JP2006060793A - Method for transmission of content usage information, content usage information providing apparatus capable of utilizing the method, and apparatus for receiving content usage information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve processing efficiency, when encrypting and inputting/outputting data that should be confidential between a recording apparatus and a host device. <P>SOLUTION: Upon a license-data transmitter verifying a certificate C[KPdx] (the license-data receiver and the license-data transmitter are to be referred to as "x" and "y", respectively), the license-data transmitter transmits challenge information EP(KPdx, Kcy) to the license-data receiver. In response to the challenge information, the license-data receiver transmits session information Es(Kcy, Ksx/KPpy) to the license-data transmitter. The license-data transmitter provides encrypted license data Es(Ksx, Ep(KPpx, LIC)) in a form encrypted by using these two keys Ksx and KPpx thus received. With this cryptosystem according to the present invention employing EC-DH as the public key cryptosystem, the transmitter provides second or subsequent license data, without the transmission of the challenge information or updating of the shared key in the EC-DH. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a data input / output technology, and more particularly to a technology for encrypting and inputting data that should be kept secret between a storage device and a host device.

  For example, in Patent Document 1, a device that handles license data in an unencrypted state is a server device, a memory card (storage device), or a decoder (use device) as a content data distribution system that increases the confidentiality of license data. It is classified into three devices, and license data transmission / reception between the devices (server device and storage device, storage device and using device) is performed by constructing an encrypted communication path between the two devices that transmit and receive license data. The server device, the storage device, and the using device are provided with a TRM (Tamper-Resistant-Module) that can handle encrypted license data.

  In constructing an encrypted communication path, a device that receives license data (referred to as a license receiving device) first transmits a certificate including a public key to a device that provides license data (referred to as a license providing device). Then, the license providing device verifies this certificate. As a result of the verification, if the certificate from the license receiving device is a regular certificate and is not invalidated by the certificate revocation list, Key exchange is performed between devices using the public key included in the certificate. The license providing apparatus transmits license data encrypted with the key transmitted from the license receiving apparatus in the key exchange to the license receiving apparatus.

  The TRM is a circuit module in which confidentiality is physically protected, and is configured to restrict exchange of license data with other devices other than via an encrypted communication path.

  When acquiring license data, the memory card is mounted on a terminal device that can communicate with the server device, and receives license data from the server device via the terminal device. Further, when using the content, the memory card is attached to a terminal device incorporating a decoder, and transmits license data to the decoder via the terminal device.

As described above, in content distribution services, copyright protection related to content is thoroughly implemented by encrypting content data and concealing license data. By thoroughly protecting the content copyright in this way, the content to be distributed can be added to the line-up with peace of mind, and as a result, the needs of users who receive the distribution service can be satisfied more widely. It becomes like this.
JP 2004-133654 A

  Video content compatible with high-definition television is emerging. Here, high-definition TV image quality video content is called HD content, and conventional TV image quality video content is called SD content.

  HD content has a larger amount of data per unit time than SD content. For example, in the MPEG2 system used in digital broadcasting, the data amount per unit time of HD content is about three times the data amount per unit time of SD content. Therefore, further high-speed access is required for storage devices that record HD content.

  On the other hand, it is considered to use the copyright protection function of the conventional system for such HD contents. In the conventional system, public key cryptography is used for transmission and reception of license data. Since the computation time of the public key cryptography requires more time than the computation time of the common key cryptography, the time required for transmitting or receiving one license requires the computation time of the public key cryptography.

  When license data is recorded in units of programs and played back in units of programs, the access frequency of the license data is low and the access time is not so much of a problem, but special playback (skip playback, multiple programs partially) In the case of providing continuous program reproduction or the like, the access frequency of the license data is increased, and the license data is required to be accessed at a higher speed.

  The present invention has been made in view of such a situation, and an object of the present invention is to reduce the access time when data to be kept secret is encrypted and input / output between the storage device and the host device. It is.

  In view of the above problems, the present invention has the following features.

  One embodiment of the present invention relates to a content usage information transmission method. This content usage information transmission method is a method of transmitting and receiving content usage information including a content key for decrypting encrypted content data, and the content usage information transmission source authenticates the transmission destination of the content usage information. A step of sharing a first symmetric key between the transmission source and the transmission destination when the transmission destination is approved; and the transmission source encrypts the content usage information and transmits the transmission destination And sharing the first symmetric key with an Elliptic Curve Diffie-Hellman encryption algorithm using the public key of the destination to send the first symmetric key to the destination Generating the data to be shared with and transmitting the data to the other device, and transmitting the content usage information The step of sharing a second symmetric key between the transmission source and the transmission destination when the timing for transmitting the content usage information has arrived, and the first symmetric key and the second symmetric key Encrypting the content usage information with a symmetric key and transmitting it to the destination.

  Thereby, a symmetric key (shared key) can be securely shared using a public key cryptosystem using an operation on an elliptic curve. In addition, by continuously holding a shared symmetric key and using it for encryption and decryption of license data, the amount of computation when sending and receiving license data can be reduced, and the processing speed can be increased. In addition, the circuit scale can be reduced. In addition, when transmitting and receiving confidential data such as content usage information, once the encryption communication path is established, the data is encrypted using only the common key encryption algorithm and not transmitted using the public key encryption algorithm. can do. Since the common key encryption algorithm has a smaller calculation amount than the public key encryption algorithm and can be easily implemented in hardware, the processing efficiency and the processing speed can be improved by using only the common key encryption algorithm. Further, since the content usage information is double-encrypted with the first symmetric key and the second symmetric key and transmitted / received, the encrypted data can be efficiently transmitted / received without losing security.

  The first symmetric key may be held at the transmission source and the transmission destination after the step of transmitting the content usage information and used when transmitting the content usage information next time. When the timing for transmitting the content usage information has arrived, if the first symmetric key is already shared between the transmission source and the transmission destination, the authenticating step and the first symmetric key The step of sharing the key may be omitted. As a result, when content usage information is repeatedly transmitted and received, it is possible to quickly encrypt and transmit and receive without sacrificing safety. Further, when the content usage information is continuously transmitted and received, the processing can be speeded up without sacrificing safety by omitting the authentication processing. When it becomes necessary to authenticate the destination again, the first symmetric key that has already been shared is discarded, and the step of sharing the first symmetric key includes the newly issued first symmetric key. Keys may be shared. For example, when the connection between devices is canceled or one of the power supplies is turned off and the established encrypted communication path cannot be maintained, the first symmetric key is discarded and the encryption The communication path may be disconnected. Thereby, the safety | security of encryption communication is securable.

  The second symmetric key may be newly issued when the next content usage information is transmitted after the step of transmitting and receiving the content usage information is completed, and may be shared between the transmission source and the transmission destination. Since the content usage information is encrypted with the newly issued second symmetric key every time the content usage information is transmitted, leakage of the content usage information can be prevented, and safety can be improved.

  The first symmetric key may be issued by either the transmission source or the transmission destination, and the second symmetric key may be issued by the other. As a result, even when one of the devices is an unauthorized device, it is possible to prevent leakage of the content usage information, thereby improving safety.

  The content usage information transmission method may further include a step of sharing a third symmetric key used for sharing the second symmetric key between the transmission source and the transmission destination. The step of sharing the symmetric key may share the second symmetric key by encrypting the second symmetric key with the third symmetric key and transmitting / receiving it. The third symmetric key may be shared using public key cryptography. The third symmetric key may be held at the transmission source and the transmission destination after the step of transmitting the content usage information is completed and used when the second symmetric key is shared next time. Good. As a result, once an encrypted communication channel is established, data can be transmitted and received using only a common key encryption algorithm without using a public key encryption algorithm, thereby improving processing efficiency and processing speed. Can do.

  When it becomes necessary to authenticate the destination again, the already-shared third symmetric key is discarded, and the step of sharing the third symmetric key includes the newly issued third symmetric key. Keys may be shared. Thereby, the safety | security of encryption communication is securable.

  Another aspect of the present invention relates to a content use information providing apparatus. The content usage information providing device is a content usage information providing device that provides content usage information including a content key for decrypting encrypted content data to the content usage information receiving device, and authenticates from the content usage information receiving device. A verification unit that obtains information and verifies the validity of the authentication information; and when the verification unit approves the content use information receiving device, a public key cryptosystem is provided between the content use information receiving device and the verification unit. A second symmetric key is shared between the first symmetric key sharing means for sharing the first symmetric key and the license usage information receiving device when the timing for transmitting the content usage information arrives Second symmetric key sharing means for encrypting the content usage information with the first symmetric key and the second symmetric key Encoding means and content usage information transmitting means for transmitting to the content usage information receiving device encrypted by the encryption means, wherein the first symmetric key sharing means generates a random number. And generating the first symmetric key using the random number and the public key of the content use information receiving device by an Elliptic Curve Diffie-Hellman encryption algorithm, and using the first symmetric key as the content use information receiving device. First symmetric key generating means for generating data to be shared between and a transmitting means for transmitting the data to the content use information receiving apparatus.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content usage information receiving device is a content usage information receiving device that receives content usage information including a content key for decrypting encrypted content data from the content usage information providing device. A first symmetric key using a public key cryptosystem between the authentication information transmitting means for transmitting the authentication information and the content usage information providing device when the content usage information providing device approves the authentication information. A second symmetric key sharing unit that shares a second symmetric key between the first symmetric key sharing unit that shares the content use information and the content use information providing device when the timing for receiving the content use information arrives. Means and the content usage information encrypted with the first symmetric key and the second symmetric key. A content usage information receiving means for receiving from the information providing apparatus; and a decrypting means for decrypting the encrypted content usage information, wherein the first symmetric key sharing means A public key providing means for providing the public key, an acquisition means for acquiring data for sharing the first symmetric key with the content usage information providing apparatus, and an Elliptic Curve Diffie-Hellman encryption algorithm First symmetric key generation means for generating the first symmetric key using data and a secret key paired with the public key.

  Still another aspect of the present invention relates to a content use information providing apparatus. This content usage information providing device is a content usage information providing device that provides content usage information including a content key for decrypting encrypted content data to a content usage information receiving device, wherein the content usage information receiving device Set in the content usage information receiving device, an interface for controlling data exchange with the content usage information receiving device, a symmetric key generation unit that generates a first symmetric key that is temporally generated in communication with the content usage information receiving device A first encryption unit that encrypts data using the first public key, a decryption unit that decrypts data using the first symmetric key generated by the symmetric key generation unit, and the content usage information receiving device Elliptic curve Diffie − In accordance with the Hellman encryption algorithm, a second encryption unit that encrypts data, a random number generation unit that generates a random number to be supplied to the second encryption unit, and a second symmetry generated by the content use information receiving device A third encryption unit that encrypts data using a key; and a control unit, wherein the second encryption unit acquires the random number generated by the random number generation unit, and the acquired random number and the second random number Based on the public key, a function for generating a shared key used for encryption and data for sharing the shared key with the content usage information receiving device, and encrypting the content usage information with the generated shared key In the encryption process using the second public key for the first time after the first symmetric key is generated in the symmetric key generation unit, the random number generation A random number generated by the unit, based on the acquired random number and the second public key, a shared key used for encryption, and data for sharing the shared key with the content use information receiving device; And encrypting the data using the shared key, and encrypting the content usage information using the previous shared key in the second and subsequent encryption processes after the first symmetric key is generated in the symmetric key generation unit. The control unit controls the symmetric key generation unit to generate the first symmetric key, and uses the first symmetric key encrypted by the first public key as the first encryption unit. And transmitted to the content use information receiving device via the interface and encrypted with the first symmetric key received via the interface The second symmetric key and the second public key received from the content use information receiving device, given to the decryption unit, and generated based on the second public key decrypted by the decryption unit The encrypted content usage information encrypted with the key and the second symmetric key is received from the second encryption unit or the third encryption unit, and transmitted to the content usage information receiving apparatus via the interface. It is characterized by that.

  The content usage information providing apparatus may further include a content encryption unit that generates the content usage information and encrypts content data with the content key included in the generated content usage information. The content usage information generated by the content encryption unit may be acquired and provided to the third encryption unit.

  The content usage information providing apparatus may further include a storage unit that stores the content usage information, and the control unit acquires the content usage information stored in the storage unit from the storage unit, and You may give to a 3rd encryption part.

  The storage unit may include a first storage unit that stores the encrypted content data and a second storage unit that stores the content usage information. The second storage unit is highly confidential. You may be comprised by the tamper-resistant structure.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content usage information receiving device is a content usage information receiving device that receives content usage information including a content key for decrypting and reproducing encrypted content data from the content usage information providing device, and the content usage information providing device And a first secret that holds a first secret key for decrypting data encrypted with a first public key set in the content use information receiving device A key holding unit, a second public key holding unit holding a second public key of the elliptic curve encryption set in the content usage information receiving device, and decrypting data encrypted by the second public key And a second secret key holding unit for holding a second secret key for storing data encrypted by the first public key in the first secret key. For identifying communication between the first decryption unit that decrypts the data, the encryption unit that encrypts data using the first symmetric key generated by the content use information providing device, and the content use information provision device A symmetric key generation unit for generating a second symmetric key; a second decryption unit for decrypting data encrypted with the second symmetric key; and data encrypted with the second public key A third decryption unit that decrypts data in accordance with the Elliptic curve Diffie-Hellman encryption algorithm with a second secret key; and a control unit, wherein the third decryption unit is a shared information acquired from the content use information providing device A function for generating the shared key based on the data for sharing the key and the second secret key, and a data encrypted with the shared key. A decrypting process for decrypting data encrypted with the second public key received only after the first symmetric key is decrypted in the first decrypting unit, After generating the shared key based on the data to be shared and the second secret key, the encrypted data is decrypted using the shared key, and the first decryption unit performs the first decryption. In the second and subsequent decryption processes after the symmetric key is decrypted, the encrypted data is decrypted using the shared key used for the previous decryption, and the control unit is encrypted with the first public key. Receiving the first symmetric key from the interface, providing the received encrypted first symmetric key to the first decryption unit and generating the second symmetric key so as to generate the second symmetric key; Control The encryption unit transmits the second symmetric key and the second public key encrypted with the first symmetric key to the content usage information providing apparatus via the interface, and The encrypted content usage information encrypted with the second public key and the second symmetric key received in this way is provided to the second decryption unit.

  The content usage information receiving device further includes a content reproduction unit that decrypts the encrypted content data and reproduces the content data using the content key included in the content usage information extracted by the third decryption unit. Also good.

  The content usage information receiving device may further include a storage unit that stores the content usage information, and the control unit stores the content usage information extracted by the third decryption unit in the storage unit. May be.

  The features of the present invention and the technical significance thereof will become more apparent from the following description of embodiments. However, the following embodiment is only one embodiment of the present invention, and the meaning of the present invention or the terms of each constituent element is limited to those described in the following embodiment. is not.

  According to the present invention, it is possible to improve processing efficiency when data to be concealed is encrypted and input / output between the storage device and the host device.

(First embodiment)
FIG. 1 shows an overall configuration of a data management system 10 according to the first embodiment. The data management system 10 includes a recording device 100 that controls recording of data in the storage device 200, a playback device 300 that controls playback of data recorded in the storage device 200, and a storage device 200 that records and holds data. The storage device 200 according to the present embodiment includes not only a storage medium that holds data but also a controller that controls input / output of data between a host device such as the recording apparatus 100 or the playback apparatus 300 and the storage medium. Is a drive-integrated storage device. In the present embodiment, a hard disk drive will be described as an example of the storage device 200.

  The conventional hard disk drive is generally used by being fixedly connected to one host device, but the storage device 200 of the present embodiment is a host device such as the recording device 100 and the playback device 300. It is comprised so that attachment or detachment is possible. That is, the storage device 200 of the present embodiment can be removed from the host device and carried in the same manner as a CD or DVD, and the storage device 200 includes a recording device 100, a playback device 300, a recording / playback device capable of recording and playback, and the like. A storage device that can be shared between host devices.

  As described above, the storage device 200 according to the present embodiment is assumed to be connected to a plurality of host devices. For example, the storage device 200 is connected to a host device of a third party other than the owner and recorded therein. Data may be read out. When it is assumed that contents to be protected by copyright such as music and video, confidential data such as corporate and personal information are recorded on the storage device 200, the confidential data leaks to the outside. In order to prevent this, it is preferable to provide the storage device 200 itself with a configuration for appropriately protecting data and to have a sufficient tamper resistance function.

  From such a viewpoint, the storage device 200 according to the present embodiment has a configuration for encrypting and exchanging confidential data when the confidential data is input and output with the host device. Further, in order to store confidential data, a confidential data storage area different from a normal storage area is provided, and the confidential data storage area is configured to be accessible only through a cryptographic engine provided in the storage device 200. . This cryptographic engine inputs / outputs secret data only to / from a host device verified as having a legitimate authority. Hereinafter, such a data protection function is also referred to as a “secure function”. With the above configuration and function, the confidential data recorded in the storage device 200 can be appropriately protected.

  In order to make the most of the characteristics of the storage device 200 as a removable medium, it is preferable that normal data can be input / output even by a host device that does not support the secure function. Therefore, the storage device 200 according to the present embodiment supports ATA (AT Attachment), which is a standard of ANSI (American National Standards Institute), in order to maintain compatibility with the conventional hard disk, and the secure function described above. Is realized as an ATA extension instruction.

  Hereinafter, a case where content data such as video is recorded and reproduced will be described as an example of confidential data input / output. Although the content data itself may be handled as confidential data, in the present embodiment, the content data is encrypted, and the encrypted content data itself is recorded as normal data in the storage device 200. Then, data (license data and data) including a key for decrypting the encrypted content (referred to as a content key) and information (referred to as a usage rule) related to content reproduction control, license use, transfer, and copy control. Is input / output as secret data using the secure function described above. As a result, while maintaining sufficient tamper resistance, data input / output can be simplified, processing speed can be increased, and power consumption can be reduced. Here, the license data includes a license ID for specifying the license data in addition to the content key and the usage rule.

  Hereinafter, of the commands issued by the host device such as the recording device 100 and the playback device 300 to the storage device 200, the extended command for the secure function is also referred to as “secure command”, and the other commands are also referred to as “normal command”. Call.

  FIG. 2 shows an internal configuration of the recording apparatus 100 according to the embodiment. This configuration can be realized in hardware by a CPU, memory, or other LSI of an arbitrary computer, and in software, it is realized by a program having a recording control function loaded in the memory. So, functional blocks that are realized by their cooperation are drawn. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The recording apparatus 100 mainly includes a controller 101, a storage interface 102, a cryptographic engine 103, an encryptor 104, a content encoder 105, and a data bus 110 that electrically connects them.

  The content encoder 105 codes the content acquired online or offline into a predetermined format. Here, video data acquired from a broadcast wave or the like is coded in the MPEG format.

  The encryptor 104 issues license data LIC including a content key for decrypting the encrypted content, and encrypts the content coded by the content encoder 105 using this content key. The encrypted content is recorded in the storage device 200 via the data bus 110 and the storage interface 102. The issued license data LIC is notified to the encryption engine 103 and recorded in the storage device 200 via the encryption engine 103.

  The cryptographic engine 103 controls cryptographic communication with the storage device 200 in order to input the license data LIC to the storage device 200. The storage interface 102 controls data input / output with the storage device 200. The controller 101 comprehensively controls the components of the recording apparatus 100.

  FIG. 3 shows an internal configuration of the playback apparatus 300 according to the embodiment. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof.

  The playback apparatus 300 mainly includes a controller 301, a storage interface 302, a cryptographic engine 303, a decoder 304, a content decoder 305, and a data bus 310 that electrically connects them.

  The storage interface 302 controls data input / output with the storage device 200. The cryptographic engine 303 controls cryptographic communication with the storage device 200 in order to receive the license data LIC including the content key from the storage device 200.

  The decryptor 304 decrypts the encrypted content read from the storage device 200 with the content key included in the license data LIC obtained from the storage device 200.

  The content decoder 305 decodes and outputs the content decoded by the decoder 304. For example, if the content is in MPEG format, the video signal and the audio signal are restored from the content, the video signal is output to a display device (not shown), and the audio signal is output to a speaker (not shown). The controller 301 comprehensively controls the components of the playback device 300.

  FIG. 4 shows an internal configuration of the storage device 200 according to the embodiment. The storage device 200 mainly includes a controller 201, a storage interface 202, a cryptographic engine 203, a tamper resistant storage unit 204, a normal data storage unit 205, and a data bus 210 that electrically connects them.

  The storage interface 202 controls data input / output with the recording device 100 and the playback device 300. The cryptographic engine 203 controls cryptographic communication for inputting / outputting secret data such as license data LIC including a content key between the recording device 100 and the playback device 300. The normal data storage unit 205 is a normal storage area for recording encrypted content, normal data, and the like. The tamper resistant storage unit 204 is a confidential data storage area for recording confidential data such as license data LIC including a content key. The controller 201 comprehensively controls the components of the storage device 200. The normal data storage unit 205 is directly accessed (data input / output) from the outside, but the tamper-resistant storage unit 204 is configured so that it cannot be accessed (data input / output) through the cryptographic engine 203.

  Here, the key used in this embodiment will be described. In the present embodiment, the key is expressed as a character string starting with a capital letter “K”.

  When the second character is lowercase “c” or “s”, it represents a symmetric key (common key). In the case of “c”, it is a challenge key, and is a temporally symmetric key generated at the transmission source of the encrypted data. In the case of “s”, it is a session key, which is a temporal symmetric key generated at the transmission destination of the encrypted data.

  When the second character is capital “P”, it indicates a public key of the public key cryptosystem. This key always has a corresponding secret key, and this secret key has a notation excluding the second letter capital letter “P” from the notation of the public key.

  When the character string indicating the key includes a lowercase “d”, it indicates that the key is assigned to each group of devices. If the character string indicating the key includes a lowercase letter “p”, it indicates that the key is assigned to each device. Each is given as a pair of a public key and a private key, and the public key given for each group is given as a public key certificate with an electronic signature.

  The character described at the end of the character string indicating the key, for example, “2” of the public key KPd2, is a symbol for identifying the cryptographic engine to which the key is given. In the present embodiment, when the provision destination is clear, it is represented by numbers such as “1”, “2”, “3”, etc., and is a key provided from other than the encryption engine, and the provision destination is unknown. If not specified or not specified, it is written in English characters such as “x” and “y”. In this embodiment, “1” is used as the identification symbol for the cryptographic engine 103 of the recording device 100, “2” is used as the identification symbol for the cryptographic engine 203 of the storage device 200, and the cryptographic engine 303 of the playback device 300 is identified. Each symbol “3” is used.

  Here, the encryption algorithm used in the embodiment will be described. In the present embodiment, an encryption algorithm is adopted one by one from a public key cryptosystem and a symmetric key (common) cryptosystem.

  The public key encryption method is an encryption method in which encryption and decryption are performed using different keys. A key to be encrypted is called a public key, and a key to be decrypted is called a secret key. As the name indicates, the public key is a public key and does not need to be managed secretly. On the other hand, the secret key is managed secretly.

  In this method, cryptographic algorithms such as RSA and EC-DH (Elliptic Curve Diffie-Hellman) are known. In this embodiment, an EC-DH algorithm is adopted. EC-DH encrypts data with a symmetric key (called a shared key) shared by both parties by multiplication on an elliptic curve over a finite field (this operation algorithm is called elliptic curve cryptography). The encrypted data has a format in which the result of encrypting the data and data for sharing the shared key (referred to as parameters) are concatenated.

  For example, transmission of encrypted data using the public key KPdx and the secret key Kdx will be described. In EC-DH, the relationship between the two is KPdx = Kdx * B. Here, the base point on the elliptic curve is indicated by “B”, and the multiplication on the elliptic curve is indicated by “*”. In the following description, “x” indicates a side that receives encrypted data (referred to as a receiving side), and “y” indicates a side that provides encrypted data (referred to as a transmitting side).

  The receiving side transmits the public key KPdx to the transmitting side. Upon receiving the public key KPdx, the transmission side first generates a random number rdy in order to create encrypted data. Then, the public key KPdx and the random number rdy are multiplied on an elliptic curve to obtain a shared key KPdx * rdy. At the same time, the parameter B * rdy is calculated in order to share the shared key KPdx * rdy with the receiving side. The base point B is shared in advance with the elliptic curve equation.

  The target data (denoted as Data) is encrypted with the generated shared key KPdx * rdy to generate encrypted data Es (KPdx * rdy, Data). Then, the parameter B * rdy and B * rdy // Es (KPdx * rdy, Data) obtained by concatenating the result are sent to the receiving side as Ep (KPdx, Data).

  Here, the symbol “//” indicates data concatenation, and B * rdy // Es (KPdx * rdy, Data) is a combination of the parameter B * rdy and the encrypted data Es (KPdx * rdy, Data) side by side. Indicates the data string. Further, Es indicates an encryption function using a common key encryption method, and Es (KPdx * rdy, Data) indicates that the target data Data is encrypted with the symmetric key KPdx * rdy. Ep indicates an encryption function using a public key cryptosystem, and indicates that the target data Data is encrypted with the public key KPdx.

  Thus, in EC-DH, Ep (KPdx, Data) = B * rdy // Es (KPdx * rdy, Data).

  On the receiving side, when Ep (KPdx, Data) is received, the shared key Kdx * B * rdy = KPdx * rdy is obtained by multiplying the stored secret key Kdx and the parameter B * rdy on an elliptic curve. The encrypted data Es (KPdx * rdy, Data) is decrypted with the obtained shared key KPdx * rdy. The same applies to the set of the public key KPpx and the secret key Kpx.

  The common key encryption method is an encryption method that performs encryption and decryption using the same key, and DES (Data Encryption Standard), AES (Advanced Encryption Standard), and the like are known as encryption algorithms. In this embodiment, any method can be adopted, but AES is adopted in consideration of the balance between the use in the public key encryption method described above and the encryption strength.

  FIG. 5 shows an internal configuration of the cryptographic engine 103 of the recording apparatus 100 shown in FIG. The cryptographic engine 103 electrically connects the certificate verification unit 120, the random number generation unit 121, the first encryption unit 122, the decryption unit 123, the second encryption unit 124, the third encryption unit 125, and at least some of these components. A local bus 130 is provided for connection.

  The certificate verification unit 120 verifies the certificate C [KPd2] acquired from the storage device 200. The certificate C [KPd2] includes plaintext information (referred to as “certificate body”) including the public key KPd2 and an electronic signature attached to the certificate body. This electronic signature is obtained by applying a calculation result of a hash function to the certificate body (this calculation process is referred to as “hash calculation”), and a root key Ka of a certificate authority (not shown) as a third party. Data encrypted by. The root key Ka is a private key that is strictly managed by the certificate authority and serves as a secret key of the certificate authority. The certificate verification unit 120 holds a verification key KPa that is paired with the root key Ka. This verification key KPa is a public key for verifying the validity of the certificate.

  The verification of the certificate is judged by the validity of the certificate and the validity of the certificate. The verification of the validity of the certificate is a process of comparing the calculation result of the hash function for the certificate body of the certificate to be verified with the result of decrypting the electronic signature with the verification key KPa. It is judged that. The certificate verification unit 120 maintains a certificate revocation list (CRL) that is a list of invalid certificates, and the CRL checks whether the certificate to be verified is valid. It is judged that it is effective when it is not described. The process of judging the validity and validity of a certificate and approving a valid certificate is called verification.

  If the verification is successful, the certificate verification unit 120 retrieves the public key KPd2 of the storage device 200, transmits it to the first encryption unit 122, and notifies the verification result. If verification fails, a verification error notification is output.

  The random number generator 121 generates a random number. The random number may be a pseudo random number. Here, a challenge key Kc1 and random numbers rd1 and rp1 that are temporarily used to perform encrypted communication with the storage device 200 are generated. By generating the challenge key Kc1, which is a random number, every time encrypted communication is performed, the possibility that the challenge key Kc1 can be detected is minimized. The generated challenge key Kc1 is transmitted to the first encryption unit 122 and the decryption unit 123. The random numbers rd1 and rp1 are transmitted to the first encryption unit 122 and the second encryption unit 124, respectively, and used for encryption by ED-DH.

  In order to notify the storage device 200 of the challenge key Kc1, the first encryption unit 122 encrypts the challenge key Kc1 with the public key KPd2 of the storage device 200 extracted by the certificate verification unit 120, and encrypts the challenge key Ep. (KPd2, Kc1) = B * rd1 // Es (KPd2 * rd1, Kc1) is generated. For the encryption, the random number rd1 generated by the random number generator 121 is used.

  The decryption unit 123 decrypts the data encrypted with the challenge key Kc1. Since the session key Ks2 issued by the storage device 200 and the public key KPp2 held by the storage device 200 are supplied from the storage device 200 as session information Es (Kc1, Ks2 // KPp2), the decryption unit 123 generates a random number. The challenge key Kc1 generated by the unit 121 is acquired, the session information Es (Kc1, Ks2 // KPp2) is decrypted, and the session key Ks2 and the public key KPp2 are extracted. The extracted public key KPp2 and session key Ks2 are transmitted to the second encryption unit 124 and the third encryption unit 125, respectively.

  The second encryption unit 124 acquires the license data LIC including the content key issued when the encryptor 104 encrypts the content, and uses the license data LIC as the license data providing destination, that is, the public key of the storage device 200. Ep (KPp2, LIC) = B * rp1 // Es (KPp2 * rp1, LIC) encrypted with KPp2 is generated. For encryption, the random number rp1 generated by the random number generator 121 is acquired and used. Then, Ep (KPp2, LIC) is transmitted to the third encryption unit 125.

  The third encryption unit 125 further encrypts Ep (KPp2, LIC) generated by the second encryption unit 124 with the session key Ks2 issued by the storage device 200, and encrypts the license data Es (Ks2, Ep ( KPp2, LIC)).

  In FIG. 5, among the components of the cryptographic engine 103, the certificate verification unit 120, the first encryption unit 122, the decryption unit 123, and the third encryption unit 125 are electrically connected by the local bus 130. It is connected to the data bus 110 of the recording apparatus 100 via 130. Various modifications can be considered in the form of connecting each component. In this embodiment, the challenge key Kc1, the random numbers rd1 and rp1 generated by the random number generation unit 121, and the session key Ks2 received from the storage device 200 are used. Consideration is given so as not to flow directly to the data bus 110. Thereby, it is possible to prevent each key used in the cryptographic engine 103 from leaking to the outside through other components of the recording apparatus 100 and improve the security.

  FIG. 6 shows the internal configuration of the cryptographic engine 303 of the playback apparatus 300 shown in FIG. The cryptographic engine 303 electrically connects the certificate output unit 320, the random number generation unit 321, the first decryption unit 322, the encryption unit 323, the second decryption unit 324, the third decryption unit 325, and at least some of these components. A local bus 330 is provided for connection.

  The certificate output unit 320 outputs the certificate C [KPd3] of the playback device 300. The certificate may be held by the certificate output unit 320 or may be held in a certificate holding unit (not shown) and read out. The certificate is composed of a certificate body including the public key KPd3 of the playback apparatus 300 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority, similarly to the certificate of the storage device 200.

  The random number generator 321 generates a session key Ks3 that is temporarily used for performing cryptographic communication with the storage device 200. The generated session key Ks3 is transmitted to the encryption unit 323 and the second decryption unit 324.

  The first decryption unit 322 decrypts the data encrypted with the public key KPd3 with the secret key Kd3. At the time of reproduction, the challenge key Kc2 issued by the storage device 200 is supplied from the storage device 200 as challenge information Ep (KPd3, Kc2) encrypted with the public key KPd3 of the reproduction device 300. Therefore, the first decryption unit 322 The private key Kd3 is used for decryption to extract the challenge key Kc2. The extracted challenge key Kc2 is transmitted to the encryption unit 323.

  The encryption unit 323 encrypts data using the challenge key Kc2 extracted by the first decryption unit 322. The session key Ks3 generated by the random number generation unit 321 and its own public key KPp3 are concatenated and encrypted to generate session information Es (Kc2, Ks3 // KPp3).

  The second decryption unit 324 decrypts the data encrypted with the session key Ks3. Since the license data is supplied from the storage device 200 as encrypted license data Es (Ks3, Ep (KPp3, LIC)) that is doubly encrypted with the public key KPp3 and the session key Ks3, the second decryption unit 324 The session number Ks3 generated by the random number generation unit 321 is decrypted, and the result is transmitted to the third decryption unit 325.

  The third decryption unit 325 decrypts the data encrypted with the public key KPp3. The result of the second decryption unit 324 is decrypted with the secret key Kp3 paired with the public key KPp3, and the license data LIC is extracted. The extracted license data LIC is transmitted to the decryptor 304, and the decryptor 304 decrypts the encrypted content using the content key included in the license data LIC.

  In the cryptographic engine 303 shown in FIG. 6, various modifications can be considered in the form of connecting each component. In the present embodiment, the session key Ks3 generated by the random number generation unit 321 is paired with the public key. Are configured so that the private keys Kd3 and Kp3 and the session key Ks2 received from the storage device 200 do not flow on the data bus 310, so that the decryption key used in the cryptographic engine 303 is leaked to the outside. To prevent that.

  FIG. 7 shows an internal configuration of the cryptographic engine 203 of the storage device 200 shown in FIG. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof. The cryptographic engine 203 includes a control unit 220, a random number generation unit 221, a certificate output unit 222, a certificate verification unit 223, a first decryption unit 224, a first encryption unit 225, a second decryption unit 226, a third decryption unit 227, The second encryption unit 228, the fourth decryption unit 229, the third encryption unit 230, the fourth encryption unit 231 and a local bus 240 that electrically connects at least some of these components.

  The control unit 220 mediates data input / output between the control of the internal configuration of the cryptographic engine 203 and the external configuration in accordance with an instruction from the controller 201 of the storage device 200.

  The random number generator 221 generates random numbers rd2 and rp2, a session key Ks2, and a challenge key Kc2 that are temporarily used for encrypted communication with the recording device 100 or the playback device 300 by random number calculation. Specifically, when the storage device 200 provides license data, random numbers rd2 and rp2 and a challenge key Kc2 are generated. When the storage device 200 receives provision of license data, a session key Ks2 is generated.

  The certificate output unit 222 outputs the certificate C [KPd2] of the storage device 200. The certificate may be held by the certificate output unit 222, or may be held in a predetermined storage area of the storage device 200, for example, the tamper resistant storage unit 204, and read out. The certificate includes a certificate body including the public key KPd2 of the storage device 200 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority.

  The certificate verification unit 223 verifies a certificate provided from the outside. Specifically, the certificate C [KPd1] acquired from the recording device 100 and the certificate C [KPd3] acquired from the playback device 300 are verified using the authentication key KPa. Since the detailed processing of the verification has been described above, the description thereof is omitted here.

  The first decryption unit 224 decrypts the data encrypted with its own public key KPd2. Specifically, at the time of recording, the challenge key Kc1 issued by the recording device 100 is encrypted with the public key KPd2 of the storage device 200 and challenge information Ep (KPd2, Kc1) = B * rd1 // Es (KPd2 * rd1 , Kc1) is supplied from the recording apparatus 100, and is decrypted with its own secret key Kd2, and the challenge key Kc1 is extracted. The extracted challenge key Kc1 is given to the first encryption unit 225.

  The first encryption unit 225 encrypts data with the challenge key Kc1 issued by the recording apparatus 100. Specifically, the session key Ks2 generated by the random number generator 221 and its own public key KPp2 are concatenated and encrypted with the challenge key Kc1, and the session information Es (Kc1, Ks2 // KPp2) is obtained. Generate.

  The second decryption unit 226 decrypts the data encrypted with the session key Ks2 generated by the random number generation unit 221. Specifically, since the license data LIC is received from the recording apparatus 100 as encrypted license data Es (Ks2, Ep (KPp2, LIC)) that is doubly encrypted with the public key KPp2 and the session key Ks2, this is received. Decryption is performed using the session key Ks2, and the result is given to the third decryption unit 227.

  The third decryption unit 227 decrypts the data encrypted with its own public key KPp2. The license data Ep (KPp2, LIC) = B * rp1 // Es (KPp2 * rp1, LIC) encrypted with the public key KPp2 given from the second decryption unit 226 is its own secret paired with the public key KPp2. Decrypt with the key Kp2 and take out the license data LIC.

  The extracted license data LIC is supplied to the data bus 210 via the local bus 240 and the control unit 220, and is stored in the tamper resistant storage unit 204 in accordance with an instruction from the controller 201.

  The second encryption unit 228 encrypts data with the public key KPd3 of the playback device 300. Specifically, when the license data is provided to the playback device 300, the challenge key Kc2 generated by the random number generation unit 221 with the public key KPd3 extracted from the certificate C [KPd3] received from the playback device 300. Is encrypted, and challenge information Ep (KPd3, Kc2) = B * rd2 // Es (KPd3 * rd2, Kc2) is generated. For the encryption, the random number rd2 generated by the random number generation unit 221 is used. The generated encryption challenge key Ep (KPd3, Kc2) is given to the control unit 220 via the local bus 240.

  The fourth decryption unit 229 decrypts the data encrypted with the challenge key Kc2 generated by the random number generation unit 221. The session information Es (Kc2, Ks3 // KPp3) received from the playback device 300 is decrypted with the challenge key Kc2 generated by the random number generation unit 221, and the session key Ks3 and the public key KPp3 of the playback device 300 are extracted. The extracted session key Ks3 and public key KPp3 are transmitted to the fourth encryption unit 231 and the third encryption unit 230, respectively.

  The third encryption unit 230 encrypts the data with the public key KPp3 of the playback device 300. When providing license data to the playback device 300, the license data LIC is encrypted with the public key KPp3 received from the playback device 300, and Ep (KPp3, LIC) = B * rp2 // Es (KPp3 * rp2, LIC ) The license data is read from the tamper resistant storage unit 204 in accordance with an instruction from the controller 201 and supplied to the third encryption unit 230 via the data bus 210, the control unit 220, and the local bus 240. In addition, the random number rp2 generated by the random number generator 221 is used for encryption.

  The fourth encryption unit 231 encrypts data with the session key Ks3 issued by the playback device 300. Specifically, the license data encrypted with the public key KPp3 of the playback device 300 in the third encryption unit 230 is further encrypted with the session key Ks3, and the encrypted license data Es (Ks3, Ep (KPp3, LIC)) Is generated.

  8 and 9 show a procedure until the recording apparatus 100 records the license data LIC in the storage device 200. FIG.

  First, the controller 101 of the recording apparatus 100 issues a certificate output command to the storage device 200 (S102). When the controller 201 of the storage device 200 normally accepts the certificate output command (S104), the controller 201 instructs the cryptographic engine 203 to output the certificate, reads the certificate C [KPd2] from the cryptographic engine 203, and sends it to the recording device 100. Output (S106).

  Upon obtaining the certificate C [KPd2] from the storage device 200, the controller 101 sends it to the cryptographic engine 103 of the recording device 100 (S108). When the cryptographic engine 103 receives the certificate C [KPd2] of the storage device 200 (S110), the certificate verification unit 120 verifies the certificate with the verification key KPa (S112). When the certificate is not approved (N in S112), the certificate verification unit 120 transmits a verification error notification to the controller 101 (S190). When the controller 101 receives the error notification (S192), it ends the process abnormally.

  When the certificate is approved (Y in S112), the cryptographic engine 103 generates a challenge key Kc1 in the random number generation unit 121, and transmits the generated challenge key Kc1 to the first encryption unit 122 and the decryption unit 123. The decryption unit 123 holds the challenge key Kc1 inside (S114). Furthermore, the random number generation unit 121 generates a random number rd1 and transmits the generated random number rd1 to the first encryption unit 122. The first encryption unit 122 calculates the shared key KPd2 * rd1 and the parameter B * rd1 using the random number rd1 (S116). The challenge key Kc1 is encrypted with the shared key KPd2 * rd1, and challenge information Ep (KPd2, Kc1) = B * rd1 // Es (KPd2 * rd1, Kc1) is generated and transmitted to the controller 101 (S118). .

  Upon receiving the challenge information Ep (KPd2, Kc1) (S120), the controller 101 issues a challenge information processing command to the storage device 200 (S124). In the storage device 200, when the controller 201 receives the challenge information processing command, the controller 201 requests input of challenge information Ep (KPd2, Kc1) (S126). In response to this request, the controller 101 of the recording apparatus 100 outputs challenge information Ep (KPd2, Kc1) to the storage device 200 (S128).

  When the storage device 200 receives the challenge information Ep (KPd2, Kc1) (S130), in the cryptographic engine 203, the first decryption unit 224 uses the challenge information Ep (KPd2, Kc1) as the parameter B * rd1 and the encrypted challenge key. Decomposes into Es (KPd2 * rd1, Kc1). The shared key Kd2 * B * rd1 (= KPd2 * rd1) is calculated from the parameter B * rd1 and the private key Kd2 (S132), and the encrypted challenge key Es (KPd2 * rd1, Kc1) is decrypted. The challenge key Kc1 is extracted (S134). Then, the challenge key Kc1 extracted by the first decryption unit 224 is held in the first encryption unit 225 (S136).

  On the other hand, when the processing of the challenge information processing command is completed in the storage device 200, the controller 101 issues a session information generation command to the storage device 200 (S138). In the storage device 200, when the controller 201 receives a session information generation command (S140), the cryptographic engine 203 generates a session key Ks2 according to an instruction from the control unit 220, and the generated session key Ks2 is second. This is given to the decryption unit 226 and the first encryption unit 225. Then, the second decryption unit 226 holds this session key Ks2 (S142). The first encryption unit 225 concatenates the session key Ks2 and its own public key KPp2, encrypts it with the challenge key Kc1 held in step S136, and generates session information Es (Kc1, Ks2 // KPp2) ( S144).

  On the other hand, when the processing of the session information generation command is completed in the storage device 200, the controller 101 of the recording apparatus 100 issues a session information output command (S146). In the storage device 200, when the session information output command is received (S148), the controller 201 reads the session information Es (Kc1, Ks2 // KPp2) from the cryptographic engine 203 and outputs it to the controller 101 of the recording apparatus 100 (S150). .

  Upon receiving the session information Es (Kc1, Ks2 // KPp2) from the storage device 200, the controller 101 of the recording device 100 sends it to the cryptographic engine 103 (S152). When the cryptographic engine 103 receives the session information Es (Kc1, Ks2 // KPp2) from the controller 101 (S154), the decryption unit 123 uses the challenge key Kc1 held in step S114 to store the session information Es (Kc1, Ks2 // KPp2). ) And the session key Ks2 and the public key KPp2 of the storage device 200 are extracted (S156) and transmitted to the third encryption unit 125 and the second encryption unit 124, respectively.

  Subsequently, the cryptographic engine 103 determines whether the recording of the license data is the first recording process after holding the challenge key Kc1 in step S114 or the second and subsequent recording processes by repeated recording (S158). In the case of the first processing (Y in S158), the cryptographic engine 103 generates a random number rp1 in the random number generation unit 121 and transmits the generated random number rp1 to the second encryption unit 124. The second encryption unit 124 calculates the shared key KPp2 * rp1 and the parameter B * rp1 using the random number rp1 and holds it inside (S160).

  On the other hand, in the case of the second and subsequent processes (N in S158), step S160 is skipped, that is, the shared key KPp2 * rp1 and parameter B * rp1 are not generated, and the process proceeds to the next step S162.

  The second encryption unit 124 encrypts the license data LIC issued by the encryptor 104 with the stored shared key KPp2 * rp1, and the encrypted license data Ep (KPp2, LIC) = B * rp1 // Es ( KPp2 * rp1, LIC) is generated and transmitted to the third encryption unit 125. Then, the third encryption unit 125 further encrypts the encrypted license data Ep (KPp2, LIC) generated by the second encryption unit 124 with the session key Ks2 issued by the storage device 200, and the encrypted license data Es (Ks2, Ep (KPp2, LIC)) is generated and sent to the controller 101 (S162).

  Thus, in the first case (Y of 158), multiplication is performed on the elliptic curve for newly generating the shared key KPp2 * rp1 and the parameter B * rp1, that is, the cryptographic calculation is performed by the public key cryptosystem, and the result is the calculation result. Step S162 is performed using the shared key KPp2 * rp1 and the parameter B * rp1, and encrypted license data Es (Ks2, Ep (KPp2, LIC)) is generated and sent to the controller 101.

  On the other hand, in the case of the second and subsequent processes (N in S158), the shared key KPp2 * rp1 and the parameter B * rp1 are not newly generated, and the process proceeds to Step S160, which is created in the first process, and the second encryption unit 124 Using shared key KPp2 * rp1 and parameter B * rp1 held inside, step S162 is performed to generate encrypted license data Es (Ks2, Ep (KPp2, LIC)) and send it to controller 101. That is, since the shared key KPp2 * rp1 and the parameter B * rp1 are not generated, the multiplication on the elliptic curve can be omitted, and only the data encryption process is performed. The processing time in this case is the same as the cryptographic operation of the common key cryptosystem, and high-speed operation is possible. As described above, the second and subsequent processes can be performed at a higher speed than the first process that performs multiplication on an elliptic curve.

  Upon receiving the encrypted license data Es (Ks2, Ep (KPp2, LIC)) (S164), the controller 101 issues a license data write command to the storage device 200 (S166). The license write command is accompanied by an address for specifying a recording position in the tamper resistant storage unit 204 and control information indicating whether or not a shared key generation operation is performed when decrypting the encrypted license data. Here, the address indicates a logical address and does not directly specify the recording position in the tamper-resistant storage unit 204, but the controller records the data recorded by specifying the address so that it can be read by specifying the same address. 201. However, the physical address directly indicating the position in the tamper resistant storage unit 204 may be used.

  When the storage device 200 accepts the license write command (S168), the storage device 200 requests input of encrypted license data, and the controller 101 of the recording apparatus 100 responds to the request with the encrypted license data Es (Ks2, Ep ( KPp2, LIC)) is output to the storage device 200 (S170).

  When the storage device 200 receives the encrypted license data Es (Ks2, Ep (KPp2, LIC)) (S172), it transmits the encrypted license data Es to the second decryption unit 226 of the cryptographic engine 203. The second decryption unit 226 decrypts the encrypted license data Es (Ks2, Ep (KPp2, LIC)) with the session key Ks2 held therein, and the license data Ep (encrypted with its own public key KPp2). KPp2, LIC) is taken out (S174). The extracted encrypted license data Ep (KPp2, LIC) is transmitted to the third decryption unit 227.

  And the control part 220 confirms the control information which shows the presence or absence of the production | generation of a shared key (S176). When generation is necessary, that is, when the recording of this license data is the first recording process after holding the common key Kc1 in step S136 (Y in S176), the third decryption unit 227 transmits the transmitted Ep (KPp2, LIC) = B * rp1 // Es (KPp2 * rp1, LIC), the parameter B * rp1 is extracted, and the shared key Kp2 * B * rp1 = KPp2 * rp1 is ellipse from the parameter B * rp1 and its own secret key Kp2. Calculation is performed on the curve, and this is held inside (S178).

  On the other hand, when the calculation of the shared key is unnecessary, that is, in the case of the second and subsequent processing (N in S176), step S178 is skipped, the shared key Kp2 * B * rp1 is not generated, and the process proceeds to the next step S180. .

  The third decryption unit 227 uses the key Kp2 * B * rp1 held therein to decrypt the encrypted license data Ep (KPp2, LIC) transmitted from the second decryption unit 226 to extract the license data LIC ( S180), the data is transmitted to the data bus 210 via the local bus 240 and the control unit 220.

  In this way, in the first case (Y in 176), multiplication on the elliptic curve for generating a new shared key Kp2 * B * rp1, that is, cryptographic operation by the public key cryptosystem is performed, and the shared key as the operation result is obtained. The encrypted license data Ep (KPp2, LIC) is decrypted with KPp2 * rp1, and the license data LIC is extracted.

  On the other hand, in the case of the second and subsequent processes (N in S176), the process proceeds to step S180 without newly generating the shared key KPp2 * rp1, and is created in the first process and is stored in the third decryption unit 227. Using Kp2 * B * rp1, the encrypted license data Ep (KPp2, LIC) is decrypted, and the license data LIC is taken out.

  The controller 201 performs a storage process of storing the license data transmitted to the data bus 210 at a specified address of the tamper resistant storage unit 204 (S182).

  On the other hand, after the processing of the license data write command is completed in the storage device 200, the controller 101 determines whether to continue recording license data (S184).

  When license data is continuously recorded (Y in S184), the process proceeds to step S138, and the procedure is started from the issue of the session information generation command. This is because, when a plurality of license data is recorded, the certificate verification process and the encryption operation and the decryption operation by the public key cryptosystem are shared by the plurality of recording processes, and when the license data is subsequently recorded, 2 This is a procedure for shortening the processing time required for the subsequent recording. It is not necessary to record the next license data immediately after recording one license data. The encryption engine 103 and the storage device 200 share the challenge key Kc1, the shared key KPp2 * rp1, and the parameter B * rp1, specifically, the decryption unit 123 of the encryption engine 103 of the recording apparatus 100 and the storage device 200. The first encryption unit 225 of the encryption engine 203 holds the same challenge key Kc1, and the second encryption unit 124 of the encryption engine 103 of the recording device 100 and the third decryption unit 227 of the encryption engine 203 of the storage device 200 However, any timing may be used as long as the same shared key KPp2 * rp1 and parameter B * rp1 are both held.

  Even if the license data is continuously recorded, the procedure may be started from step S102. However, even after the second time, the time is required for recording because it is treated as the first time.

  On the other hand, if the license data is not continuously recorded (N in S184), the process ends normally.

  With the above procedure, the license data necessary for decrypting and playing back the encrypted content is recorded in the storage device 200. The encrypted content is normal data and is directly stored in the normal data storage unit 205 of the storage device 200 by a normal command. The description of the normal data storage process is omitted.

  Note that the recording order of the license data and the encrypted content data to the storage device 200 may be any first. Further, the license data may be recorded by dividing and issuing the secure command during the free time when recording the encrypted content data.

  Further, in the control unit 220 of the cryptographic engine 203 of the storage device 200, as a means for determining whether the process is the first process or the second process or later, the license write command is instructed whether or not a shared key generation operation is performed. As shown in this embodiment, if the encrypted license data includes a parameter regardless of whether or not the shared key is calculated, the parameter is retained at the first processing and accepted as the retained parameter. Whether the parameter is included in the encrypted license data may be determined based on whether the parameters included in the encrypted license data match or not. Further, after the second time, the encrypted license data may be in a format that does not include parameters, and the determination may be made based on the presence or absence of parameters. Further, similarly to the cryptographic engine 103 in the present embodiment, the processing procedure may be managed and determined internally. The determination in the cryptographic engine 103 can be made in the same manner.

  Note that the procedure until the recording apparatus 100 shown in FIGS. 8 and 9 records the license data in the storage device 200 is an example in the case of normal processing transition.

  10 and 11 show a procedure until the playback device 300 reads license data from the storage device 200. FIG.

  First, the controller 301 of the playback device 300 makes a certificate transmission request to the cryptographic engine 303 (S302). When the cryptographic engine 303 receives the transmission request (S304), the certificate output unit 320 sends the certificate C [KPd3] to the controller 301 (S306). Upon receiving the certificate C [KPd3] from the cryptographic engine 303 (S308), the controller 301 issues a certificate verification command to the storage device 200 (S310).

  When the storage device 200 receives the certificate verification command (S312), the storage device 200 requests the input of the certificate, and the controller 301 of the playback device 300 responds to the request with the certificate C [KPd3] received from the cryptographic engine 303. Is output to the storage device 200 (S314).

  When the storage device 200 receives the certificate C [KPd3] (S316), the storage device 200 gives the certificate C [KPd3] to the internal encryption engine 203. In the cryptographic engine 203, the certificate verification unit 223 verifies the certificate C [KPd3] with the verification key KPa according to the instruction of the control unit 220 (S318). When the certificate is not approved (N in S318), the certificate verification unit 223 transmits a verification error notification to the controller 301 via the control unit 220, the controller 201, and the storage interface 202 (S400). When receiving the error notification (S402), the controller 301 of the playback device 300 abnormally ends the process.

  On the other hand, when the certificate C [KPd3] is approved (Y in S318), the cryptographic engine 203 holds the public key KPd3 in the second cryptographic unit 228 (S320).

  On the other hand, when the storage device 200 approves the certificate C [KPd3] of the cryptographic engine 303 in the storage device 200, the controller 301 issues a challenge information generation command to the storage device 200 (S322). Then, the storage device 200 receives the challenge information generation command (S324). In the cryptographic engine 203, the random number generation unit 221 generates a challenge key Kc 2 in accordance with an instruction from the control unit 220, and transmits the generated challenge key Kc 2 to the second encryption unit 228 and the fourth decryption unit 229. Then, the fourth decryption unit 229 holds the challenge key Kc2 inside (S326). Further, the random number generation unit 221 generates a random number rd2 and transmits the generated random number rd2 to the second encryption unit 228. Then, the second encryption unit 228 calculates the public key KPd3 and the random number rd2 held in step S320, and calculates the shared key KPd3 * rd2 and the parameter B * rd2 (S328). Then, the challenge key Kc2 transmitted from the random number generator 221 is encrypted with the calculated shared key KPd3 * rd2 to generate challenge information Ep (KPd3, Kc2) (S330).

  On the other hand, when the processing of the challenge information generation command is completed in the storage device 200, the controller 101 issues a challenge information output command (S332). When the storage device 200 receives the challenge information output command (S334), the controller 201 retrieves the challenge information Ep (KPd3, Kc2) from the cryptographic engine 203 by the controller 201 and outputs it to the controller 301 of the playback device 300 (S336).

  Upon receiving the challenge information Ep (KPd3, Kc2), the controller 301 of the playback device 300 sends it to the cryptographic engine 303 (S338). When the cryptographic engine 303 receives the challenge information Ep (KPd3, Kc2) (S340), in the cryptographic engine 303, the first decryption unit 322 encrypts the challenge information Ep (KPd3, Kc2) with the parameter B * rd2. Decompose into challenge key Es (KPd3 * rd2, Kc2). The shared key Kd3 * B * rd2 (= KPd3 * rd2) is calculated from the parameter B * rd2 and its own secret key Kd3 (S342), and the encrypted challenge key Es (KPd3 * rd2, Kc2) is decrypted. The challenge key Kc2 is extracted (S344). The extracted challenge key Kc2 is transmitted to and held in the encryption unit 323 (S346).

  On the other hand, the controller 301 of the playback device 300 issues a license read command to the storage device 200 (S348). The license read command is accompanied by an address that designates a read position in the tamper resistant storage unit 204. Upon receiving the license read command (S350), the storage device 200 reads the license data LIC stored at the specified address in the tamper-resistant storage unit 204, and the read license data LIC is the third license engine LIC. It is held by the encryption unit 230 (S352).

  On the other hand, the controller 301 of the playback device 300 sends a session information transmission request to the cryptographic engine 303 (S354). When the cryptographic engine 303 receives this transmission request (S356), in the cryptographic engine 303, the random number generation unit 321 generates a session key Ks3 and transmits it to the cryptographic unit 323 and the second decryption unit 324. The second decryption unit 324 holds the session key Ks3 inside (S358).

  The encryption unit 323 encrypts Ks3 // KPp3 obtained by concatenating its public key KPp3 to the session key Ks3 generated by the random number generation unit 321 with the challenge key Kc2 held in step S346, and stores the session information Es (Kc2, Ks3 // KPp3) is generated and sent to the controller 301 (S360). Upon receiving the session information Es (Kc2, Ks3 // KPp3) from the cryptographic engine 303 (S362), the controller 301 issues a session information processing command to the storage device 200 (S364). This session information processing instruction is accompanied by control information indicating whether or not a shared key is generated when the license data is encrypted.

  When the storage device 200 receives the session information processing command (S366), the storage device 200 requests the input of session information, and the controller 301 of the playback device 300 responds to the request with the session information Es (Kc2, Ks3 // KPp3) is output to the storage device 200 (S367). When the storage device 200 receives the session information Es (Kc2, Ks3 // KPp3) (S368), the storage device 200 gives it to the fourth decryption unit 229 of the cryptographic engine 203. The fourth decryption unit 229 decrypts the given session information Es (Kc2, Ks3 // KPp3) with the challenge key Kc2 held in step S326. Then, the session key Ks3 issued by the playback device 300 and the public key KPp3 of the playback device 300 are extracted and transmitted to the fourth encryption unit 231 and the third encryption unit 230, respectively (S370).

  And the control part 220 confirms the control information which shows the presence or absence of shared key generation (S372). When shared key generation is necessary, that is, for the first reproduction process after generation of the challenge key Kc2 in step S326 (Y in S372), the control unit 220 instructs the random number generation unit 221 to generate a random number rp2. The random number generation unit 221 generates a random number rp2 and transmits the generated random number rp2 to the third encryption unit 230. The third encryption unit 230 calculates the shared key KPp3 * rp2 and the parameter B * rp2 using the random number rp2, and holds it inside (S374).

  On the other hand, if shared key generation is not required, that is, after the generation of the challenge key Kc2 in step S326, the second and subsequent playback processes (N in S372), step S374 is skipped, and the shared key KPp3 * rp2 and parameter B are skipped. * Proceed to the next step S376 without generating rp2.

  The third encryption unit 230 encrypts the license data LIC held in step S352 with the held shared key KPp3 * rp2, concatenates the result and the held parameter B * rp2, and encrypts the license data B * rp2 // Es (KPp3 * rp2, LIC) = Ep (KPp3, LIC) is generated and transmitted to the fourth encryption unit 231. The fourth encryption unit 231 encrypts the encrypted license data Ep (KPp3, LIC) with the session key Ks3 given from the fourth decryption unit 229, and encrypts the license data Es (Ks3, (Ep (KPp3, LIC)). ) Is generated (S376).

  On the other hand, when the processing of the session information processing command is completed in the storage device 200, that is, the encrypted license data is generated, the controller 301 of the playback device 300 issues an encrypted license output command (S378). In the storage device 200, when the encrypted license output command is received (S380), the controller 201 extracts the encrypted license data Es (Ks3, Ep (KPp3, LIC)) from the cryptographic engine 203, and the controller 301 of the playback device 300. (S382).

  Upon receiving the encrypted license data Es (Ks3, Ep (KPp3, LIC)) from the storage device 200, the controller 301 of the playback device 300 sends it to the cryptographic engine 303 (S384). When the cryptographic engine 303 receives the encrypted license data (S386), the second decryption unit 324 decrypts the encrypted license data Es (Ks3, Ep (KPp3, LIC)) with the session key Ks3 held in step S358 ( In S388, the decoding result Ep (KPp3, LIC) is transmitted to the third decoding unit 325.

  Then, it is determined whether this reproduction process is the first process or the second and subsequent processes after the challenge key Kc2 is held in step S346 (S390). In the case of the first reproduction process (Y in S390), the third decoding unit 325 extracts the parameter B * rp2 from the transmitted Ep (KPp3, LIC) = B * rp2 // Es (KPp3 * rp2, LIC). The shared key Kp3 * B * rp2 = KPp3 * rp2 is calculated on the elliptic curve from the parameter B * rp2 and its own secret key Kp3, and the calculation result is held inside (S392).

  On the other hand, if it is not necessary to generate a shared key, that is, in the case of the second and subsequent playback processes (N in S390), step S392 is skipped, and the shared key Kp3 * B * rp2 is not generated and the process proceeds to the next step S394. move on.

  The third decryption unit 325 extracts the encrypted license data Es (KPp3 * rp2, LIC) from the transmitted Ep (KPp3, LIC) = B * rp2 // Es (KPp3 * rp2, LIC) And the shared data Kp3 * B * rp2 held in the license key LIC2 and the license data LIC is extracted (S394). The license data is sent to the decryptor 304 (S396), and is used when the decryptor 304 decrypts the encrypted content data. With the above procedure, license data for decrypting the encrypted content is read from the storage device 200 by the playback device 300.

  As described above, when the reproduction process is the first time (Y in 390), multiplication on the elliptic curve for generating a new shared key Kp3 * B * rp2, that is, a cryptographic operation by the public key cryptosystem is performed, and the result is the operation result. The encrypted license data Ep (KPp3, LIC) is decrypted with the shared key KPp3 * rp2, and the license data LIC is extracted.

  On the other hand, in the case of the second and subsequent reproduction processes (N in S390), the process proceeds to step S394 of the decryption process without generating the shared key KPp3 * rp2 and the parameter B * rp2, and is generated in the first process, and the third decryption unit The encrypted license data Ep (KPp3, LIC) is decrypted with the shared key Kp3 * B * rp2 held in 325, and the license data LIC is taken out.

  When the storage device 200 reads out the license data and then reads out other license data (Y in S398), the controller 301 of the playback device 300 proceeds to step S348 and starts the procedure from issuing the license read command. . This is a procedure for reducing the processing by sharing the certificate verification processing when reading a plurality of license data. Here, it is assumed that the license data is continuously read out, but it is not always necessary to perform the next reading immediately after reading out one license data. The cryptographic engine 103 and the storage device 200 share the challenge key Kc2, the shared key KPp3 * rp2, and the parameter B * rp2. Specifically, the fourth decryption unit 229 and the playback device of the cryptographic engine 203 of the storage device 200 The encryption unit 323 of the encryption engine 303 of 300 shares the same challenge key Kc2, and the third encryption unit 230 of the encryption engine 203 of the storage device 200 and the second decryption unit 324 of the encryption engine 303 of the playback device 300 Can be at any timing as long as both hold the same shared key KPp3 * rp2 and the same parameter B * rp2.

  Further, even if the license data is read continuously, the procedure may be started from step S302. In this case, even if the reproduction process is performed for the second time or later, it takes time because it is treated as the first time.

  If the other license data is not read subsequently (N in S398), the controller 301 ends the process normally.

  In the above embodiment, the control unit 220 of the cryptographic engine 203 of the storage device 200 instructs the license write command as to whether or not to calculate the shared key as means for determining whether the process is the first process or the second and subsequent processes. As shown in this embodiment, when the public key KPp3 is included in the session information regardless of whether or not the shared key is calculated, the public key KPp3 is held at the first processing, It is also possible to determine whether or not the second and subsequent processing is performed based on whether or not the held public key KPp3 matches the public key KPp3 included in the received session information. Further, in the second and subsequent processes, the session information may be in a format that does not include the public key KPp3, and the determination may be made based on the presence or absence of the public key KPp3. Further, the processing procedure may be managed and determined internally by the control unit 220.

  In this way, the license data recorded in the storage device 200 is copied (license data recorded in the storage device 200 is available) or moved (license data recorded in the storage device 200) to another storage device. Can be deleted or invalidated). If another storage medium that newly records license data has the same function, the license may be transferred between the storage devices in the same procedure, and the license may be recorded from the storage device 200 to another storage device. Obviously we can do it. In this case, the transfer of the license from the storage device 200 to the other storage device includes the use of the license from the storage device 200 to the playback device 300 and the transfer of the license from the other storage device to the storage device 200. It functions in the same manner as license recording from the recording apparatus 100 to the storage device 200.

  In the above embodiment, for simplification, it has been described that the data is encrypted with the shared keys Kp2 * B * rp1 = KPp2 * rp1, Kp3 * B * rp2 = KPp3 * rp2, but for data encryption, Kp2 * It is also possible to derive the key length data of the symmetric key algorithm from B * rp1 or Kp3 * B * rp2 and then encrypt the data according to the result of this derivation function. As a result, it is possible to compensate for the difference between the shared keys Kp2 * B * rp1 and Kp3 * B * rp2 shared by elliptic curve cryptography and the key formats that can be used in the symmetric key encryption algorithm. At this time, the symmetric key encryption algorithm for encrypting data from the two coordinate values of the shared key Kp2 * B * rp1, Kp3 * B * rp2, or one coordinate value, which is a two-dimensional coordinate on the elliptic curve. It is necessary to share the derivation function for obtaining the key length data in advance between the license data transmission source and the license data transmission destination together with the base point.

  According to the above-described embodiment, the public key encryption algorithm should be concealed like license data by combining the common key encryption algorithm that has a smaller amount of computation than the public key encryption algorithm and is easy to implement in hardware. Even when data is repeatedly accessed (recorded or read), confidential data can be accessed at high speed without compromising safety. Therefore, data that should be kept confidential between the storage device and the host device is encrypted. Therefore, the processing efficiency when inputting / outputting can be improved.

(Second Embodiment)
FIG. 12 shows a configuration of a recording / reproducing apparatus 400 according to the second embodiment. In the present embodiment, the recording apparatus 100 and the reproducing apparatus 300 in the first embodiment are realized as one recording / reproducing apparatus 400.

  The recording / reproducing apparatus 400 of this embodiment includes a controller 401, a storage interface 402, a recording unit 403, a reproducing unit 404, and a data bus 410 that electrically connects at least some of these components. The recording unit 403 includes the configuration of the recording device 100 according to the first embodiment illustrated in FIG. 2, and the reproducing unit 404 includes the configuration of the reproducing device 300 according to the first embodiment illustrated in FIG. In the figure, the same reference numerals are assigned to the same components as those in the first embodiment.

  The cryptographic engine 103 corresponds to the cryptographic engine 103 of the recording device 100 in the first embodiment, and the cryptographic engine 303 corresponds to the cryptographic engine 303 of the playback device 300 in the first embodiment. The internal configuration of the cryptographic engine 103 is the same as the cryptographic engine 103 of the first embodiment shown in FIG. 5, and the internal configuration of the cryptographic engine 303 is the cryptographic engine of the first embodiment shown in FIG. This is the same as the internal configuration 303. The controller 401 has the functions of both the controller 101 of the recording apparatus 100 and the controller 301 of the playback apparatus 300 in the first embodiment. The storage interface 402 controls data input / output with the storage device 200, and the data bus 410 electrically connects the configuration of the recording / playback apparatus 400.

  The operation of the recording / reproducing apparatus 400 in the present embodiment is the same as that in the first embodiment. In the operation described in the first embodiment, the recording apparatus 100 and the reproducing apparatus 300 are connected to the recording / reproducing apparatus 400. Further, the controller 101 and 301 are replaced with the controller 401, the storage interface 102 and 302 are replaced with the storage interface 402, and the data buses 110 and 310 are replaced with the data bus 410, respectively.

  In this embodiment, the recording unit 403 and the playback unit 404 include the cryptographic engine 103 and the cryptographic engine 303, respectively. However, the same functional block in these cryptographic engines may be shared. The configuration is the same as that of the cryptographic engine 203 in the storage device 200 shown in FIG.

(Third embodiment)
FIG. 13 shows a configuration of a content distribution system according to the third embodiment. In the present embodiment, the recording device 100 in the first embodiment is realized as a distribution server 500 that distributes content and a terminal device 520 that receives the content. In the figure, the same components as those of the recording apparatus 100 according to the first embodiment are denoted by the same reference numerals.

  The distribution server 500 includes a cryptographic engine 103, a communication device 502, a content database 503, a license database 504, a user database 505, a controller 501 that controls them, and a data bus 510 that electrically connects them. The terminal device 520 includes a controller 101, a storage interface 102, a communication device 521, and a data bus 522 that electrically connects them. The distribution server 500 and the terminal device 520 are connected by the Internet 20 as an example of a network via the communication devices 502 and 521, respectively.

  The cryptographic engine 103 of the distribution server 500 has the same function as the cryptographic engine 103 of the first embodiment. The controller 101 and the storage interface 102 of the terminal device 520 are the same as the controller 101 of the first embodiment. It has the same function as the storage interface 102.

  The content database 503 holds content provided to the user. The license database 504 holds license data including a content key used for encrypting content. In this embodiment, the content is already encrypted with the content key and stored in the content database 503. However, the content before encryption is stored in the content database 503, and the distribution server 500 stores the first content. The content encoder 105 and the encryptor 104 included in the recording apparatus 100 according to the embodiment may be further provided, and the content may be read from the content database 503, encoded, and encrypted. The user database 505 holds information on a user who is a content providing destination. For example, the user's personal information, the user's terminal device 520 address, content purchase history, billing information, and the like may be held.

  The controller 501 reads encrypted content from the content database 503 in response to a user request and provides it to the user. Then, when the license data for decrypting the content is provided to the user by the encryption engine 103, the user database 505 is updated to charge for the content provision.

  In this embodiment, if the data bus 510, the communication device 502, the Internet 20, the communication device 521, and the data bus 522 are the data bus 110 in the first embodiment having the electrically connected configuration, The configuration is the same as that of the first embodiment.

  The procedure of the cryptographic input / output process of this embodiment is the same as that of the first embodiment. In the present embodiment, the communication between the cryptographic engine 103 and the controller 101 is performed via the Internet 20, as described with reference to FIGS. 8 and 9, even between the cryptographic engine 103 and the controller 101. Since data is encrypted and transmitted / received, high tamper resistance can be realized.

  Content playback can be performed by attaching the storage device 200 to the playback device 300 in the first embodiment or the recording / playback device 400 in the second embodiment. Further, the terminal device 520 may be configured to include the playback unit 404 of the recording / playback device 400 in the second embodiment, and playback may be performed.

  As mentioned above, although embodiment which concerns on this invention was described, this embodiment is an illustration, this invention is not limited to this embodiment, The combination of each of those component and each processing process is carried out. It will be appreciated by those skilled in the art that various modifications are possible and that such modifications are within the scope of the present invention.

  For example, in the above-described embodiment, the functional block for performing encryption and the functional block for performing decryption are separately provided in the cryptographic engine, but the circuit may be shared by these components. As a result, the circuit scale can be reduced, contributing to downsizing and low power consumption.

  The embodiments of the present invention can be appropriately modified in various ways within the scope of the technical idea shown in the claims.

It is a figure which shows the whole structure of the data management system which concerns on 1st Embodiment. 1 is a diagram illustrating an internal configuration of a recording apparatus according to a first embodiment. It is a figure which shows the internal structure of the reproducing | regenerating apparatus concerning 1st Embodiment. It is a figure which shows the internal structure of the storage device which concerns on 1st Embodiment. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the internal structure of the recording / reproducing apparatus which concerns on 2nd Embodiment. It is a figure which shows the internal structure of the recording / reproducing apparatus which concerns on 3rd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Recording apparatus 200 Storage device 300 Playback apparatus 400 Recording / playback apparatus 500 Distribution server 520 Terminal apparatus

Claims (22)

A method for transmitting and receiving content usage information including a content key for decrypting encrypted content data,
A source of the content usage information authenticating a destination of the content usage information;
Sharing a first symmetric key between the source and the destination when the destination is approved;
The transmission source encrypts the content usage information and transmits it to the transmission destination,
Sharing the first symmetric key comprises:
Using Elliptic Curve Diffie-Hellman encryption algorithm to generate data for sharing the first symmetric key with the destination using the destination public key;
Transmitting the data to a counterpart device,
The step of transmitting the content usage information includes:
Sharing a second symmetric key between the transmission source and the transmission destination when the timing for transmitting the content usage information arrives;
Encrypting the content usage information with the first symmetric key and the second symmetric key and transmitting the encrypted content usage information to the transmission destination.   The first symmetric key is retained in the transmission source and the transmission destination after the step of transmitting the content usage information is used, and is used when transmitting the content usage information next time. The content usage information transmission method according to claim 1.   When the timing for transmitting the content usage information has arrived, if the first symmetric key is already shared between the transmission source and the transmission destination, the authenticating step and the first symmetric key 3. The content usage information transmission method according to claim 1, wherein the step of sharing the key is omitted.   When it becomes necessary to authenticate the destination again, the first symmetric key that has already been shared is discarded, and the step of sharing the first symmetric key includes the newly issued first symmetric key. 4. The content usage information transmission method according to claim 2, wherein a key is shared.   The second symmetric key is newly issued when the next content usage information is transmitted after completion of the step of transmitting and receiving the content usage information, and is shared between the transmission source and the transmission destination. The content usage information transmission method according to any one of claims 1 to 4.   The first symmetric key is issued by one of the transmission source and the transmission destination, and the second symmetric key is issued by the other. The content usage information transmission method described. Further comprising sharing a third symmetric key used to share the second symmetric key between the source and the destination;
2. The step of sharing the second symmetric key includes sharing the second symmetric key by encrypting and transmitting the second symmetric key with the third symmetric key. 7. The content usage information transmission method according to any one of items 1 to 6.   The third symmetric key is held at the transmission source and the transmission destination after the step of transmitting the content usage information is completed, and is used when the second symmetric key is shared next time. The content usage information transmitting method according to claim 7.   When it becomes necessary to authenticate the destination again, the already-shared third symmetric key is discarded, and the step of sharing the third symmetric key includes the newly issued third symmetric key. 9. The content usage information transmission method according to claim 8, wherein a key is shared. A content use information providing device that provides content use information including a content key for decrypting encrypted content data to a content use information receiving device,
Verification means for acquiring authentication information from the content use information receiving device and verifying the validity of the authentication information;
A first symmetric key sharing unit that shares a first symmetric key with the content usage information receiving device using a public key cryptosystem when the verification unit approves the content usage information receiving device;
A second symmetric key sharing means for sharing a second symmetric key with the license usage information receiving device when the timing for transmitting the content usage information arrives;
Encryption means for encrypting the content usage information with the first symmetric key and the second symmetric key;
Content usage information transmitting means for transmitting the content usage information encrypted by the encryption means to the content usage information receiving device,
The first symmetric key sharing means includes
Random number generating means for generating a random number;
The Elliptic Curve Diffie-Hellman encryption algorithm is used to generate the first symmetric key using the random number and the public key of the content usage information receiving device, and the first symmetric key is used between the content usage information receiving device. First symmetric key generation means for generating data to be shared with
Transmitting means for transmitting the data to the content usage information receiving device. A content usage information providing device, comprising: The content usage information providing device includes:
A content usage information generating unit for generating the content usage information;
A content data encryption unit that encrypts the content data with the content key and outputs the encrypted content data;
The content usage information providing apparatus according to claim 10, further comprising: The content usage information providing device includes:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information providing apparatus according to claim 10 or 11, wherein the second storage unit is configured by a tamper-resistant structure. A content use information receiving device for receiving content use information including a content key for decrypting encrypted content data from a content use information providing device,
Authentication information transmitting means for transmitting the authentication information to the content usage information providing device;
A first symmetric key sharing means for sharing a first symmetric key with the content usage information providing apparatus using a public key cryptosystem when the content usage information providing apparatus approves the authentication information;
A second symmetric key sharing means for sharing a second symmetric key with the content usage information providing device when the timing for receiving the content usage information arrives;
Content usage information receiving means for receiving, from the content usage information providing device, the content usage information encrypted with the first symmetric key and the second symmetric key;
Decrypting means for decrypting the encrypted content usage information,
The first symmetric key sharing means includes
Public key providing means for providing the public key to the content usage information providing device;
Obtaining means for obtaining data for sharing the first symmetric key with the content usage information providing device;
And a first symmetric key generating means for generating the first symmetric key by using a secret key that is paired with the data and the public key by an Elliptic Curve Diffie-Hellman encryption algorithm. Usage information receiving device. The content use information receiving device is:
A content data decrypting unit for decrypting the encrypted content data with the content key;
The content use information receiving apparatus according to claim 13, further comprising: a reproducing unit that reproduces the content data decrypted by the content data decrypting unit. The content use information receiving device is:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information receiving apparatus according to claim 13 or 14, wherein the second storage unit is configured by a tamper resistant structure. A content use information providing device for providing content use information including a content key for decrypting encrypted content data to a content use information receiving device,
An interface for controlling the exchange of data with the content use information receiving device;
A symmetric key generation unit that generates a first symmetric key that is temporally generated in communication with the content use information receiving device;
A first encryption unit that encrypts data using a first public key set in the content use information receiving device;
A decryption unit for decrypting data with the first symmetric key generated by the symmetric key generation unit;
A second encryption unit for encrypting data in accordance with the elliptic curve Diffie-Hellman encryption algorithm using the second public key of the elliptic curve encryption set in the content usage information receiving device;
A random number generator for generating a random number to be supplied to the second encryption unit;
A third encryption unit that encrypts data with a second symmetric key generated by the content use information receiving device;
A control unit,
The second encryption unit is
In order to acquire a random number generated in the random number generation unit and share the shared key used for encryption with the content use information receiving device based on the acquired random number and the second public key And a function of encrypting the content usage information with the generated shared key,
In the encryption process using the second public key for the first time after the first symmetric key is generated in the symmetric key generation unit, the random number generated in the random number generation unit is acquired, and the acquired random number and the first Generating a shared key used for encryption and data for sharing the shared key with the content use information receiving device, encrypting the data using the shared key,
In the encryption process after the first symmetric key is generated in the symmetric key generation unit, the content usage information is encrypted with the previous shared key,
The controller is
Controlling the symmetric key generation unit to generate the first symmetric key;
Receiving the first symmetric key encrypted with the first public key from the first encryption unit and transmitting it to the content use information receiving device via the interface;
Receiving the second symmetric key encrypted by the first symmetric key received via the interface and the second public key from the content use information receiving device and giving them to the decryption unit;
Encrypted content usage information encrypted with the shared key and the second symmetric key generated based on the second public key decrypted by the decryption unit is the second encryption unit or the third encryption unit. The content usage information providing device, wherein the content usage information providing device transmits the content usage information to the content usage information receiving device via the interface. A content encryption unit that generates the content usage information and encrypts content data with the content key included in the generated content usage information;
The content usage information providing apparatus according to claim 16, wherein the control unit acquires the content usage information generated by the content encryption unit and provides the content usage information to the third encryption unit. A storage unit for storing the content usage information;
The content usage information providing device according to claim 16 or 17, wherein the control unit acquires the content usage information stored in the storage unit from the storage unit and gives the content usage information to the third encryption unit. . The storage unit
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information providing apparatus according to claim 18, wherein the second storage unit is configured by a tamper-resistant structure with high confidentiality. A content use information receiving device for receiving content use information including a content key for decrypting and reproducing encrypted content data from a content use information providing device,
An interface for controlling the exchange of data with the content usage information providing device;
A first secret key holding unit that holds a first secret key for decrypting data encrypted with a first public key set in the content use information receiving device;
A second public key holding unit holding a second public key of elliptic curve cryptography set in the content use information receiving device;
A second secret key holding unit for holding a second secret key for decrypting data encrypted with the second public key;
A first decryption unit for decrypting data encrypted with the first public key with the first secret key;
An encryption unit for encrypting data with the first symmetric key generated by the content use information providing device;
A symmetric key generation unit that generates a second symmetric key for specifying communication with the content usage information providing device;
A second decryption unit for decrypting data encrypted with the second symmetric key;
A third decryption unit for decrypting data encrypted by the second public key according to an elliptic curve Diffie-Hellman encryption algorithm by the second secret key;
A control unit,
The third decoding unit includes:
A function for generating the shared key based on the data for sharing the shared key acquired from the content use information providing apparatus and the second secret key, and a function for decrypting the data encrypted with the shared key; Have
In the decryption processing for decrypting the data encrypted with the second public key received only after the first symmetric key is decrypted in the first decryption unit, the data to be shared and the second After generating the shared key based on a secret key, decrypt the data encrypted using the shared key,
In the first and subsequent decryption processes, the first decryption unit decrypts the encrypted data using the shared key used for the previous decryption.
The controller is
Receiving the first symmetric key encrypted with the first public key from the interface, and providing the received first encrypted symmetric key to the first decryption unit;
Controlling the symmetric key generation unit to generate the second symmetric key;
Transmitting the second symmetric key and the second public key encrypted by the first symmetric key in the encryption unit to the content usage information providing apparatus via the interface;
Giving the second decryption unit encrypted content usage information encrypted with the second public key and the second symmetric key received via the interface;
A content use information receiving apparatus characterized by the above.   21. The content according to claim 20, further comprising a content reproduction unit that reproduces the content data by decrypting the encrypted content data with the content key included in the content usage information extracted by the third decryption unit. Usage information receiving device. A storage unit for storing the content usage information;
The controller is
The content usage information receiving device according to claim 20 or 21, wherein the content usage information extracted by the third decryption unit is stored in the storage unit.

Images