirmation data as a reference for confirming whether or not the first secret key decrypted by the decryption device is correct. A confirmation data output means for outputting to a medium or a transmission medium may be provided. For example, the confirmation data output means may use the data obtained by encrypting the data of a predetermined fixed pattern with the first secret key stored in the first secret key storage means as the confirmation data in the recording medium or the transmission medium. The confirmation data output means outputs the data obtained by encrypting the first secret key stored in the first secret key storage means with the first secret key as the confirmation data. May be output to.

Further, the encryption device according to the present invention is an encryption device for encrypting a digital work which is a digital work and outputting it to a recording medium or a transmission medium, and a digital work which stores the digital work. Storage means, first secret key storage means for storing a first secret key used for encryption of a digital work, and second secret key associated with a decryption device for decrypting the encrypted digital work A second private key storage means, a public key revocation list storage means for storing a public key revocation list, which is a list of information specifying the revoked public key certificate, and the first secret key storage. First encryption means for encrypting the first secret key stored in the means with the second secret key stored in the second secret key storage means, and a public key stored in the public key revocation list storage means Based on revocation list An attribute value calculating means for calculating an attribute value that depends on the contents of the public key revocation list, the first
Deformation means for transforming the first secret key stored in the secret key storage means with the attribute value calculated by the attribute value calculation means, and digital work stored in the digital work storage means by the transformation means Second encryption means for encrypting with the generated first secret key, public key revocation list stored in the public key revocation list storage means, first secret key encrypted by the first encryption means And output means for outputting the digital work encrypted by the second encryption means to a recording medium or a transmission medium.

In order to achieve the second object,
A cryptographic communication device according to the present invention is a device that cryptographically communicates with a partner device by using a public key of the partner device, and a public key revocation list that is a list of information specifying a revoked public key certificate. The storage means for storing, the obtaining means for obtaining a new public key revocation list, the size of the obtained public key revocation list and the size of the public key revocation list stored in the storage means are compared. Storing means for storing the acquired public key revocation list in the storage means and updating the acquired public key revocation list when the acquired public key revocation list has a large size; and a public key revocation list stored in the storage means. Is used to determine the validity of the public key of the partner device, and when it is determined to be valid, a communication means for performing cryptographic communication with the partner device using the public key is provided. Similarly, instead of the storage means, the number of the certificates shown in the obtained public key revocation list and the number of the certificates shown in the public key revocation list stored in the storage means. When the number of the certificates shown in the obtained public key revocation list is large, the obtained public key revocation list is stored in the storage means and updated as storage means. You can also

The present invention can be realized as a decryption device or a secret key generation device corresponding to the above-mentioned encryption device, or as a copyright protection system consisting of those encryption device and decryption device, or those encryptions. It is realized as an encryption method, a decryption method, and an encrypted communication method that have the characteristic means constituting the encryption device, the decryption device, and the encrypted communication device as steps, or as a program that causes a personal computer or the like to execute those steps. You can also do it. Needless to say, the program can be widely distributed via a recording medium such as a DVD or a transmission medium such as the Internet.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION A copyright protection system according to an embodiment of the present invention will be described in detail below with reference to the drawings.

(First Embodiment) FIG. 1 shows the first embodiment.
FIG. 3 is a functional block diagram showing an overall configuration of a copyright protection system for recording media according to the present invention. The recording medium copyright protection system 1a is for recording the encrypted content or the like on the DVD 2a as the recording medium, or reading the encrypted content or the like from the DVD 2a to decrypt the content. An encryption device 100a for recording encrypted content and the like, and a DVD
2a, a decryption device 200a that reads the encrypted content and the like to decrypt the content, and a terminal device used by a public key certificate authority CA that issues a public key certificate revocation list CRL and the like. Three
00 and the like.

The encryption device 100a is roughly divided into two.
Terminal device 110a used by a copyright protection licensor and a terminal device 160 used by a content manufacturer.

The decryption device 200a is, for example, an HD-DVD player or the like compatible with content reproduction at an image quality level HD (1125i / 750p), and an IC card 210a supplied by a copyright protection licensor and manufacturing of this player. Maker's descrambler 260 and DVD2a
DVD-RO that reads encrypted content from the
M drive (not shown) and the like.

The terminal device 110a used by the copyright protection licensor has information for copyright protection in the decryption device 200a, that is, the public key certificate revocation list C.
RL, a content key for decrypting content, and a computer device that provides a bundle of encrypted content keys obtained by encrypting this content key to the terminal device 160, and its function is a public key revocation list storage unit 111. A device key bundle storage unit 112 and a content key storage unit 113
Hash function processing unit 114 and Ex-OR unit 115
And an Enc unit 116 and the like.

The public key revocation list storage unit 111 periodically accesses the terminal device 300 via a communication network such as the Internet, and provides the latest public key certificate revocation list provided by the public key certificate certification authority CA. Update and store the CRL regularly. As shown in FIG. 2, the public key certificate revocation list CRL includes a file header, a "general" field, a "revocation list" field, and the like. In the file header, the “name” of the file ○ △ □ △. cr
l, file “size” 79 KB, file “type” certificate invalid list, file “update date” 2001
/ 09/07/12: 34 records are included. Also,
In the "General" field, "Version" V1, "Issuer" ○ △ □ △, "Effective start date" September 6, 2001,
"Next scheduled update date" September 16, 2001, includes a record of "signature algorithm" md5RAS. In addition, in the field of “invalid list”, records of the serial numbers of the invalidated certificates and the invalid dates are described in a text format. This public key certificate revocation list CR
As for L, the number of invalidated certificates continues to increase monotonously, so the more recent the version, the more the number of invalidated certificate serial number entries (the number registered in the list).
Has a property of monotonically increasing and the “size” of the file monotonically increasing.

The device key bunch storage unit 112 stores in advance a device key KD_A (for example, 128 bits) unique to each IC card 210a supplied by the copyright protection licensor as a bunch.

The content key storage unit 113 stores a content key Kc (for example, 128 bits) which is a secret key for encrypting a predetermined content such as a movie or music.

The hash function processing unit 114 compresses the public key certificate revocation list CRL, which is the variable-length data stored in the public key revocation list storage unit 111, according to the hash function and fixes it to a fixed length (for example, 128-bit) data (hash value Hash) is converted into, for example, SHA-1 (Secure Hash Algorithm-1)
Or MD5 and so on.

The Ex-OR unit 115 has the hash value Hash calculated by the hash function processing unit 114 and each device key KD_ stored in the device key bundle storage unit 112.
The exclusive OR with A is taken (each device key KD_A is transformed with the hash value Hash).

The Enc unit 116 includes the content key storage unit 1
The content key Kc stored in 13 is added to the Ex-OR unit 11
5, the hash value Hash is encrypted with the exclusive OR value of each device key KD_A to generate a bundle of encrypted content keys.

The hash function processing unit 114 and the Ex-OR unit 115 of the terminal device 110a depend on the public key certificate revocation list CRL stored in the public key revocation list storage unit 111 to make the device key KD_A. Is transformed, but this is the transformed device key KD_A
By encrypting the content key Kc with the Enc unit 1,
This is for associating the encrypted content key output from 16 with the public key certificate revocation list CRL. This makes it possible to protect against the attack of replacing the public key certificate revocation list CRL in the decryption process in the decryption device 200a described later.

The terminal device 160 used by the content manufacturer is a writing device for recording the public key certificate revocation list CRL passed from the terminal device 110a and a bundle of encrypted content keys on the DVD 2a as it is.
As its function, the content storage unit 161 and the Enc unit 162 are provided.

The content storage unit 161 stores in advance predetermined contents such as movies and music.

The Enc section 162 is a content storage section 16
The content stored in No. 1 is encrypted with the content key Kc passed from the terminal device 110a to generate encrypted content.

In this way, the two terminal devices 110a, 16a
In the encryption device 100a configured from 0, DV
When manufacturing D2a, the terminal device 110a stores the public key revocation list CRL in the public key revocation list storage unit 111.
Is read and the read public key revocation list CRL is passed to the hash function processing unit 114 and the terminal device 160. The hash function processing unit 114 calculates the hash value Hash of the public key revocation list CRL, and passes the calculated hash value Hash to the Ex-OR unit 115. Ex-OR
The unit 115 reads out the device keys KD_A, ... One by one from the device key bundle storage unit 112, calculates the exclusive OR of the device keys KD_A ,. Value is Enc section 116
Output to. Then, the terminal device 110a reads the content key Kc from the content key storage unit 113 and passes the read content key Kc to the Enc unit 116 and the terminal device 160. The Enc unit 116 encrypts the passed content key Kc with each exclusive OR value output from the Ex-OR unit 115. That is, the Enc unit 116
Is the device key KD_A value and the hash value H
The content key K with the exclusive OR value with ash as a key
Encrypt c. As a result, the Enc unit 116 generates a plurality of encrypted content keys, bundles the encrypted content keys, and passes them to the terminal device 160.

The terminal device 160 writes the public key revocation list CRL and the bundle of encrypted content keys passed from the terminal device 110a to the DVD 2a as it is. Then, the encrypted content generated by the Enc unit 162 is written to the DVD 2a. D produced in this way
The VD 2a includes the encrypted content, a bundle of encrypted content keys, and the latest public key revocation list CR at the time of manufacturing.
L and B are sold to the user in a bound state.

On the other hand, the IC card 210a of the decryption device 200a for decrypting such a DVD 2a is composed of a module (TRM: Tamper Resistance Module) used to prevent a computer program from being intentionally changed, and has a public key. The copyright is protected by excluding an unauthorized descrambler 260 that appears on the certificate revocation list CRL, and is roughly classified based on the public key certificate revocation list CRL bound to the DVD 2a. A content key decryption unit 220a that obtains a key for decrypting encrypted content, and a public key revocation list CR
L causes the communication partner (descrambler 260) to revoke
While checking whether it has been ke (disabled), SA in the form of mutual authentication with the descrambler 260
An authentication processing unit 230a for setting a C (Secure Authentication Channel) is provided.

The authentication processing unit 230a includes a certificate certification authority public key storage unit 231 and an IC card private key storage unit 232.
A public key certificate storage unit 233 for IC card (for copyright protection licensor), a random number generation unit 234, a public key revocation list check unit 235, and an elliptic curve cryptography processing unit 23.
6, an authentication unit 237, a buffer memory 238 and the like.

The certificate certification authority public key storage unit 231 stores in advance the certification authority public key PK_CA used for decoding the signature of the public key certificate certification authority CA.

The IC card private key storage unit 232 stores in advance the IC card private key SK_A unique to the IC card used by the IC card 210a supplied from the copyright protection licensor for its own signature.

Public key certificate storage unit 233 for IC card
Is a document that the public key certificate authority CA certifies that the public key PK_A belongs to the IC card 210a.
The C-key public key certificate Cert_A is stored in advance.
This IC card public key certificate Cert_A is, as shown in FIG. 3, the ID of the IC card 210a (copyright protection licensor), the IC card public key PK_A for the IC card private key SK_A, and the IC card public key. Key P
Signature of Certificate Authority CA for K_A, (of certificate)
It consists of an expiration date.

The random number generator 234 generates a random number (for example, 128 bits) as a time-varying value.

The public key revocation list check unit 235
The other party (descrambler 26
It is checked whether the ID of 0) is included.

The elliptic curve cryptographic processing unit 236 executes the cryptographic processing according to the elliptic curve (for example, a processing unit of 256 bits) at the time of authentication in the SAC setting.

The authentication section 237 is a communication interface for communicating with the descrambler 260 via SAC.

The buffer memory 238 is used by the random number generator 23.
4 holds the random number generated by No. 4 and the temporary data generated by the elliptic curve cryptography processing unit 236.

The content key decryption unit 220 includes a device key storage unit 221, a hash function processing unit 222, and an Ex-
The OR unit 223 and the Dec processing unit 224 are provided.

The device key storage unit 221 is used for the IC card 2
A device key KD_A (a secret key, for example, a key of AES128 bit) unique to 10a is stored.

The hash function processing unit 222 is used by the terminal device 1
10a has the same configuration as the hash function processing unit 114,
Hash value Hash (for example, 128 bits) of the public key certificate revocation list CRL bound to the DVD 2a
To calculate.

The Ex-OR unit 223 takes the exclusive OR of the device key KD_A stored in the device key storage unit 221 and the hash value Hash calculated by the hash function processing unit 222 (that is, the device key KD_A). Is transformed with the hash value Hash).

The Dec processing unit 224 uses the device key KD_A and the hash value Hash as its own encrypted content key recorded in a predetermined location from the bundle of encrypted content keys bound to the DVD 2a. The content key Kc is generated by decrypting with the exclusive OR value of

The descrambler 260 is the IC card 21.
Like 0a, it is composed of modules used to prevent unauthorized tampering of computer programs, and is roughly classified into a communication partner (IC
An authentication processing unit 270 for setting a SAC in a mutual authentication format with the IC card 210a while checking whether the card 210a) has been revoked,
The encrypted content read from the DVD 2a is decrypted with the content key Kc passed from the IC card 210a,
And a Dec processing unit 280 for acquiring content.

The authentication processing unit 270 includes a certificate certification authority public key storage unit 271 and a descrambler private key storage unit 27.
2, a descrambler (player maker) public key certificate storage unit 273, a random number generation unit 274, a public key revocation list check unit 275, and an elliptic curve encryption processing unit 27.
6, an authentication unit 277, a buffer memory 278 and the like.

The certificate certification authority public key storage unit 271 stores in advance the certificate certification authority public key PK_CA of the certificate certification authority CA.

The descrambler private key storage unit 272 is
The descrambler 260 stores in advance the descrambler secret key SK_i which is supplied by the manufacturer of the HD-DVD player 200 and is used for the signature of the descrambler 260.

Public key certificate storage unit 27 for descrambler
3 stores in advance a descrambler public key certificate Cert_i which is a document that the public key certificate certification authority CA certifies that the public key PK_i belongs to the player maker. This descrambler public key certificate Cert_i
4, the descrambler 260 (player maker) ID (certificate serial number), the descrambler public key PK_i for the descrambler private key SK_i, and the certification for the descrambler public key PK_i It consists of the signature of the certificate authority CA and the expiration date of the certificate.

The random number generator 274 generates a random number (for example, 128 bits) as a time-varying value.

The public key revocation list check unit 275
The other party (IC card 210
Check whether the ID in a) is included.

The elliptic curve cryptographic processing unit 276 executes the cryptographic processing according to the elliptic curve (for example, a processing unit of 256 bits) at the time of authentication in SAC.

The authentication section 277 is a communication interface for communicating with the IC card 210a via SAC.

The buffer memory 278 is used by the random number generator 27.
4 holds the random number generated by No. 4 and the temporary data generated by the elliptic curve cryptography processing unit 276.

Next, the SAC setting between the IC card 210a and the descrambler 260 and the sequence for decrypting the encrypted content recorded on the DVD 2a will be described with reference to FIG. FIG. 5 is a communication sequence diagram performed by the IC card 210a and the descrambler 260.

When there is an instruction to reproduce the content of the DVD 2a by a user operation, the random number generator 274 of the descrambler 260 generates a first random number y (for example, 128 bits) and stores it in the buffer memory 278 (S).
1). Then, the authentication unit 277 of the descrambler 260
Is the first random number y stored in the buffer memory 278.
And the descrambler public key certificate Cert_i stored in the descrambler public key certificate storage unit 273, and these are transmitted to the IC card 210a (S2).

The authentication unit 237 of the IC card 210a stores the first random number y received from the descrambler 260 and the descrambler public key certificate Cert_i in the buffer memory 238. Then, the public key revocation list check unit 235 checks whether or not the descrambler 260 has been revoked based on the public key revocation list CRL passed from the HD-DVD player 200a (S3). Specifically, public key revocation list C
It is determined whether the ID of the descrambler 260 is posted on the RL. If it is not Revoke,
The authentication unit 237 uses the public key PK_CA of the public key certificate authority,
The descrambler public key certificate Cert_i is verified (S4). Specifically, the signature of the public key certification authority included in the descrambler public key certificate Cert_i is decrypted by the public key PK_CA of the public key certification authority, and the descrambler public key certificate Cert_i is surely descrambler 26.
Verify whether it is 0 or not. When the verification is completed, the random number generation unit 234 generates the first random number x (for example, 128 bits) and stores the generated first random number x in the buffer memory 238 (S5). Then, the authentication unit 237
The first random number x stored in the buffer memory 238 and I
IC stored in C-card public key certificate storage unit 233
The card public key certificate Cert_A is read and these are transmitted to the descrambler 260 (S6).

In the descrambler 260, the first random number x received from the IC card 210a and the IC card public key certificate Cert_A are stored in the buffer memory 278 by the authentication unit 277, and then the public key is invalidated. The list check unit 275 is used by the HD-DVD player 200.
Based on the public key revocation list CRL passed from a,
It is checked whether the IC card 210a has been revoke (S7). Specifically, it is determined whether or not the ID of the IC card 210a is listed in the public key revocation list CRL. If it is not revoked, the authentication unit 277 determines that the public key P of the public key certificate certification authority.
Using K_CA, IC card public key certificate Cert
_A is verified (S8). Specifically, the signature of the public key certificate authority included in the player manufacturer public key certificate Cert_A is decrypted by the public key PK_CA of the public key certificate authority, and I
It is verified whether or not the C card public key certificate Cert_A is indeed the IC card 210a. Upon completion of the verification, the random number generation unit 274 causes the second random number y ′ (for example, 12
(8 bits) is generated and the second random number y ′ is stored in the buffer memory 278 (S9). Then, the elliptic curve cryptography processing unit 276 uses the second random number y ′ and the base point G.
(Constant) is multiplied on the elliptic curve to generate a multiplication result y′G, and the multiplication result y′G is stored in the buffer memory 278.
(S10). Next, the authentication unit 277 causes the signature S1: = Sig (SK_i,
y′G || x) is generated, and this signature S1 is stored in the buffer memory 278 (S11). This signature is obtained by bit-connecting the first random number x to the multiplication result y′G,
This is done by signing with the private key SK_i. In addition,
The symbol "||" represents bit concatenation, and y'G and the random number x are combined in the digit direction to form 256 bits (for example, y'G is upper 128 bits and random number x is lower 128 bits). Shows. When the storage of the signature S1 ends, the authentication unit 27
7 sets the multiplication result y′G and the signature S1 for the multiplication result I′G to I
It is sent to the C card 210a (S12).

The authentication unit 237 of the IC card 210a is
y'G and the signature S1 for this are stored in the buffer memory 2
38, the public key certificate for descrambler Ce
Descrambler public key PK_ obtained by rt_i
By using i, it is verified that S1 is the signature of the descrambler 260 for y'G || x (S13). Specifically, the signature S1 is decrypted with the descrambler public key PK_i, and the bit concatenation of y′G and the random number x is separated.
Verify. This allows the communication partner (descrambler 26
It can be confirmed that 0) is not an eavesdropper or the like.

After such verification, the IC card 2
The random number generation unit 234 of 10a generates the second random number x ′ and stores it in the buffer memory 238 (S14). Next, the elliptic curve cryptography processing unit 236 multiplies the second random number x ′ and the base point G (constant) on the elliptic curve to generate a multiplication result x′G, which is stored in the buffer memory 238. (S15). Next, the authentication unit 237 causes the signature S0: = Sig (SK_A,
x′G || y) is generated, and this signature S0 is stored in the buffer memory 238 (S16). This signature is performed by signing the bit number of the first random number y to the multiplication result x′G with the secret key SK_A. When the storage of the signature is completed, the authentication unit 237 causes the multiplication result x′G and the signature S0.
And are sent to the descrambler 260 (S17).

The authentication unit 277 of the descrambler 260 is
After the multiplication result x′G and the signature S0 received from the IC card 210a are stored in the buffer memory 278, the IC
IC obtained by public key certificate Cert_A for card
Using the card public key PK_A, it is verified that S0 is the signature of the descrambler 260 for x'G || y (S18). Specifically, the signature S1 is decrypted with the descrambler public key PK_i, and the bit concatenation of y′G and the random number x is separated for verification. This makes it possible to confirm that the communication partner (IC card 210a) is not an eavesdropper or the like.

The authentication section 277 of the descrambler 260 is
When it is confirmed that the IC card 210a has not been Revoke and is not an eavesdropper, the buffer memory 27
The second random number y ′ (for example, 128 bits) generated by itself stored in 8 and the multiplication result x′G obtained from the communication partner are multiplied to generate K ′ = y ′ (x′G). Then, the calculation result K ′ is stored in the buffer memory 278 as a session key (S19).

On the other hand, the authentication unit 237 of the IC card 210a
Confirms that the descrambler 260 has not been revoked and is not an eavesdropper, etc., the second random number x ′ stored in the buffer memory 238 and generated by the self and the communication partner received it. A multiplication K: = x '(y'G) with the multiplication result y'G is generated by calculation, and the calculation result K is stored in the buffer memory 238 as a session key (S20). As a result, the IC card 210a and the descrambler 260 can hold the key K (= K ') having the same value, and thereafter, encrypted communication is performed using K (= K') as the session key (S21). .

When the generation of the session key K is completed, the content key decryption unit 220a of the IC card 210a executes the content key decryption process. In this content key decryption processing, first, the hash function processing unit 222 sets H
The hash value Hash of the public key revocation list CRL passed from the D-DVD player 200a is calculated (S2).
2). Next, the Ex-OR unit 223 takes the exclusive OR of the device key KD_A of the IC card 210a itself and the hash value Hash stored in the public key storage unit 231 for the certificate authority (S23). The Dec processing unit 224 decrypts the encrypted content key with the obtained exclusive OR value, acquires the content key Kc (S24), passes the content key Kc to the authentication unit 237, and performs the content key decryption processing. To finish. When the content key Kc is passed, the authentication unit 237 encrypts the content key Kc with the session key K (S25) and sends the descrambler 2 via the SAC.
60 (S26). As a result, eavesdropping on the content key Kc can be reliably prevented.

The authentication section 277 of the descrambler 260 is
The encrypted content key received from the IC card 210a is decrypted with the session key K ', the content key Kc is acquired (S27), and the acquired content key Kc is passed to the Dec processing unit 280. The descrambler 260 decrypts the encrypted content with the content key Kc passed from the authentication unit 277, and acquires the content (S28). This makes it possible to decrypt the content while protecting the copyright.

Here, for the IC card 210a and the descrambler 260, the HD-DVD player 200a
It is assumed that, instead of the public key certificate revocation list CRL bound to the DVD 2a, the public key certificate revocation list CRL before its own public key is revoked is passed. In this case, as in the case where there is no switching, the SAC is set, and the process can proceed to the stage (S21) of the encrypted communication using the session key.

However, in the first embodiment, the public key certificate revocation list CRL and the encrypted content key encrypted with the information relating the hash value Hash of the public key certificate revocation list CRL are used. Bundle with DVD2a
I'm trying to bind to. Therefore, when the CRL is replaced, the hash value Hash of the replaced public key certificate revocation list CRL and the DVD 2a
The value does not match the hash value Hash of the public key certificate revocation list CRL bound to. As a result, even if the content key is decrypted using the hash value Hash of the replaced public key certificate revocation list CRL, the regular content key Kc cannot be obtained. Therefore, in order to obtain the content key Kc for decrypting the content, the public key certificate revocation list CRL bound to the DVD 2a must be passed. Therefore, the malicious decryption device 200a that replaces the public key certificate revocation list CRL can be eliminated, and the protection of copyright can be strengthened.

(Second Embodiment) FIG. 6 shows the second embodiment.
FIG. 3 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1b according to FIG. In the copyright protection system for recording media 1b, the parts corresponding to those of the copyright protection system for recording media 1a according to the first embodiment are denoted by the same reference numerals, and the description thereof will be omitted. The difference from the case of 1a will be mainly described.

In the terminal device 110a of the encryption device 100a according to the first embodiment, the exclusive OR of the hash value Hash of the public key certificate revocation list CRL output from the hash function processing unit 114 and each device key. Ex-
Calculated by the OR unit 115, and in the Enc unit 116,
The content key Kc is encrypted with the exclusive OR value to generate a bundle of encrypted content keys. On the other hand, in the terminal device 110b of the encryption device 100b according to the second embodiment, the Enc unit 117 encrypts the content key Kc only with each device key stored in the device key ring storage unit 112, and only each device key is encrypted. It is configured to generate a bundle of encrypted content keys encrypted by.

Further, the encryption device 10 according to the first embodiment
The terminal device 110a of 0a passes the content key Kc to the terminal device 160 as it is. Therefore, the terminal device 1
In 60, the Enc unit 162 encrypts the content with the content key Kc to generate the encrypted content. On the other hand, the encryption device 100b according to the second embodiment
In the terminal device 110b, the Ex-OR unit 118 obtains the exclusive OR of the hash value Hash of the public key certificate revocation list CRL output from the hash function processing unit 114 and the content key Kc, and performs the exclusive OR. It is configured to pass the logical OR value to the terminal device 160. Therefore, the terminal device 16 that has received the exclusive OR value
At 0, the Enc unit 162 encrypts the content with the exclusive OR value to generate encrypted content.

Therefore, the hash value is not involved in each encrypted content key bound to the DVD 2b, and the hash value is involved in the encrypted content,
The relationship is opposite to that of the DVD 2a. Further, the content key decryption unit 22 of the decryption device 200a according to the first embodiment.
0a, the Ex-OR unit 223 calculates the exclusive OR value of the device key KD_A of its own stored in the device key storage unit 221 and the hash value Hash of the public key certificate revocation list CRL, and the Dec processing unit. In 224, the encrypted content key related to the hash value is decrypted with the exclusive OR value to obtain the content key Kc.

On the other hand, in the content key decryption unit 220b of the decryption apparatus 200b according to the second embodiment, the DV
Since the hash value Hash is not involved in the encrypted content key bound to D2b, the Dec processing unit 225
In the device key storage unit 221
The content key Kc is obtained by decrypting only the own device key stored in. And
Since the hash value Hash is involved in the encrypted content bound to the DVD 2b, the Ex-OR unit 226
, The content key Kc acquired by the Dec processing unit 225 and the hash value Ha of the public key certificate revocation list CRL calculated by the hash function processing unit 222.
The exclusive OR value with sh is calculated, and the obtained exclusive OR value is passed to the authentication unit 237 of the authentication processing unit 230a.

This content key Kc and the hash value Ha
The exclusive OR value with sh is obtained from the authentication unit 237 as SA
C, De through the authentication unit 277 of the descrambler 260
It is passed to the c processing unit 280. Therefore, the Dec processing unit 2
80 decrypts the encrypted content recorded with the hash value Hash recorded on the DVD 2b with the exclusive OR value of the content key Kc and the hash value Hash to obtain the content.

Therefore, also in the copyright protection system for recording media 1b according to the second embodiment, as in the case of the first embodiment, in order to obtain the key for decrypting the content, it is bound to the DVD 2a. The public key certificate revocation list CRL must be passed.
As a result, an unauthorized decryption device 200b that replaces the public key certificate revocation list CRL can be eliminated, and copyright protection can be strengthened.

(Third Embodiment) FIG. 7 shows the third embodiment.
2 is a functional block diagram showing the overall configuration of a recording medium copyright protection system 1c according to FIG. It should be noted that in the figure, the functional parts corresponding to the copyright protection system for recording media 1a of the first embodiment are omitted, and only the functional parts unique to the copyright protection system for recording media 1c are illustrated. There is.

The IC card 210a of the decryption device 200c according to the first embodiment simply passes the acquired content key Kc to the descrambler 260b, and the IC card 210a itself encrypts the acquired content key Kc. I didn't know if it was a legitimate key to decrypt the content properly. Therefore, the acquired content key K
Before passing c to the descrambler 260, it is desirable to internally check in advance whether the content key Kc has a correct value.

Therefore, the recording medium copyright protection system 1c according to the third embodiment is a system having such a key check function, and is the encryption device 100.
The terminal device 110c used by the copyright protection licensor of c further includes a fixed pattern storage unit 119 in addition to the configuration of the terminal device 110a. The fixed pattern storage unit 119 stores a predetermined fixed pattern plaintext (for example, a fixed pattern plaintext “012 represented in hexadecimal”).
3456789ABCDEF ") is encrypted with the content key Kc, and a fixed pattern is stored in advance. The fixed pattern stored in the fixed pattern storage unit 119 is bound to the DVD 2c via the terminal device 160.

On the other hand, the content key decryption unit 220c provided in the IC card 210c of the decryption device 200c.
In addition to the configuration of the content key decryption unit 220a, the Dec processing unit 227 and the content decryption key check unit 2
And 28. The Dec processing unit 227 deciphers the fixed pattern plaintext encrypted data bound to the DVD 2a.
The content key Kc is decrypted by the c processing unit 224. The content decryption key check unit 228 determines that the fixed pattern plaintext “0123456789ABCD”
EF ”is held in advance, and the content key Kc decrypted is the correct value depending on whether the fixed pattern plaintext stored in advance is the same as the fixed pattern plaintext decrypted by the Dec processing unit 227. Check if.

According to the recording medium copyright protection system 1c thus configured, it is possible to check in advance whether or not the content key Kc has a correct value inside the IC card 210c, and the descrambler 260 can make a mistake. It is possible to avoid in advance a wasteful decryption process of decrypting the content using the content key Kc.
In addition, in the copyright protection system 1c for a recording medium according to the third embodiment, the key check function is provided in the first embodiment.
Although the above is applied to the recording medium copyright protection system 1a, it may be applied to the recording medium copyright protection system 1b according to the second embodiment.

In this case, the content has the content key Kc and the hash value H of the public key certificate revocation list CRL.
Since it is encrypted with an exclusive OR value with ash, the fixed pattern plaintext “0123” is stored in the fixed pattern storage unit 119.
A fixed pattern obtained by encrypting "456789ABCDEF" with the exclusive OR value of the content key Kc and the hash value Hash may be stored in advance and this fixed pattern may be recorded on the DVD 2c.

On the other hand, De of the content key decryption unit 220c
In the c processing unit 227, the output of the Dec processing unit 224, that is, the output of the Ex-OR unit 226 (see FIG. 6) instead of the content key Kc, that is, the exclusive OR value of the content key Kc and the hash value Hash, is used as the DVD 2a. It suffices to decrypt the fixed pattern plaintext encrypted data bound to. Then, in the content decryption key check unit 228,
Fixed pattern held in advance Plain text "01234567
89ABCDEF "and the fixed pattern plaintext decrypted by the Dec processing unit 227 are the same as each other, that is, the key for decrypting the decrypted content, that is, the exclusive logic of the content key Kc and the hash value Hash. You can check if the sum value is correct.

(Fourth Embodiment) FIG. 8 shows a fourth embodiment.
3 is a functional block diagram showing the overall configuration of a recording medium copyright protection system 1d according to FIG. Note that, also in this figure, the functional portions corresponding to the recording medium copyright protection system 1a of the first embodiment are omitted, and only the functional portions unique to the recording medium copyright protection system 1d are shown. There is.

The copyright protection system for recording media 1d according to the fourth embodiment is a system having a key check function similarly to the copyright protection system for recording media 1c, and the terminal device 110d of the encryption device 100d is In addition to the configuration of the terminal device 110a, the Enc unit 131
Equipped with. The Enc unit 131 generates content key collation data by encrypting the content key Kc read from the content key storage unit 113 with the content key Kc. This content key collation data is bound to the DVD 2d.

On the other hand, the IC card 2 of the decryption device 200d
In addition to the configuration of the content key decryption unit 220a, the content key decryption unit 220d provided in
A unit 241 and a content key check unit 242 are provided. The Enc unit 241 is the Enc unit 1 of the terminal device 110d.
The content key Kc has the same configuration as 31 and is decrypted by the Dec processing unit 224 with the content key Kc to generate content key collation data. The content key check unit 242 compares the content key collation data generated by the Enc unit 241 with the content key collation data bound to the DVD 2d, and determines whether or not these data have the same value. It is checked whether the content key Kc decrypted by 224 is a correct key, that is, a key capable of decrypting encrypted content.

With the recording medium copyright protection system 1d configured as described above, as in the recording medium copyright protection system 1c, whether or not the content key Kc has a correct value inside the IC card 210d is checked in advance. It is possible to check, and it is possible to avoid in advance a wasteful decryption process of decrypting the content using the wrong content key Kc in the descrambler 260. In the recording medium copyright protection system 1d of the fourth embodiment, the key check function is applied to the recording medium copyright protection system 1a of the first embodiment.
It may be applied to the copyright protection system for recording media 1b according to the second embodiment.

In this case, the content has the content key Kc and the hash value H of the public key certificate revocation list CRL.
Since it is encrypted with the exclusive OR value with ash, E
In the nc unit 131, instead of the output of the content key storage unit 113, that is, the content key Kc, Ex-OR
The output of the unit 118, that is, the exclusive OR value of the content key Kc and the hash value Hash may be encrypted with this exclusive OR value, and this content key collation data may be recorded on the DVD 2c.

On the other hand, the En of the content key decryption unit 220d
In the c unit 241, the output of the Dec processing unit 224, that is, the output of the Ex-OR unit 226 (see FIG. 6) instead of the content key Kc, that is, the content key Kc and the hash value H.
The exclusive OR value with ash may be encrypted with the exclusive OR value. Then, the content key check unit 242
Then, the content key collation data generated by the Enc unit 241 is compared with the content key collation data bound to the DVD 2d, and it is generated by the Ex-OR unit 226 depending on whether or not these keys have the same value. It is possible to check whether the created key is the correct key, that is, the key that can decrypt the encrypted content.

(Fifth Embodiment) FIG. 9 shows the fifth embodiment.
3 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1e according to FIG. Note that, also in this figure, the functional parts corresponding to the copyright protection system for recording media 1a of the first embodiment are omitted, and only the functional parts unique to the copyright protection system for recording media 1e are illustrated. There is.

The recording medium copyright protection system 1e according to the fifth embodiment is a system having a key check function like the recording medium copyright protection systems 1c and 1d, and has the same configuration as that of the fourth embodiment. Encryption device 10
The DVD 2d has an Enc section 13
The content key matching data generated by 1 is bound.

On the other hand, the IC card 2 of the decryption device 200e
In addition to the configuration of the content key decryption unit 220a, the content key decryption unit 220e provided in
The processing unit 243 and the content decryption key check unit 244 are provided. The Dec processing unit 243 is the Enc unit 13 described above.
The content key collation data encrypted by 1 and bound to the DVD 2d is decrypted by the content key Kc decrypted by the Dec processing unit 224. The content decryption key check unit 244 compares the content key Kc decrypted by the Dec processing unit 224 with the content key Kc decrypted by the Dec processing unit 243, and determines whether these keys have the same value. Then, it is checked whether the content key Kc decrypted by the Dec processing unit 224 is a correct key, that is, a key capable of decrypting the encrypted content.

With the copyright protection system for recording media 1e configured as described above, as with the copyright protection systems for media 1c and 1d, it is determined whether the content key Kc has the correct value inside the IC card 210e. It is possible to check in advance, and it is possible to avoid in advance a wasteful decryption process of decrypting the content in the descrambler 260 using the wrong content key Kc.

In the recording medium copyright protection system 1e of the fifth embodiment, the key check function is used for the recording medium copyright protection system 1a of the first embodiment.
However, it may be applied to the recording medium copyright protection system 1b according to the second embodiment.

In this case, the content is the hash value H of the content key Kc and the public key certificate revocation list CRL.
Since it is encrypted by the exclusive OR value with ash, in the Enc unit 131, instead of the output of the content key storage unit 113, that is, the content key Kc, Ex is replaced with Ex. The output of the OR unit 118, that is, the exclusive OR value of the content key Kc and the hash value Hash is encrypted with this exclusive OR value, and the content key collation data generated by this encryption is recorded on the DVD 2c.
You can record it in.

On the other hand, De of the content key decryption unit 220e
In the c processing unit 243, the content key decrypted data read from the DVD 2c is output from the Dec processing unit 224, that is, the output from the Ex-OR unit 226 (see FIG. 6) instead of the content key Kc, that is, the content key Kc and the hash value. Decoding is performed by an exclusive OR value with Hash. And
In the content decryption key check unit 244, Ex-O
A key for decrypting the content decrypted by the R unit 226, that is, the content key Kc and the hash value Ha.
The exclusive OR with sh is compared with the key decrypted by the Dec processing unit 243, and the key decrypted by the Ex-OR unit 226 is correct depending on whether or not these keys have the same value. It suffices to check whether or not the key is a key that can decrypt the encrypted content.

(Sixth Embodiment) FIG. 10 is a functional block diagram showing an overall structure of a recording medium copyright protection system 1f according to a sixth embodiment. In the copyright protection systems 1a to 1e for recording media described above, the public key revocation list check unit 235 checks the public key certificate revocation list CRL bound to the DVD, and the communication partner (descrambler 260) is revoked. I was deciding whether or not. In such a check, if the DVD is manufactured old, that is, if the public key certificate revocation list CRL bound to the DVD is old, the communication partner (descrambler) will update after the update date of the public key certificate revocation list CRL. If the public key certificate of 260) is invalidated, the descrambler 260 cannot be revoked. Therefore, it is necessary to use the latest version of the public key certificate revocation list CRL as much as possible to determine whether or not the communication partner (descrambler 260) is revoked.

Therefore, in the copyright protection system for recording media 1f according to the sixth embodiment, the authentication processing section 23 related to the IC card 210f of the decryption device 200f.
0b is provided with a public key revocation list latest version storage processing unit 239 in addition to the configuration of the authentication processing unit 230a.

The public key revocation list latest version storage processing unit 239 is a processing unit for storing and holding the latest version in the public key certificate revocation list CRL received so far on the decryption device 200f side. The latest version detection processing unit 23
91, the latest version detection information storage unit 2392, and the storage unit 23
It consists of 93 mag.

The latest version detection processing unit 2391 uses the DVD 2a.
Every time the public key certificate revocation list CRL bound to is received, a process of confirming whether the public key certificate revocation list CRL is the latest version or the like is performed.

The latest version detection information storage unit 2392 stores the latest version detection information (for example, the file size of this list) of the public key certificate revocation list CRL held by this decryption device 200f.

The storage unit 2393 stores the hash value (for example, 128 bits) of the public key certificate revocation list CRL held by the decryption device 200f. The reason is,
This is to avoid the cost increase of the IC card 210f if the enormous amount of public key certificate revocation list CRL itself is stored / held in the IC card 210f. That is, in this embodiment, I
The public key certificate revocation list latest version storage unit 250 is provided outside the C card 210f (and inside the decryption device 200f).
The public key certificate revocation list latest version storage unit 2 is provided.
The latest version of the public key certificate revocation list CRL main body is stored in 50, and only the hash value of this list is stored in the IC card 2
A configuration in which the storage unit 2393 in 10f stores and holds is adopted. Then, the public key revocation list check unit 23
When checking whether the communication partner is a revoked device according to 5, the latest version of the public key certificate revocation list CRL is read into the IC card 210f, and the read public key certificate revocation list CRL is read. The hash value is checked to see if it has been tampered with.

Specifically, when the new public key certificate revocation list CRL bound to the DVD 2a is received,
As a process for storing (or not storing) the public key certificate revocation list CRL, the latest version detection processing unit 2391 first, as shown in the flowchart of FIG. Public key certificate revocation list C
The process of confirming whether or not the RL is the latest version is executed. That is, the latest version detection processing unit 2391 first sets the file size recorded in the header of the public key certificate revocation list CRL bound to the DVD 2a and the file size stored in the latest version detection information storage unit 2392. The comparison is made (S101). This comparison shows that the public key certificate revocation list CR shows that the number of revoked devices only monotonically increases over time and the file size also increases.
It is based on the property of L.

As a result, when the file size of the public key certificate revocation list CRL bound to the DVD 2a is larger (Yes in S101), that is, the current DVD
If the public key certificate revocation list CRL read from 2a is the latest, the file size of this latest version list is stored (overwritten) in the latest version detection information storage unit 2392 and updated (S102). Next, latest version detection processing unit 23
91 calculates the hash value of the latest version list, stores the calculated hash value in the storage unit 2393 (S103),
The latest version list is stored in the external public key certificate revocation list latest version storage unit 250 (S104), and the latest version list is transferred to the public key revocation list check unit 235 (S10).
5) The confirmation / judgment process is terminated.

On the other hand, if the file size of the public key certificate revocation list CRL bound to DVD2a is not larger (No in S101), that is, now DVD2.
If the public key certificate revocation list CRL read from a is not the latest version, the latest version detection processing unit 2391 ends the confirmation determination processing immediately. Then, if the latest public key certificate revocation list CRL is required, FIG.
The latest version list reading process shown in the flowchart of (b) is executed.

In the reading process, the latest version detection processing unit 2391 first stores the latest version list in an external storage unit, that is, the public key certificate revocation list latest version storage unit 2
From 50 (S111), the hash value of the latest version list is calculated (S112), and it is determined whether the calculated hash value matches the hash value stored in the storage unit 2393 (S113). This determination is made to detect whether or not the public key certificate revocation list CRL has been replaced outside the IC card 210f, and if there is no replacement, the hash values match.

If the hash values match (Y in S113)
es), the latest version detection processing unit 2391 transfers the latest version list read from the public key certificate revocation list latest version storage unit 250 to the public key revocation list check unit 235 (S114), and reads the latest version list. The process ends.
On the other hand, when the hash values do not match (No in S113), the latest version detection processing unit 2391 stops the process (S115) and ends the latest version list reading process.
If the latest public key certificate revocation list CRL cannot be read because the hash values do not match, it is considered that some kind of fraudulent act has been performed, for example, the public key certificate revocation list CRL. Cancels all the processing after using (rejects the authentication of the partner device).

As described above, according to the recording medium copyright protection system 1f of the sixth embodiment, only the latest public key certificate revocation list CRL read from the DVD 2a is the public key certificate. Since the revocation list latest version storage unit 250 holds and uses it, it is possible to avoid the problem of authenticating the partner device using the old public key certificate revocation list CRL. In the sixth embodiment, the file size is used as the method for checking the latest version list, but as a modification, the number of certificates registered in the public key certificate revocation list CRL (serial number The number of entries) may be used to confirm whether the list is the latest version.

Next, the decryption devices 200a-2 for recording media, which are the embodiments of the copyright protection system according to the present invention, will be described.
Regarding the example of applying 00f to an HD-DVD player,
This will be described with reference to the drawings. FIG. 12 is an external view of an HD-DVD player including the decoding devices 200a to 200f for recording media according to the embodiment of the present invention. This HD-
The DVD player 200 displays contents such as movies recorded on the DVDs 2a to 2d on the IC cards 210a to 210f.
Is a system for reproducing using an IC card 210a
~ 210f card insertion slot 2100, DVD
DVD-ROM drive 220 for reproducing 2a to 2d
0, a descrambler 260 and the like mounted inside the main body of the HD-DVD player 200.

The IC cards 210a to 210f are
This is a card in which an IC chip including a CPU is embedded in a plastic card, and it is possible to determine whether or not access is correct when reading or writing data by the processing by the built-in CPU. Therefore, it is very difficult to make unauthorized access or tampering from the outside,
High security can be realized.

By applying the encryption device according to the present invention to such a video reproducing system, the digital copyrighted material recorded on the DVDs 2a to 2d is protected from illegal copying.
We can expect healthy development of multimedia related products in the secondary market.

(Embodiment 7) FIG. 13 is a functional block diagram showing the overall configuration of a recording medium copyright protection system 1g according to the seventh embodiment. In addition, in this copyright protection system for recording media 1g, the first embodiment
The parts corresponding to those of the recording medium copyright protection system 1a will be denoted by the same reference numerals, and the description thereof will be omitted. Differences from the recording medium copyright protection system 1a will be mainly described.

By the way, in the encryption apparatus 100a according to the first embodiment, a bundle of two keys, the device key KD_A,
The content key Kc is stored in the device key bundle storage unit 112 and the content key storage unit 113, respectively, and the content key Kc is encrypted with the bundle of device keys KD_A in which the hash value of the public key revocation list CRL is involved. , A bundle of encrypted content keys is generated, the content is encrypted with the content key Kc, and the encrypted content key is generated. That is, the device key KD_A and the content key K
With c, the secret key is divided into two layers. Such a two-layer structure of the secret key usually provides sufficient encryption strength for an attack.

However, there is a licensor who wants to further improve the encryption strength. Therefore, the terminal device 110e of the encryption device 100e according to the seventh embodiment adopts a three-layered configuration in which the disk key Kd is further added to the above-mentioned device key KD_A and content key Kc as the secret key, and encryption is performed. The strength is further improved.

That is, the terminal device 110e of the encryption device 100e includes the public key revocation list storage unit 111, the device key bundle storage unit 112, the content key storage unit 113, the hash function processing unit 114, and the Ex-OR unit 115. In addition, a hash function processing unit 114 that stores the disk key Kd in advance and Enc units 142 and 143 are provided.
A plurality of disc keys Kd (7
This is a secret key that is provided above the content key for each content in consideration of the inclusion of (about individual pieces) of content.

The Enc unit 142 is the disk key storage unit 14
1, the disk key Kd stored in 1 is encrypted with an exclusive OR value of the hash value Hash and each device key KD_A,
Generate a bunch of encrypted disk keys.

The Enc unit 143 is the content key storage unit 1
The content key Kc stored in 13 is encrypted with the disk key Kd to generate an encrypted content key.

Therefore, the terminal device 160 is the DVD 2e.
On the other hand, in addition to the encrypted content and the public key certificate revocation list CRL, the bundle of encrypted disk keys generated by the Enc units 142 and 143 is bound to the encrypted content key. In response to this, the decoding device 200
content key decryption unit 220f of IC card 210g
Stores only the device key KD_A, and stores the bunch of encrypted disk keys bound to the DVD 2e as the device key KD_A.
The disk key Kd is decrypted by decrypting with A and the hash value of the public key revocation list CRL, and
By decrypting the encrypted content key bound to the DVD 2e with the disc key Kd, the content key Kc
To decrypt. That is, the content key decryption unit 220f
Is a device key storage unit 221 and a hash function processing unit 22.
2. In addition to the Ex-OR unit 223, the Dec processing unit 245,
246 is provided.

The Dec processing unit 245 is used by the descrambler 2
The key of the encrypted disk key passed from 60 is the device key K
The disk key Kd is decrypted by decrypting with the D_A and the hash value of the public key revocation list CRL.

The Dec processing section 246 is provided for the descrambler 2
The encrypted content key passed from 60 is the disk key Kd
The content key Kc is decrypted by decrypting with. Therefore, also in the copyright protection system for recording media 1g according to the seventh embodiment, as in the case of the first embodiment, in order to obtain the key for decrypting the content, the public key bound to the DVD 2e is used. The certificate revocation list CRL must be passed, and not only the unauthorized descrambler 260 that replaces the public key certificate revocation list CRL can be eliminated, but also the secret key is three-layered, so the attack The cryptographic strength against can be increased and the copyright protection can be further strengthened.
Although the secret key has three layers in this embodiment, it may have a multilayer structure. In this case,
It is possible to further increase the encryption strength for attacks.

Further, a confirmation data output unit for outputting to the terminal device 110e, confirmation data as a reference for confirming whether or not the content key decrypted by the decryption device 200g is correct, to the DVD 2e. May be provided. The confirmation data output unit may be configured to output the data obtained by encrypting the data of the predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2e as the confirmation data. The data output unit may be configured to output the data obtained by encrypting the content key with the content key to the DVD 2e as confirmation data. In addition, the content key decryption unit 220f corresponding to the terminal device 110e.
In addition, the content decryption key check unit 228, the content key check unit 242, and the content decryption key check unit 24 which determine whether or not the decrypted content key is a correct key.
It may be configured to include four or the like.

(Embodiment 8) FIG. 14 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1h according to an eighth embodiment. In addition, in this copyright protection system for recording media 1h, the seventh embodiment
The parts corresponding to those of the recording medium copyright protection system 1g will be denoted by the same reference numerals, and the description thereof will be omitted. Differences from the recording medium copyright protection system 1g will be mainly described.

By the way, in the terminal device 110e of the encryption device 100e according to the seventh embodiment, the disk key storage unit 1
The hash value Hash of the disk key Kd stored in 41.
And the device key KD_A are encrypted with an exclusive OR value to generate a bundle of encrypted disk keys, and the content key Kc stored in the content key storage unit 113 is encrypted with the disk key Kd to obtain encrypted content. Generate a key. As a result, in the terminal device 110e, while the encryption strength against the attack increases, the load for the two encryption processes is large. In addition, the content key decryption unit 220f also has a heavy load for two decryption processes.

Therefore, the terminal device 110f related to the encryption device 100f of the copyright protection system 1h for the present recording medium.
Then, instead of the content key storage unit 113, a media ID storage unit 144 that stores a unique media ID and MID for each DVD, and a media ID instead of the Enc unit 143,
Content key Kc based on MID and disk key Kd
By using the one-way function unit 145 for generating the content key Kc and omitting the process of encrypting the content key Kc.
The addition of 0f is reduced. That is, the terminal device 110 f of the encryption device 100 f includes the public key revocation list storage unit 111, the device key bundle storage unit 112, the hash function processing unit 114, the Ex-OR unit 115, the disk key storage unit 141, and the Enc unit 142. In addition, a media ID storage unit 144 and a one-way function unit 145 are further provided.

The one-way function unit 145 uses, for example, Ex-OR.
That is, the content key Kc is generated by substituting the media ID and MID stored in the media ID storage unit 144 and the disc key Kd into the one-way function. The process of generating the content key Kc has a lighter load than the process of generating the encrypted content key by the Enc unit 143 in FIG.

The terminal device 160, for the DVD 2f,
In addition to the public key revocation list CRL and encrypted content, the bundle of encrypted disk keys generated by the Enc unit 142 is bound to the media ID and MID output from the media ID storage unit 144.

In response to this, the IC of the decoding device 200h
The content key decryption unit 220g of the card 210h stores only the device key KD_A, and decrypts the bundle of encrypted disk keys bound to the DVD 2e with the device key KD_A and the hash value of the public key revocation list CRL. , The disk key Kd is decrypted, and the DVD2
A content key Kc is generated based on the media ID and MID bound to e and the disc key Kd. That is, the content key decryption unit 220g includes the device key storage unit 221, the hash function processing unit 222, and the Ex-OR unit 2.
23 and the Dec processing unit 245, a one-way function unit 247 having the same configuration as the one-way function unit 145 is further provided.

The one-way function unit 247 uses the media ID, M
A content key Kc is generated by subjecting the ID to a one-way function process with the disk key Kd. This content key K
The process of generating c has a lighter load than the process of decrypting the content key Kc by the Dec processing unit 246 of FIG. Here, the media ID and MID are easily known because they are bound to the DVD 2f, but the one-way function unit 14
Like the private key, the configurations of 5,247 are difficult to be known.

Therefore, also in the copyright protection system 1h for a recording medium according to the eighth embodiment, as in the case of the first embodiment, in order to obtain the key for decrypting the content, it is bound to the DVD 2a. Public key certificate revocation list CRL
Not only can the undesired descrambler 260 that replaces the public key certificate revocation list CRL be eliminated, but the strength of the encryption is increased, so that the encryption strength against an attack is increased and the protection of copyright is further strengthened. You can
Moreover, the terminal device 110f and the content key decryption unit 22
The load of 0 g can be reduced.

A confirmation data output unit for outputting, to the terminal device 110f, confirmation data as a reference for confirming whether or not the content key decrypted by the decryption device 200h is correct, to the DVD 2f. May be provided. The confirmation data output unit may be configured to output the data obtained by encrypting the data of the predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2f as the confirmation data. The data output unit may output the data obtained by encrypting the content key with the content key to the DVD 2f as confirmation data. Further, the content key decryption unit 220f corresponding to this terminal device 110f
In addition, the content decryption key check unit 228, the content key check unit 242, and the content decryption key check unit 24 which determine whether or not the decrypted content key is a correct key.
It may be configured to include four or the like.

(Ninth Embodiment) FIG. 15 is a functional block diagram showing a partial structure of a recording medium copyright protection system 1i according to a ninth embodiment. In addition, in this copyright protection system for recording media 1i, the first embodiment
The parts corresponding to those of the recording medium copyright protection system 1a will be denoted by the same reference numerals, and the description thereof will be omitted. Differences from the recording medium copyright protection system 1a will be mainly described.

By the way, the medium called DVD can be read by a personal computer (PC),
It has a high affinity with a PC, and at the same time as a DVD drive is attached to the PC, playback software is installed on a hard disk or the like, and this PC can be used as a decryption device like HD-DVD to watch contents. Has been done. Even in this case, the DVD drive may be fraudulent, and it is necessary to protect the copyright as in the case of the HD-DVD.

On the other hand, in the first embodiment, the IC card 21
0a and the descrambler 260 constitute the decoding device 200a, but in the case of a PC, it is general that the DVD drive and the reproduction software constitute the decoding device.
Therefore, in the ninth embodiment, the descrambler 260
Of the authentication processing unit 270 of the IC card 210a and the D of the descrambler 260.
ec processing unit 280 is a DVD playback PC software 500
The decoding device 200i is configured by including it in the. Note that the manufacturer of the DVD drive 400 and the seller of the DVD playback PC software 500 are different.

The DVD drive 400 includes the authentication processing section 27.
The bus authentication public key certificate storage unit 4 has substantially the same configuration as 0.
10, a private key storage unit 420 for bus authentication, a public key decryption unit 430, a key calculation unit 440, and a bus encryption unit 450.

The bus authentication public key certificate storage unit 410 of the DVD drive 400 stores in advance public key certificates for bus authentication such as IDE bus and SCSI bus.
When reproducing the content of 2a, the public key certificate for bus authentication is passed to the DVD reproducing PC software 500.

The bus authentication private key storage unit 420 to the bus encryption unit 450 generate the session key K, and the DVD reproducing PC.
The SAC is formed with the software 500.

The functions of the DVD reproduction PC software 500 are as follows: the certificate validity checking unit 510, the public key validity checking unit 520, the public key encryption unit 530, and the verification unit 540.
A key calculation unit 550, a bus decryption unit 560, a hash function processing unit 570, a device key storage unit 580, and a De key
c processing units 590 and 595. Such units are realized by software, a CPU of a PC, a memory, and the like.

The certificate validity checking unit 510 decrypts the certificate sent from the bus authentication public key certificate storage unit 410 with the public key, and checks whether the certificate is valid.

Upon receiving the notification from the certificate validity checking unit 510 that the certificate is valid, the public key validity checking unit 520 receives the bus authentication public key revocation list CRL received via the DVD drive 400. And the latest public key revocation list CRL for bus authentication read from the latest public key certificate revocation list storage unit 250, it is checked whether the DVD drive 400 has been revoked.

Public key encryption unit 530 to bus decryption unit 560
Is the public key validity check unit 520 to the DVD drive 40.
When 0 is not revoked, that is, when the DVD drive 400 is notified that the DVD drive 400 is valid, the session key K ′ is generated and the SA is exchanged with the DVD drive 400.
It is a portion forming C.

The public key encryption unit 530 calculates the hash value Hash of the public key certificate revocation list CRL.

The device key storage unit 580 stores the device key K
D_A is stored in advance.

The Dec processing unit 590 has a bus decoding unit 560.
The content key Kc is generated based on the encrypted content key output from the device, the hash value Hash output from the hash function processing unit 570, and the device key KD_A. The Dec processing unit 590 decrypts the encrypted content bound to the DVD 2a with the content key Kc,
Generate content.

Next, the authentication process and the like performed between the DVD drive 400 and the DVD reproduction PC software 500 will be described. The public key encryption unit 530 is the DVD drive 400.
Is received, the random number cha is generated, the generated random number cha is encrypted with the public key for bus authentication of the other party, and the encrypted random number cha is transferred to the public key decryption unit 430 of the DVD drive 400. To do.

The public key decryption unit 430 decrypts the encrypted random number cha with the bus authentication secret key stored in the bus authentication secret key storage unit 420 to obtain the random number cha. Then, the public key decryption unit 430 encrypts the random number cha and its own private key with the public key for bus authentication of the other party, transfers the encryption result to the verification unit 540, and also uses the random number cha and the private key as a key. It is passed to the calculation unit 440. The key calculation unit 440
The session key K is calculated based on the random number cha and the secret key, and the session key K is passed to the bus encryption unit 450. The bus encryption unit 450 encrypts the encrypted content key bundle with the session key K and sends the doubly encrypted content key bundle to the DVD playback PC software 500.

On the other hand, the verification unit 540 of the DVD reproduction PC software 500 confirms whether the random number cha obtained by the decryption matches the original random number cha by using its own secret key,
If they match, the random number cha and the other party's secret key are passed to the key calculation unit 550. The key calculation unit 550 uses the random number cha and
The session key K ′ is calculated using the secret key of the other party, and passed to the bus decryption unit 560. The bus decryption unit 560 decrypts the doubly encrypted bundle of content keys with the session key K ′, generates a bundle of encrypted content keys, and outputs the bundle of encrypted content keys to the Dec processing unit 590. .

On the other hand, the hash function processing section 570
The hash value Hash of the CRL output via the D drive 400 is calculated, and the hash value Hash is output to the Dec processing unit 590. The Dec processing unit 590 is, for example,
By calculating the exclusive OR of the bundle of encrypted content keys and the hash value Hash, the content key Kc is decrypted into a value encrypted with the device key KD_A, and further decrypted with the device key KD_A. , And decrypts the content key Kc, and passes the content key Kc to the Dec processing unit 595. The Dec processing unit 595 is the DVD 2a.
The encrypted content bound to the content key Kc
Decrypt with and play the content.

Therefore, the decoding device 200 of the copyright protection system for recording media 1i according to the ninth embodiment.
i, that is, DVD drive 400 and DVD playback PC
Even if the PC is configured with software 500, HD-DV
Similar to D, in order to obtain the key for decrypting the content, the public key certificate revocation list CRL bound to the DVD 2a must be passed, and the public key certificate revocation list CRL is replaced. Such an unauthorized descrambler 260 can be eliminated, and the copyright can be protected.

The decoding device 200i, that is, the PC
Is connected to the Internet, D
When the VD2e is played back, the terminal device 300 is accessed, the latest CRL is downloaded from the terminal device 300, and the DVD drive 4 is loaded using the downloaded latest CRL.
The public key validity check unit 520 may check whether 00 is Revoke.

Also, the decoding device 200i of the ninth embodiment
Then, the DVD drive 400 and the DVD playback PC software 500 are used, but in reality, the DVD playback PC software also has only the so-called “descramble” function, and it is assumed that the licensor supply protection module A is used in combination. To be done. That is, the IC card 210a can be attached to the PC, and the decryption device 200i configured by this PC is used as the DVD drive 400 and the IC card 21.
0a and the DVD playback PC software of the Dec processing unit 595 part.

In this case, the DVD drive 400 and the I
SAC is formed with C card 210a, and IC card 21
0a and the DVD playback PC software of the dec processing unit 595, SAC is formed, and then the encrypted content read by the DVD drive 400 is decrypted with the content key and the content may be played back.

Further, the confirmation data output for outputting to the encryption device 100a the confirmation data as a reference for confirming whether or not the content key decrypted by the decryption device 200i is correct, to the DVD 2a. And a configuration in which the confirmation data output unit outputs data obtained by encrypting the data of a predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2f as confirmation data. When the data output unit is configured to output the data obtained by encrypting the content key with the content key as confirmation data to the DVD 2f, the content key decrypting unit 220i corresponding to the terminal device 110a decrypts the decrypted content key. Content decryption key check unit 228, which determines whether the key is a correct key, Ntsu key checking unit 242 may be configured to include the content decryption key check unit 244 or the like.

The copyright protection system according to the present invention has been described above based on the embodiments.
The present invention is not limited to these embodiments. For example, in the copyright protection system in the above embodiment,
Although the digital work has been transferred via the recording medium called DVD, the present invention can be applied to a system for transferring the digital work via a transmission medium such as the Internet. That is, the copyright protection system according to the present invention can be applied by transmitting to the transmission line instead of recording on the recording medium and receiving from the transmission line instead of reading from the recording medium.

The present invention can also be applied to a system for transferring a digital work by combining a recording medium and a transmission medium. That is, for example, the encrypted content may be provided on a recording medium called a DVD, and the key for decrypting the encrypted content, the CRL, etc. may be provided on the Internet via a transmission medium. Further, the reverse form, that is, the key and the like may be provided by the recording medium, and the encrypted content may be provided by the net distribution by the transmission medium. In the system for transferring a digital work by combining the recording medium and the transmission medium, what is provided by the recording medium among the encrypted contents, keys, etc., and what is provided by net distribution by the transmission medium, It can be set arbitrarily.

In the above embodiment, the copyright protection module (tamper resistant module) is used as the IC card 210a.
˜210f, but as shown in FIG.
Each of the functional configurations of the C cards 210a to 210f may be configured by an LSI 210i integrated on one chip.
The I 210i may be attached to the socket 210j, or may be attached directly to the substrate with solder or the like. Further, in the above embodiment, the IC cards 210a to 210f are described as being supplied by the copyright protection licensor.
The IC cards 210a to 210f or the LSI 210i manufactured by the manufacturer of the decryption devices 200a to 200f may be used.

Further, in the above embodiment, the encryption device 1 of the copyright protection licensor or the content manufacturer.
00a to 100f and the decoding device 200 used by the user
The case where the copyright protection system according to the present invention is applied in a wide area between a to 200f has been described. This copyright protection system can be applied to.

(Embodiment 10) FIG. 17 is a block diagram showing the overall structure of a copyright protection system for encrypted communication of content via a small-scale home LAN.
Is the AV server 100j and each plasma TV 200k, VTR 200m, DVD recorder 200 shown in FIG.
It is a block diagram which shows the structure of n. In FIG. 18, plasma TV 200k, VTR 200m, DVD
Since the configuration of the recorder 200n is the same for the copyright protection mechanism part, the plasma TV 2 is a typical example of these.
Only the 00k configuration is shown.

The copyright protection system 1j comprises a home LAN 30 as a transfer medium, an AV server 100j connected to the home LAN 30, a plasma TV 200k, a VTR 200m and a DVD recorder 200n as clients.

The AV server 100j has a configuration similar to that of the encryption device 100a shown in FIG.
Content received from outside the home is stored in a content storage unit 161 composed of an HDD, etc.
This is a great difference from the case of the encryption device 100a in that the content requested in response to the stored content distribution request from the 200k, VTR 200m, and DVD recorder 200n is distributed via the home LAN 30 via the Internet.

More specifically, the AV server 100j receives content from the broadcasting station 100g via the satellite broadcasting (BS, CS) or terrestrial broadcasting network 3a, or from the content provider server 100h to the Internet network 3b. Receive content via the CATV station 1
00i via the CATV network 3c, and receives the received content from the content storage unit 161.
Accumulate in.

The AV server 100j is provided with a session key storage unit 112a, and when any one of the clients, for example, the plasma TV 200k requests distribution of the stored content stored in the content storage unit 161, this distribution is performed. Plasma TV 200 on request
A SAC is formed with k, the session key Kses obtained when the SAC is formed is stored in the session key storage unit 112a, and the session key Kses is used instead of the device key used in the encryption device 100a. The point that the content key Kc is encrypted by using the device key is largely different from the case of the encryption device 100a that encrypts the content key Kc by using the device key. That is, the point that the session key Kses is used instead of the device key is greatly different from the case of the encryption device 100a.

On the other hand, plasma TV 200k, VTR 20
0m, the DVD recorder 200n has almost the same structure as the decoding device 200a shown in FIG.
A session key storage unit 221a for storing the session key Kses obtained at the time of SAC formation with the V server 100j is provided, and the content key Kc is stored using the session key Kses stored in the session key storage unit 221a. Device key KD_A
Decryption device 20 for decrypting the content key Kc using
It is very different from the case of 0a. That is, device key K
The point that the session key Kses is used instead of D_A is largely different from the case of the decryption device 200a.

Next, A of this copyright protection system 1j
The processing performed by the V server 100j and the plasma TV 200k will be described focusing on the differences from the copyright protection system 1a.

When the AV server 100j receives a content distribution request from the DVD recorder 200n as a client, the AV server 100j performs SAC processing with the plasma TV 200k using elliptic encryption. Then, the session keys Kses having the same value are mutually held, the AV server 100j stores the session key Kses in the session key storage unit 112a, and the copyright protection module 21 of the plasma TV 200k.
The content key decryption unit 220h at 0k stores the session key Kses in the session key storage unit 221a. Next, the Ex-OR unit 115 of the AV server 100j
XORs the session key Kses shared between the plasma TVs 200k and the CRL hash value. Then, the Enc unit 116 uses the value obtained by the Ex-OR unit 115 as a key to encrypt the content key Kc. Then, the Enc unit 162 uses the content key Kc.
Then, the requested content of the AV data is encrypted.
Once the content key and content are encrypted, the AV
The server 100j transmits the encrypted content key and the encrypted content together with the CRL to the plasma TV 200k via the home LAN 30.

The copyright protection module 210k in the plasma TV 200k receives the CRL and encrypted content key transmitted via the home LAN 30, and
The descrambler 260 receives the CRL and the encrypted content. Next, the content key decryption unit 22 in the copyright protection module 210k of the plasma TV 200k
The Ex-OR unit 223 of 0h is the session key storage unit 22.
The session key Kses stored in 1a is XORed with the hash value of the CRL obtained by the hash function processing unit 222. Then, the Dec processing unit 224 sends the E
The content key is decrypted using the value obtained by the x-OR unit 223 as a key. And the plasma TV 20
Based on the CRL sent between the copyright protection module 210k within 0k and the descrambler 260,
SAC processing is performed and the session key KK is shared.

Then, the authentication unit 237 of the copyright protection module 210k encrypts the content key Kc with the shared session key KK and sends it to the descrambler 260, and the authentication unit 277 of the descrambler 260 decrypts the content key Kc. Turn into. The Dec processing unit 280 decrypts the encrypted content with the obtained content key Kc. Therefore, even a client connected to a relatively small network, such as a home or a company, can easily use the content, and moreover, the copyright protection can be thoroughly enforced even to the end client.

In the tenth embodiment, the session key Kses is used instead of the device key.
Between the server 100j and the plasma TV 200k, the secret key K
s may be shared in advance. In this case, the secret key Ks may be used instead of the session key Kses. Also, in order to check in advance whether the decrypted content key is a correct value, the fixed pattern described above is CR
It may be configured such that it is transmitted together with L or the like and can be confirmed in advance in the copyright protection module 210k.

Further, according to the present invention, various encryption devices and decryption devices can be realized by combining the characteristic processes of the above ten embodiments. In other words, in the case of encryption, when (1) each of encryption for a private key and conversion by a one-way function for a media ID is called a layer, the number of layers is 2 layers or 3 layers. It is possible to select whether to use a layer. (2) For the key used for content encryption, select whether to use a content key or a function value obtained by converting the media ID by a one-way function. Is possible, and (3) with regard to the target that involves the hash value of the public key revocation list,
Choice of device key, disk key, content key, media ID, session key, or function value obtained by converting the media ID with a one-way function Is possible.

Therefore, by arbitrarily combining the respective independent parameters (1), (2), and (3), various forms of the encryption device, the decryption device, and the IC card can be realized. be able to. Also, the number of layers for encryption (or decryption) of the above-mentioned secret key is 1 to
The number of layers is not limited to 3 and may be more than 3 layers. In consideration of these variations, the encryption device, the decryption device, and the IC module (secret key generation device) according to the present invention can be expressed as follows.

That is, in the case of the encryption method using the content key, in the encryption device that encrypts the digital work and outputs it to the recording medium or the transmission medium, the first of n (≧ 2) secret keys In the first encryption chain, the digital work is encrypted using the first private key and the (i−1) th private key is encrypted using the i-th (2 ≦ i ≦ n) private key. ~ A method of repeatedly outputting the encrypted first to (n-1) th secret keys to the medium by repeating the (n-1) th secret key, wherein at least one of the first to nth secret keys In encryption using, prior to the encryption,
It is an encryption method characterized in that a private key is transformed using an attribute value that depends on the contents of a public key revocation list, which is a list of information that identifies revoked public key certificates.

Further, in the case of the encryption method using the media ID, in the encryption device which encrypts the digital work and outputs it to the recording medium or the transmission medium, the first of n (≧ 1) secret keys is selected. After the medium identification information is converted by the one-way function using one private key, the digital work is encrypted by the converted medium identification information, and when the n is 2 or more, the i-th (2 ≦ i ≤n) using the private key (i-
1) The encryption chain of encrypting the private key is the first
~ A method of repeatedly outputting the encrypted first to (n-1) th secret keys to the medium by repeating the (n-1) th secret key, wherein at least one of the first to nth secret keys In the encryption or conversion using, (i) prior to the encryption or conversion, an attribute value depending on the contents of the public key revocation list, which is a list of information specifying the revoked public key certificate, is set. The encryption method is characterized in that the secret key is transformed by using it, or (2) the medium identification information obtained by the transformation is transformed by the attribute value. Further, in the case of the decryption method using the content key, in the decryption device for decrypting the encrypted digital work, the encrypted digital work and n (≧ 2) encrypted secret keys are used. After the public key revocation list, which is a list of information specifying the revoked public key certificate, is acquired via a recording medium or a transmission medium, the n encryptions are performed using a private key held in advance. The decryption chain of decrypting the first encrypted secret key of the encrypted secret keys and decrypting the second encrypted secret key with the obtained first secret key is repeated for the n encrypted secret keys. A method for decrypting a digital work with the n-th private key obtained by the last decryption, wherein at least one of the decryptions for the first to n-th encrypted private keys is the decryption. Prior to this, the private key used for decryption A decoding method characterized in that allowed to deform in the attribute value dependent on the contents of the reduction list.

Further, in the case of the decryption method using the media ID, in the decryption apparatus for decrypting the encrypted digital work, the encrypted digital work, the medium identification information, and n (≧ 1). Individual encrypted private keys and a public key revocation list, which is a list of information specifying the revoked public key certificate, are acquired via a recording medium or transmission medium, and then the private key held in advance is The first encrypted secret key of the n encrypted secret keys is decrypted by using the second encrypted secret key when the n is 2 or more, and the first secret key obtained by the decryption is used. The decryption chain of decrypting is repeated for the n encrypted secret keys, the medium identification information is converted by the one-way function using the n-th secret key obtained in the final decryption, and the conversion is performed. How to Decrypt Digital Work After Media Identification Information Accordingly, in at least one of the decryption of the first to nth encrypted secret keys and the conversion of the medium identification information, (1) prior to the decryption or conversion, the secret key used for the decryption or conversion Is transformed with an attribute value depending on the contents of the public key revocation list, or (2) the medium identification information obtained by the transformation is transformed with the attribute value. It is a method of conversion.

[0175]

As is apparent from the above description, the encryption device according to the present invention is an encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium, and stores the digital work. And a first secret key storage means for storing a first secret key used for encryption of the digital work, and a decryption device for decrypting the encrypted digital work. Second secret key storage means for storing a second secret key, public key revocation list storage means for storing a public key revocation list that is a list of information for identifying revoked public key certificates, and the public disclosure. Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the key revocation list storage means, and stored in the second secret key storage means The second done Deformation means for transforming the secret key with the attribute value calculated by the attribute value calculation means, and the first secret key stored in the first secret key storage means with the second secret key transformed by the deformation means. A first encryption unit for encrypting the digital work, a second encryption unit for encrypting the digital work stored in the digital work storage unit with the first secret key stored in the first secret key storage unit, and A public key revocation list stored in the public key revocation list storage means, a first secret key encrypted by the first encryption means, and a digital work encrypted by the second encryption means are recorded on a recording medium. Or output means for outputting to a transmission medium.

As a result, the encrypted digital work and the first digital copy used for the encryption are sent from the encryption device.
The encrypted private key (encrypted first secret key) and the public key revocation list are output, and the encrypted first secret key is the second secret associated with the decryption device. The first secret key is not simply encrypted with the key, but is encrypted with the second secret key involved in the public key revocation list. Therefore, these encrypted digital works,
When the decryption device receives the encrypted first private key and the public key revocation list, the public key revocation list is used for the involvement of the public key revocation list in the case where the public key revocation list has been replaced. The content will be different,
The encrypted first secret key cannot be decrypted into the original first secret key using the second secret key thus modified, and therefore the encrypted digital work cannot be correctly decrypted. . Therefore, it is possible to safely transfer a digital work having a defense function against a public key revocation list replacement attack.

Here, the encryption device further records confirmation data as a reference for confirming whether or not the first secret key decrypted by the decryption device is correct. A confirmation data output means for outputting to a medium or a transmission medium may be provided. For example, the confirmation data output means may use the data obtained by encrypting the data of a predetermined fixed pattern with the first secret key stored in the first secret key storage means as the confirmation data in the recording medium or the transmission medium. The confirmation data output means outputs the data obtained by encrypting the first secret key stored in the first secret key storage means with the first secret key as the confirmation data. May be output to.

As a result, the decryption device, which has received the encrypted digital work, the encrypted first secret key, and the public key revocation list output from this encryption device, is subjected to the replacement attack of the public key revocation list. Since it is possible to determine whether or not it has been possible to restore the correct first secret key, the useless process of decrypting the digital work with the wrong first secret key is avoided in advance. It becomes possible to do.

Further, the encryption device according to the present invention is an encryption device for encrypting a digital work which is a digital work and outputting it to a recording medium or a transmission medium, and a digital work which stores the digital work. Storage means, first secret key storage means for storing a first secret key used for encryption of the digital work, and second secret key associated with a decryption device for decrypting the encrypted digital work. A second private key storage means, a public key revocation list storage means for storing a public key revocation list that is a list of information for specifying the revoked public key certificate, and the first secret key storage First encryption means for encrypting the first secret key stored in the means with the second secret key stored in the second secret key storage means, and a public key stored in the public key revocation list storage means Based on revocation list An attribute value calculating means for calculating an attribute value that depends on the contents of the public key revocation list, the first
Deformation means for transforming the first secret key stored in the secret key storage means with the attribute value calculated by the attribute value calculation means, and digital work stored in the digital work storage means by the transformation means Second encryption means for encrypting with the generated first secret key, public key revocation list stored in the public key revocation list storage means, first secret key encrypted by the first encryption means And output means for outputting the digital work encrypted by the second encryption means to a recording medium or a transmission medium.

As a result, the encrypted digital work and the first digital copy used for the encryption are sent from the encryption device.
The encrypted private key (encrypted first private key) and the public key revocation list are output, but the encrypted digital work is simply encrypted with the first private key. Instead, it is encrypted with the modified first secret key in which the public key revocation list is involved in the first secret key. Therefore, when the decryption device receives the encrypted digital work, the encrypted first private key, and the public key revocation list, if the public key revocation list has been replaced, the decrypted first private key The contents of involvement by the public key revocation list with respect to are different, and the encrypted digital work cannot be correctly decrypted using the first secret key thus modified. Therefore, it is possible to safely transfer a digital work having a defense function against a public key revocation list replacement attack.

Further, similarly to the above, the encryption data output from this encryption device is output by attaching the confirmation data relating to the one in which the public key revocation list is involved to the first secret key and outputting it from the encryption device. The decryption device, which has received the encrypted digital work, the encrypted first private key, and the public key revocation list, is used to determine whether the public key revocation list has been replaced, that is, is used for encrypting the digital work. Since it is possible to determine whether or not the correct private key could be restored, it is possible to avoid in advance the useless processing of decrypting the digital work with the wrong private key.

Further, the encrypted communication device according to the present invention is a device which performs encrypted communication with the partner device by using the public key of the partner device, and is a list of information specifying the revoked public key certificate. A storage unit that stores the key revocation list, an acquisition unit that acquires a new public key revocation list, a size of the acquired public key revocation list, and a public key revocation list stored in the storage unit. The size of the obtained public key revocation list is compared with the size, and the obtained public key revocation list is stored in the storage unit and updated, and a storage unit stored in the storage unit. The public key revocation list is referred to determine the validity of the public key of the partner device, and when it is determined to be valid, the public key is used to perform cryptographic communication with the partner device. . Similarly, instead of the storage means, the number of the certificates shown in the obtained public key revocation list and the number of the certificates shown in the public key revocation list stored in the storage means. When the number of the certificates shown in the obtained public key revocation list is large, the obtained public key revocation list is stored in the storage means and updated as storage means. You can also

As a result, the number of public key certificates registered in the public key certificate revocation list increases with the passage of time, so that the encrypted communication device has a larger size (or A public key certificate revocation list (which has a large number of registrations), that is, a more recent public key certificate revocation list can always be held.

As described above, according to the present invention, it is possible to safely transfer a digital work against attacks such as replacement of the public key certificate revocation list, and to record on a transmission line such as the Internet or a DVD. Today, the distribution and distribution of digital works via media have become active, and their practical value is extremely high.

[Brief description of drawings]

FIG. 1 is a functional block diagram showing an overall configuration of a copyright protection system for recording media according to a first embodiment.

FIG. 2 is a diagram showing a configuration example of a public key certificate revocation list CRL.

FIG. 3 is a diagram showing a configuration example of a public key certificate for copyright protection licensor.

FIG. 4 is a diagram showing a configuration example of a public key certificate for a player maker.

FIG. 5 is a diagram showing a sequence of processing performed between the IC card 210a and the descrambler 260 of the decryption device 200a.

FIG. 6 is a functional block diagram showing the overall configuration of a recording medium copyright protection system 1b according to the second embodiment.

FIG. 7 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1c according to a third embodiment.

FIG. 8 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1d according to a fourth embodiment.

FIG. 9 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1e according to a fifth embodiment.

FIG. 10 is a functional block diagram showing the overall configuration of a recording medium copyright protection system 1f according to a sixth embodiment.

11A is a flowchart of a confirmation determination process performed by a latest version detection processing unit 2391 of FIG. 10, and FIG. 11B is a flowchart of a latest version list reading process.

FIG. 12 is an external view when the decoding devices 200a to 200f for recording media according to the first and second embodiments are applied to an HD-DVD player.

FIG. 13 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1g according to a seventh embodiment.

FIG. 14 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1h according to an eighth embodiment.

FIG. 15 is a functional block diagram showing an overall configuration of a recording medium copyright protection system 1i according to a ninth embodiment.

FIG. 16 is a diagram showing an implementation example when the copyright protection module is configured by an LSI.

FIG. 17 is a block diagram showing the overall configuration of a copyright protection system that encrypts and communicates content via a small-scale home LAN.

18 is a block diagram showing the configurations of an AV server 100j and a plasma TV 200k shown in FIG.

[Explanation of symbols]

1a to 1j Copyright protection system 2a to 2f DVD 30 Home LAN 100a to 100f Encryption device 100j AV server 110a to 110f, 160, 300
Terminal device 111 Public key revocation list storage unit 112 Device key bundle storage unit 113 Content key storage unit 114, 222 Hash function processing unit 115, 118, 223, 226 Ex-OR unit 116, 117, 131, 142, 143, 162 , 2
41 Enc unit 119 Fixed pattern storage unit 144 Media ID storage unit 145, 247 One-way function unit 161 Content storage unit 200 HD-DVD player 200a to 200i Decoding device 210a to 210h IC card 210 LSI 210k Copyright protection module 220a to 220i Content key decryption unit 221 Device key storage unit 222 Hash function processing units 224, 225, 227, 243, 280
Dec processing unit 228, 244 content decryption key check unit 242 content key check unit 230, 270 authentication processing unit 239 public key revocation list latest version storage processing unit 2391 latest version detection processing unit 2392 latest version detection information storage unit 2393 storage unit 250 Public key certificate revocation list Latest version storage 260 Descrambler 400 DVD drive 500 DVD playback PC software

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04L 9/00 675D (72) Inventor Takahiro Nagai 1006 Kadoma, Kadoma-shi, Osaka Prefecture Matsushita Electric Industrial Co., Ltd. ( 72) Inventor Hideshi Ishihara 1006, Kadoma, Kadoma-shi, Osaka Prefecture F-term (reference) inside Matsushita Electric Industrial Co., Ltd. (reference) NA38 NA40 NA41 NA42

Claims (83)

[Claims] 1. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, the device being a digital work storing means for storing the digital work and a device used for encrypting the digital work. A first secret key storage means for storing a first secret key; a second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work; Based on the public key revocation list stored in the public key revocation list storage means for storing a public key revocation list which is a list of information specifying the public key certificate An attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list, and an attribute value calculated by the attribute value calculation means for the second secret key stored in the second secret key storage means. Transformed by And a first secret key that is encrypted by the second secret key that is transformed by the transforming unit.
Encryption means, second encryption means for encrypting the digital work stored in the digital work storage means with the first secret key stored in the first secret key storage means, and the public key invalidation The public key revocation list stored in the list storage means, the first secret key encrypted by the first encryption means, and the digital work encrypted by the second encryption means are recorded on a recording medium or a transmission medium. An encryption device, comprising: output means for outputting. 2. The encryption device further includes confirmation data serving as a reference for confirming whether or not the first secret key decrypted by the decryption device is correct. The encryption apparatus according to claim 1, further comprising confirmation data output means for outputting to a medium. 3. The confirmation data output means is data obtained by encrypting data of a predetermined fixed pattern with a first secret key stored in the first secret key storage means as the confirmation data on the recording medium or The encryption device according to claim 2, wherein the encryption device outputs to a transmission medium. 4. The confirmation data output means is the recording medium or transmission, wherein the confirmation data is data obtained by encrypting the first secret key stored in the first secret key storage means with the first secret key. The encryption device according to claim 2, wherein the encryption device outputs the data to a medium. 5. The attribute value calculation means calculates a hash value of the public key revocation list as the attribute value, and the transformation means calculates an exclusive OR of the second secret key and the hash value. The encryption device according to claim 1, wherein the second secret key is transformed by taking the second secret key. 6. An encryption device for encrypting a digital work, which is a digital work, and outputting it to a recording medium or a transmission medium, the digital work storing means storing the digital work, and the encryption code of the digital work. Secret key storage means for storing a first secret key used for encryption, and second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work. A public key revocation list storage means for storing a public key revocation list which is a list of information for specifying the revoked public key certificate; and a first secret key stored in the first secret key storage means. Based on the public key revocation list stored in the public key revocation list storage means, and the first encryption means for encrypting the above with the second secret key stored in the second secret key storage means. Key revocation list Attribute value calculation means for calculating an attribute value depending on contents; transformation means for transforming the first secret key stored in the first secret key storage means with the attribute value calculated by the attribute value calculation means; Second encryption means for encrypting the digital work stored in the digital work storage means with the first secret key transformed by the transformation means; and the public key revocation stored in the public key revocation list storage means. An encryption list, a first secret key encrypted by the first encryption means, and an output means for outputting the digital work encrypted by the second encryption means to a recording medium or a transmission medium. And encryption device. 7. The encryption device further includes confirmation data serving as a reference for confirming whether or not the first secret key decrypted by the decryption device is correct. 7. The encryption device according to claim 6, further comprising confirmation data output means for outputting to a medium. 8. The confirmation data output means outputs data obtained by encrypting data of a predetermined fixed pattern with the first secret key transformed by the transformation means as the confirmation data to the recording medium or transmission medium. The encryption device according to claim 7, wherein 9. The confirmation data output means outputs the data obtained by encrypting the first secret transformed by the transformation means with the first secret key to the recording medium or the transmission medium as the confirmation data. The encryption device according to claim 7, characterized in that. 10. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, wherein the digital work storage means stores the digital work, and a medium used for encrypting the digital work. Medium identification information storage means for storing identification information, first secret key storage means for storing a first secret key associated with a decryption device for decrypting an encrypted digital work, and revoked disclosure Public key revocation list storage means for storing a public key revocation list, which is a list of information for identifying key certificates, and based on the public key revocation list stored in the public key revocation list storage means, Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list; and an attribute value calculated by the attribute value calculation means for the first secret key stored in the first secret key storage means. Transforming means for transforming the medium identification information, function transforming means for transforming the medium identification information stored in the medium identifying information storage means and the first secret key transformed by the transforming means into a one-way function for transformation. Second encryption means for encrypting the digital work stored in the digital work storage means with the function value obtained by the function conversion means; and the public key revocation stored in the public key revocation list storage means. A cipher comprising a list, medium identification information stored in the medium identification information storage means, and output means for outputting the digital work encrypted by the second encryption means to a recording medium or a transmission medium. Device. 11. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, wherein the digital work storage means stores the digital work, and a medium used for encrypting the digital work. Medium identification information storage means for storing identification information, first secret key storage means for storing a first secret key associated with a decryption device for decrypting an encrypted digital work, and revoked disclosure Public key revocation list storage means for storing a public key revocation list, which is a list of information for specifying key certificates, medium identification information stored in the medium identification information storage means, and the first secret key storage means. Function conversion means for inputting and converting the stored first secret key into a one-way function, and based on the public key revocation list stored in the public key revocation list storage means, the public key revocation An attribute value calculation means for calculating an attribute value depending on the contents of the conversion list; a transformation means for transforming the function value obtained by the function conversion means with the attribute value calculated by the attribute value calculation means; A digital copyrighted material stored in a physical storage means is encrypted with the attribute value transformed by the transforming means.
Encryption means, public key revocation list stored in the public key revocation list storage means, medium identification information stored in the medium identification information storage means, and digital work encrypted by the first encryption means An encryption device, comprising: an output unit that outputs an object to a recording medium or a transmission medium. 12. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, comprising: a digital work storage means for storing the digital work; and a device used for encrypting the digital work. A first secret key storage means for storing a first secret key; a second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work; Third secret key storage means for storing a third secret key used for encrypting the secret key, and a public key revocation store for storing a public key revocation list that is a list of information specifying the revoked public key certificate And an attribute value calculation unit that calculates an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the public key revocation list storage unit, Second secret Deformation means for deforming the second secret key stored in the storage means with the attribute value calculated by the attribute value calculation means; and Deformation means for deforming the third secret key stored in the third secret key storage means. First encrypted with the generated second secret key
An encryption means; a second encryption means for encrypting the first secret key stored in the first secret key storage means with a third secret key stored in the third secret key storage means; Third encryption means for encrypting the digital work stored in the object storage means with the first secret key stored in the first secret key storage means, and public disclosure stored in the public key revocation list storage means Key revocation list, third secret key encrypted by the first encryption means, first encryption key encrypted by the second encryption means
An encryption device, comprising: a secret key and an output unit that outputs the digital work encrypted by the third encryption unit to a recording medium or a transmission medium. 13. The encryption device further includes confirmation data serving as a reference for confirming whether or not the third secret key decrypted by the decryption device is correct. 13. The encryption device according to claim 12, further comprising confirmation data output means for outputting to a medium. 14. The confirmation data output means is data obtained by encrypting data of a predetermined fixed pattern with a third secret key stored in the third secret key storage means as the confirmation data on the recording medium or 14. The encryption device according to claim 13, wherein the encryption device outputs to a transmission medium. 15. The confirmation data output means is the third device.
14. The cipher according to claim 13, wherein data obtained by encrypting the third secret key stored in the secret key storage means with the third secret key is output to the recording medium or the transmission medium as the confirmation data. Device. 16. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, the device being a digital work storage means for storing the digital work and a device used for encrypting the digital work. A first secret key storage means for storing a first secret key; a second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work; Third secret key storage means for storing a third secret key used for encrypting the secret key, and a public key revocation store for storing a public key revocation list that is a list of information specifying the revoked public key certificate Encryption list storage means, first encryption means for encrypting the third secret key stored in the third secret key storage means with the second secret key stored in the second secret key storage means, and the public disclosure Stored in key revocation list storage means An attribute value calculation unit that calculates an attribute value that depends on the content of the public key revocation list based on the public key revocation list that has been created; and a third secret key stored in the third secret key storage unit. Transforming means for transforming with the attribute value calculated by the attribute value calculating means, and second encryption for encrypting the first secret key stored in the first secret key storage means with the attribute value transformed by the transforming means. Means, third encryption means for encrypting the digital work stored in the digital work storage means with the first secret key stored in the first secret key storage means, and the public key revocation list storage The public key revocation list stored in the means, the third secret key encrypted by the first encryption means, the first secret key encrypted by the second encryption means
An encryption device, comprising: a secret key and an output unit that outputs the digital work encrypted by the third encryption unit to a recording medium or a transmission medium. 17. An encryption device for encrypting a digital work and outputting the same to a recording medium or a transmission medium, the digital work storing means storing the digital work, and a device used for encrypting the digital work. A first secret key storage means for storing a first secret key; a second secret key storage means for storing a second secret key associated with a decryption device for decrypting an encrypted digital work; Third secret key storage means for storing a third secret key used for encrypting the secret key, and a public key revocation store for storing a public key revocation list that is a list of information specifying the revoked public key certificate Encryption list storage means, first encryption means for encrypting the third secret key stored in the third secret key storage means with the second secret key stored in the second secret key storage means, and the first encryption means 1 stored in the secret key storage means Second encryption means for encrypting the secret key with the third secret key encrypted by the first encryption means; and a public key revocation list stored in the public key revocation list storage means, Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list, and the first secret key stored in the first secret key storage means with the attribute value calculated by the attribute value calculation means. Transforming means for transforming, third encrypting means for encrypting the digital work stored in the digital literary work storing means with the first secret key transformed by the transforming means, and the public key revocation list storing means The public key revocation list stored in the third key, the third secret key encrypted by the first encryption means, and the first secret key encrypted by the second encryption means.
An encryption device, comprising: a secret key and an output unit that outputs the digital work encrypted by the third encryption unit to a recording medium or a transmission medium. 18. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, wherein the digital work storage means stores the digital work, and a medium used for encrypting the digital work. Medium identification information storage means for storing identification information; first secret key storage means for storing a first secret key associated with a decryption device for decrypting an encrypted digital work; Second secret key storage means for storing a second secret key used for encryption, and a public key revocation list storage for storing a public key revocation list that is a list of information specifying a revoked public key certificate Means for calculating attribute values depending on the contents of the public key revocation list stored in the public key revocation list storage means; Deformation means for transforming the first secret key stored in the secret key storage means with the attribute value calculated by the attribute value calculation means, and the transformation means for transforming the second secret key stored in the second secret key storage means. First encrypted with the first secret key modified by
Encryption means, and function conversion means for inputting and converting the medium identification information stored in the medium identification information storage means and the second secret key stored in the second secret key storage means into a one-way function. A second encryption means for encrypting the digital work stored in the digital work storage means with the function value obtained by the function conversion means; and a public key stored in the public key revocation list storage means. The revocation list, the second secret key encrypted by the first encryption means, the medium identification information stored in the medium identification information storage means, and the digital work encrypted by the third encryption means are recorded. An encryption device, comprising: an output unit that outputs to a medium or a transmission medium. 19. The encryption device further includes confirmation data serving as a reference for confirming whether or not the second secret key decrypted by the decryption device is correct. 19. The encryption device according to claim 18, further comprising confirmation data output means for outputting to a medium. 20. The confirmation data output means uses the data obtained by encrypting data of a predetermined fixed pattern with a second secret key stored in the second secret key storage means as the confirmation data on the recording medium or The encryption device according to claim 19, wherein the encryption device outputs to a transmission medium. 21. The confirmation data output means is the recording medium or transmission, wherein the confirmation data is data obtained by encrypting a second secret key stored in the second secret key storage means with the second secret key. The encryption device according to claim 19, wherein the encryption device outputs to a medium. 22. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, the digital work storing means storing the digital work, and a medium used for encrypting the digital work. Medium identification information storage means for storing identification information; first secret key storage means for storing a first secret key associated with a decryption device for decrypting an encrypted digital work; Second secret key storage means for storing a second secret key used for encryption, and a public key revocation list storage for storing a public key revocation list that is a list of information specifying a revoked public key certificate Means, first encryption means for encrypting the second secret key stored in the second secret key storage means with the first secret key stored in the first secret key storage means, and the public key invalidation List storage means An attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the stored public key revocation list; and a second secret key stored in the second secret key storage means. Deformation means for deforming with the attribute value calculated by the attribute value calculation means, medium identification information stored in the medium identification information storage means, and the second secret key transformed by the deformation means into a one-way function. A function converting means for inputting and converting; a second encrypting means for encrypting a digital work stored in the digital work storing means with a function value obtained by the function converting means; The public key revocation list stored in the list storage means, the second secret key encrypted by the first encryption means, the medium identification information stored in the medium identification information storage means, and the third encryption means. Dark Encryption device and an outputting means for outputting of digital work into the recording medium or a transmission medium. 23. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, the digital work storing means storing the digital work, and a medium used for encrypting the digital work. Medium identification information storage means for storing identification information; first secret key storage means for storing a first secret key associated with a decryption device for decrypting an encrypted digital work; Second secret key storage means for storing a second secret key used for encryption, and a public key revocation list storage for storing a public key revocation list that is a list of information specifying a revoked public key certificate Means, first encryption means for encrypting the second secret key stored in the second secret key storage means with the first secret key stored in the first secret key storage means, and the medium identification information storage Memorized by means Stored in the public key revocation list storage means; function conversion means for inputting the converted medium identification information and the second secret key stored in the second secret key storage means into a one-way function for conversion. Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list, and the function value obtained by the function conversion means is calculated by the attribute value calculation means. A transforming means for transforming with the attribute value, and a second encrypting the digital work stored in the digital work storing means with the function value transformed by the transforming means.
Encryption means, public key revocation list stored in the public key revocation list storage means, second secret key encrypted by the first encryption means, medium stored in the medium identification information storage means An encryption device comprising: identification information and output means for outputting the digital work encrypted by the second encryption means to a recording medium or a transmission medium. 24. A decryption device for obtaining and decrypting an encrypted digital work via a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. An acquisition means for acquiring, via a recording medium or a transmission medium, a public key revocation list that is a list of information specifying the encrypted first private key and the revoked public key certificate obtained by encrypting the first private key. A second secret key storage means for storing a second secret key unique to the decryption device, and an attribute value depending on the contents of the public key revocation list, based on the obtained public key revocation list Attribute value calculation means, a transformation means for transforming the second secret key stored in the second secret key storage means with the attribute value calculated by the attribute value calculation means, and an encryption obtained by the acquisition means. Modified the first secret key The decrypted with the second private key that has been deformed by the step 1
It is characterized by further comprising decryption means and second decryption means for decrypting the encrypted digital work obtained by the obtaining means with the first secret key decrypted by the first decrypting means. Decoding device. 25. The attribute value calculation means calculates a hash value of the public key revocation list as the attribute value, and the transformation means calculates an exclusive OR of the second secret key and the hash value. 25. The decryption device according to claim 24, wherein the second secret key is transformed by taking the second secret key. 26. A decryption device for obtaining and decrypting an encrypted digital work via a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. An acquisition unit that acquires, via a recording medium or a transmission medium, a public key revocation list that is a list of information that identifies the encrypted first private key and the revoked public key certificate that are obtained by encrypting the first private key. A second secret key storage means for storing a second secret key unique to the decryption device; and a second secret key storage means for storing the encrypted first secret key obtained by the obtaining means. First decryption means for decrypting with a private key, and attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list acquired by the acquisition means Decoding by the first decoding means Deformation means for transforming the generated first secret key with the attribute value calculated by the attribute value calculation means, and the encrypted digital work obtained by the acquisition means by the first secret key transformed by the deformation means. Second to decrypt
A decoding device comprising: a decoding unit. 27. A decryption device for obtaining and decrypting an encrypted digital work via a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. Acquiring means for acquiring a public key revocation list, which is a list of medium identification information and information specifying the revoked public key certificate, via a recording medium or a transmission medium, and a first secret unique to the decryption device. First secret key storage means for storing a key, attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the obtained public key revocation list, and the first secret Deformation means for deforming the first secret key stored in the key storage means with the attribute value calculated by the attribute value calculation means, medium identification information acquired by the acquisition means, and first deformed by the deformation means. Private key To a one-way function for conversion, and first decryption means for decrypting the encrypted digital work acquired by the acquisition means with the function value obtained by the function conversion means. A decoding device comprising. 28. A decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. Acquiring means for acquiring a public key revocation list, which is a list of medium identification information and information specifying the revoked public key certificate, via a recording medium or a transmission medium, and a first secret unique to the decryption device. First secret key storage means for storing a key; medium identification information acquired by the acquisition means;
Based on the obtained public key revocation list, the function conversion means for inputting and converting the first secret key stored in the private key storage means into the one-way function, and the contents of the public key revocation list Attribute value calculating means for calculating a dependent attribute value, deforming means for deforming the function value obtained by the function converting means with the attribute value calculated by the attribute value calculating means, and the cipher obtained by the obtaining means And a first decoding unit for decoding the digitalized digital work with the attribute value transformed by the transforming unit. 29. A decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. An encrypted first secret key that encrypts the first secret key, an encrypted second secret key that encrypts the second secret key used to encrypt the first secret key, and a revoked public key certificate. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of information specifying the third secret key storing means for storing a third secret key unique to the decryption apparatus. An attribute value calculation unit that calculates an attribute value that depends on the content of the public key revocation list based on the obtained public key revocation list, and a third secret key stored in the third secret key storage unit. Change with the attribute value calculated by the attribute value calculation means. And deforming means for, first of decoded encrypted second private key acquired by the acquisition unit in the third secret key which is deformed by said deforming means
Decryption means, second decryption means for decrypting the encrypted first secret key acquired by the acquisition means with the second secret key decrypted by the first decryption means, and acquired by the acquisition means And a third decryption unit that decrypts the encrypted digital work that has been decrypted with the first secret key decrypted by the second decryption unit. 30. A decryption device that obtains and decrypts an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. An encrypted first secret key that encrypts the first secret key, an encrypted second secret key that encrypts the second secret key used to encrypt the first secret key, and a revoked public key certificate. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of information specifying the third key; First decryption means for decrypting the encrypted second secret key obtained by the obtaining means with the third secret key stored in the third secret key storage means, and based on the obtained public key revocation list Attributes that depend on the contents of the public key revocation list Attribute value calculation means for calculating the second secret key decrypted by the first decryption means with the attribute value calculated by the attribute value calculation means, and the encryption obtained by the acquisition means. A second decrypting the encrypted first secret key with the second secret key transformed by the transforming means;
It is characterized by comprising decryption means and third decryption means for decrypting the encrypted digital work obtained by the obtaining means with the first secret key decrypted by the second decrypting means. Decoding device. 31. A decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. An encrypted first secret key that encrypts the first secret key, an encrypted second secret key that encrypts the second secret key used to encrypt the first secret key, and a revoked public key certificate. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of information specifying the third secret key storing means for storing a third secret key unique to the decryption apparatus. First decryption means for decrypting the encrypted second secret key acquired by the acquisition means with a third secret key stored in the first secret key storage means; and an encrypted first secret key acquired by the acquisition means. 1 private key is decrypted by the first decryption means Second decryption means for decrypting with two secret keys; attribute value calculation means for calculating an attribute value depending on the content of the public key revocation list based on the acquired public key revocation list; 2 Deformation means for transforming the first secret key decrypted by the decryption means with the attribute value calculated by the attribute value calculation means, and the encrypted digital work acquired by the acquisition means by the deformation means And a third decryption means for decrypting the decrypted first secret key. 32. A decryption device which obtains and decrypts an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. A public key revocation, which is a list of medium identification information, an encrypted first private key obtained by encrypting the first private key used to encrypt the medium identification information, and information specifying the revoked public key certificate. Based on the acquisition means for acquiring the list via the recording medium or the transmission medium, the second secret key storage means for storing the second secret key unique to the decryption device, and the acquired public key revocation list, An attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list, and a second secret key stored in the second secret key storage means with the attribute value calculated by the attribute value calculation means. Deforming means for deforming, and The To decoded encrypted first private key acquired by the second private key that has been deformed by the deforming means by resulting unit 1
The decryption means, the medium identification information acquired by the acquisition means, and the first
The function conversion means for inputting and converting the one-way function with the first secret key decrypted by the decryption means, and the encrypted digital work acquired by the acquisition means are obtained by the function conversion means. A decoding device comprising: a second decoding means for decoding with a function value. 33. A decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. A public key revocation, which is a list of medium identification information, an encrypted first secret key obtained by encrypting the first secret key used to encrypt the medium identification information, and information specifying the revoked public key certificate. An acquisition unit that acquires the list via a recording medium or a transmission medium, a second secret key storage unit that stores a second secret key unique to the decryption device, and an encrypted first secret acquired by the acquisition unit. First decryption means for decrypting the key with the second secret key stored in the second secret key storage means, and based on the obtained public key revocation list, depending on the contents of the public key revocation list Attribute value calculator that calculates the attribute value A transformation means for transforming the first secret key decrypted by the first decryption means with the attribute value calculated by the attribute value calculation means; medium identification information obtained by the acquisition means; and the transformation means The function conversion means for inputting and converting the attribute value modified by the one-way function, and the encrypted digital work acquired by the acquisition means are decrypted by the function value obtained by the function conversion means. A decoding device comprising: a second decoding means. 34. A decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium, the encrypted digital work being used for the encryption thereof. A public key revocation, which is a list of medium identification information, an encrypted first secret key obtained by encrypting the first secret key used to encrypt the medium identification information, and information specifying the revoked public key certificate. An acquisition unit that acquires the list via a recording medium or a transmission medium, a second secret key storage unit that stores a second secret key unique to the decryption device, and an encrypted first secret acquired by the acquisition unit. First decryption means for decrypting the key with the second secret key stored in the second secret key storage means, medium identification information obtained by the obtaining means, and the first
Depending on the content of the public key revocation list, based on the function conversion means for inputting and converting the first secret key decrypted by the decryption means into the one-way function, and the obtained public key revocation list Attribute value calculation means for calculating the attribute value, transformation means for transforming the function value obtained by the function conversion means with the attribute value calculated by the attribute value calculation means, and encryption obtained by the acquisition means A second decoding means for decoding the digital work with the function value transformed by the transforming means. 35. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list that is a list of information specifying the encrypted first private key and the revoked public key certificate that have encrypted the first private key. And a second secret key storing a second secret key unique to the secret key generation device.
Private key storage means, attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the acquired public key revocation list, and stored in the second secret key storage means. A transforming unit that transforms the second secret key with the attribute value calculated by the attribute value calculating unit; First to decrypt
Decoding means and output means for outputting the first secret key decrypted by the first decrypting means to the decryption device as a secret key for decrypting the digital work. Private key generation device. 36. The secret key generation device further determines whether or not the first secret key decrypted by the first decryption means is a correct first secret key used to encrypt the digital work. 36. The private key generation device according to claim 35, further comprising a determination means for determining. 37. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the acquired confirmation data is decrypted by the first decryption means. And a confirmation data decryption unit for decrypting with the first secret key, and whether or not the data obtained by the decryption by the confirmation data decryption unit matches a predetermined fixed pattern. 37. The secret key generation device according to claim 36, further comprising a determination unit that determines that the first secret key is correct. 38. The determination means includes a confirmation data acquisition unit that acquires confirmation data as a reference for the determination from the recording medium or the transmission medium, and a first secret key decrypted by the first decryption means. A first secret key encryption unit that encrypts with the first secret key, and a first secret key encrypted by the first secret key encryption unit matches the confirmation data acquired by the confirmation data acquisition unit. 37. The secret key generation device according to claim 36, further comprising: a determination unit that determines whether or not the first secret key is correct when they match. 39. The confirmation means obtains confirmation data from the recording medium or the transmission medium, the confirmation data being a reference of the determination, and the confirmation data obtained by the confirmation data acquisition portion is decrypted by the first decoding. A confirmation data decryption unit that decrypts with the first secret key decrypted by the decryption unit, a value decrypted by the confirmation data decryption unit, and a first secret key decrypted by the first decryption unit 37. The secret key generation device according to claim 36, further comprising: a determination unit that determines whether or not and that the first secret key is correct when they match. 40. The attribute value calculation means calculates a hash value of the public key revocation list as the attribute value, and the transformation means calculates an exclusive OR of the second secret key and the hash value. 36. The private key generation device according to claim 35, wherein the second private key is modified by taking the above. 41. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list that is a list of information specifying the encrypted first private key and the revoked public key certificate that have encrypted the first private key. A second secret key storage means for storing a second secret key unique to the decryption device; and an encrypted first secret key obtained by the obtaining means, stored in the second secret key storage means. 2 first decryption means for decrypting with a private key, and attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list acquired by the acquisition means And decoding by the first decoding means Deformation means for transforming the generated first secret key with the attribute value calculated by the attribute value calculation means, and the first secret key transformed by the deformation means as a secret key for decrypting the digital work. An output device for outputting the secret key. 42. The private key generation device further determines whether or not the first private key modified by the modifying unit is a correct first private key used for encryption of the digital work. 42. The private key generation device according to claim 41, further comprising means. 43. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the acquired confirmation data is transformed by the deforming means.
It is determined whether the confirmation data decryption unit that decrypts with the private key and the data obtained by the decryption by the confirmation data decryption unit match a predetermined fixed pattern, and if they match, the first 43. The secret key generation device according to claim 42, further comprising a determination unit that determines that the secret key is correct. 44. The confirmation means acquires a confirmation data from the recording medium or the transmission medium, the confirmation data obtaining section being a reference of the determination, and the first secret key transformed by the transforming means to the first secret. A first secret key encryption unit that encrypts with a key, and whether the first secret key encrypted by the first secret key encryption unit matches the confirmation data acquired by the confirmation data acquisition unit. 43. The private key generation device according to claim 42, further comprising: a determination unit that determines that the first secret key is correct if determined and matched. 45. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the confirmation data acquired by the confirmation data acquisition unit by the transformation unit. A confirmation data decryption unit that decrypts with the modified first secret key, and whether or not the value decrypted by the confirmation data decryption unit and the first secret key modified by the transformation unit match. 43. The private key generation device according to claim 42, further comprising: a determination unit that determines that the first secret key is correct if determined and matched. 46. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of the medium identification information and the information specifying the revoked public key certificate, and a first unit unique to the decryption apparatus. A first secret key storing means for storing a secret key; an attribute value calculating means for calculating an attribute value depending on the contents of the public key revocation list based on the obtained public key revocation list; Deformation means for deforming the first secret key stored in the secret key storage means with the attribute value calculated by the attribute value calculation means, medium identification information acquired by the acquisition means, and deformation by the deformation means. 1 private key A function conversion means for inputting and converting into a one-way function, and an output means for outputting the function value obtained by the function conversion means to the decryption device as a secret key for decrypting the digital work. A secret key generation device comprising: 47. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. Acquiring means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of the medium identification information and the information specifying the revoked public key certificate, and a first unit unique to the decryption apparatus. First secret key storage means for storing a secret key; medium identification information acquired by the acquisition means;
Based on the obtained public key revocation list, the function conversion means for inputting and converting the first secret key stored in the private key storage means into the one-way function, and the contents of the public key revocation list Attribute value calculating means for calculating dependent attribute values, deforming means for deforming the function value obtained by the function converting means with the attribute value calculated by the attribute value calculating means, and attribute deformed by the deforming means An output unit that outputs a value as a secret key for decrypting the digital work, and a secret key generating device. 48. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. An encrypted first secret key obtained by encrypting the first secret key, an encrypted second secret key obtained by encrypting the second secret key used for encrypting the first secret key, and a revoked public key proof Acquisition means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of information specifying a document, and a third secret key storing a third secret key unique to the secret key generation device.
Private key storage means, attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the obtained public key revocation list, and stored in the third secret key storage means. The transforming means for transforming the third secret key with the attribute value calculated by the attribute value calculating means, and the encrypted second secret key obtained by the obtaining means by the third secret key transformed by the transforming means. First to decrypt
Decryption means, second decryption means for decrypting the encrypted first secret key obtained by the obtaining means with the second secret key decrypted by the first decryption means, and the second decryption means An output means for outputting the first secret key decrypted by the means to the decryption device as a secret key for decrypting the digital work, the secret key generation device. 49. The secret key generation device further determines whether the second secret key decrypted by the first decryption means is a correct second secret key used for encrypting the first secret key. 49. The private key generation device according to claim 48, further comprising a determination means for determining whether or not 50. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the acquired confirmation data is decrypted by the first decryption means. And a confirmation data decryption unit for decrypting with the second secret key, and whether or not the data obtained by the decryption by the confirmation data decryption unit agrees with a predetermined fixed pattern. 50. The secret key generation device according to claim 49, further comprising a determination unit that determines that the second secret key is correct. 51. The determination means includes a confirmation data acquisition section for acquiring confirmation data as a reference for the determination from the recording medium or the transmission medium, and a second secret key decrypted by the first decryption means. A second secret key encryption unit that encrypts with the second secret key, and a second secret key encrypted by the second secret key encryption unit matches the confirmation data acquired by the confirmation data acquisition unit. 50. The secret key generation device according to claim 49, further comprising: a determination unit that determines whether or not the second secret key is correct when they match. 52. The confirmation means acquires a confirmation data from the recording medium or the transmission medium, the confirmation data being a reference of the determination, and the confirmation data acquired by the confirmation data acquisition unit, A confirmation data decryption unit that decrypts with the second secret key decrypted by the decryption unit, a value decrypted by the confirmation data decryption unit, and a second secret key decrypted by the first decryption unit 50. The secret key generation device according to claim 49, further comprising: a determination unit that determines whether or not and that the second secret key is correct when they match. 53. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. An encrypted first secret key obtained by encrypting the first secret key, an encrypted second secret key obtained by encrypting the second secret key used for encrypting the first secret key, and a revoked public key proof Acquisition means for acquiring, via a recording medium or a transmission medium, a public key revocation list, which is a list of information for specifying a document, and a third secret key storage means for storing a third secret key unique to the decryption apparatus. A first decryption unit for decrypting the encrypted second secret key obtained by the obtaining unit with the third secret key stored in the third secret key storage unit; and a public key revocation list obtained, An attribute that depends on the contents of its public key revocation list Attribute value calculation means for calculating the second secret key decrypted by the first decryption means with the attribute value calculated by the attribute value calculation means, and the encryption obtained by the acquisition means. A second decrypting the encrypted first secret key with the second secret key transformed by the transforming means;
Decoding means and output means for outputting the first secret key decrypted by the second decrypting means to the decryption device as a secret key for decrypting the digital work. Private key generation device. 54. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. An encrypted first secret key obtained by encrypting the first secret key, an encrypted second secret key obtained by encrypting the second secret key used for encrypting the first secret key, and a revoked public key proof Acquisition means for acquiring, via a recording medium or a transmission medium, a public key revocation list that is a list of information specifying a document, and the encrypted second secret key acquired by the acquisition means is the first secret key storage means. A first decryption means for decrypting with the third secret key stored in, and an encrypted first secret key obtained by the obtaining means with the second secret key decrypted by the first decrypting means. The second decryption means for converting the acquired public key revocation list And an attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list, and a first secret key decrypted by the second decryption means by the attribute value calculation means. Transforming means for transforming with the attribute value obtained, and output means for outputting the first secret key decrypted by the second decrypting means to the decryption device as a secret key for decrypting the digital work. A secret key generation device comprising: 55. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. The public key invalid, which is a list of the medium identification information, the encrypted first private key obtained by encrypting the first private key used to encrypt the medium identification information, and the information specifying the revoked public key certificate. Acquiring means for acquiring the encryption list via a recording medium or a transmission medium, and a second secret key storing a second secret key unique to the secret key generating device.
Private key storage means, attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the acquired public key revocation list, and stored in the second secret key storage means. A transforming unit that transforms the second secret key with the attribute value calculated by the attribute value calculating unit; First to decrypt
The decryption means, the medium identification information acquired by the acquisition means, and the first
A function converting means for inputting and converting the first secret key decrypted by the decrypting means into a one-way function; and a function value obtained by the function converting means for decrypting the digital work. An output means for outputting the secret key to the decryption device, the secret key generation device. 56. The secret key generation device further determines whether the first secret key decrypted by the first decryption means is a correct first secret key used for encrypting the medium identification information. 56. The private key generation device according to claim 55, further comprising a determination means for determining. 57. The confirmation means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the acquired confirmation data is decrypted by the first decryption means. And a confirmation data decryption unit for decrypting with the first secret key, and whether or not the data obtained by the decryption by the confirmation data decryption unit matches a predetermined fixed pattern. 57. The secret key generation device according to claim 56, further comprising a determination unit that determines that the first secret key is correct. 58. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and a first secret key decrypted by the first decryption means. A first secret key encryption unit that encrypts with the first secret key, and a first secret key encrypted by the first secret key encryption unit matches the confirmation data acquired by the confirmation data acquisition unit. 57. The secret key generation device according to claim 56, further comprising: a determination unit that determines whether or not the first secret key is correct when they match. 59. The determination means includes a confirmation data acquisition unit that acquires confirmation data serving as a reference for the determination from the recording medium or the transmission medium, and the confirmation data acquired by the confirmation data acquisition unit in the first decoding. A confirmation data decryption unit that decrypts with the first secret key decrypted by the decryption unit, a value decrypted by the confirmation data decryption unit, and a first secret key decrypted by the first decryption unit 57. The secret key generation device according to claim 56, further comprising: a determination unit that determines whether or not and that the first secret key is a correct one when and. 60. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. The public key invalid, which is a list of the medium identification information, the encrypted first private key obtained by encrypting the first private key used to encrypt the medium identification information, and the information specifying the revoked public key certificate. An acquisition unit that acquires the encrypted list via a recording medium or a transmission medium; a second secret key storage unit that stores a second secret key unique to the decryption device; and an encryption first acquired by the acquisition unit. First decryption means for decrypting the secret key with the second secret key stored in the second secret key storage means, and the contents of the public key revocation list based on the obtained public key revocation list. Attribute value calculator that calculates dependent attribute values A transformation means for transforming the first secret key decrypted by the first decryption means with the attribute value calculated by the attribute value calculation means; medium identification information obtained by the acquisition means; and the transformation means A function conversion means for inputting and converting the attribute value modified by the method into a one-way function; and the function value obtained by the function conversion means as the secret key for decoding the digital work. An output device for outputting the secret key to the device. 61. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, which is used for encryption of a digital work. The public key invalid, which is a list of the medium identification information, the encrypted first private key obtained by encrypting the first private key used to encrypt the medium identification information, and the information specifying the revoked public key certificate. An acquisition unit that acquires the encrypted list via a recording medium or a transmission medium; a second secret key storage unit that stores a second secret key unique to the decryption device; and an encryption first acquired by the acquisition unit. First decryption means for decrypting the secret key with the second secret key stored in the second secret key storage means; medium identification information obtained by the obtaining means; and the first
Depends on the contents of the public key revocation list based on the function conversion means for inputting and converting the first secret key decrypted by the decryption means into the one-way function, and the obtained public key revocation list Attribute value calculating means for calculating the attribute value, deforming means for deforming the function value obtained by the function converting means with the attribute value calculated by the attribute value calculating means, and the function value transformed by the deforming means Is output to the decryption device as a secret key for decrypting the digital work. 62. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 1 and the decryption device according to claim 24. A copyright protection system characterized by being configured. 63. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 5 and the decryption device according to claim 25. A copyright protection system characterized by being configured. 64. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 6 and the decryption device according to claim 26. A copyright protection system characterized by being configured. 65. A copyright protection system for securely transmitting a digital work via a recording medium or a transmission medium, comprising: the encryption device according to claim 10 and the decryption device according to claim 27. A copyright protection system characterized by being configured. 66. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 11 and the decryption device according to claim 28. A copyright protection system characterized by being configured. 67. A copyright protection system for safely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 12 and the decryption device according to claim 29. A copyright protection system characterized by being configured. 68. A copyright protection system for safely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 16 and the decryption device according to claim 30. A copyright protection system characterized by being configured. 69. A copyright protection system for safely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 17 and the decryption device according to claim 31. A copyright protection system characterized by being configured. 70. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 18 and the decryption device according to claim 32. A copyright protection system characterized by being configured. 71. A copyright protection system for safely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 22 and the decryption device according to claim 33. A copyright protection system characterized by being configured. 72. A copyright protection system for securely transmitting a digital work through a recording medium or a transmission medium, comprising: the encryption device according to claim 23 and the decryption device according to claim 34. A copyright protection system characterized by being configured. 73. A device which cryptographically communicates with a partner device by using the public key of the partner device, and which stores a public key revocation list that is a list of information specifying a revoked public key certificate. And an acquisition means for acquiring a new public key revocation list, comparing the size of the acquired public key revocation list with the size of the public key revocation list stored in the storage means. When the size of the public key revocation list is large, reference is made to a storage unit that stores the obtained public key revocation list in the storage unit and updates it, and a public key revocation list stored in the storage unit. A cryptographic communication device comprising: a communication unit that determines the validity of a public key of a partner device and, if it determines that the public key is valid, uses the public key to cryptographically communicate with the partner device. 74. A device for cryptographically communicating with a partner device using the public key of the partner device, the storage means storing a public key revocation list that is a list of information specifying a revoked public key certificate. Acquisition means for acquiring a new public key revocation list, and the number of certificates shown in the acquired public key revocation list and the public key revocation list stored in the storage means. When the number of the certificates shown in the obtained public key revocation list is large, the obtained public key revocation list is stored in the storage means and updated. Storing means and a public key revocation list stored in the storing means to determine the validity of the public key of the partner device, and if it is determined to be valid, the public key is used to encrypt the public key of the partner device. A communication means for communicating. Cryptographic communication device. 75. In an encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, n (≧
2) Of the secret keys, the first secret key is used to encrypt the digital work, and the i-th (2 ≦ i ≦ n) secret key is used to encrypt the (i−1) th secret key. A method of repeating the encryption chain for each of the first to (n-1) th secret keys and outputting the encrypted first to (n-1) th secret keys to the medium. In the encryption using at least one of the 1st to n-th private keys, it depends on the contents of the public key revocation list which is a list of information specifying the revoked public key certificate prior to the encryption. An encryption method comprising a first step of transforming a secret key using an attribute value. 76. An encryption device for encrypting a digital work and outputting it to a recording medium or a transmission medium, wherein n (≧
1) Of the secret keys, the first secret key is used to convert the medium identification information by the one-way function, and then the converted digital identification information is used to encrypt the digital work, and n is 2 or more. In the case of, the encryption chain of encrypting the (i−1) th secret key using the ith (2 ≦ i ≦ n) secret key is repeated for the first to the (n−1) th secret keys. A method of outputting the encrypted first to (n-1) th secret keys to the medium, wherein in the encryption or conversion using at least one of the first to nth secret keys, ( i) Before the encryption or conversion, the private key is transformed by using an attribute value that depends on the contents of the public key revocation list, which is a list of information that identifies the revoked public key certificate, or Alternatively, (2) the medium identification information obtained by the conversion is transformed with the attribute value. An encryption method comprising the following second step. 77. In a decryption device for decrypting an encrypted digital work, the encrypted digital work, n (≧ 2) encrypted private keys and a revoked public key certificate are recorded. A public key revocation list, which is a list of information to be specified, is acquired via a recording medium or a transmission medium, and then the first encryption of the n encrypted secret keys is performed using a secret key held in advance. The decryption chain of decrypting the encrypted private key and decrypting the second encrypted private key with the obtained first private key is repeated for the n encrypted private keys, and is obtained in the final decryption. A method of decrypting a digital work with an n-th private key, wherein at least one of the decryptions of the first to n-th encrypted private keys is performed by a private key used for the decryption prior to the decryption. Attribute value depending on the contents of the public key revocation list Decoding method characterized in that it comprises a third step to be deformed. 78. In a decryption device for decrypting an encrypted digital work, the encrypted digital work, medium identification information, n (≧ 1) encrypted private keys, and revoked public disclosure. After obtaining a public key revocation list, which is a list of information specifying the key certificate, via a recording medium or a transmission medium, a secret key held in advance is used to obtain one of the n encrypted secret keys. Decrypting the first encrypted secret key, and when n is 2 or more, the decryption chain of decrypting the second encrypted secret key with the first secret key obtained by the decryption Repeated for each encrypted secret key, the medium identification information is converted by a one-way function using the nth secret key obtained in the final decryption, and the digital work is decrypted by the converted medium identification information. And a method for the first to n-th encrypted secret keys Hey is at least one transformation on-coding and the medium identification information,
(1) Prior to the decryption or conversion, the private key used for decryption or conversion is transformed with an attribute value depending on the contents of the public key revocation list, or (2) obtained by the conversion. A decoding method including a fourth step of transforming the medium identification information with the attribute value. 79. In a secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, n (≧ 2) encrypted secret keys And a public key revocation list, which is a list of information specifying the revoked public key certificate, is acquired through a recording medium or a transmission medium, and then the n number of encryptions are performed using a private key held in advance. The decryption chain of decrypting the first encrypted secret key of the encrypted secret keys and decrypting the second encrypted secret key with the obtained first secret key is repeated for the n encrypted secret keys. A method of outputting the n-th secret key obtained by the last decryption to the decryption device, wherein at least one of the decryptions for the first to n-th encrypted secret keys is the decryption. Prior to, the private key used for decryption is set to the public key revocation list. Secret key generation method characterized by comprising the fifth step to be deformed by the attribute value dependent on the contents. 80. A secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, the medium identification information and n (≧).
1) Secrets that are held in advance after obtaining, via a recording medium or a transmission medium, a private key revocation list, which is a list of information that specifies the number of encrypted private keys and revoked public key certificates. The first of the n encrypted secret keys using the key
The encryption secret key is decrypted, and when n is 2 or more, the decryption chain is such that the second encrypted secret key is decrypted by the first secret key obtained by the decryption The encrypted secret key, the medium identification information is converted by a one-way function using the n-th secret key obtained in the final decryption, and the converted medium identification information is output to the decryption device. Then, in at least one of decryption for the first to n-th encrypted secret keys and conversion for the medium identification information,
(1) Prior to the decryption or conversion, the private key used for decryption or conversion is transformed with an attribute value depending on the contents of the public key revocation list, or (2) obtained by the conversion. A secret key generation method comprising a sixth step of transforming the medium identification information with the attribute value. 81. A program used in an encryption device for encrypting a digital work and outputting the encrypted work to a recording medium or a transmission medium, the method causing a computer to execute the steps in the encryption method according to claim 75 or 76. Characteristic program. 82. A decryption method according to claim 77 or 78, which is a program used in a decryption apparatus for obtaining and decrypting an encrypted digital work via a recording medium or a transmission medium. A program that causes a computer to execute steps. 83. A program used in a secret key generation device for outputting a secret key for decryption to a decryption device for decrypting an encrypted digital work, wherein the program is used. A program for causing a computer to execute the steps of the described secret key generation method.