JP2006115418A - Copyright data distribution system, copyright data distribution method, and communication program for copyright data distribution - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technology of effectively preventing the illegitimate use of copyright data in the case of carrying out copyright data distribution. <P>SOLUTION: A commercial transaction system adopting a client and server configuration and utilizing the Internet prevents extraction of copyright data not only from communications but also from a computer and the illegitimate use of the extracted copyright data by encrypting a protocol on a transport layer for use in communication and managing the copyright data as encrypted information on the transport layer. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a copyright data distribution system, a copyright data distribution method, and a copyright data distribution communication program for realizing the copyright data distribution system.

  In recent years, the distribution of electronic data using the Internet has been rapid because anyone can access the computer for distribution anytime, anywhere by simply connecting it to the network as long as there is a computer device that can be connected to the Internet. Has spread to. On the other hand, with the spread of Internet communication, hackers and crackers infiltrate computer systems for commerce, steal software, data, and tamper and destroy. In addition, the act of copying, taking, reselling, or intimidating data from internal crimes has become a serious social problem.

  As a specific example of unauthorized tampering, first, there is a system tampering that sends a large number of messages from the network and hinders the operation of the computer system so that the central system can no longer be used. If the host is overloaded due to this interference, the system may go down.

In addition, there is an illegal interception of “illegal access and impersonation” that obtains a host password, steals confidential information including personal data, and alters or destroys information.
In addition, there is no risk of cyber terrorism due to intentional stealing of personal information or cyber terrorism lurking inside the company at the site or server operator.

  For this reason, IPsec (IPSEC: Security Architecture for Internet Protocol) is a function for preventing data leakage or tampering in communication over the Internet using conventional TCP / IP (Transmission Control Protocol / Internet Protocol). ) And SSL (Secure Socket Layer) encrypted communication is used. However, unlike SSL, IPsec requires a large number of settings and requires advanced skills, so not everyone can use it. Moreover, there are many restrictions in a network environment, and it cannot be used from anywhere. SSL is an HTTP protocol with security function developed by Netscape Corporation (currently merged with AOL). By using this protocol, the client and server can authenticate each other on the network, and credit card information It is possible to exchange highly confidential information such as. This prevents data eavesdropping, replay attacks (attack of eavesdropping on data flowing over the network and repeatedly sending data), spoofing (communication by pretending to be the person), data tampering, etc. be able to.

  FIG. 9 shows an example of a protocol stack when performing encrypted communication using the conventional SSL. As shown in FIG. 9, in the OSI reference model, the lowest layer (first layer) is the physical layer, the second layer is the data link layer, the third layer is the network layer, the fourth layer is the transport layer, and the fifth layer is The session layer, the sixth layer is the presentation layer, and the top layer (seventh layer) is the application layer. In FIG. 9, the sixth layer and the seventh layer are omitted. Seven layers in the OSI reference model are obtained by dividing the communication function into seven stages, and standard function modules are defined for each layer. The protocol stack is a software group in which protocols for realizing functions in each layer of the network are selected and stacked in a hierarchical manner.

  First, an outline of the OSI reference model will be described. The physical layer of the first layer is a layer that defines physical electrical characteristics of a signal line, a code modulation method, and the like. However, this layer alone is rarely defined and implemented alone, and is usually defined as, for example, the Ethernet standard together with the data link layer of the second layer.

  The data link layer of the second layer is a layer that defines data packetization, physical node address, packet transmission / reception method, and the like. This layer defines a protocol for exchanging packets between two nodes through a physical communication medium. Each node is assigned some address, and the packet destination is based on that address. And the packet is transmitted on the communication medium. There are various communication media such as copper wiring, radio, and optical fiber. Also, there are many types of connections (topologies) such as a bus type, a star type, and a ring type as well as a one-to-one facing connection. When the packet transmitted on the communication medium arrives at the receiving node, the packet is taken into that node and passed to a higher protocol layer.

  A NIC (Network Interface Card) driver arranged across the physical layer and the data link layer is an expansion board for connecting a personal computer, a printer, and the like to a local area network (LAN). If it is simply a network card, it is often connected to Ethernet. With this NIC driver, a node (device) that wants to transmit data monitors the availability of the cable and starts transmission when the cable is available. At this time, if a plurality of nodes start transmission at the same time, data collides in the cable and is destroyed, so both stop transmission and wait for a random time to resume transmission. Thus, a plurality of nodes can share a single cable and communicate with each other.

  The network layer of the third layer is a layer that defines a communication method between any two nodes. TCP / IP corresponds to the IP layer. In the data link layer, communication between nodes on the same network medium can be performed, but communication is performed while performing routing between any two nodes existing on the network by using the function. This is the role of this network layer. Here, routing refers to selecting and transmitting an optimum route when transmitting a packet to a target host in a TCP / IP network. For example, in Ethernet, only nodes on the same segment can communicate with each other, but in the network layer, communication is performed by routing packets between two Ethernet segments. In addition, routing to a dial-up PPP (Point to Point Protocol) line that connects a computer to a network (Ethernet) through a telephone line, and routing to a dedicated line using optical fiber, regardless of the physical network medium. Packets can be routed to For this purpose, an address independent of a physical medium (IP address in the case of TCP / IP) is normally assigned to each node, and routing is performed based on this.

  The transport layer of the fourth layer is a protocol layer for realizing a virtual communication path without error between two processes executed on each node. Speaking of TCP / IP, it corresponds to a TCP layer. In the network layer, a function to perform communication between two nodes is provided. By using this function, a virtual communication path without error is provided between two processes (applications). It is the role of the layer. In other words, data can be sent at the network layer, but there is no guarantee that the data will reach the other party. There is no guarantee that the data will arrive correctly in the order of transmission. Therefore, it is this layer that provides an error-free communication path for ease of use for applications. If necessary, resend / restore data. There has been no example in which the encryption process is applied to the transport layer of the fourth layer.

  The session layer of the fifth layer is a layer that defines the procedure of a session (from the start to the end of communication), and is a layer that establishes a connection between applications and enables communication. A socket arranged in this layer means a network address that combines an IP address corresponding to an address in the network of the computer and a port number that is a sub-address of the IP address. When connecting computers, be sure to specify a socket (a pair of IP address and port number). As shown in FIG. 9, SSL, which is a conventional typical encrypted communication technology, realizes encrypted communication in this session layer.

  In FIG. 9, the sixth layer and the seventh layer are omitted, but in brief explanation, the presentation layer of the sixth layer represents the representation method and code of data exchanged in the session (from the start to the end of communication). This is a layer that regulates encryption and encryption. In the TCP / IP protocol, there is no portion corresponding to this layer, and normally, the application itself handles stream data processing.

  The seventh application layer is a layer for defining the exchange of data between applications, and there is no portion corresponding to this layer in the TCP / IP protocol. For example, it is a layer that defines a common data structure and the like necessary for exchanging data between applications such as an e-mail format and an internal structure of a document.

FIG. 9 is an example of a standard protocol provided with SSL as an encryption processing protocol.
Among typical encryption communication technologies in the past, in SSL, digital certificates using RSA (Rivest Shamir Adleman: an acronym for three developers) public key cryptography at the mutual authentication level The common key encryption technique such as DES is used for data encryption. Since this SSL is in the session layer of the fifth layer, it depends on a specific application.

SSL is an encryption technology in the session layer of the fifth layer, and encrypts data such as the WWW (World Wide Web) that is currently widely used on the Internet, so that privacy-related information and corporate secret information can be safely It is for sending and receiving. However, SSL is ineffective against various attacks on TCP / IP by unauthorized intruders of networks called hackers and crackers, so-called DoS attacks (Denial of Service). When a DoS attack to the TCP / IP protocol stack, for example, a TCP disconnection attack is performed, the TCP session is cut and the SSL service is stopped. Since SSL is an encryption protocol implemented in a layer (fifth layer) above TCP / IP (fourth layer, third layer), it cannot prevent a DoS attack on TCP / IP.
In addition, since SSL supports only a specific port of TCP, it is not possible to perform cryptographic communication on all TCP ports. SSL is controlled in source units (URL units, folder units).

  Furthermore, SSL is problematic in that it is not compatible with applications. An application uses a socket (5th layer) as a program interface when performing Internet communication. For this reason, when an application uses SSL (5th layer), this socket interface must be changed to an SSL interface. Therefore, SSL does not have application compatibility.

  SSL is encrypted to ensure security, but once it is received by the host computer, it is decrypted, so it is not possible to ensure security within the host computer.

  FIG. 10 is a system configuration diagram of copyright data distribution by a communication system using a conventional SSL. The copyright data here may be any copyright data that can be distributed electronically, such as audio data such as music, video data such as a movie, and text data such as an electronic book. In this example, a computer device 80 as a copyright data distribution server and a computer device 90 as a client that receives copyright data are configured, and the server-side computer device 80 is connected via communication means such as the Internet. And the client-side computer device 90 are connected so that they can communicate bidirectionally. The communication path may be either wired or wireless.

  The client computer 90, which is a terminal device operated by a user who purchases copyright data as a product, includes an encryption unit 91 that realizes an SSL function for encrypting and decrypting communication, and copyright data processing. An application execution unit 92 that executes a program, a key input unit 94 that operates a copyright data processing program, inputs personal information, and the like, and a display unit 93 that displays a copyright data reception status and the like. Although not shown, a memory or the like for storing the copyright data received is also provided.

  The server-side computer device 80, which is a terminal device on the merchant side that distributes copyright data that is a product, has an encryption unit 85 that realizes an SSL function for encrypting and decrypting communication, and a copyright data distribution program An application execution unit 83 to be executed, a magnetic memory 84 that stores data necessary for distributing copyright data and the copyright data itself, a display unit 81 that displays a distribution status, and a printer 82 are included. The server side may include a key input unit.

  In the configuration shown in FIG. 10, encrypted data is transferred between the encryption unit 85 on the server side computer device 80 side and the encryption unit 91 on the client side computer device 90. Therefore, even if data is illegally read in the middle of a communication path connecting the server and the client, data such as copyright data and personal information is encrypted, so that unauthorized use can be prevented. When this SSL function is used, the client-side application execution unit 92 treats it as clear text, which is unencrypted data. Similarly, the server-side application execution unit 83 treats the data as plain text that is unencrypted data, and also stores the personal information necessary for distribution of copyright data in the memory 84 in plain text. It is common.

  FIG. 11 is a flowchart showing a data flow when copyright data is distributed by a communication system using a conventional SSL. The left side of FIG. 11 shows processing at the server, and the right side of FIG. 11 shows processing at the client. FIG. 12 is a diagram showing an actual data flow by the communication system using the SSL, and data a, b,..., S indicate data transmitted in each state.

  Hereinafter, processing examples will be described with reference to FIGS. 11 and 12. First, the server starts authentication processing (step S11), and when authentication is completed, authentication information (server certificate) is obtained from the certificate authority ( Step S12, data a). Thereafter, when a commercial transaction is started between the server and the client (steps S13 and S31), the client acquires authentication information from the server (step S32, data b). Here, based on the acquired authentication information, it is determined whether or not it is the correct partner (step S33). If it is not the correct partner, the copyright data distribution process ends (step S34).

  If the server recognizes that it is the correct partner, the server transmits information about the product (copyright data) that can be distributed to the client (step S14, data c, d, e, f). The client receives the merchandise information (step S35), displays the merchandise based on the received merchandise information, confirms the merchandise, and determines whether or not to purchase (step S36). Here, if there is no user operation for confirming the product purchase, the process is terminated (step S37), and if there is a user operation for confirming the product purchase, the purchase procedure is started (step S38). .

  As the purchase procedure, for example, a credit card number, an address, a name, a telephone number, and other personal information used for settlement of the purchase price are input by key operation or the like (step S39). The input data g is sent to the program processing unit for data processing (step S40). The data including the personal information subjected to the data processing is transmitted to the server side as data i encrypted by the encryption unit 91 by SSL.

  When the server-side encryption unit receives the data i encrypted by SSL (step S15), the server decrypts the data, sends the decrypted data j to the execution unit of the copyright data distribution program, and is included in the transmission data. The personal information is taken in (step S16), and the requested copyright data is distributed (transmitted) to the client (step S17, data m, n, o, p). Even when this copyright data is transmitted, plaintext copyright data o transmitted as SSL-encrypted data n by the server side encryption unit and decrypted by the client side encryption unit is obtained. The plaintext copyright data p is captured. If the copyright data can be correctly received by the client, the reception completion is displayed (step S42), and the copyright data purchase process at the client is terminated (step S43). The personal information captured on the server side is stored in a magnetic memory or the like by the file system on the server side (step S18, data k, l).

  Thereafter, the server moves to a billing process for the purchase price to the user who purchased the copyright data, retrieves stored personal information (step S19, data g, r), and displays information related to the billing (step S20, data s) If necessary, the displayed billing information is printed, and a billing process based on credit card information or the like is performed (step S21).

Japanese Patent Application Laid-Open No. 2004-228561 discloses that data communication is performed using SSL in an encryption process.
JP 2004-48458 A

  However, in the conventional copyright data distribution processing using SSL, since the data is surely encrypted on the transmission path between the server and the client, the safety of the data during the transmission is ensured. The copyright data stored in the client or server is not encrypted. If the stored copyright data is illegally extracted, the copyright is not protected. There is a problem of unauthorized use. Conventional encryption processing applied at the time of copyright data distribution cannot cope with such an illegal act.

  That is, for example, as shown in FIG. 12, in the server, the copyright data to be distributed is in plain text until it is sent to the encryption unit, and in the client, after the received data is decrypted, it is all in plain text. It is processed. Therefore, after receiving, the copyright cannot be protected.

  An object of the present invention has been made in view of the above-described problems, and an object thereof is to prevent unauthorized use of copyright data when copyright data is distributed.

  The present invention provides a transport layer in each of a client computer and a server computer in the case of performing copyright data distribution by communicating data related to distribution of copyright data between a client computer and a server computer. In order to perform communication by encrypting the protocol located in the communication path, the encryption and decryption logic corresponding to both ends of the communication path is determined in advance or dynamically, and at least the payload of the protocol as the information unit to be transmitted / received Encryption and decryption using the transport layer protocol by performing protocol encryption to encrypt and transmit according to the agreed encryption logic and performing protocol decryption to decrypt according to the agreed decryption logic Communication based on logic To apply the cormorant processing.

  After applying such processing, the client computer stores the received encrypted copyright data as encrypted and decrypts it using the transport layer protocol when the data is needed. I tried to take it out.

  According to the present invention, when copyright data is distributed, the copyright data does not exist in plain text on the client side, and protection of the copyright data functions effectively.

  Hereinafter, an embodiment of the present invention will be described with reference to FIGS. In the present embodiment, a copyright data distribution server computer is installed by a vendor that sells copyright data, and a copyright data distribution (reception) client computer that is a terminal device on the user side is installed on the server. Then, access is made via the Internet or the like, and processing relating to distribution such as ordering, receiving, and settlement of the price of copyright data as a product is performed. The copyright data here may be any copyright data that can be distributed electronically, such as audio data such as music, video data such as a movie, and text data such as an electronic book.

  FIG. 1 is a system configuration diagram of the communication system of this example. In this example, it is composed of a computer device 10 as a copyright data distribution server and a computer device 20 as a copyright data receiving client, and TCP2 previously proposed by the present applicant (trademark registration pending). Is applied to a process of encrypting a protocol located in the transport layer and performing communication. In the following description, the encryption in this example may be referred to as TCP2. Details of the encryption processing by TCP2 will be described later.

  First, with reference to FIG. 1, the structure of the server computer apparatus 10 and the client computer apparatus 20 for copyright data distribution of this example is demonstrated. The server-side computer device 10, which is a terminal device on the merchant side that sells copyright data, includes an encryption unit 15 that realizes a TCP2 function for encrypting and decrypting data in the transport layer, and a copyright data distribution program. An application execution unit 13 to be executed, a magnetic memory 14 for storing data related to distribution of copyright data and copyright data, a display unit 11 for displaying a distribution status, and a printer 12 are included. Here, it is assumed that the encryption unit 15 also performs communication processing in layers below the transport layer. The server side may include a key input unit. The magnetic memory 14 may also be configured to store data by other storage (recording) means. The data stored in the storage means such as the magnetic memory 14 is configured such that the data encrypted by the encryption unit 15 that realizes the TCP2 function can be stored while being encrypted by the TCP2 function. . When data that has been encrypted is stored, for example, the storage unit manages the stored data. In the case of this example, the copyright data to be distributed is previously encrypted by the TCP2 function and stored in the memory 14.

  A client-side computer device 20, which is a terminal device operated by a user who receives copyright data distribution, includes an encryption unit 21 that realizes a TCP2 function for encrypting and decrypting data in the transport layer, An application execution unit 22 that executes a copyright data processing program, a display unit 23 that displays various types of copyright data reception status, a key input unit 24 that operates the copyright data processing program, inputs personal information, and the like Consists of. Here, it is assumed that the encryption unit 21 also performs communication processing in layers below the transport layer. Although not shown, a memory for storing data is also provided. In the case of this example, the data stored in the memory is configured such that the data encrypted by the encryption unit 21 realizing the TCP2 function can be stored as encrypted. When data that has been encrypted is stored, for example, the storage unit manages the stored data.

  The configuration shown as the server-side computer device 10 and the client-side computer device 20 shown in FIG. 1 is a configuration viewed from the function of performing copyright data distribution in this example. A personal computer device, a server computer device, and the like are used, and an encryption processing unit, an application execution unit, a memory, and the like are configured by using arithmetic processing means and storage means included in those computer devices. However, instead of using a general-purpose computer device, it may be configured as a dedicated data processing device that distributes (receives) copyright data in this example.

  Further, when communication is performed between the server side computer device 10 and the client side computer device 20 by performing TCP2 encryption processing, as shown in FIG. 1, a TCP2 installation server 30 prepared in advance on the network is installed. It is necessary to install data necessary for TCP2 encryption processing. Details of the installation process will also be described later.

  Next, TCP2 encryption processing performed by the encryption units 15 and 12 in the computer apparatuses 10 and 20 will be described. FIG. 2 shows a protocol stack used in this embodiment.

  As shown in FIG. 2, the protocol stack used in this example is a NIC (Network Interface Card) driver 1 in a layer corresponding to the physical layer (first layer) and the data link layer (second layer) of the OSI 7 layer. Are arranged. As described above, the driver 1 is a driver of an interface card for connecting hardware such as a computer to a network, and the contents thereof are data transmission / reception control software. For example, a LAN board or a LAN card for connecting to Ethernet (trademark) corresponds to this.

  IP2 exists in the third network layer. A TCP emulator 3 is arranged in the transport layer (fourth layer) above IP2. The TCP emulator 3 functions to switch between “TCPsec” 3b, which is a protocol for performing encrypted communication, and “TCP” 3a, which is a normal communication protocol, according to applications.

  The most characteristic point in the processing of this example is that a commercial transaction using TCP2 in which an encrypted communication protocol of TCPsec3b is installed in this transport layer (fourth layer).

  A session interface (fifth layer), which is an upper layer of the transport layer (fourth layer), is provided with a socket interface 4 for exchanging data with protocols such as TCP and UDP. The meaning of this socket is a network address that combines an IP address corresponding to an address in the network of a computer and a port number that is a sub-address of the IP address as described above. It consists of a single software program module (execution program, etc.) or a single hardware module (electronic circuit, electronic component, etc.) that is added or deleted collectively.

  The socket interface 4 provides a unified access method from a higher-level application, and maintains the same interface as in the past, such as argument types and types.

  The TCP emulator 3 has a function of preventing data leakage / falsification in the transport layer, that is, TCPsec 3b having functions such as encryption, integrity authentication and partner authentication, and such encryption, integrity authentication, and partner It has a function of distributing packets to any one of the normal protocols TCP3a having no function such as authentication. The TCP emulator 3 also serves as an interface with a socket, which is an upper layer. The basic encryption processing of TCP2 is described in detail in Japanese Patent Application No. 2003-290822 by the present applicant.

  Next, in the system configuration according to the present embodiment, a processing example when copyright data distribution is performed between a client and a server, flowcharts of FIGS. 3 to 5 and data transmission examples of FIGS. Will be described with reference to FIG. In the following description, data with reference numerals after 101 correspond to the states shown in the data transmission examples in FIGS.

  First, a preparation process until copyright data distribution by the communication system according to the present embodiment is started will be described with reference to a flowchart of FIG. 3 and a data transmission example of FIG. The left side of FIG. 3 shows processing at the server, and the right side of FIG. 3 shows processing at the client.

  When the copyright data distribution preparation process is started (step S101), the server issues registration requests 101 and 102 to the TCP2 installation server 30 from the server, as shown in FIG. The installation data 103 necessary for the encryption process is acquired and installed (step S102). At this time, authentication 107 of server hardware information, administrator personal information, network information, and application information is performed and stored as encrypted data 108 in the encryption unit 15 (FIG. 1) (step S103). The server authentication process is terminated (step S104). The encryption unit 15 of the server 10 uses this information as authentication information, whether it is a computer that is enabled by TCP2, a network environment that is enabled, whether a valid person is operating the computer, It can be determined whether it is an application program.

  When the copyright data distribution process is started (step S111), the client issues registration requests 104 and 105 to the TCP2 installation server 30 as shown in FIG. The installation data 106 necessary for the encryption process is acquired and installed (step S112). At this time, authentication 109 of client hardware information, administrator personal information, and network information is performed and stored as encrypted data 110 in the encryption unit 21 (FIG. 1) (step S113). Is finished (step S114). The encryption unit 21 of the client 20 uses this information as authentication information, whether the computer is enabled by TCP2, a network environment to be enabled, whether a valid person is operating the computer, It can be determined whether it is an application program. The personal information also includes information including credit card information and bank card information necessary for payment processing for receiving copyright data distribution.

  Next, processing when copyright data distribution is started in the communication system of this example will be described with reference to the flowchart of FIG. 4 and the data transmission example of FIG. The left side of FIG. 4 shows processing at the server, and the right side of FIG. 4 shows processing at the client.

  In the server, as a copyright data distribution start process (step S121), there is a login operation (step S122), and it is determined from the logged-in input data 111 whether the user is a correct user in the TCP2 encryption unit 15. (Step S123) If the user is not correct, the process is terminated (Step S124). If the user is correct, the TCP2 encryption unit 15 is activated to enable the communication function of the copyright data distribution server (step S125).

  The client also has a login operation (step S142) as a copyright data distribution start process (step S142), and it is determined from the logged-in input data 112 whether the user is a correct user in the encryption unit 21 of TCP2. (Step S143) If the user is not correct, the process is terminated (Step S144). If the user is correct, the TCP2 encryption unit 21 is activated to enable the communication function of the client (step S145).

  In this state, when the client accesses the server, the server transmits copyright data information (product information) 113 and 114 prepared as products (step S126), and the client transmits the transmitted product information. The product information 115, 116 is sent from the encryption unit 21 to the client, and the product is displayed (step S146).

  Then, after the user operating the client confirms the displayed product (copyright data), the client side determines whether or not there is a purchase operation (step S147). In step S148, the copyright data distribution is terminated. If there is a purchase operation, the purchase data 117 is sent to the copyright data processing program, and the copyright data processing program starts the purchase procedure (step S149). When the purchase procedure is started and the user selects necessary information in the copyright data processing program, the copyright data processing program makes an inquiry 118 of personal information to the encryption unit 21 (step S150).

  At this time, the encryption unit 21 of TCP2 confirms whether the request is from a correctly authenticated program (step S151), and if it is not a correct program, the reading of personal information is terminated (step S152). If it is a correct program, the personal information 120 encrypted and stored is issued and sent to the copyright data processing program (step S153), and the personal information 121 that has been encrypted with TCP2 is returned to plain text. Without being sent to the server side (step S154). At this time, since the personal information has already been encrypted, encryption by the encryption unit 21 is not performed.

  When this personal information is received by the TCP2 encryption unit 15 of the server (step S127), the received personal information 122 is taken into the copyright data distribution program in the server without being encrypted (step S128). Data is transmitted (step S129). The received personal information 123, 124 is sent to the magnetic memory 14 via the file system, the encrypted personal information is stored (step S130), and the distribution process is terminated (step S131).

  The copyright data transmitted in step S129 is already encrypted data, and is sent as encrypted copyright data 125, 126, 127, 128, 129 as shown in FIG. The reception of copyright data is displayed (step S155), the copyright data is recorded in a magnetic memory or the like (step S156), and the processing on the client side is terminated (step S157).

  In this way, data necessary for distribution of personal information and the like sent from the client to the server is stored in the magnetic memory via the file system while being encrypted with TCP2, so that the data accumulated in the server is illegally extracted. Even if it is, it cannot be decrypted. Also, the copyright data to be distributed is also transmitted in the state already encrypted by TCP2 by the server, and the encrypted copyright data is stored on the client side as encrypted. It is possible to effectively prevent unauthorized use of the right data.

  Next, after the copyright data is distributed in the communication system of this example, the billing process on the server side will be described with reference to the flowchart of FIG. 5 and the data flow of FIG.

  The billing process on the server side is performed periodically, for example, and when the billing process is started (step S161), the distribution program takes out the personal information 134, 135 that is still encrypted (step S162), The personal information 136 is sent to the TCP2 encryption unit 15 to request decryption (step S163). Here, the TCP2 encryption unit 15 determines whether or not the request is from a correctly authenticated program (step S164), and if not correct, does not perform decryption (step S165). If the request is from a properly authenticated program, decryption 137 is performed as shown in FIG. 8, the decrypted personal information 138 is sent to the distribution program, and billing information 139 is displayed by the processing of the distribution program ( In step S166), a slip to be used for billing is printed if necessary (step S167), sent to the department that performs the billing operation, and the billing process is terminated (step S168).

  Further, as shown in FIG. 8, when using (reproducing, displaying, etc.) the copyright data received on the client side, the encrypted copyright data 131 and 132 recorded in the memory are taken out. The TCP2 encryption unit 21 issues a decryption key necessary for decryption, decrypts it using the decryption key, and extracts the decrypted plaintext copyright data 133. , Processing such as playback and display. In this case, the encryption unit 21 of TCP2 performs a process of preventing unauthorized use of copyright data by issuing a decryption key only when an authentication process such as user authentication is correctly authenticated.

  By processing in this way, when distributing copyright data, the copyright data is not stored in plain text on either the server side or the client side, which is extremely safe. Can distribute copyright data. Further, not only the copyright data itself but also information necessary for distribution such as personal information is not stored in a plain text state, and the safety of these data is ensured.

  Note that the present invention is not limited to the above-described embodiment, and needless to say, includes more embodiments without departing from the gist of the present invention. Further, in the above-described embodiment, the description has been made on the assumption that the copyright data distribution (reception) processing program is installed in the computer device constituting the server or client. However, the processing described in the above-described embodiment The same function may be realized by preparing a business transaction program for performing the above and installing the program in various computer devices. In this case, the copyright data distribution (reception) processing program may be distributed to users via various media such as disks and memories, or may be transmitted and distributed via the Internet.

It is a system configuration diagram of copyright data distribution by a communication system according to an embodiment of the present invention. It is explanatory drawing which shows the example of the protocol stack used for the communication system by one embodiment of this invention. It is a process flowchart figure which shows the process of the preparation until it starts the copyright data delivery by the communication system by one embodiment of this invention. It is a flowchart of the process example at the time of implementing copyright data delivery by the communication system by one embodiment of this invention. It is a flowchart of the claim process after implementing copyright data delivery by the communication system by one embodiment of this invention. It is explanatory drawing which shows the process of the preparation until it starts the copyright data delivery by the communication system by one embodiment of this invention. It is explanatory drawing which shows the flow of data at the time of implementing copyright data distribution by the communication system by one embodiment of this invention. It is explanatory drawing which shows the data flow until it charges after implementing copyright data delivery by the communication system by one embodiment of this invention. It is explanatory drawing which shows the protocol stack of the standard communication using the conventional SSL. It is a system block diagram of copyright data distribution by the communication system using the conventional SSL. It is a flowchart of the example of a process by copyright data distribution by the communication system using the conventional SSL. It is explanatory drawing which shows the data flow of the copyright data delivery by the communication system using the conventional SSL.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... NIC driver, 2 ... IP, 3 ... TCP emulator, 3a ... TCP, 3b ... TCPsec, 4 ... Socket, 10 ... Copyright data distribution server computer apparatus, 11 ... Display part, 12 ... Printer, 13 ... Application execution , 14 ... Magnetic memory, 15 ... Encryption unit (TCP2 encryption processing), 20 ... Client computer device, 21 ... Encryption unit (TCP2 encryption processing), 22 ... Application execution unit, 23 ... Display unit, 24 ... Key input unit, 30 ... TCP2 installation server, 80 ... server computer device for copyright data distribution, 81 ... display unit, 82 ... printer, 83 ... application execution unit, 84 ... magnetic memory, 85 ... encryption unit (SSL encryption) Processing), 90 ... client computer apparatus, 91 ... encryption unit (SSL encryption processing) , 92 ... application execution unit, 93 ... display unit, 94 ... key input unit

Claims (6)

In a copyright data distribution system that distributes copyright data by communicating data related to the distribution of copyright data between a client computer and a server computer.
In order to perform communication by encrypting a protocol located in the transport layer between each of the client computer and the server computer,
Arranging means for negotiating corresponding encryption and decryption logic at both ends of the communication path;
Protocol encryption means for encrypting and transmitting at least the payload of the protocol according to the encryption logic negotiated by the agreement means, among packets as information units to be transmitted and received,
Protocol decryption means for decrypting the received payload of the encrypted protocol according to the decryption logic negotiated by the agreement means;
The communication based on the encryption and decryption logic is performed using the transport layer protocol, and the client computer stores the received copyright data encrypted according to the encryption logic as encrypted. When the stored copyright data is used, the decryption logic decrypts the copyright data distribution system.   2. The copyright data distribution system according to claim 1, wherein the protocol located in the transport layer is TCP or UDP, and processing for encryption and decryption is performed on the TCP or UDP.   The copyright data stored in an encrypted state in the client computer can be decrypted by the decryption logic issuing a decryption key only when the protocol decrypting means can correctly authenticate. The copyright data distribution system according to claim 1, wherein: In a copyright data distribution method for distributing copyright data by communicating data related to distribution of copyright data between a client computer and a server computer,
In order to perform communication by encrypting a protocol located in the transport layer between each of the client computer and the server computer,
An agreement step to negotiate in advance or dynamically the corresponding encryption and decryption logic at both ends of the communication path;
A protocol encryption step of encrypting and transmitting a protocol corresponding to at least a TCP or UDP payload among the packets as information units to be transmitted and received according to the encryption logic negotiated by the agreement step;
A protocol decryption step for decrypting the received encrypted protocol according to the decryption logic negotiated by said agreement step;
The communication based on the encryption and decryption logic is performed using the transport layer protocol, and the client computer stores the received copyright data encrypted according to the encryption logic as encrypted. A copyright data distribution method, wherein when the stored copyright data is used, the decryption logic decrypts the copyright data.   The copyright data stored in the client computer in an encrypted state can be decrypted by the decryption logic issuing a decryption key only when the protocol decryption step is correctly authenticated. The copyright data distribution method according to claim 4, wherein the copyright data is distributed. In a copyright data distribution communication program for communicating copyright data distribution between a client computer and a server computer, and realizing copyright data distribution,
In order to perform communication by encrypting a protocol located in the transport layer between each of the client computer and the server computer,
A function to negotiate in advance or dynamically the corresponding encryption and decryption logic at both ends of the communication path;
A protocol encryption function for encrypting and transmitting a protocol corresponding to at least a TCP or UDP payload in accordance with the encryption logic decided by the agreement, among packets serving as information units to be transmitted and received,
A protocol decryption function for decrypting the received encrypted protocol according to the decryption logic negotiated by the agreement;
The communication based on the encryption and decryption logic is performed using the transport layer protocol, and the client computer stores the received copyright data encrypted according to the encryption logic as encrypted. A copyright data distribution communication program comprising a function of decrypting by using the decryption logic when using the stored copyright data.

Images