JP2006129441A - Method for transmission of contents usage right information, contents usage right information providing device capable of utilizing the method, and contents usage right information receiving device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the efficiency of processing for encrypting and inputting/outputting data to be kept secret between a recorder and a host device. <P>SOLUTION: A license-data transmitter (in a case of recording, a recording device, and in a case of readout, a storage device) verifies a certificate C[KPdx] (the license-data receiver and the license-data transmitter will be represented by "x" and "y", respectively) of a license-data receiver (in a case of recording, a storage device, and in a case of readout, a reproducing device), following which the license-data transmitter transmits a certification C[KPdy] thereof to the license-data receiver in the form of challenge information E(KPdx, Kcy)//C[KPdy]. Then, the license-data receiver verifies the certificate C[KPdy] of the license-data transmitter. Only in a case that the license-data transmitter device has been authorized, the license-data receiver transmits the session information E(Kcy, E(KPdy, Ksx)//KPpx) to the license-data transmitter in response to the challenge information. The license-data transmitter provides the license data to the license-data receiver using the key Ksx and KPpx thus received. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a data input / output technology, and more particularly to a technology for encrypting and inputting data that should be kept secret between a storage device and a host device.

  For example, in Patent Document 1, a device that handles license data in an unencrypted state is a server device, a memory card (storage device), or a decoder (use device) as a content data distribution system that increases the confidentiality of license data. It is classified into three devices, and license data transmission / reception between the devices (server device and storage device, storage device and using device) is performed by constructing an encrypted communication path between the two devices that transmit and receive license data. The recording device, the storage device, and the using device are provided with a TRM (Tamper Resistant Module) that can handle encrypted license data.

  In constructing an encrypted communication path, a device that first receives license data (referred to as a license receiving device) transmits a certificate including a public key to a device that provides license data (referred to as a license providing device). Then, the license providing device verifies this certificate. As a result of the verification, if the certificate from the license receiving device is a regular certificate and is not invalidated by the certificate revocation list, Key exchange is performed between devices using the public key included in the certificate. The license providing apparatus transmits license data encrypted with the key transmitted from the license receiving apparatus in the key exchange to the license receiving apparatus.

  The TRM is a circuit module in which confidentiality is physically protected, and is configured to restrict exchange of license data with other devices other than via an encrypted communication path.

  When acquiring license data, the memory card is mounted on a terminal device that can communicate with the server device, and receives license data from the server device via the terminal device. Further, when using the content, the memory card is attached to a terminal device incorporating a decoder, and transmits license data to the decoder via the terminal device.

As described above, in content distribution services, copyright protection related to content is thoroughly implemented by encrypting content data and concealing license data. By thoroughly protecting the content copyright in this way, the content to be distributed can be added to the line-up with peace of mind, and as a result, the needs of users who receive the distribution service can be satisfied more widely. It becomes like this.
JP 2004-133654 A

  As described above, in the conventional content distribution system, it is not necessary to pay attention to the safety of the server device that is the license providing device. Even if fake license data is recorded on a storage device that is a license receiving device by a fake server device pretending to be a server device, this act does not mean the outflow of content, that is, the content right holder Did not threaten his rights. Even in reproduction, even if fake license data is supplied to a utilization device that is a license receiving device due to impersonation of a storage device that is a license providing device, normal encrypted content data is not reproduced. In other words, the impersonation of the license providing device did not cause the rights of the content rights holder to be lost due to the outflow of content.

  However, when a recorder that digitally records a video signal or video data using this copyright protection function is considered as a license providing device, a recorder whose safety is impaired (originally normal, but for some reason its safety It is necessary to consider a fake recorder). Generally, a recorder receives content to be recorded as broadcast or line input (RCF terminal, S terminal, IEEE1394, etc.). These contents need to be recorded in the storage device while keeping the protection requirements predetermined for each input method and the recording conditions multiplexed on the signal itself. A recorder that does not satisfy these conditions should be considered as a device that cannot protect the rights of the content rights holder. If such a license providing device cannot stop providing a license, the storage device that is the license receiving device should refuse to input such license data. Similarly, the utilization device should refuse to provide license data from a storage device whose security has been compromised or a false storage device.

  The present invention has been made in view of such circumstances, and its purpose is to input and output content safely and accurately when data to be concealed is input and output between the storage device and the host device. It is an object of the present invention to provide a recording device and a host device that can be used.

  In view of the above problems, the present invention has the following features. That is, the license data can be safely and accurately input / output between the license providing device (recorder or storage device) and the license receiving device (storage device or using device), and the license receiving device is safe. This provides a function of rejecting recording of license data from a license providing apparatus or a fake license providing apparatus in which the license is compromised.

  One embodiment of the present invention relates to a content usage information transmission method. This content usage information transmission method is a method for transmitting and receiving content usage information including a content key for decrypting encrypted content data, and first step of establishing an encrypted communication path for transmitting and receiving the content usage information And a second step of transmitting and receiving the content usage information using the encrypted communication path, wherein the first step includes a first proof that the source of the content usage information is a transmission destination of the content usage information Authenticating the destination by acquiring and verifying a certificate; authenticating the source by the destination acquiring and verifying a second certificate of the source; The transmission is performed by encrypting a first symmetric key with a first public key included in one certificate and transmitting and receiving between the transmission source and the transmission destination. Sharing the first symmetric key between the transmission destination and the transmission destination, and when the transmission destination is approved by the transmission source and the transmission source is approved by the transmission destination, By encrypting the second symmetric key with the second public key included in the certificate and the first symmetric key, and transmitting and receiving between the source and the destination, the source and the destination And the second symmetric key is shared, and the second step is executed when the second symmetric key is shared between the transmission source and the transmission destination. .

  The content usage information receiving device provides a function of rejecting the recording of license data from a license usage information providing device or a fake content usage information providing device whose safety has been impaired, thereby ensuring the safety of the device handling the content usage information. The rights of the authors and the like can be appropriately protected.

  The second step includes a step in which the transmission source encrypts the content usage information with at least the second symmetric key and transmits it to the transmission destination when the timing for transmitting the content usage information has arrived. But you can.

  The step of sharing the second symmetric key encrypts and transmits the third public key of the transmission destination together with the second symmetric key, and the first step uses the third public key to transmit a third public key. The second step may include a step in which the transmission source encrypts the content usage information with at least the third symmetric key and transmits it to the transmission destination.

  The first symmetric key may be issued by either the transmission source or the transmission destination, and the second symmetric key may be issued by the other. As a result, even when one of the devices is an unauthorized device, it is possible to prevent leakage of the content usage information, thereby improving safety.

  The third symmetric key may be held at the transmission source and the transmission destination after the second step is finished, and used when the content usage information is transmitted next time. The first step may be omitted when it is time to transmit the content usage information. As a result, when content usage information is repeatedly transmitted and received, it is possible to quickly encrypt and transmit and receive using only the common key encryption algorithm without sacrificing safety. Further, when the content usage information is continuously transmitted and received, the processing can be speeded up without sacrificing safety by omitting the authentication processing.

  The third symmetric key may be destroyed when the encrypted communication path is disconnected. For example, when the connection between the devices is canceled or one of the power supplies is turned off, and the encrypted communication path once established cannot be maintained, the third symmetric key is discarded, and the encryption The communication path may be disconnected. Thereby, the safety | security of encryption communication is securable.

  The second symmetric key may be newly issued when the next content usage information is transmitted after the end of the second step, and may be shared between the transmission source and the transmission destination. Since the content usage information is encrypted with the newly issued second symmetric key every time the content usage information is transmitted, leakage of the content usage information can be prevented, and safety can be improved.

  Another aspect of the present invention relates to a content use information providing apparatus. The content usage information providing device is a content usage information providing device that provides content usage information including a content key for decrypting encrypted content data to the content usage information receiving device, and certifies from the content usage information receiving device. A verification means for acquiring a certificate and verifying the validity of the certificate, a certificate transmission means for transmitting its own certificate to the content use information receiving apparatus, and a first public key included in the certificate A first symmetric key sharing unit that shares a first symmetric key with the content use information receiving device, and the verification unit approves the content use information receiving device and uses the content. When the information receiving apparatus approves the own certificate, the information receiving apparatus uses the second public key and the first symmetric key included in the certificate to When the second symmetric key sharing means for sharing the second symmetric key with the content usage information receiving apparatus, the encryption means for encrypting the content usage information, and the second symmetric key are shared The content use information transmitting means for transmitting the content use information encrypted by the encryption means to the content use information receiving apparatus.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content usage information receiving device is a content usage information receiving device that receives content usage information including a content key for decrypting encrypted content data from the content usage information providing device, and certifies from the content usage information providing device. A certificate means for obtaining a certificate and verifying the validity of the certificate; a certificate sending means for sending its own certificate to the content usage information providing apparatus; and a first public key included in the certificate A first symmetric key sharing unit that shares a first symmetric key with the content usage information providing device, and the verification unit approves the content usage information providing device and uses the content. When the information providing apparatus approves the own certificate, the information providing apparatus uses the second public key and the first symmetric key included in the certificate to A second symmetric key sharing means for sharing a second symmetric key with the content information providing apparatus, and the content usage information encrypted when the second symmetric key is shared, Content usage information receiving means received from a usage information providing apparatus, and decryption means for decrypting the encrypted content usage information.

  Still another aspect of the present invention relates to a content use information providing apparatus. This content usage information providing device is a content usage information providing device that provides content usage information to a content usage information receiving device that receives content usage information including a decryption key for decrypting and using encrypted content data. , Encrypted with an interface for exchanging data with the content use information receiving device, an authentication data holding unit for holding own authentication data, and a first public key included in the own authentication data Temporarily generated when communicating with the content use information receiving device, a secret key holding unit that holds a secret key for decrypting data, an authentication unit that authenticates authentication data supplied from the outside, and an authentication key A symmetric key generation unit for generating a first symmetric key, and a second public key included in the authentication data supplied from the outside. A first encryption unit that encrypts data with a key; a first decryption unit that decrypts data with a first symmetric key generated by the symmetric key generation unit; and a first decryption unit that decrypts data with the secret key. 2 decryption units, a second encryption unit that encrypts data using the third public key supplied from the outside, and a third encryption that encrypts data using the second symmetric key supplied from the outside And a control unit, and when transmitting information on either the content usage information or the key shared with the content usage information receiving device in order to transmit the content usage information, The authentication data of the content use information receiving device is received via the interface, the received authentication data is given to the authentication unit, and the content is received by the authentication unit. When it is determined that the authentication data of the information receiving device is valid, the symmetric key generation unit is instructed to generate the first symmetric key, and the first encryption unit generates the first symmetric key. The first symmetric key encrypted with the public key of 2 and the authentication data held in the authentication data holding unit are connected via the interface, and the first public key is output. When the first encrypted data encrypted with a key is data obtained by encrypting one of the second symmetric key and the third public key, the first encrypted data, the first encrypted data, The data obtained by concatenating the data obtained by concatenating the other symmetric key of the second symmetric key and the other of the third public keys not included in the first encrypted data with the first symmetric key is the second symmetric key. Through the interface as encrypted data Or when the first encrypted data is data obtained by encrypting both the second symmetric key and the third public key, the first encrypted data is further Data encrypted with the first symmetric key is received as second encrypted data via the interface, the received second encrypted data is given to the first decryption unit, and key information is given to the third The third encrypted data sequentially encrypted with the public key and the second symmetric key are output via the interface, and the authentication unit verifies the received authentication data with the authentication key. The verification result is given to the control unit, the second public key included in the received authentication data is given to the first cipher unit, and the first cipher unit uses the first symmetric key. In the second public key The first encryption unit decrypts the second encrypted data with the first symmetric key, and the first encryption unit included in the decrypted data When data is given to the second decryption unit and the decrypted data includes the third public key, the third public key is given to the second encryption unit, or the decrypted data When the second symmetric key is included, the second symmetric key is given to the third encryption unit, and the second decryption unit uses the first secret key to transfer the first encrypted data to the third encryption unit. When the decrypted data includes the third public key, the third public key is given to the second encryption unit, or the decrypted data includes the second symmetric key The second symmetric key is provided to the third encryption unit, and the second symmetric key An encryption unit encrypts the key information with the third public key and gives the key information to the third encryption unit, and the third encryption unit transmits the key information encrypted with the third public key. The third encrypted data further encrypted with the second symmetric key is generated and given to the control unit.

  The control unit may end the process when the authentication unit determines that the authentication data is not valid.

  The content usage information providing apparatus may further include a storage unit that stores the encrypted content data and the content usage information, and the storage unit includes a first storage unit that stores the encrypted content data; A second storage unit that stores content usage information, and the second storage unit may be configured by a tamper-resistant structure.

  The content information providing apparatus may further include a content encryption unit that encrypts content data to generate the encrypted content data, and a usage information generation unit that generates content usage information for the encrypted content data.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content use information receiving device is a content use information receiving device that acquires content use information for decrypting and using the encrypted content data from the content use information providing device, and the content use information receiving device. An interface for controlling the exchange of data, an authentication data holding unit for holding its own authentication data, and a first secret key for decrypting data encrypted with the first public key included in the authentication data A first secret key holding unit that holds the second public key holding unit, a second public key holding unit that holds the second public key set in the device, and a data for decrypting the data encrypted by the second public key A second secret key holding unit for holding a second secret key, and a first decryption for decrypting the data encrypted by the first public key with the first secret key An authentication unit that authenticates authentication data provided from outside by an authentication key, a first encryption unit that encrypts data using a third public key provided from outside, and a first provided from outside A second encryption unit that encrypts data using the symmetric key, a symmetric key generation unit that generates a second symmetric key that is temporarily generated during communication of the content use information providing device, and the second A second decryption unit for decrypting the data encrypted with the symmetric key, a third decryption unit for decrypting the data encrypted with the second public key with the second secret key, and a control The content usage information, or when receiving information on either of the keys shared with the content usage information providing device in order to receive the content usage information, the control unit, Recognition The authentication data held in the data holding unit is transmitted to the content usage information providing apparatus via the interface, the first symmetric key encrypted with the first public key, and the content usage information The authentication data of the providing device is received from the interface, the received first encrypted symmetric key is given to the first decryption unit, and the authentication data of the content usage information providing device is given to the authentication unit When the authentication unit determines that the authentication data of the content usage information providing apparatus is valid, the authentication unit instructs the symmetric key generation unit to generate the second symmetric key, and the third public key When the first encrypted data encrypted in step 1 is data obtained by encrypting either the second symmetric key or the second public key, the first encryption data Data obtained by concatenating data, the second symmetric key, and the other public key of the second public key that is not included in the first encrypted data is encrypted with the first symmetric key. Data is output as second encrypted data via the interface, or the first encrypted data is data obtained by encrypting both the second symmetric key and the second public key. In this case, the first encrypted data is output as the second encrypted data by encrypting the first encrypted data with the first symmetric key, and the key information is output as the second public key and the Third encrypted data sequentially encrypted with a second symmetric key is received via the interface, and the received third encrypted data is given to the second decryption unit, 1 decoding unit The first symmetric key encrypted with a public key of 1 is decrypted with the first secret key and the first symmetric key is given to the first encryption unit, and the authentication unit receives the received The authentication data is verified with the authentication key, the verification result is given to the control unit, the third public key included in the received authentication data is given to the first encryption unit, and the first encryption unit Encrypts one or both of the second symmetric key and the second public key with the third public key to generate the first encrypted data, and the second encryption unit includes: , Data obtained by concatenating the first encrypted data, the second symmetric key, and the other public key that is not included in the first encrypted data among the second symmetric key, or the first The encrypted data of 1 is encrypted and the second encrypted data is The second decryption unit decrypts the third encrypted data with the second symmetric key and provides the third decryption unit with the third decryption unit. Is characterized in that the key information is extracted by decrypting the data given from the second decryption unit.

  The control unit may end the process when the authentication unit determines that the authentication data is not valid.

  The content use information receiving device may further include a storage unit that stores the encrypted content data and the content use information, and the storage unit includes a first storage unit that stores the encrypted content data; A second storage unit that stores content usage information, and the second storage unit may be configured by a tamper-resistant structure.

  The content usage information receiving device may include a content decrypting unit that decrypts the encrypted content data using a decryption key included in the content usage information, and a playback unit that plays back the content data decrypted by the content decrypting unit. .

  The features of the present invention and the technical significance thereof will become more apparent from the following description of embodiments. However, the following embodiment is only one embodiment of the present invention, and the meaning of the present invention or the terms of each constituent element is limited to those described in the following embodiment. is not.

  According to the present invention, the reception side can prohibit the use of a defective recorder or a defective storage device.

Embodiments of the present invention will be described below with reference to the drawings.
(First embodiment)
FIG. 1 shows an overall configuration of a data management system 10 according to the first embodiment. The data management system 10 includes a recording device 100 that controls recording of data in the storage device 200, a playback device 300 that controls playback of data recorded in the storage device 200, and a storage device 200 that records and holds data.

  The storage device 200 according to the present embodiment includes not only a storage medium that holds data but also a controller that controls input / output of data between a host device such as the recording apparatus 100 or the playback apparatus 300 and the storage medium. Is a drive-integrated storage device. In the present embodiment, a hard disk drive will be described as an example of the storage device 200.

  The conventional hard disk drive is generally used by being fixedly connected to one host device, but the storage device 200 of the present embodiment is a host device such as the recording device 100 and the playback device 300. It is comprised so that attachment or detachment is possible. That is, the storage device 200 of the present embodiment can be removed from the host device and carried in the same manner as a CD or DVD, and the storage device 200 includes a recording device 100, a playback device 300, a recording / playback device capable of recording and playback, and the like. A storage device that can be shared between host devices.

  As described above, the storage device 200 according to the present embodiment is assumed to be connected to a plurality of host devices. For example, the storage device 200 is connected to a host device of a third party other than the owner and recorded therein. Data may be read out.

  When it is assumed that contents to be protected by copyright such as music and video, confidential data such as corporate and personal information are recorded on the storage device 200, the confidential data leaks to the outside. In order to prevent this, it is preferable to provide the storage device 200 itself with a configuration for appropriately protecting data and to have a sufficient tamper resistance function.

  From such a viewpoint, the storage device 200 according to the present embodiment has a configuration for encrypting and exchanging confidential data when the confidential data is input and output with the host device. Further, in order to store confidential data, a confidential data storage area different from a normal storage area is provided, and the confidential data storage area is configured to be accessible only through a cryptographic engine provided in the storage device 200. . This cryptographic engine inputs / outputs secret data only to / from a host device verified as having a legitimate authority. Hereinafter, such a data protection function is also referred to as a “secure function”. With the above configuration and function, the confidential data recorded in the storage device 200 can be appropriately protected.

  In order to make the most of the characteristics of the storage device 200 as a removable medium, it is preferable that normal data can be input / output even by a host device that does not support the secure function. Therefore, the storage device 200 according to the present embodiment supports ATA (AT Attachment), which is a standard of ANSI (American National Standards Institute), in order to maintain compatibility with the conventional hard disk, and the secure function described above. Is realized as an ATA extension instruction.

  Hereinafter, a case where content data such as video is recorded and reproduced will be described as an example of confidential data input / output. Although the content data itself may be handled as confidential data, in the present embodiment, the content data is encrypted, and the encrypted content data itself is recorded as normal data in the storage device 200. Then, data (license data and data) including a key for decrypting the encrypted content (referred to as a content key) and information (referred to as a usage rule) related to content reproduction control, license use, transfer, and copy control. Is input / output as secret data using the secure function described above. As a result, while maintaining sufficient tamper resistance, data input / output can be simplified, processing speed can be increased, and power consumption can be reduced. Here, the license data includes a license ID for specifying the license data in addition to the content key and the usage rule.

  Hereinafter, of the commands issued by the host device such as the recording device 100 and the playback device 300 to the storage device 200, the extended command for the secure function is also referred to as “secure command”, and the other commands are also referred to as “normal command”. Call.

  FIG. 2 shows an internal configuration of the recording apparatus 100 according to the embodiment. This configuration can be realized in hardware by a CPU, memory, or other LSI of an arbitrary computer, and in software, it is realized by a program having a recording control function loaded in the memory. So, functional blocks that are realized by their cooperation are drawn. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The recording apparatus 100 mainly includes a controller 101, a storage interface 102, a cryptographic engine 103, an encryptor 104, a content encoder 105, and a data bus 110 that electrically connects them.

  The content encoder 105 codes the content acquired online or offline into a predetermined format. Here, video data acquired from a broadcast wave or the like is coded in the MPEG format.

  The encryptor 104 issues license data LIC including a content key for decrypting the encrypted content, and encrypts the content coded by the content encoder 105 using this content key. The encrypted content is recorded in the storage device 200 via the data bus 110 and the storage interface 102. The issued license data LIC is notified to the encryption engine 103 and recorded in the storage device 200 via the encryption engine 103.

  The cryptographic engine 103 controls cryptographic communication with the storage device 200 in order to input the license data LIC to the storage device 200. The storage interface 102 controls data input / output with the storage device 200. The controller 101 comprehensively controls the components of the recording apparatus 100.

  FIG. 3 shows an internal configuration of the playback apparatus 300 according to the embodiment. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof.

  The playback apparatus 300 mainly includes a controller 301, a storage interface 302, a cryptographic engine 303, a decoder 304, a content decoder 305, and a data bus 310 that electrically connects them.

  The storage interface 302 controls data input / output with the storage device 200. The cryptographic engine 303 controls cryptographic communication with the storage device 200 in order to receive the license data LIC including the content key from the storage device 200.

  The decryptor 304 decrypts the encrypted content read from the storage device 200 with the content key included in the license data LIC obtained from the storage device 200.

  The content decoder 305 decodes and outputs the content decoded by the decoder 304. For example, if the content is in MPEG format, the video signal and the audio signal are restored from the content, the video signal is output to a display device (not shown), and the audio signal is output to a speaker (not shown). The controller 301 comprehensively controls the components of the playback device 300.

  FIG. 4 shows an internal configuration of the storage device 200 according to the embodiment. The storage device 200 mainly includes a controller 201, a storage interface 202, a cryptographic engine 203, a tamper resistant storage unit 204, a normal data storage unit 205, and a data bus 210 that electrically connects them.

  The storage interface 202 controls data input / output with the recording device 100 and the playback device 300. The cryptographic engine 203 controls cryptographic communication for inputting / outputting secret data such as license data LIC including a content key between the recording device 100 and the playback device 300. The normal data storage unit 205 is a normal storage area for recording encrypted content, normal data, and the like. The tamper resistant storage unit 204 is a confidential data storage area for recording confidential data such as license data LIC including a content key. The normal data storage unit 205 is directly accessed (data input / output) from the outside, but the tamper-resistant storage unit 204 is configured so that it cannot be accessed (data input / output) through the cryptographic engine 203. The controller 201 comprehensively controls the components of the storage device 200.

  Here, the key used in this embodiment will be described. In the present embodiment, the key is expressed as a character string starting with a capital letter “K”. When the second character is lowercase “c” or “s”, it represents a symmetric key (common key). In the case of “c”, it is a challenge key, and is a temporally symmetric key generated at the transmission source of the encrypted data. In the case of “s”, it is a session key, which is a temporal symmetric key generated at the transmission destination of the encrypted data.

  When the second character is capital “P”, it indicates a public key of the public key cryptosystem. This key always has a corresponding secret key, and this secret key has a notation excluding the second letter capital letter “P” from the notation of the public key.

  When the character string indicating the key includes a lowercase “d”, it indicates that the key is assigned to each group of devices. If the character string indicating the key includes a lowercase letter “p”, it indicates that the key is assigned to each device. Each is given as a pair of a public key and a private key, and the public key given for each group is given as a public key certificate with an electronic signature.

  The character described at the end of the character string indicating the key, for example, “2” of the public key KPd2, is a symbol for identifying the cryptographic engine to which the key is given. In the present embodiment, when the provision destination is clear, the numbers “1”, “2”, and “3” are written, and the key is provided from other than the encryption engine and the provision destination is unknown. When not specified, it is expressed by English characters such as “x” and “y”. In this embodiment, “1” is used as the identification symbol for the cryptographic engine 103 of the recording device 100, “2” is used as the identification symbol for the cryptographic engine 203 of the storage device 200, and the cryptographic engine 303 of the playback device 300 is identified. Each symbol “3” is used.

  FIG. 5 shows an internal configuration of the cryptographic engine 103 of the recording apparatus 100 shown in FIG. The cryptographic engine 103 includes a certificate verification unit 120, a random number generation unit 121, a first encryption unit 122, a first decryption unit 123, a second decryption unit 124, a second encryption unit 125, a third encryption unit 126, and a certificate output unit. 127 and a local bus 130 that electrically connects at least some of these components.

  The certificate verification unit 120 verifies the certificate C [KPd2] acquired from the storage device 200. The certificate C [KPd2] includes plaintext information (referred to as “certificate body”) including the public key KPd2 and an electronic signature attached to the certificate body. This electronic signature is obtained by applying a calculation result of a hash function to the certificate body (this calculation process is referred to as “hash calculation”), and a root key Ka of a certificate authority (not shown) as a third party. Data encrypted by. The root key Ka is a private key that is strictly managed by the certificate authority and serves as a secret key of the certificate authority.

  The certificate verification unit 120 holds a verification key KPa that is paired with the root key Ka. This verification key KPa is a public key for verifying the validity of the certificate. The verification of the certificate is judged by the validity of the certificate and the validity of the certificate. The verification of the validity of the certificate is a process of comparing the calculation result of the hash function for the certificate body of the certificate to be verified with the result of decrypting the electronic signature with the verification key KPa. It is judged that. The certificate verification unit 120 maintains a certificate revocation list (CRL) that is a list of invalid certificates, and the CRL checks whether the certificate to be verified is valid. It is judged that it is effective when it is not described. The process of judging the validity and validity of a certificate and approving a valid certificate is called verification.

  If the verification is successful, the certificate verification unit 120 retrieves the public key KPd2 of the storage device 200, transmits it to the first encryption unit 122, and notifies the verification result. If verification fails, a verification error notification is output.

  The certificate output unit 127 outputs the certificate C [KPd1] of the recording apparatus 100. This certificate includes a certificate body including the public key KPd1 of the recording apparatus 100 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority, similarly to the certificate of the storage device 200.

  The random number generator 121 generates a challenge key Kc1 that is temporarily used to perform cryptographic communication with the storage device 200. By generating the challenge key Kc1 with a random number each time encrypted communication is performed, the possibility that the challenge key Kc1 is overlooked can be minimized. The generated challenge key Kc1 is transmitted to the first encryption unit 122 and the first decryption unit 123.

  In order to notify the storage device 200 of the challenge key Kc1, the first encryption unit 122 encrypts the challenge key Kc1 with the public key KPd2 of the storage device 200 extracted by the certificate verification unit 120, and encrypts the challenge key E (KPd2, Kc1) is generated. Then, the encrypted challenge key E (KPd2, Kc1) is combined with the certificate C “KPd1” output from the certificate output unit 127 to be challenge information E (KPd2, Kc1) // C “KPd1”. . Here, the symbol “//” indicates data concatenation, and E (KPd2, Kc1) // C [KPd1] combines the encryption challenge key E (KPd2, Kc1) and the certificate C [KPd1] side by side. Shows the data string. E indicates an encryption function, and E (KPd2, Kc1) indicates that the challenge key Kc1 is encrypted with the public key KPd2.

  The first decryption unit 123 decrypts the data encrypted with the challenge key Kc1. The session key Ks2 issued by the storage device 200 and the public key KPp2 held by the storage device 200 are supplied from the storage device 200 as session information E (Kc1, E (KPd1, Ks2) // KPp2). The 1 decryption unit 123 acquires the challenge key Kc1 generated by the random number generation unit 121, decrypts the session information, and extracts the encrypted session key E (KPd1, Ks2) and the public key KPp2. The extracted public key KPp2 and encrypted session key E (KPd1, Ks2) are transmitted to the second encryption unit 125 and the second decryption unit 124, respectively.

  The second decryption unit 124 decrypts the data encrypted with its own public key KPd1 with the secret key Kd1 paired with the public key KPd1. Since the session key Ks2 is transmitted as the encrypted session key E (KPd1, Ks2) from the first decryption unit 123, the second decryption unit 124 decrypts this and extracts the session key Ks2. The extracted session key Ks1 is transmitted to the third encryption unit 126.

  The second encryption unit 125 acquires the license data LIC including the content key issued when the encryptor 104 encrypts the content, and uses the license data LIC with the public key KPp2 of the storage device 200 to which the license data is provided. Encrypt and generate E (KPp2, LIC). The generated E (KPp2, LIC) is transmitted to the third encryption unit 126.

  The third encryption unit 126 further encrypts E (KPp2, LIC) transmitted from the second encryption unit 125 with the session key Ks2 issued by the storage device 200, and encrypts the license data E (Ks2, E (KPp2, LIC)).

  In FIG. 5, among the components of the cryptographic engine 103, the certificate verification unit 120, the first encryption unit 122, the first decryption unit 123, and the third encryption unit 126 are electrically connected by the local bus 130. It is connected to the data bus 110 of the recording apparatus 100 via the local bus 130. Various modifications can be considered in the form of connecting each component, but in this embodiment, the challenge key Kc1 generated by the random number generation unit 121, the session key Ks2 received from the storage device 200, and its own Consideration is given so that the secret key Kd1 does not directly flow out to the data bus 110. Thereby, it is possible to prevent each key used in the cryptographic engine 103 from leaking to the outside through other components of the recording apparatus 100 and improve the security.

  FIG. 6 shows the internal configuration of the cryptographic engine 303 of the playback apparatus 300 shown in FIG. The cryptographic engine 303 includes a certificate output unit 320, a random number generation unit 321, a certificate verification unit 322, a first decryption unit 323, a first encryption unit 324, a second encryption unit 325, a second decryption unit 326, and a third decryption unit. 327 and a local bus 330 that electrically connects at least some of these components.

  The certificate output unit 320 outputs the certificate C [KPd3] of the playback device 300. The certificate may be held by the certificate output unit 320 or may be held in a certificate holding unit (not shown) and read out. The certificate is composed of a certificate body including the public key KPd3 of the playback apparatus 300 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority, similarly to the certificate of the storage device 200.

  The random number generator 321 generates a session key Ks3 that is temporarily used for performing cryptographic communication with the storage device 200. The generated session key Ks3 is transmitted to the first encryption unit 324 and the second decryption unit 326.

  The certificate verification unit 322 verifies the certificate C [KPd2] of the storage device 200 extracted by the first decryption unit 323. Since the detailed processing of the verification has been described above, the description thereof is omitted here.

  The first decryption unit 323 decrypts the data encrypted with the public key KPd3 with the secret key Kd3. At the time of reproduction, the challenge key Kc2 issued by the storage device 200 is encrypted by the public key KPd3 of the reproduction device 300 and supplied from the storage device 200, so the first decryption unit 323 decrypts it with its own private key Kd3. Then, the challenge key Kc2 is taken out. The extracted challenge key Kc2 is transmitted to the second encryption unit 325.

  The first encryption unit 324 encrypts data with the public key KPd2 extracted from the certificate C [KPd2] of the storage device 200. In order to notify the storage device 200 of the session key Ks3, the session key Ks3 generated by the random number generator 321 is encrypted to generate an encrypted session key E (KPd2, Ks3). The generated encrypted session key E (KPd2, Ks3) is transmitted to the second encryption unit 325.

  The second encryption unit 325 encrypts the data with the challenge key Kc2 extracted by the first decryption unit 323. The encrypted session key E (KPd2, Ks3) transmitted from the first encryption unit 324 and its own public key KPp3 are concatenated and encrypted to obtain session information E (Kc2, E (KPd2, Ks3) // KPp3 ) Is generated.

  The second decryption unit 326 decrypts the data encrypted with the session key Ks3. Since the license data is supplied from the storage device 200 as encrypted license data E (Ks3, E (KPp3, LIC)) that is double-encrypted with the public key KPp3 and the session key Ks3, the second decryption unit 326 The decryption is performed using the session key Ks3 generated by the random number generation unit 321 and the result is transmitted to the third decryption unit 327.

  The third decryption unit 327 decrypts the data encrypted with the public key KPp3. The result of the second decryption unit 326 is decrypted with the secret key Kp3 paired with the public key KPp3, and the license data LIC is extracted. The extracted license data LIC is transmitted to the decryptor 304, and the decryptor 304 decrypts the encrypted content using the content key included in the license data LIC.

  In the cryptographic engine 303 shown in FIG. 6, various modifications can be considered in the form of connecting each component. In this embodiment, the session key Ks3 generated by the random number generator 321 and the public key are paired. Are configured so that the private keys Kd3 and Kp3 and the session key Ks2 received from the storage device 200 do not flow on the data bus 310, so that the decryption key used in the cryptographic engine 303 is leaked to the outside. To prevent that.

  FIG. 7 shows an internal configuration of the cryptographic engine 203 of the storage device 200 shown in FIG. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof. The cryptographic engine 203 includes a control unit 220, a random number generation unit 221, a certificate output unit 222, a certificate verification unit 223, a first decryption unit 224, a first encryption unit 225, a second encryption unit 226, a second decryption unit 227, The third decryption unit 228, the third encryption unit 229, the fourth decryption unit 230, the fifth decryption unit 231, the fourth encryption unit 232, the fifth encryption unit 233, and at least a part of these components are electrically connected. A local bus 240 is provided.

  The control unit 220 mediates data input / output between the control of the internal configuration of the cryptographic engine 203 and the external configuration in accordance with an instruction from the controller 201 of the storage device 200.

  The random number generator 221 generates a session key Ks2 or a challenge key Kc2 that is temporarily used for encrypted communication with the recording device 100 or the playback device 300 by random number calculation. Specifically, when the storage device 200 provides license data, a challenge key Kc2 is generated, and when the storage device 200 receives provision of license data, a session key Ks2 is generated.

  The certificate output unit 222 outputs the certificate C [KPd2] of the storage device 200. The certificate may be held by the certificate output unit 222, or may be held in a predetermined storage area of the storage device 200, for example, the tamper resistant storage unit 204, and read out. The certificate includes a certificate body including the public key KPd2 of the storage device 200 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority.

  The certificate verification unit 223 verifies a certificate provided from the outside. Specifically, the certificate C [KPd1] acquired from the recording device 100 and the certificate C [KPd3] acquired from the playback device 300 are verified with the verification key KPa. Since the detailed processing of the verification has been described above, the description thereof is omitted here.

  The first decryption unit 224 decrypts the data encrypted with its own public key KPd2. Specifically, at the time of recording, since the challenge key Kc1 issued by the recording device 100 is encrypted with the public key KPd2 of the storage device 200 and supplied from the recording device 100, it is decrypted with its own secret key Kd2. Then, the challenge key Kc1 is taken out. The extracted challenge key Kc1 is transmitted to the second encryption unit 226.

  The first encryption unit 225 encrypts data with the public key KPd1 of the recording apparatus 100. Specifically, the session key Ks2 generated by the random number generation unit 221 is encrypted with the public key KPd1, and an encrypted session key E (KPd1, Ks2) is generated. The public key KPd1 of the recording apparatus 100 used here is extracted from the certificate C [KPd1] of the storage device 200 by the control unit 220 and transmitted via the local bus 240.

  The second encryption unit 226 performs encryption for encrypting data with the challenge key Kc1 generated by the recording apparatus 100. Specifically, the encrypted session key E (KPd1, Ks2) received from the first encryption unit 225 is concatenated with its own public key KPp2, encrypted with the challenge key Kc1, and session information E (Kc1, E (KPd1) , Ks2) // KPp2).

  The second decryption unit 227 decrypts the encrypted data using the session key Ks2 generated by the random number generation unit 221. Specifically, the license data LIC is received as E (Ks2, E (KPp2, LIC)) from the recording device 100 in a form encrypted twice with the public key KPp2 and the session key Ks2, and this is received as the session key. Decoding is performed using Ks2, and the result is transmitted to the third decoding unit 228.

  The third decryption unit 228 decrypts the data encrypted with its own public key KPp2. The license data E (KPp2, LIC) encrypted with the public key KPp2 transmitted from the second decryption unit 227 is decrypted with its own private key Kp2 paired with the public key KPp2, and the license data LIC is extracted.

  The extracted license data LIC is supplied to the data bus 210 via the local bus 240 and the control unit 220, and is stored in the tamper resistant storage unit 204 in accordance with an instruction from the controller 201.

  The third encryption unit 229 encrypts the data with the public key KPd3 of the playback device 300. Specifically, when providing license data to the playback device 300, the challenge key Kc2 issued by the random number generator 221 with the public key KPd3 extracted from the certificate C [KPd3] received from the playback device 300 Is encrypted to generate an encryption challenge key E (KPd3, Kc2). The generated encryption challenge key E (KPd3, Kc2) is transmitted to the control unit 220 via the local bus 240. The control unit 220 combines this and its own certificate C [KPd2] output from the certificate output unit 222 to generate challenge information E (KPd3, Kc2) // C [KPd2].

  The fourth decryption unit 230 decrypts the data encrypted with the challenge key Kc2 issued by the random number generation unit 221. The session information E (Kc2, E (KPd2, Ks3) // KPp3) received from the playback device 300 is decrypted with the challenge key Kc2 generated by the random number generation unit 221, and the encrypted session key E (KPd2, Ks3) and playback are performed. The public key KPp3 of the device 300 is taken out. The extracted encrypted session key E (KPd2, Ks3) and public key KPp3 are transmitted to the fifth decryption unit 231 and the fourth encryption unit 232, respectively.

  The fifth decryption unit 231 decrypts the data encrypted with its own public key KPd2. Specifically, the encrypted session key E (KPd2, Ks3) transmitted from the fourth decryption unit 230 is decrypted with its own secret key Kd2, and the session key Ks3 issued by the playback device 300 is extracted. The extracted session key Ks3 is transmitted to the fifth encryption unit 233.

  The fourth encryption unit 232 encrypts data with the public key KPp3 of the playback device 300. When providing license data to the playback apparatus 300, the license data LIC is encrypted with the public key KPp3 received from the playback apparatus 300. The license data LIC is read from the tamper resistant storage unit 204 in accordance with an instruction from the controller 201 and transmitted to the fourth encryption unit 232 via the data bus 210, the control unit 220, and the local bus 240.

  The fifth encryption unit 233 encrypts the data with the session key Ks3 issued by the playback device 300. Specifically, the license data encrypted with the public key KPp3 of the playback device 300 in the fourth encryption unit 232 with the session key Ks3 is further encrypted to obtain encrypted license data E (Ks3, E (KPp3, LIC). )).

  8 and 9 show a procedure until the recording apparatus 100 records the license data LIC in the storage device 200. FIG.

  First, the controller 101 of the recording apparatus 100 issues a certificate output command to the storage device 200 (S102). When the controller 201 of the storage device 200 normally accepts the certificate output command (S104), the controller 201 instructs the cryptographic engine 203 to output the certificate, reads the certificate C [KPd2] from the cryptographic engine 203, and sends it to the recording device 100. Output (S106).

  Upon obtaining the certificate C [KPd2] from the storage device 200, the controller 101 sends it to the cryptographic engine 103 of the recording device 100 (S108). When the cryptographic engine 103 receives the certificate C [KPd2] of the storage device 200 (S110), the certificate verification unit 120 verifies the certificate with the verification key KPa (S112). If the certificate is not approved (N in S112), the certificate verification unit 120 transmits a verification error notification to the controller 101 (S190). When the controller 101 receives the error notification (S192), it ends the process abnormally.

  If the certificate is approved (Y in S112), the cryptographic engine 103 generates a challenge key Kc1 by the random number generation unit 121 and transmits the generated challenge key Kc1 to the first encryption unit 122 and the first decryption unit 123. To do. The first decryption unit 123 holds the challenge key Kc1 inside (S114). The first encryption unit 122 encrypts the challenge key Kc1 with the public key KPd2 of the storage device 200 to generate an encrypted challenge key E (KPd2, Kc1). This is combined with its own certificate C [KPd1] from the certificate output unit 127 to generate challenge information E (KPd2, Kc1) // C [KPd1], which is sent to the controller 101 (S116). ).

  Upon receiving the challenge information E (KPd2, Kc1) // C [KPd1] (S118), the controller 101 issues a challenge information verification command to the storage device 200 (S120). In the storage device 200, when the controller 201 receives the challenge information verification command, the controller 201 requests input of challenge information E (KPd2, Kc1) // C [KPd1] (S122). In response to this request, the controller 101 of the recording apparatus 100 outputs challenge information E (KPd2, Kc1) // C [KPd1] to the storage device 200 (S124).

  When the storage device 200 receives the challenge information E (KPd2, Kc1) // C [KPd1] (S126), in the cryptographic engine 203, the control unit 220 causes the challenge information E (KPd2, Kc1) // C [KPd1]. The certificate C [KPd1] is taken out from the certificate and transmitted to the certificate verification unit 223. The certificate verification unit 223 verifies the transmitted certificate C [KPd1] with the verification key KPa, and transmits the verification result to the control unit 220 (S128). When the certificate is not approved (N in S128), the certificate verification unit 223 notifies the control unit 220 of a verification error notification, and the control unit 220 notifies the controller 201. Then, the controller 201 transmits a verification error notification to the controller 101 via the storage interface 202 (S194). When the controller 101 receives the error notification (S192), it ends the process abnormally.

  When the certificate is approved (Y in S128), the control unit 220 obtains the public key KPd1 and the encrypted challenge key E (KPd2, Kc1) from the challenge information E (KPd2, Kc1) // C [KPd1]. The data is taken out and transmitted to the first encryption unit 225 and the first decryption unit 224, respectively. The first encryption unit 225 holds the transmitted public key KPd1. The first decryption unit 224 decrypts the transmitted encrypted challenge key E (KPd2, Kc1) with its own secret key Kd2, and takes out the challenge key Kc1 (S130). Then, the challenge key Kc1 extracted by the first decryption unit 224 is held in the second encryption unit 226 (S132).

  On the other hand, when the processing of the challenge information verification command is completed in the storage device 200, the controller 101 of the recording apparatus 100 issues a session information generation command to the storage device 200 (S134). In the storage device 200, when the controller 201 accepts the session information generation command (S136), in the cryptographic engine 203, the random number generation unit 221 generates the session key Ks2 according to the instruction of the control unit 220, and the generated session key Ks2 is 2 is transmitted to the first decryption unit 227 and the first encryption unit 225. Then, the second decryption unit 227 holds this session key Ks2 (S138).

  The first encryption unit 225 encrypts the session key Ks2 with the held public key KPd1, generates an encrypted session key E (KPd1, Ks2), and transmits it to the second encryption unit 226. The second encryption unit 226 concatenates the encrypted session key E (KPd1, Ks2) and its own public key KPp2, encrypts them with the challenge key Kc1 held in step S132, and stores the session information E (Kc1, E (KPd1, Ks2) // KPp2) is generated (S140).

  On the other hand, when the processing of the session information generation command is completed in the storage device 200, the controller 101 of the recording apparatus 100 issues a session information output command (S142). In the storage device 200, when the session information output command is received (S144), the controller 201 reads the session information E (Kc1, E (KPd1, Ks2) // KPp2) from the cryptographic engine 203, and the controller 101 of the recording apparatus 100. (S146).

  Upon receiving the session information E (Kc1, E (KPd1, Ks2) // KPp2) from the storage device 200, the controller 101 sends it to the cryptographic engine 103 (S148). When the cryptographic engine 103 receives the session information E (Kc1, E (KPd1, Ks2) // KPp2) from the controller 101 (S150), the first decryption unit 123 uses the session information E ( The encrypted session key E (KPd1, Ks2) and the public key KPp2 of the storage device 200 are extracted by decrypting Kc1, E (KPd1, Ks2) // KPp2). Then, the second decryption unit 124 decrypts the encrypted session key E (KPd1, Ks2) extracted by the first decryption unit 123 with its own secret key Kd1, and extracts the session key Ks2 (S152).

  Subsequently, in the second encryption unit 125 of the encryption engine 103, the license data LIC issued by the encryptor 104 is encrypted with the public key KPp2 of the storage device 200. Then, in the third encryption unit 126, the license data LIC encrypted by the second encryption unit 125 is further encrypted by the session key Ks2 issued by the storage device 200, and the encrypted license data E (Ks2, E (KPp2 , LIC)) and sends it to the controller 101 (S154).

  Upon receiving the encrypted license data E (Ks2, E (KPp2, LIC)) (S156), the controller 101 issues a license data write command to the storage device 200 (S158). The license writing command is accompanied by an address that designates a recording position on the tamper resistant storage unit 204. Here, the address indicates a logical address and does not directly specify the recording position in the tamper-resistant storage unit 204, but the controller records the data recorded by specifying the address so that it can be read by specifying the same address. 201. However, the physical address directly indicating the position in the tamper resistant storage unit 204 may be used.

  When the storage device 200 receives the license write command (S160), the storage device 200 requests the controller 101 of the recording apparatus 100 to input the encrypted license data, and the controller 101 of the recording apparatus 100 performs the encryption in response to this request. The license data E (Ks2, E (KPp2, LIC)) is output to the storage device 200 (S162). When the storage device 200 receives the encrypted license data E (Ks2, E (KPp2, LIC)) (S164), it transmits this to the second decryption unit 227 in the cryptographic engine 203.

  The second decryption unit 227 decrypts the encrypted license data E (Ks2, E (KPp2, LIC)) with the session key Ks2 held therein, and the license data E (() encrypted with its own public key KPp2. KPp2, LIC) is taken out. Then, the extracted encrypted license data E (KPp2, LIC) is transmitted to the third decryption unit 228. The third decryption unit 228 decrypts this with the public key KPp2 and the paired secret key Kp2, retrieves the license data LIC (S166), and supplies it to the data bus 210 via the local bus 240 and the control unit 220. The controller 201 performs a storage process of storing the license data supplied to the data bus 210 at a specified address in the tamper resistant storage unit 204 (S168).

  On the other hand, after the processing of the license data write command is completed in the storage device 200, the controller 101 determines whether to continue recording license data (S170).

  When license data is continuously recorded (Y in S170), the process proceeds to step S134, and the procedure is started from issuing a session information generation command. This is a procedure for reducing the processing by sharing the certificate verification processing when recording a plurality of license data. Here, it is assumed that the license data is continuously recorded, but it is not always necessary to record the next license data immediately after recording one license data. The encryption engine 103 and the storage device 200 share the same challenge key Kc1, specifically, the first decryption unit 123 of the encryption engine 103 of the recording device 100 and the second encryption of the encryption engine 203 of the storage device 200. Any timing may be used as long as the unit 226 holds the same challenge key Kc1.

  Even if the license data is continuously recorded, there is no problem even if the procedure is started from step S102. If the license data is not recorded subsequently (N in S170), the process ends normally.

  With the above procedure, the license data necessary for decrypting and playing back the encrypted content is recorded in the storage device 200. The encrypted content is normal data and is directly stored in the normal data storage unit 205 of the storage device 200 by a normal command. The description of the normal data storage process is omitted.

  Note that the recording order of the license data and the encrypted content data may be any first. Further, the license data may be recorded by dividing and issuing the secure command during the free time when recording the encrypted content data. Note that the procedure until the recording apparatus 100 shown in FIGS. 8 and 9 records the license data in the storage device 200 is an example in the case of normal processing transition.

  10 and 11 show a procedure until the playback device 300 reads license data from the storage device 200. FIG. First, the controller 301 of the playback device 300 makes a certificate output request to the cryptographic engine 303 (S302). When the cryptographic engine 303 receives the transmission request (S304), the certificate output unit 320 sends the certificate C [KPd3] to the controller 301 (S306). Upon receiving the certificate C [KPd3] from the cryptographic engine 303 (S308), the controller 301 issues a certificate verification command to the storage device 200 (S310).

  When the storage device 200 receives the certificate verification command (S312), the storage device 200 requests the input of the certificate, and the controller 301 of the playback device 300 responds to the request with the certificate C [KPd3] received from the cryptographic engine 303. Is output to the storage device 200 (S314). When the storage device 200 receives the certificate C [KPd3] (S316), the storage device 200 transmits the certificate C [KPd3] to the internal encryption engine 203. In the cryptographic engine 203, the certificate verification unit 223 verifies the certificate C [KPd3] with the verification key KPa according to the instruction of the control unit 220 (S318). When the certificate is not approved (N in S318), the certificate verification unit 223 transmits a verification error notification to the controller 301 via the control unit 220, the controller 201, and the storage interface 202 (S390). When the controller 301 receives the error notification (S392), it abnormally ends the process. On the other hand, when the certificate C [KPd3] is approved (Y in S318), the control unit 220 of the cryptographic engine 203 extracts the public key KPd3 from the certificate C [KPd3] and transmits it to the third cryptographic unit 229. . The third encryption unit 229 holds this public key KPd3 (S320).

  On the other hand, when the storage device 200 approves the certificate C [KPd3] of the cryptographic engine 303 in the storage device 200, the controller 301 issues a challenge information generation command to the storage device 200 (S322). Then, the storage device 200 receives the challenge information generation command (S324). In the cryptographic engine 203, the random number generation unit 221 generates a challenge key Kc 2 in accordance with an instruction from the control unit 220, and transmits the generated challenge key Kc 2 to the third encryption unit 229 and the fourth decryption unit 230. The fourth decryption unit 230 holds the challenge key Kc2 inside (S326). Then, the third encryption unit 229 generates an encrypted challenge key E (KPd3, Kc2) obtained by encrypting the challenge key Kc2 with the public key KPd3 held in step S320. Then, it receives its own certificate C [KPd2] from the certificate output unit 222 and concatenates it with the encrypted challenge key E (KPd3, Kc2) to generate challenge information E (KPd3, Kc2) // C [KPd2]. (S328).

  On the other hand, when the processing of the challenge information generation command is completed in the storage device 200, the controller 301 of the playback device 300 issues a challenge information output command (S330). Then, when the storage device 200 receives the challenge information output command (S332), the controller 201 retrieves the challenge information E (KPd3, Kc2) // C [KPd2] from the cryptographic engine 203 by the controller 201, and the controller 301 of the playback device 300. (S334).

  Upon receiving the challenge information E (KPd3, Kc2) // C [KPd2], the controller 301 sends it to the cryptographic engine 303 (S336). When the cryptographic engine 303 receives the challenge information E (KPd3, Kc2) // C [KPd2] (S338), in the cryptographic engine 303, the certificate verification unit 322 verifies the certificate with the verification key KPa (S340). ). When the certificate is not approved (N in S340), the certificate verification unit 322 transmits a verification error notification to the controller 301 (S394). When the controller 301 receives the error notification (S392), it abnormally ends the process.

  On the other hand, if the certificate is approved (Y in S340), the first decryption unit 323 of the cryptographic engine 303 decrypts the encrypted challenge key E (KPd3, Kc2) with its own private key Kd3 and challenges key Kc2 Is taken out (S342). Subsequently, the extracted challenge key Kc2 is held in the second encryption unit 325 (S344).

  On the other hand, the controller 301 issues a license read command to the storage device 200 (S346). The license read command is accompanied by an address that designates a read position in the tamper resistant storage unit 204. Upon receipt of the license read command (S348), the storage device 200 reads the license data LIC stored at the specified address of the tamper resistant storage unit 204, and the read license data LIC is the fourth of the cryptographic engine 203. It is held in the encryption unit 232 (S350).

  On the other hand, the controller 301 makes a transmission request for session information to the cryptographic engine 303 (S352). When the cryptographic engine 303 receives this transmission request (S353), in the cryptographic engine 303, the random number generation unit 321 generates a session key Ks3 and transmits it to the first encryption unit 324 and the second decryption unit 326. The second decryption unit 326 holds this session key Ks3 inside (S354). Then, the first encryption unit 324 encrypts the session key Ks3 with the public key KPd2 of the storage device 200 extracted from the certificate C [KPd2], and generates an encrypted session key E (KPd2, Ks3). The generated encrypted session key E (KPd2, Ks3) is transmitted to the second encryption unit 325. The second encryption unit 325 concatenates its own public key KPp3 and encrypts it with the challenge key Kc2 held in step S344 to generate session information E (Kc2, E (KPd2, Ks3) // KPp3). Then, it is sent to the controller 301 (S356). When the controller 301 receives the session information E (Kc2, E (KPd2, Ks3) // KPp3) from the cryptographic engine 303 (S358), it issues a session information processing command to the storage device 200 (S360).

  When the storage device 200 receives the session information processing command (S362), the storage device 200 requests the input of session information, and the controller 301 of the playback device 300 responds to the request with the session information E (Kc2, E (KPd2, Ks3) // KPp3) is output to the storage device 200 (S364). When the storage device 200 receives the session information E (Kc2, E (KPd2, Ks3) // KPp3) (S366), the storage device 200 transmits it to the fourth decryption unit 230 of the cryptographic engine 203. The fourth decryption unit 230 decrypts the transmitted session information E (Kc2, E (KPd2, Ks3) // KPp3) with the challenge key Kc2 held in step S326. Then, the encrypted session key E (KPd2, Ks3) and the public key KPp3 of the playback device 300 are extracted and transmitted to the fifth decryption unit 231 and the fourth encryption unit 232, respectively. Next, the fifth decryption unit 231 decrypts the transmitted encrypted session key E (KPd2, Ks3) with its own private key Kd2 paired with its own public key KPd2, and the session key issued by the playback device 300 Ks3 is extracted and transmitted to the fifth encryption unit 233 (S368). The fourth encryption unit 232 encrypts the license data LIC held in step S350 with the public key KPp3 of the transmitted reproduction device 300, and transmits this to the fifth encryption unit 233. The fifth encryption unit 233 encrypts the encrypted license data E (KPp3, LIC) generated by the fourth encryption unit 232 with the session key Ks3 transmitted from the fifth decryption unit 231, and encrypts the license data E ( Ks3, E (KPp3, LIC)) is generated (S370).

  On the other hand, when the processing of the session information processing command is completed in the storage device 200, that is, when encrypted license data is generated, the controller 301 of the playback device 300 issues an encrypted license output command (S372). In the storage device 200, when the encrypted license output command is received (S374), the controller 201 extracts the encrypted license data E (Ks3, E (KPp3, LIC)) from the cryptographic engine 203, and the controller 301 of the playback device 300. (S376).

  Upon receiving the encrypted license data E (Ks3, E (KPp3, LIC)) from the storage device 200, the controller 301 sends it to the cryptographic engine 303 (S378). When the cryptographic engine 303 receives the encrypted license data (S380), the second decryption unit 326 decrypts the encrypted license data E (Ks3, E (KPp3, LIC)) with the session key Ks3 held in step S354, The decoding result E (KPp3, LIC) is sent to the third decoding unit 327. The third decryption unit 327 decrypts the private key Kp3 that is paired with the public key KPp3, and extracts the license data LIC (S382). The license data is sent to the decryptor 304 (S384), and is used when the decryptor 304 decrypts the encrypted content data. With the above procedure, license data for decrypting the encrypted content is read from the storage device 200 by the playback device 300.

  On the other hand, if the controller 301 wants to continuously read other license data (Y in S386), the controller 301 can proceed to step S346 and start the procedure from issuing the license read command. This is a procedure for reducing the processing by sharing the certificate verification processing when reading a plurality of license data. The license data is continuously read out. However, it is not always necessary to perform the next reading immediately after reading out one license data. A state in which the cryptographic engine 303 and the storage device 200 share the challenge key Kc2, specifically, the second cryptographic unit 325 of the cryptographic engine 303 of the playback device 300 and the fourth decrypting unit of the cryptographic engine 203 of the storage device 200 Any timing may be used as long as 230 holds the same challenge key Kc2. Even if the license data is continuously read out, there is no problem even if the procedure is started from step S302. Subsequently, when no other license data is read (N in S386), the controller 301 ends normal processing.

  Copy the license data recorded on the storage device 200 to another storage device (the license data recorded on the storage device 200 can be used) or move (delete or invalidate the license data recorded on the storage device 200) Recording process can be provided. If another storage device that newly records license data has the same function, the license may be transferred between the storage devices in the same procedure, and the license may be recorded from the storage device 200 to the other storage device. Obviously we can do it. In this case, the transfer of the license from the storage device 200 to the other storage device includes the use of the license from the storage device 200 to the playback device 300 and the transfer of the license from the other storage device to the storage device 200. It functions in the same manner as license recording from the recording apparatus 100 to the storage device 200.

  According to the above embodiment, the license data transmission source (recording device 100 during recording, storage device 200 during reading) is the license data transmission destination (storage device 200 during recording, and playback device 300 during reading). After verifying the certificate C [KPdx] (where x is the destination of the license data and y is the source of the license data), the source certificate C [KPdy] of the license data is the challenge information E (KPdx, Kcy). ) // C [KPdy] is sent from the transmission source to the transmission destination, and the transmission source certificate C [KPdy] is verified at the transmission destination. At this time, if it is verified that the transmission source device is not valid, the processing is interrupted and the provision of license data can be refused.

  Here, the verification related to the so-called “spoofing attack” will be described. When the challenge information is forged as a spoofing attack, the certificate C [KPdy] is forged and the challenge key Kcy is forged. If the certificate C [KPdy] is forged, the certificate C [KPdy] is revealed by verification, and the forged certificate C [KPdy] is not approved.

  When the challenge key Kcy is forged, the public key KPd2 of the storage device 200 can be easily extracted from the certificate C [KPd2], so that the encrypted challenge key E (KPdx, Kcy) is the fake challenge key Kcz. It is easy to use fake challenge information E (KPdx, Kcz) // C [KPdy] replaced with encryption challenge information E (KPdx, Kcz) based on impersonation attack (z is fake). Since the certificate C [KPdy] is a regular certificate, the transmission destination of the license data accepts the fake challenge key Kcz. In this case, in return data transfer, the second public key KPp2 of the storage device 200 is extracted from the session information E (Kcz, E (KPdy, Ksx) // KPpx) using the fake challenge key Kcz. However, since the session key Ksx is still encrypted with the public key KPdy of the legitimate device, the session key Ksx cannot be extracted. Since provision of the license data requires the session key Ksx, the provision of license data is not received by such a spoofing attack.

  The public key KPpx extracted by this impersonation attack is a key that does not cause a problem even if it is disclosed. Therefore, safety is not threatened by this attack.

  As in the present embodiment, the license data can be provided only when the transmission destination of the license data authenticates the validity of the transmission source and the transmission source apparatus is valid, and the transmission source apparatus If it is not valid, the provision of license data can be refused.

  In this embodiment, the session information is E (Kcy, E (KPdy, Ksx) // KPpx), but E (Kcy, E (KPdy, Ksx // KPpx)) is also E (Kcy, The same effect can be obtained with Ksx // E (KPdy, KPpx)).

  That is, as the session information encrypted using the public key KPdy extracted from the certificate C [KPdy] of the transmission source verified by the transmission destination of the license data, from the transmission destination of the license data to the transmission source of the license data, At least one of the two keys to be transmitted, that is, at least one of the public key KPpx and the session key Ksx is encrypted, and a key that is not subject to encryption with the public key KPdy and encrypted data with the public key KPdy The data encrypted with the challenge key Kcy can be used as session information.

  The verification related to the “spoofing attack” when the session information is E (Kcy, Ksx // E (KPdy, KPpx)) will be described.

  When the certificate C [KPdy] is forged, the same as described above. When the challenge key Kcy is forged, in the return data transfer, the session key is decrypted from the session information E (Kcz, Ksx // E (KPdy, KPpx)) with the fake challenge key Kcz and generated by the storage device 200. Ksx can be taken out. However, since the public key KPpx is still encrypted with the public key KPdy of the legitimate apparatus that is the license data transmission source, the public key KPpx of the license data transmission destination cannot be extracted. Further, even if the transmission destination public key KPpx is extracted, data encrypted using this key cannot be inferred without the secret key Kpx managed uniquely by the transmission source of the license data. Therefore, the license data is not compromised by such a spoofing attack. Since the session information is E (Kcy, E (KPdy, Ksx // KPpx)), the description is omitted.

  In this embodiment, the license data including the content key is encrypted and transmitted using the second public key KPpx of the license data transmission destination and the session key Ksx generated by the transmission destination of the license data. Although the license data has been described as E (Ksx, E (KPpx, LIC)), the encryption order is not a problem, and even the encrypted license data E (KPpx, E (Ksx, LIC)) is no exception.

  Further, when a configuration is made to share a further key Kt related to the transmission of the license data, the additional key to be transmitted from the license data transmission source to the license transmission destination is transmitted to the license transmission destination for the purpose of key sharing. The second public key KPpx and the session key Ksx generated by the transmission destination of the license data may be encrypted and transmitted. In this case, for example, instead of the license data, a new disposable symmetric key Kt that is temporally generated and used by the license transmission source is used as both the second public key KPpx and the session key Ksx as the transmission destination of the license data or Either one is encrypted before sending. In the embodiment, the license data LIC is transmitted as the encrypted license data E (Ksx, E (KPpx, LIC)), but the encrypted license data E (Ksx, E (Kt, LIC)) can be used to eliminate encryption processing using the public key encryption algorithm from the second and subsequent encryption processing when the license data is repeatedly transmitted. Continuous high-speed transfer can be achieved. That is, the key Kt is used for transmission of a plurality of license data LICs. Further, it may be encrypted license data E (Kt, E (Ksx, LIC)). Such a case is no exception, and it is no exception if a new key is exchanged using the disposable symmetric key Kt. However, as the session information, two keys of the license data transmission destination, the second public key KPpx and the session key Ksx, are transmitted to the license data transmission source, and the content key is double-encrypted with these two keys. (License data) or key exchange for sending license data, and finally the content key (license data) can be sent from the license data source to the license data destination. You may go.

(Second Embodiment)
FIG. 12 shows a configuration of a recording / reproducing apparatus 400 according to the second embodiment. In the present embodiment, the recording apparatus 100 and the reproducing apparatus 300 in the first embodiment are realized as one recording / reproducing apparatus 400.

  The recording / reproducing apparatus 400 of this embodiment includes a controller 401, a storage interface 402, a recording unit 403, a reproducing unit 404, and a data bus 410 that electrically connects at least some of these components.

  The recording unit 403 includes the configuration of the recording device 100 according to the first embodiment illustrated in FIG. 2, and the reproducing unit 404 includes the configuration of the reproducing device 300 according to the first embodiment illustrated in FIG. In the figure, the same reference numerals are assigned to the same components as those in the first embodiment.

  The first cryptographic engine 103 corresponds to the cryptographic engine 103 of the recording device 100 in the first embodiment, and the second cryptographic engine 303 corresponds to the cryptographic engine 303 of the playback device 300 in the first embodiment. The internal configuration of the first cryptographic engine 103 is the same as the cryptographic engine 103 of the first embodiment shown in FIG. 5, and the internal configuration of the second cryptographic engine 303 is the same as that of the first embodiment shown in FIG. This is the same as the internal configuration of the encryption engine 303 of the embodiment.

  The controller 401 has the functions of both the controller 101 of the recording apparatus 100 and the controller 301 of the playback apparatus 300 in the first embodiment. The storage interface 402 controls data input / output with the storage device 200, and the data bus 410 electrically connects the configuration of the recording / playback apparatus 400.

  The operation of the recording / reproducing apparatus 400 in the present embodiment is the same as that in the first embodiment, and the recording apparatus 100 and the reproducing apparatus 300 are connected to the recording / reproducing apparatus 400 in the operation described in the first embodiment. Further, the controller 101 and 301 are replaced with the controller 401, the storage interface 102 and 302 are replaced with the storage interface 402, and the data buses 110 and 310 are replaced with the data bus 410, respectively.

  In the present embodiment, the recording unit 403 and the playback unit 404 include the first cryptographic engine 103 and the second cryptographic engine 303, respectively. However, the same functional blocks in these cryptographic engines may be shared. In this case, the configuration is the same as the cryptographic engine 203 in the storage device 200 shown in FIG. 7 in the first embodiment.

(Third embodiment)
FIG. 13 shows a configuration of a content distribution system according to the third embodiment. In the present embodiment, the recording device 100 in the first embodiment is realized as a distribution server 500 that distributes content and a terminal device 520 that receives the content. In the figure, the same components as those of the recording apparatus 100 according to the first embodiment are denoted by the same reference numerals.

  The distribution server 500 includes a cryptographic engine 103, a communication device 502, a content database 503, a license database 504, a user database 505, a controller 501 that controls them, and a data bus 510 that electrically connects them. The terminal device 520 includes a controller 101, a storage interface 102, a communication device 521, and a data bus 522 that electrically connects them. The distribution server 500 and the terminal device 520 are connected by the Internet 20 as an example of a network via the communication devices 502 and 521, respectively.

  The cryptographic engine 103 of the distribution server 500 has the same function as the cryptographic engine 103 of the first embodiment. The controller 101 and the storage interface 102 of the terminal device 520 are the same as the controller 101 of the first embodiment. It has the same function as the storage interface 102.

  The content database 503 holds content provided to the user. The license database 504 holds license data including a content key used for encrypting content. In this embodiment, the content is already encrypted with the content key and stored in the content database 503. However, the content before encryption is stored in the content database 503, and the distribution server 500 stores the first content. The content encoder 105 and the encryptor 104 included in the recording apparatus 100 according to the embodiment may be further provided, and the content may be read from the content database 503, encoded, and encrypted.

  The user database 505 holds information on a user who is a content providing destination. For example, the user's personal information, the user's terminal device 520 address, content purchase history, billing information, and the like may be held. The controller 501 reads encrypted content from the content database 503 in response to a user request and provides it to the user. Then, when the license data for decrypting the content is provided to the user by the encryption engine 103, the user database 505 is updated to charge for the content provision.

  In this embodiment, if the data bus 510, the communication device 502, the Internet 20, the communication device 521, and the data bus 522 are the data bus 110 in the first embodiment having the electrically connected configuration, The configuration is the same as that of the first embodiment. The procedure of the cryptographic input / output process of this embodiment is the same as that of the first embodiment.

  In the present embodiment, communication between the cryptographic engine 103 and the controller 101 is performed via the Internet 20, but as described with reference to FIGS. 8 and 9, data is always transmitted between the cryptographic engine 103 and the controller 101. Therefore, high tamper resistance can be realized.

  Content playback can be performed by attaching the storage device 200 to the playback device 300 in the first embodiment or the recording / playback device 400 in the second embodiment. Further, the terminal device 520 may be configured to include the playback unit 404 of the recording / playback device 400 in the second embodiment, and playback may be performed.

  As mentioned above, although embodiment which concerns on this invention was described, this embodiment is an illustration, this invention is not limited to this embodiment, The combination of each of those component and each processing process is carried out. It will be appreciated by those skilled in the art that various modifications are possible and that such modifications are within the scope of the present invention.

  For example, in the above-described embodiment, the functional block for performing encryption and the functional block for performing decryption are separately provided in the cryptographic engine, but the circuit may be shared by these components. As a result, the circuit scale can be reduced, contributing to downsizing and low power consumption.

  The embodiments of the present invention can be appropriately modified in various ways within the scope of the technical idea shown in the claims.

It is a figure which shows the whole structure of the data management system which concerns on 1st Embodiment. 1 is a diagram illustrating an internal configuration of a recording apparatus according to a first embodiment. It is a figure which shows the internal structure of the reproducing | regenerating apparatus concerning 1st Embodiment. It is a figure which shows the internal structure of the storage device which concerns on 1st Embodiment. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the internal structure of the recording / reproducing apparatus which concerns on 2nd Embodiment. It is a figure which shows the internal structure of the content delivery system which concerns on 3rd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Recording apparatus 200 Storage device 300 Playback apparatus 400 Recording / playback apparatus 500 Distribution server 520 Terminal apparatus

Claims (23)

A method for transmitting and receiving content usage information including a content key for decrypting encrypted content data,
A first step of establishing an encrypted communication path for transmitting and receiving the content usage information;
A second step of transmitting and receiving the content usage information using the encrypted communication path,
The first step includes
Authenticating the transmission destination by obtaining and verifying a first certificate of the transmission destination of the content usage information by a transmission source of the content usage information;
Authenticating the source by the destination obtaining and verifying a second certificate of the source;
The first symmetric key is encrypted with the first public key included in the first certificate, and is transmitted / received between the transmission source and the transmission destination, so that the Sharing one symmetric key;
When the transmission destination is approved by the transmission source and the transmission source is approved by the transmission destination, the second public key and the first symmetric key included in the second certificate Including the step of sharing the second symmetric key between the transmission source and the transmission destination by encrypting the symmetric key of 2 and transmitting and receiving between the transmission source and the transmission destination,
The content usage information transmission method, wherein the second step is executed when the second symmetric key is shared between the transmission source and the transmission destination.   The second step includes a step in which the transmission source encrypts the content usage information with at least the second symmetric key and transmits the content usage information to the transmission destination when it is time to transmit the content usage information. The content usage information transmitting method according to claim 1, wherein: The step of sharing the second symmetric key is performed by encrypting and transmitting and receiving the third public key of the destination together with the second symmetric key,
The first step further comprises sharing a third symmetric key with the third public key;
The content usage information according to claim 1, wherein the second step includes a step in which the transmission source encrypts the content usage information with at least the third symmetric key and transmits the encrypted content usage information to the transmission destination. Transmission method.   4. The content according to claim 2, wherein one of the transmission source and the transmission destination issues the first symmetric key, and the other issues the second symmetric key. 5. Usage information transmission method.   4. The third symmetric key is held at the transmission source and the transmission destination after the second step is finished, and is used when the content usage information is transmitted next time. The content usage information transmission method described in 1.   6. The content usage information transmission method according to claim 1, wherein when the timing for transmitting the content usage information has arrived, the first step is omitted.   The second symmetric key is newly issued when the next content usage information is transmitted after the completion of the second step, and is shared between the transmission source and the transmission destination. 7. The content usage information transmission method according to any one of 1 to 6. A content use information providing device that provides content use information including a content key for decrypting encrypted content data to a content use information receiving device,
A verification means for acquiring a certificate from the content use information receiving device and verifying the validity of the certificate;
Certificate transmitting means for transmitting its own certificate to the content use information receiving device;
First symmetric key sharing means for sharing a first symmetric key with the content use information receiving device using a first public key included in the certificate;
When the verification unit approves the content use information receiving device and the content use information receiving device approves the own certificate, the second public key included in the certificate and the first A second symmetric key sharing means for sharing a second symmetric key with the content use information receiving device using a symmetric key;
Encryption means for encrypting the content usage information;
Content usage information transmitting means for transmitting the content usage information encrypted by the encryption means to the content usage information receiving device when the second symmetric key is shared;
A content use information providing apparatus comprising: The second symmetric key sharing means further shares a third public key together with the second symmetric key using the second public key and the first symmetric key,
The content usage information providing device further includes third symmetric key sharing means for sharing a third symmetric key with the content usage information receiving device using the third public key,
9. The content usage information providing apparatus according to claim 8, wherein the encryption unit encrypts the content usage information with the third symmetric key. The content usage information providing device includes:
A content usage information generating unit for generating the content usage information;
A content data encryption unit that encrypts the content data with the content key and outputs the encrypted content data;
The content usage information providing device according to claim 8 or 9, further comprising: The content usage information providing device includes:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information providing apparatus according to any one of claims 8 to 10, wherein the second storage unit has a tamper resistant structure. A content use information receiving device for receiving content use information including a content key for decrypting encrypted content data from a content use information providing device,
A verification means for acquiring a certificate from the content usage information providing apparatus and verifying the validity of the certificate;
Certificate transmitting means for transmitting its own certificate to the content usage information providing device;
First symmetric key sharing means for sharing a first symmetric key with the content usage information providing apparatus using a first public key included in the certificate;
When the verification unit approves the content usage information providing device and the content usage information provision device approves the own certificate, the second public key included in the certificate and the first A second symmetric key sharing means for sharing a second symmetric key with the content use information providing device using a symmetric key;
Content usage information receiving means for receiving the content usage information encrypted from the content usage information providing device when the second symmetric key is shared;
Decryption means for decrypting the encrypted content usage information;
A content use information receiving device comprising: The second symmetric key sharing means further shares a third public key together with the second symmetric key using the second public key and the first symmetric key;
The content use information receiving device further includes third symmetric key sharing means for sharing a third symmetric key with the content use information providing device using the third public key,
13. The content usage information receiving apparatus according to claim 12, wherein the decrypting unit decrypts the content usage information encrypted with the third symmetric key. The content use information receiving device is:
A content data decrypting unit for decrypting the encrypted content data with the content key;
The content use information receiving apparatus according to claim 12 or 13, further comprising: a reproduction unit that reproduces the content data decrypted by the content data decryption unit. The content use information receiving device is:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information receiving device according to any one of claims 12 to 14, wherein the second storage unit has a tamper resistant structure. A content usage information providing device that provides content usage information to a content usage information receiving device that receives content usage information including a decryption key for decrypting and using encrypted content data,
An interface for exchanging data with the content use information receiving device;
An authentication data holding unit that holds its own authentication data;
A secret key holding unit holding a secret key for decrypting data encrypted with the first public key included in the authentication data of the device;
An authentication unit for authenticating authentication data supplied from the outside by an authentication key;
A symmetric key generation unit that generates a first symmetric key that is temporarily generated during communication with the content use information receiving device;
A first encryption unit that encrypts data with a second public key included in the authentication data supplied from the outside;
A first decryption unit for decrypting data with the first symmetric key generated by the symmetric key generation unit;
A second decryption unit for decrypting data with the secret key;
A second encryption unit that encrypts data with a third public key supplied from the outside;
A third encryption unit that encrypts data using a second symmetric key supplied from the outside;
A control unit,
In the case of transmitting the content usage information or any information of the key shared with the content usage information receiving device in order to transmit the content usage information,
The controller is
The authentication data of the content usage information receiving device is received via the interface, the received authentication data is given to the authentication unit, and the authentication unit determines that the authentication data of the content usage information receiving device is valid When instructing the symmetric key generation unit to generate the first symmetric key,
Data obtained by concatenating the first symmetric key encrypted by the second public key and the authentication data held in the authentication data holding unit, generated in the first encryption unit, Output via the interface,
When the first encrypted data encrypted with the first public key is data obtained by encrypting either the second symmetric key or the third public key, the first encrypted data Data obtained by concatenating the data, the second symmetric key, and the other of the third public keys that are not included in the first encrypted data is encrypted with the first symmetric key When data is received as second encrypted data via the interface, or the first encrypted data is data obtained by encrypting both the second symmetric key and the third public key. , Receiving the first encrypted data, data encrypted with the first symmetric key as second encrypted data via the interface, and receiving the received second encrypted data in the first 1 to the decryption unit,
Outputting the third encrypted data obtained by sequentially encrypting the key information with the third public key and the second symmetric key via the interface;
The authentication unit verifies the received authentication data with the authentication key, gives the verification result to the control unit, and supplies the second public key included in the received authentication data to the first encryption unit. Give,
The first encryption unit encrypts the first symmetric key with the second public key and gives the encrypted key to the control unit,
The first decryption unit decrypts the second encrypted data with the first symmetric key, and gives the first encrypted data included in the decrypted data to the second decryption unit; When the third public key is included in the decrypted data, the third public key is given to the second encryption unit, or when the second symmetric key is included in the decrypted data, Providing the second symmetric key to the third encryption unit;
The second decryption unit decrypts the first encrypted data with the first secret key, and when the decrypted data includes the third public key, the second public key is used as the third public key. When the second symmetric key is given to the second cipher part or the decrypted data includes the second symmetric key, the second symmetric key is given to the third cipher part,
The second encryption unit encrypts the key information with the third public key and gives the key information to the third encryption unit,
The third encryption unit generates the third encrypted data obtained by further encrypting the key information encrypted with the third public key with the second symmetric key, and provides the third encrypted data to the control unit ,
A content use information providing apparatus characterized by the above. The control unit ends the process when the authentication unit determines that the authentication data is not valid.
The content usage information providing apparatus according to claim 16. A storage unit for storing the encrypted content data and the content usage information;
The storage unit
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The second storage unit is configured by a tamper resistant structure.
The content use information providing apparatus according to claim 16 or 17, characterized in that: The content information providing apparatus includes:
A content encryption unit that encrypts content data and generates the encrypted content data;
A usage information generating unit that generates content usage information for the encrypted content data;
The content use information providing apparatus according to claim 16 or 17, characterized in that: A content usage information receiving device that acquires content usage information for decrypting and using the encrypted content data from a content usage information providing device,
An interface for controlling the exchange of data with the content usage information providing device;
An authentication data holding unit that holds its own authentication data;
A first secret key holding unit that holds a first secret key for decrypting data encrypted with a first public key included in the authentication data;
A second public key holding unit for holding a second public key set in the device;
A second secret key holding unit for holding a second secret key for decrypting data encrypted with the second public key;
A first decryption unit for decrypting data encrypted with the first public key with the first secret key;
An authentication unit for authenticating authentication data provided from the outside by an authentication key;
A first encryption unit that encrypts data with a third public key provided from outside;
A second encryption unit for encrypting data with a first symmetric key provided from the outside;
A symmetric key generation unit for generating a second symmetric key that is temporarily generated during communication of the content use information providing device;
A second decryption unit for decrypting data encrypted with the second symmetric key;
A third decryption unit for decrypting data encrypted with the second public key with the second secret key;
A control unit,
When receiving either information of the content usage information or a key shared with the content usage information providing device to receive the content usage information,
The controller is
The authentication data held in the authentication data holding unit is transmitted to the content usage information providing apparatus via the interface, and the first symmetric key encrypted with the first public key and the content Authentication information of the usage information providing device is received from the interface, the received encrypted first symmetric key is given to the first decryption unit, and the authentication data of the content usage information providing device is sent to the authentication unit To
When the authentication unit determines that the authentication data of the content usage information providing apparatus is valid, the authentication unit instructs the symmetric key generation unit to generate the second symmetric key;
When the first encrypted data encrypted with the third public key is data obtained by encrypting either the second symmetric key or the second public key, the first encryption data Data obtained by concatenating data, the second symmetric key, and the other public key of the second public key that is not included in the first encrypted data is encrypted with the first symmetric key. Data is output as second encrypted data via the interface, or the first encrypted data is data obtained by encrypting both the second symmetric key and the second public key. In this case, the first encrypted data is output through the interface as data encrypted by the first symmetric key as second encrypted data,
The third encrypted data in which key information is sequentially encrypted with the second public key and the second symmetric key is received via the interface, and the received third encrypted data is To the second decoding unit;
The first decryption unit decrypts the first symmetric key encrypted with the first public key with the first secret key, and converts the first symmetric key into the first encryption unit. Give,
The authentication unit verifies the received authentication data with the authentication key, gives the verification result to the control unit, and supplies the third public key included in the received authentication data to the first encryption unit. Give,
The first encryption unit encrypts one or both of the second symmetric key and the second public key with the third public key to generate the first encrypted data;
The second encryption unit concatenates the first encrypted data and the other of the second symmetric key and the second public key that are not included in the first encrypted data. Or the first encrypted data is encrypted to generate the second encrypted data, which is given to the control unit,
The second decryption unit decrypts the third encrypted data with the second symmetric key and provides the decrypted data to the third decryption unit;
The third decryption unit decrypts the data given from the second decryption unit to extract the key information;
A content use information receiving apparatus characterized by the above. The control unit ends the process when the authentication unit determines that the authentication data is not valid.
21. The content use information receiving apparatus according to claim 20, wherein A storage unit for storing the encrypted content data and the content usage information;
The storage unit
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The second storage unit is configured by a tamper resistant structure.
The content use information receiving device according to claim 20 or claim 21, wherein A content decryption unit for decrypting the encrypted content data with a decryption key included in the content usage information;
A playback unit that plays back the content data decrypted by the content decryption unit,
The content use information receiving device according to claim 20 or claim 21, wherein

Images