JP2006195973A - Data processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a data processing apparatus for storing specialized contents for a device concerned not limited by storage medium capacity and for moving the contents to the medium permitting to replay by using another device. <P>SOLUTION: The data processing apparatus includes a first medium storing content data, a memory storing control information for using the content, and a recording/reproducing unit for a second medium. On receiving a request for backing-up the content, the recording/reproducing unit writes the content data on a second medium. The memory maintains the control information for using the content without changing any content. When a request for restoring the content is received, control information for using the content that permits a user to use the content is stored in the memory, and the content data is stored in the second medium, the recording/reproducing unit reads out the content data from the second medium and writes the data to the first medium. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a technology for backing up and moving content.

  In recent years, the digitization of content has progressed. For example, domestic and foreign BS, CS, terrestrial and CATV programs are digitized and transmitted. These programs can be digitally recorded on a tape, a disk or the like.

  Digital transmission and digital recording can be densified using compression techniques compared to analog transmission and analog recording. For example, if radio waves for one channel of analog television broadcasting are used, standard image quality digital video data for three channels can be transmitted. Here, the analog television broadcasting has a standard image quality employing an interlace method (480i) having 480 effective scanning lines.

  Also, high-quality digital video data can be transmitted using radio waves for one channel of analog television broadcasting. “High image quality” means, for example, a progressive method (480p) with 480 effective scanning lines, a progressive method (720p) with 720 effective scanning lines, and an interlace method (1080i) with 1080 effective scanning lines. Say.

  When digital compression is used, 5.1 channel audio data can also be sent. 5.1 channels are the front right, center front, left front, right rear and left rear channels, and the low frequency channel (0.1 channel) whose frequency band is about 1/10 (0 to 200 Hz) compared to the 5 channels. Is counted).

  In addition to video / audio data, data such as characters, control information, and programs can be transmitted by digitization, so that the user can enjoy different ways from analog transmission.

  Since digital content is digital data, there is an advantage that it can be copied without deterioration as in analog. However, unlimited copying of content infringes the copyright of the content creator. For this reason, a digital recording device is required to have a copyright protection function.

  For example, in BS, broadband CS, and terrestrial digital broadcasting in Japan, the content to be protected must be protected based on the ARIB standard. That is, the content specified for protection by the digital copy control descriptor and the content use descriptor included in the broadcast MPEG-TS stream is stored in a storage medium (for example, a hard disk device, a semiconductor memory, etc.) built in the receiver. Etc.) must be processed so that it can only be played back by that device (for example, encryption).

  Although backup of content is permitted, it is inconvenient if the backed-up content can be restored (restored) to other devices without limitation. Therefore, it is necessary that the backed up content can be restored only to that device and cannot be restored to other devices and played back by other devices.

  Further, the content broadcast as “copying only for one generation” is updated to “recopy prohibited” and stored. “Recopy prohibited” content is allowed to be moved to only one recording medium approved by the ARIB standard. The move is a process of copying the content of the move source to the move destination and then making the move source content unreproducible.

  For example, Patent Document 1 discloses a content backup method. According to this backup method, it is possible to back up copy-prohibited music and video content that are properly obtained and stored in a storage medium such as an HDD while maintaining the concept of copy prohibition.

  In the conventional backup method, two recording media each having unique identification information are used. The procedure for backing up the original data recorded on the first recording medium is as follows. First, the first encrypted information recorded on the first recording medium is read. The first encrypted information is encrypted based on the identification information (ID1) attached to the first recording medium. Then, the read first encrypted information is encrypted based on the identification information (ID2) attached to the second recording medium for backup, and the second encrypted information is generated. The second encrypted information is recorded on the second recording medium.

  The procedure for restoring backed up data is as follows. First, the second encrypted information is read from the second recording medium. The second encrypted information is decrypted based on the identification information of the second recording medium, and the first encrypted information is restored. The first encrypted information is recorded on the first recording medium. Further, the first and second recording media are authenticated, and when both are authenticated as regular recording media, reading of the respective encrypted information from the first and second recording media is permitted.

  Data read from the second recording medium is demodulated and decoded based on the identification information of the second recording medium. The decrypted information, that is, the information encrypted with the unique identification information of the first recording medium is written to the first recording medium. As a result, information encrypted only by the identification information of the first recording medium is written to the first recording medium. Note that since both the above-described reading and writing are performed by performing mutual authentication, there is no illegal copy.

  By these processes, the state that there is only one “recopy prohibited” content that can be used is maintained, and the copyright is appropriately protected.

  By the way, regarding the move process, an attack that invalidates copyright protection, that is, a save / restore attack or a replay attack is known. The principle of this attack method is to back up before the user moves the content. Then, regular move processing is executed. As a result, the content of the move source is disabled for reproduction. Thereafter, the user restores the backed up content to the move source. Then, the original content can be reproduced again. Of course, the content moved by the regular move process can also be reproduced. If the user repeats the above operation, any number of “recopy prohibited” contents can be duplicated from one “recopy prohibited” content, and recopying is practically possible.

  Therefore, Patent Document 2 discloses a move method that can prevent such a save / restore attack.

  In this move method, content stored in the recording medium or usage control information (content availability management table) is bound to the recording medium using information in the security area provided in the recording medium. When the content on the recording medium is moved, the information in the security area is rewritten and the content or the usage control information is bound again. Then, the bound information is validated only when the information in the security area has a value at the time of binding, and the bound information is invalidated if the information in the security area is different from the value at the time of binding.

According to this method, information in the security area is changed by the move, and the content or the content availability state management table is rebound. Therefore, even if the content or usage control information is backed up before moving the content in the recording medium to another recording medium, an unbinding error occurs when the backup content is returned to the original recording medium. It becomes unavailable. Therefore, it is possible to realize the movement of contents between recording media in which a save / restore attack is prevented.
JP 2001-166999 A JP 2002-63074 A

  However, since the content backup is not allowed in the above-described process for preventing the save / restore attack, the content purchased by the user cannot be restored when the storage medium is damaged for some reason. This is detrimental to the user.

  In addition, there are other problems that cannot be backed up. The amount of data of digital broadcast content is generally large, and the storage capacity of the storage medium is limited. It is still not practical to store such content for a long period of time. Therefore, it is preferable that the content is saved in another recording medium so that it can be deleted from the storage medium at any time. For this purpose, a backup is necessary.

  Note that, as a backup destination or move destination recording medium, it is preferable that MPEG-TS content can be recorded in that format. This is because the contents can have high image quality and can hold various control information for copyright protection and the like. However, even if the content is down-converted to standard image quality, it is also necessary to be able to back up and move to other recording media such as inexpensive DVDs.

  However, it should be noted that copyright protection may be restricted depending on the recording format of the recording medium of the backup destination or the move destination. For example, if the recording medium is a DVD, various control information for copyright protection or the like embedded in the MPEG-TS of digital broadcasting cannot be stored in the MPEG-PS format stream of the DVD. Therefore, when the DVD is used as a recording medium for the move destination, there arises a problem that the contents of various control information are not reflected.

  An object of the present invention is to enable backup as a content dedicated to the device without being restricted by the capacity of the storage medium, while following the content protection rule of “copying only for one generation”.

  A data processing apparatus according to the present invention includes a first medium that stores content data, a memory that stores usage control information for controlling usage of the content, an interface unit that receives a request regarding the usage of the content, A recording / reproducing unit capable of writing data to the two media and reading the data written on the second medium. When the interface unit receives the backup request for the content, the recording / reproducing unit writes the data of the content to the second medium, and the memory holds the usage control information without being changed. When the interface unit receives the restore request for the content, usage control information enabling the use of the content is stored in the memory, and the content data is written to the second medium. If so, the recording / playback unit reads the content data from the second medium and writes the content data to the first medium.

  The data processing apparatus may further include an accumulation processing unit that erases data of the first medium. When the interface unit receives the content deletion request, the storage processing unit may delete the data of the content, and the memory may hold the usage control information without changing it.

  The data processing apparatus may further include a control unit that changes contents of the usage control information. The storage processing unit is capable of reading data from the first medium, and usage control information indicating that the interface unit receives a move request for the content and permits the memory to use the content. Is stored, the accumulation processing unit reads out and outputs the data of the content from the first medium, and the control unit changes the usage control information to indicate that the use of the content is not permitted. The content data may be stored in the memory and written to one of the second recording medium and a third recording medium different from the second recording medium.

  The data of the content may be encrypted by a method that can be decrypted by unique decryption information. When the decryption information is stored as the usage control information in the memory, the recording / reproducing unit may read the encrypted data from the second medium and write it to the first medium.

  The data processing apparatus may further include a control unit that changes contents of the usage control information. The accumulation processing unit can read data of the first medium, the interface unit receives a move request for the content, and the decryption information is stored as the usage control information in the memory. The storage processing unit reads out and outputs the data of the content from the first medium, the control unit disables the decryption information, and transmits the content data to the second recording medium and You may write in one of the 3rd recording media different from the said 2nd recording media.

  The data processing apparatus may further include a decryption unit that decrypts the content data based on the decryption information. The content data decrypted by the decryption unit may be written to at least one of the second recording medium and a third recording medium different from the second recording medium.

  When the interface unit receives a content storage request, the storage processing unit generates usage control information corresponding to the new content, and enables usage of the new content, The new content data may be written to the first medium.

  The content data may include copy control information for prohibiting re-copying.

  The memory stores usage control information in which the number of times content can be used is specified, the interface unit receives a checkout request for the content, and the memory has a usage count of 1 or more. Is stored, the recording / playback unit writes the content data to the second medium, and the memory stores the usage control information in which the usable count is reduced by one. When the interface unit receives the content check-in request, the recording / reproducing unit disables the data of the content written in the second medium, and the memory has the usable number of times. The usage control information increased by 1 may be stored.

  The data processing apparatus may further include an accumulation processing unit that erases data of the first medium. When the interface unit receives the content deletion request, the storage processing unit may delete the data of the content, and the memory may hold the usage control information without changing it.

  According to the present invention, it is possible to realize backup and restoration of content while protecting the copyright of the content. Specifically, in the content backup process, usage control information for controlling usage of the content is retained as it is. In the restore process, the content is restored on condition that there is usage control information indicating that the content can be used. Since only the device that performed the backup process can restore the content, data backed up by a certain device is not restored to another device. As a result, the copyright of the content can be reliably protected.

  Further, when the content is moved, the usage control information is changed to a content indicating that the usage of the content is not permitted, and is retained thereafter. Therefore, even if a malicious user backs up the content in an attempt to perform a save / restore attack, the content can no longer be restored after the move. Therefore, a save / restore attack can be effectively prevented.

  According to the data processing apparatus of the present invention, while following the content protection rule of “only one generation can be copied”, storage of content dedicated to the device that is not limited by the capacity of the storage medium and movement to a medium that can be played back by other devices Can be achieved.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, terms used in this specification are defined. Next, the concept of the present invention will be described, and then the hardware configuration common to the data processing devices of the embodiments will be described.

A. Definition of term storage: Refers to writing data in a storage area or a medium having a storage element and holding the data in a readable state.

  Recording: To store data on a recording medium so that it can be played back on a predetermined playback device. The “predetermined playback device” here is not limited to a device that has recorded data, and includes other devices having a playback function. The recording medium can be removed from the recording device (removable) and has a form that can be recognized independently from the device. Examples of the recording medium are a magnetic tape, an optical disk, a removable hard disk, and a semiconductor recording medium.

  Storing (Bound Recording): means that a device stores data in a recording medium so that it can be played back only by that device. The “recording medium” here is assumed to be a recording medium (for example, a built-in hard disk or a built-in semiconductor memory) built in a device that is not generally intended to be used after being removed. For example, when a device stores content data in a recording medium, it means “accumulation” that only the device can be decrypted and stored in the internal hard disk. However, as long as the above definition is satisfied, data can be stored even on a removable recording medium.

  Copy: Data stored on one recording medium is copied and stored on another recording medium.

  Move: Refers to moving data stored in one recording medium to the other recording medium for storage. When copying from one recording medium to another medium is not permitted (in the case of “recopy prohibited” etc.), the data stored in the original recording medium cannot be reproduced after the move is executed. The data on the destination recording medium can be reproduced. As long as it cannot be reproduced, it does not matter whether the data remains in the original recording medium. For example, “copying” content data stored on a recording medium to another recording medium and then disabling the content stored on the original recording medium is a “move” To do.

  “Data” to be recorded, stored, copied, and moved includes not only content data but also management information for controlling the reproduction of the content. Content data and management information are managed as separate files on the file system of each recording medium.

B. Conceptual Diagrams of the Present Invention FIGS. 1A-1D illustrate the concept of processing according to the present invention. The present invention makes it possible to store, reproduce, move, back up, and restore content while protecting the copyright of the content.

  FIG. 1A illustrates the principle of content storage and playback according to the present invention. Assume that the content is a digital broadcast program. The content received in the tuner 1 in the “copy only for one generation” state is encrypted after being updated to the “recopy prohibited” state and stored as the encrypted content 3 in the device 2. At this time, usage control information 4 is also generated in the device 2. This information is stored in its internal memory or the like so that it cannot be tampered from outside the device 2.

  The usage control information 4 is used for controlling the usage of content. In this specification, “use” of content means content reproduction and movement. “Controlling” use of content indicates whether to permit or prohibit the reproduction / move of the content. When accumulated from the tuner 1, a value for permitting reproduction is set.

  In the embodiment described later, the usage control information 4 is embodied as usage permission information (Permission information) and content key information (or decryption information). The availability information is information regarding permission indicating whether to permit the use. The content key information is information related to decryption indicating whether or not decryption of the encrypted content is permitted.

  The encrypted content 3 can be reproduced based on the usage control information 4. When reproduction is permitted in the usage control information 4, reproduction is permitted in the decision block 5, and reproducible content 6 is output. The determination block 5 is actually provided in the device 2.

  FIG. 1B illustrates the principle of content movement according to the present invention. The encrypted content 3 stored in the device 2 can be moved to another recording medium (for example, a DVD) only when the availability information of the content indicates availability.

  The move is performed based on, for example, CPRM (Copy Protection Right Management) standard. The moved content becomes the content 8 that can be played back by another device compliant with the CPRM standard.

  With the move, the usage control information 4 corresponding to the content is invalidated. There are various modes of “invalidation”. For example, regarding the availability information described later, it means changing to a value indicating the prohibition of use of the content. As for content key information (or decryption information), it means deletion of the information itself or changing the content to a value that cannot be decrypted.

  FIG. 1C illustrates the principle of content backup and restore according to the present invention. The encrypted content 3 stored in the device 2 can be backed up to another recording medium (here, the recording medium 7). At this time, the usage control information 4 is held in the device 2 as it is without being changed. Since the usage control information 4 is bound to the device 2, it is not recorded on the recording medium 7.

  The encrypted content 3 on the recording medium 7 cannot be played back using another playback device. The reason is that only the device 2 that performed the backup can decrypt the encrypted content 3.

  On the other hand, after backup, the encrypted content 3 of the device 2 may be erased or data may be damaged. At this time, the usage control information 4 is not changed, and only the data of the encrypted content 3 is deleted from the device 2.

  When the encrypted content 3 is backed up, the encrypted content 3 recorded on the recording medium 7 can be restored to the device 2 after the encrypted content 3 of the device 2 is erased. The usage control information 4 is not changed during restoration.

  After restoration, the device 2 can control its use based on the usage control information 4. Therefore, if the usage control information 4 indicates that playback is possible, playback is permitted in decision block 5 and playable content 6 is output.

  FIG. 1D shows a principle for prohibiting reproduction of the encrypted content 3 that has been illegally restored. For example, it is assumed that the encrypted content 3 restored by another device is stored in the recording medium 7.

  At this time, even if the encrypted content 3 is restored to the device 2 by the same method as in FIG. 1C, the device 2 does not have the usage control information 4 corresponding to the content. Since the determination block 5 operates based on the usage control information 4, the reproduction of the encrypted content 3 for which the usage control information 4 does not exist is not permitted.

  Based on the above principle, content can be backed up while prohibiting the use of content backed up or moved by a save / restore attack.

  The outline of the configuration and operation of the apparatus for realizing the above-described principle of the present invention will be described below.

C. Hardware Configuration of Data Processing Device In this specification, an embodiment of the data processing device will be described as a DVD recorder incorporating a hard disk drive (HDD).

  FIG. 2 shows a hardware configuration of the HDD built-in DVD recorder 101. First, components of the HDD built-in DVD recorder 101 (hereinafter referred to as “recorder 101”) will be described.

  The recorder 101 includes a digital tuner 11, an analog-digital converter (ADC) 12, an MPEG-2 encoder (MPEG-2ENC) 13, a PS / TS processing unit 14, a DVD drive 15a, an HDD 15b, and an MPEG-2. A decoder (MPEG-2DEC) 16, a graphic control unit 17, a processing memory 18 of the graphic control unit 17, a digital-analog converter (DAC) 19, an instruction receiving unit 25, and an interface (I / F) unit 26 And a memory card control unit 27 and a system control unit 30. These components can exchange data with each other via the control bus 23 and / or the data bus 24. The control bus 23 is used for transmission of control signals, and the data bus 24 is used for transmission of data.

  FIG. 2 shows a DVD 28 and an SD memory card 29 for convenience of explanation. The DVD 28 and the SD memory card 29 are not constituent elements of the recorder 101 but are recording media that can be attached to and detached from the recorder 101.

  Hereinafter, the function of each component will be described. The digital tuner 11 demodulates a broadcast signal containing a digital signal to obtain an MPEG2 transport stream (TS). From the TS, a TS (partial TS) including data relating to a specific program is constructed and output.

  The ADC 12 converts an external analog signal into a digital signal. The MPEG-2 encoder 13 encodes the digital signal into MPEG-2TS. The PS / TS processing unit 14 mutually converts MPEG-2TS and MPEG-2PS.

  The DVD drive 15a writes data to the DVD 28 and reads data from the DVD. This data is content data, for example. The HDD 15b writes data to the hard disk and reads data from the hard disk. It is also possible to erase data on the hard disk. The HDD 15b has, for example, an IDE (Integrated Drive Electronics) interface.

  The MPEG-2 decoder 16 decodes the MPEG-2 signal to generate a baseband signal. The graphic control unit 17 converts the resolution and the aspect ratio, and superimposes a still image generated by the device on the baseband signal. The processing memory 18 is used to temporarily hold data related to the processing of the graphic control unit 17. The DAC 19 converts the digital signal output from the graphic control unit 17 into an analog signal.

  The system control unit 30 controls the overall operation of the recorder 101. The system control unit 30 includes a program ROM 20, a CPU 21, a RAM 22a, and a nonvolatile RAM 22b.

  The program ROM 20 stores one or more computer programs for the recorder 101 to operate. The CPU 21 is a central processing chip that functions as a computer. The computer program stored in the program ROM 20 is expanded on the RAM 22a and executed. As a result, the CPU 21 realizes processing (for example, control processing, encryption processing, decryption processing) according to the program. The nonvolatile RAM 22b can retain the stored contents even when the power of the recorder 101 is turned off, and stores data generated by the CPU or the like.

  The instruction receiving unit 25 receives an instruction from the user. The I / F unit 26 is an interface that performs communication with the outside, and performs communication conforming to, for example, USB and IEEE 1394 standards. The memory card control unit 27 controls data transmission / reception with the memory card.

  Next, an outline of the operation of the recorder 101 will be described.

  First, the operation when the recorder 101 stores the digital broadcast program (content) in the HDD 15b is as follows. The recorder 101 demodulates a broadcast signal containing a digital signal by the digital tuner 11 and outputs a partial TS to the data bus 24. The partial TS is subjected to processing such as encryption by the CPU 21, sent to the HDD 15 b via the data bus 24 and stored.

  Second, the operation when the recorder 101 moves the content stored in the HDD 15b to the DVD 28 is as follows. The recorder 101 sends the content data (encrypted partial TS) stored in the HDD 15 b to the CPU 21 via the data bus 24. The CPU 21 decrypts the encryption. The PS / TS processing unit 14 converts the decoded partial TS data into MPEG2PS and returns it to the CPU 21 again. The CPU 21 performs encryption processing necessary for recording the DVD on the MPEG2PS. Thereafter, the DVD drive 15a writes the encrypted MPEG2PS on the DVD. When the writing to the DVD 28 is completed, the CPU 21 sends an instruction to the HDD 15b to delete the partial TS data of the content.

  Third, the operation when the recorder 101 backs up the content stored in the HDD 15b to the DVD 28 is as follows. The recorder 101 sends the data (encrypted partial TS) stored in the HDD 15 b to the DVD drive 15 a via the data bus 24. Then, the DVD drive 15a records the received data on the DVD 28 as it is. Data backed up on the DVD 28 can be restored to the HDD 15b again in the reverse order.

  It is necessary to record video / audio data in a program stream format on a DVD. However, in the backup, since the encrypted partial TS is written as simple data, it is not necessary to convert it into a program stream format.

  Fourth, the operation when the recorder 101 reproduces the content recorded on the DVD 15a is as follows. The recorder 101 sends the MPEG2PS data to the MPEG-2 DEC 16 via the DVD drive 15a and the data bus 24, and decodes it into a baseband signal (digital signal). At this time, the decryption of the encryption is also performed in the MPEG-2 DEC16. Then, the graphic controller 17 converts the resolution and the aspect ratio, and superimposes the still image generated by the device on the baseband signal as necessary. Thereafter, the DSC 19 converts the digital signal into an analog signal and outputs it.

  The recorder 101 can also play back the content recorded on the HDD 15b. The operation at this time is substantially the same as the operation when reproducing the content recorded on the DVD 15a. The difference is that content data is stored in the HDD 15b and that the partial TS encrypted by the MPEG-2 DEC 16 is decoded.

  The outline of the configuration and operation of the recorder 101 has been described. Hereinafter, each embodiment using the recorder 101 will be described.

(Embodiment 1)
1-1. Function of Recorder 101 FIG. 3 shows a functional block configuration of the recorder 101 according to the present embodiment. The recorder 101 includes a digital broadcast receiving unit 102, a storage processing unit 103, a storage medium 104, a memory 106, a recording unit 108, a control unit 111, a user interface unit 112, a cryptographic processing unit 113, and a first processing unit. Recording / reproducing unit 2801.

  The outline of the function of each component will be described below. The digital broadcast receiving unit 102 receives a digital broadcast and outputs an MPEG2 partial TS as content.

  The storage processing unit 103 stores the content 105 in the storage medium 104, reads out the content stored in the storage medium 104, and deletes it. The memory 106 holds availability information 107 for each content.

  The encryption processing unit 113 encrypts the content output from the accumulation processing unit 103 for recording on the recording medium 109. The recording unit 108 records the encrypted content 105 as the content 110 on the first recording medium 109. The first recording / reproducing unit 2801 records and reproduces the content 105 stored in the storage medium 104 on the second recording medium 2802.

  The correspondence between the components shown in FIG. 3 and the components shown in FIG. 2 will be described. The digital broadcast receiving unit 102 corresponds to the digital tuner 11 in FIG. The accumulation processing unit 103, the encryption processing unit 113, and the control unit 111 correspond to the CPU 21. This means that the CPU 21 operates as the accumulation processing unit 103, the encryption processing unit 113, and the control unit 111. The storage medium 104 corresponds to the HDD 15b, and the memory 106 corresponds to the nonvolatile RAM 22b.

  The recording unit 108 and the first recording / reproducing unit 2802 correspond to the DVD drive 15a. The first recording medium 109 and the second recording medium 2802 are DVDs 28. The user interface unit 112 corresponds to and is realized by the CPU 21, the instruction receiving unit 25, and the graphic control unit 17.

1-2. Outline of Operation of Recorder 101 A digital broadcast receiving unit 102 receives a digital broadcast, demodulates it, and decrypts it if it is encrypted. The MPEG2-transport stream (TS) is obtained by decoding.

  In MPEG2-TS, a plurality of programs may be multiplexed. In addition to the elementary streams of video and audio, an information table collectively called program specific information (PSI) and program arrangement information (Service Information: SI) is also included. The digital broadcast receiving unit 102 reconstructs this TS into an MPEG2-partial TS that includes only one piece of program information, and outputs it.

  Also, information relating to copyright protection is checked from the PSI / SI information, and states such as “copy prohibited”, “copying possible for one generation”, “copying possible without restriction”, and the like are detected. The storage processing unit 103 updates the content in the “copy only for one generation” state to the “recopy prohibited” state, stores the content in the storage medium 104 in a manner in which unauthorized access is not possible, and reads and erases it. A description of the method in which unauthorized access is impossible will be given later.

  The “copy prohibited” content may be stored in the storage medium 104 in such a manner that unauthorized access is impossible only for 90 minutes after reception. However, it must be erased after 90 minutes. Content that can be copied without restriction conditions may be freely stored in the storage medium 104.

  The memory 106 holds the content availability information 107 in a manner that cannot be tampered with illegally. The recording unit 108 records the content 105 stored in the storage medium 104 on the first recording medium 109.

  The first recording / playback unit 2801 records the content stored in the storage medium 104 in a manner that prevents unauthorized access to the second recording medium 2802, and also records the content on the second recording medium 2802. The content is reproduced and stored in the storage medium 104 again.

  The control unit 111 controls the accumulation processing unit 103, the memory 106, the recording unit 108, the first recording / reproducing unit 2801, and the like according to user operations via the user interface unit 112.

  When there is a storage request for content that is restricted to “copying only for one generation”, the storage processing unit 103 updates the content to a “recopy prohibited” state and stores it in the storage medium 104 for use. Is stored in the memory 106.

  When there is a move request for a content subject to the restriction of “recopy prohibited”, the content is stored in the storage medium 104 by the storage processing unit 103 only when the content availability information 107 indicates that the content can be used. The content 105 is read, the content is recorded on the first recording medium 109 by the recording unit 108, and the availability information 107 of the content held in the memory 106 is changed to unavailable. Further, the content stored in the storage medium 104 may be deleted.

  When there is a content erasure request, control is performed so as to erase the content 105 stored in the storage medium 104 without changing the content availability information 107 held in the memory 106.

  Further, when the recorder 101 further includes an output unit (not shown) or is connected to a content display device (not shown), it is possible to respond to a content reproduction request. When there is a content reproduction request, the operation is performed only when the availability information 107 of the “recopy prohibited” content indicates availability. In other words, the content 105 stored in the storage medium 104 is read by the storage processing unit 103, and the content is displayed on the display device or output from the output unit. At this time, the content of the content availability information 107 held in the memory 106 is not changed.

  The output unit includes, for example, analog output terminals (NTSC composite, component, etc.) compatible with CGMS-A and macrovision, HDMI (High-Definition Multimedia Interface) terminals compatible with HDCP (High-Bandwidth Digital Content Protection), There are IEEE1394 terminal, 10BASE-T terminal, 100BASE-TX terminal, 1000BASE-T terminal, etc. corresponding to DTCP (Digital Transmission Content Protection). The display device is, for example, a CRT, a liquid crystal display device, or a plasma display device.

  When outputting “recopy prohibited” content, the copy control information of CGMS-A and DTCP is set to “recopy prohibited” or “copy prohibited”. A macrovision signal is added to the analog signal according to the APS (Analog Protection System bits) bit of the content. This protects the output contents.

  Further, when there is a content backup request, the content stored in the storage medium 104 is recorded on the second recording medium 2802 via the first recording / playback unit 2801. At this time, the content availability information 107 held in the memory 106 is not changed.

  If there is a content restore request, the content recorded on the second recording medium 2802 by the recording / playback unit 2801 only when the availability information 107 of the content held in the memory 106 indicates that the content can be used. Are read and stored in the storage medium 104 again. Also at this time, the availability information 107 of the content held in the memory 106 is not changed.

1-3. Details of Each Component of Recorder 101 FIG. 4 shows a functional block configuration of the digital broadcast receiver 102. The digital broadcast receiving unit 102 includes an RF signal processing unit 201, a decoding unit 202, a management information generation unit 203, and an MPEGTS processing unit 204.

  The RF signal processing unit 201 demodulates the received digital broadcast wave RF signal and outputs MPEG2-TS. The decryption unit 202 decrypts the encrypted MPEG2-TS (transport stream) output from the RF signal processing unit 201.

  The management information generation unit 203 generates management information from MPEG2-TS. More specifically, MPEG-TS includes a management information table called a program map table PMT. The management information generation unit 203 configures management information related to copyright related information in the management information table.

  For example, the MPEGTS processing unit 204 selects only data related to a designated program from MPEG2-TS in which a plurality of programs are multiplexed, and generates an MPEG2-partial TS (partial transport stream).

  Here, management information (copy status descriptor) generated by the management information generation unit 203 will be described in detail.

  FIG. 5A shows an example of the data structure of the management information (copy status descriptor). This management information is also called copyright protection information. FIG. 5B shows a detailed configuration of the Private_data_byte field in the management information.

  6A to 6G show definitions of values that can be specified in each field in the Private_data_byte field and their meanings. Which value is taken is based on the settings of the digital copy control descriptor (Digital Copy Control Descriptor) and the content availability descriptor (Content Availability Descriptor) included in the PMT.

  The copy status descriptor generated as the management information is sent to the MPEGTS processing unit 204 and inserted into the first loop of the two types of loop structures provided in the PMT.

  Since this management information is necessary for storage, which will be described later, and for copying and moving to a removable recording medium, the management information is also stored in a management information file on the storage medium 104 in a unique format. If these copyright protection information can be falsified, the content can be illegally used. Therefore, measures such as encryption, addition of a check code for detecting tampering, and recording in an area inaccessible by the user are taken.

  Whether or not storage is possible and the storage method follow the copyright information of the content. FIG. 7 shows the relationship between copyright protection information, storage on a storage medium, digital recording on a removable recording medium, and a move.

  When digital_recording_control_data of the digital copy control descriptor is “10” and “only one generation can be copied”, the copy control information on the storage medium is stored as “recopy prohibited”. In this case, the content is stored by a method that cannot be illegally accessed. Content stored as “re-copy prohibited” should not be copied to a recording medium, but can be moved.

  The move can be performed only on one recording medium that is built-in or digitally connected. In the middle of the move operation, content having a length exceeding 1 minute must not be reproducible simultaneously on both the move source and the move destination. After the move is completed, usable content must not remain at the same time on both the move source and the move destination. That is, after the move is finished, the original content of the move is disabled. These realization methods will be described later.

  Next, the accumulation processing unit 103 will be described with reference to FIG. FIG. 8 shows a functional block configuration of the accumulation processing unit 103. The accumulation processing unit 103 includes an encryption unit 1201, a drive control unit 1202, and a decryption unit 1203. These functions are realized by the CPU 21 in FIG. 2 for the encryption unit 1201, the drive control unit 1202, and the decryption unit 1203.

  The encryption unit 1201 encrypts the content that can be copied for only one generation by a method that requires specific decryption information for at least each device or content. At this time, the encryption unit 1201 also generates the availability information described later. The drive control unit 1202 stores the encrypted content (hereinafter referred to as “encrypted content”) in the storage medium 104. In addition, the control unit 1202 reads the encrypted content stored in the storage medium 104 and deletes it. The decryption unit 1203 decrypts the encrypted content.

  FIG. 9 shows a more detailed configuration of the encryption unit 1201 and the decryption unit 1203. This configuration is used when content is encrypted and decrypted by a method that requires unique decryption information for each device.

  The encryption unit 1201 includes a content encryption unit 1302 and a setting unit 1303 that sets availability information, and holds a device unique key 1301. The decryption unit 1203 has a content decryption unit 1304 and holds a device unique key 1301. Note that the device unique key 1301 does not have to be held by each of the encryption unit 1201 and the decryption unit 1203, and may be mounted so as to share the same key.

  The content encryption unit 1302 encrypts the content using the management information and the device unique key 1301. Since the encryption method may be device-specific, any encryption may be used as long as the encryption strength can be secured. For example, in the encryption of AV contents, common key block ciphers such as DES, MULTI2, MISTY, C2, and AES are often used.

  The device unique key 1301 is mounted so that a value unique to the device is not exposed to the outside. As a mounting method, for example, processing related to encryption is performed inside a certain semiconductor, and data such as a device unique key and other keys related to other keys cannot be accessed from outside the semiconductor. The device unique key 1301 is encrypted using a unique encryption and stored in a nonvolatile storage device (flash memory or the like) outside the encryption processing semiconductor. The device unique key encrypted at the time of use is read into the encryption processing semiconductor, and the original encryption is decrypted and used inside the encryption processing semiconductor.

  The management information includes the copyright management information stored in the copy status descriptor described above, content identification information, title, genre, content time length, recording date and time, source information (for digital broadcasting, broadcast station name, etc.) Content attribute information such as short format program description, detailed program description, resolution, viewing age limit, and associated URL.

  The management information may be arranged as a header at the beginning of the content, or may be stored in a table format separately from the content. Alternatively, a part may be a header and the rest may be a separate table. However, if the copyright management information and content identification information are tampered with, they can be used illegally.

  Therefore, for example, management information that needs to be prevented from falsification may be arranged in the header portion of the content and incorporated into block encryption using a CBC (Cipher Block Chaining) mode. As a result, even if the header part remains unencrypted, if this part is tampered with, subsequent ciphers cannot be correctly decrypted, and unauthorized use can be prevented.

  Alternatively, a file for storing only management information separately from the content may be created and the file may be encrypted. Alternatively, the hash value of the file content may be calculated and recorded together with the file, and the hash value of the file content may be calculated again when the file is referenced and compared with the recorded hash value. This makes it possible to detect tampering.

  The setting unit 1303 sets content availability information. The availability information is generated for each content and stored in the memory 106. The contents of the availability information will be described in detail later.

  The encrypted content is stored in the storage medium 104 via the drive control unit 1202. The recording format at this time can be determined independently. Therefore, the bit string of the partial TS of the encrypted content can be recorded as it is, and the image quality and sound quality are not deteriorated and related data is not lost.

  A management information file is also recorded in the storage medium 104 via the drive control unit 1202. As described above, the storage medium 104 is assumed to be the HDD 15b (FIG. 2), but other recording media, for example, a flash memory using a PCMCIA (Personal Computer Memory Card International Association) interface may be used.

  Although the storage medium 104 is fixed in the recorder 101, the user can open and remove the housing. Then, the encrypted content can be backed up to another medium by connecting the storage medium 104 to a personal computer or the like. However, such actions do not infringe copyright. The reason is that the encrypted content (and management information file) is backed up, and the encryption is decrypted only by the decryption unit 1203. Therefore, encrypted content backed up on another medium cannot be viewed as content other than the recorder 101.

  The encrypted content 1204 stored in the storage medium 104 is read by the drive control unit 1202 as necessary, and is decrypted by the content decrypting unit 1304 using the device unique key 1301. At this time, related management information is also read as necessary. When a hash value is added to prevent management information from being falsified, falsification is detected, and if it is found that falsification has occurred, predetermined measures are taken. For example, use of the content is prohibited or reproduction is allowed, but movement is prohibited.

  The stored encrypted content 1204 is deleted by the drive control unit 1202 as necessary. The erasure is executed by deleting the arrangement information of the encrypted content 1204 from the file arrangement table (not shown) of the storage medium 104, for example. In addition, the data of the encrypted content 1204 may be overwritten with other data in order to erase it with certainty.

  In FIG. 9, the encryption / decryption process when unique decryption information is required for each device has been described. However, unique decryption information can be set for each content.

  FIG. 10 shows a configuration for encrypting and decrypting content by a method that requires unique decryption information for each content. Differences from the configuration of FIG. 9 will be described. The encryption unit 1201 further includes a key generation unit 1401 and a key encryption unit 1402. The decryption unit 1203 further includes a key decryption unit 1404.

  When there is a content accumulation request, the key generation unit 1401 generates a unique content key for each content. Specifically, a key having a predetermined bit length is generated using a random number generation function.

  The key encryption unit 1402 encrypts the content key using the device unique key 1301. Any encryption method may be used because the encryption method may be unique to the device. For example, DES, MULTI2, MISTY, C2, AES, etc. of common key encryption are used.

  The content encryption unit 1302 encrypts the partial TS and management information using the content key. The storage medium 104 stores the encrypted content and the encrypted content key via the drive control unit 1202.

  The stored encrypted content 1204 and encrypted content key 1403 are read by the drive control unit 1202 as necessary. The decryption unit 1203 first decrypts the encrypted content key 1403 using the device unique key 1301 to obtain a content key. Using this content key, the encrypted content 1204 is decrypted to obtain the original non-encrypted content. At this time, related management information is also read and decoded as necessary.

  The configuration and processing shown in FIG. 10 are more complicated than the configuration and processing shown in FIG. However, there is an advantage that the processing can be speeded up if the encryption method is not changed when copying or moving the content. This is because the encrypted content may be transferred as it is, and decryption and re-encryption are unnecessary. However, it is necessary to decrypt the content key once and re-encrypt it with the copy destination device unique key.

  Next, FIG. 3 will be referred to again. The memory 106 holds content availability information in a manner that cannot be tampered with illegally.

  For example, the memory 106, the control unit 111, and the setting unit 1303 in FIG. 10 may be integrated as a single semiconductor circuit as a method in which the content availability information cannot be tampered with. That is, it means that the CPU 21 and the nonvolatile RAM 22b shown as separate elements in FIG. 2 are integrated (for example, the nonvolatile RAM 22b is incorporated in the CPU 21). Then, the memory 106 of this circuit may be configured so as not to be physically accessible from the outside, and access may be permitted only from the setting unit 1303 and the control unit 111 by a predetermined method.

  When there is a content accumulation request, the usage setting unit 1303 stores the content availability information 107 indicating that the content is available in the memory 106, and when there is a content move request, the control unit 111 stores The content availability information 107 held in 106 is changed to unusable, and in other cases, the change of the availability information 107 is prohibited.

  Note that this can be realized without integrating the memory 106, the control unit 111, and the setting unit 1303. For example, at least a part of terminals of any semiconductor circuit is arranged at a position where a signal cannot be easily extracted (for example, a lower surface of a semiconductor package such as a ball grid array package), and wiring between the terminals of the semiconductor circuit is arranged on the substrate. What is necessary is just to arrange | position to an interior. Alternatively, a part of the semiconductor terminals may be solidified with resin, and the wiring between the semiconductor terminals may be arranged in the interior of the substrate. Thereby, access from the outside can be physically prevented.

  When the setting unit 1303, the memory 106, and the control unit 111 are not a single semiconductor, mutual authentication is performed when communication is performed between the semiconductors. Unauthorized access may be prevented.

  A check value may be used to prevent unauthorized falsification of content availability information. For example, FIG. 11 shows a configuration that employs a falsification preventing method using a check value.

  Here, the check value is information for detecting whether the checked information has been tampered with. For example, a check value using a one-way function may be used. The one-way function is a function that is easy to calculate the function f but difficult to calculate the inverse function if. For a one-way function G (d1, d2) that requires arguments d1 and d2, use a value that combines availability information that is a checked value and a check counter value for d1, and a device unique key for d2. Let C = G (d1, d2) be a check value. Even if the availability information d2 and the check value C can be accessed, it is difficult to obtain the function G and the device unique key d2 from them. If the availability information is falsified to d2 ′, the check value obtained from the falsified value is C ′ = G (d1, d2 ′), but is different from the original check value C, so both are compared. Thus, falsification of d2 ′ can be detected.

  The setting unit 1303 includes an information generation unit 1501 that generates availability information, a check value generation unit 1502, a check unit 1503, and a check counter 1504.

  The check value generation unit 1502 generates a check value 1505 by the above-described method. The check value 1505 is stored in the memory 106 together with the availability information 107 described later.

  The control unit 111 includes an information change unit 1506, a check value generation unit 1507, and a check unit 1508. The check value generation units 1502 and 1507, and the check units 1503 and 1508 can be shared because they perform the same processing. The check counter 1504 is provided at a position where the user cannot access (for example, a flash memory inside the LSI).

  In this configuration, the check counter 1504 can change the check counter value each time a check value is generated by the check value generation unit 1502 or 1507. Thereby, even if both the availability information 107 and the check value 1505 are saved in advance at the same time in order to replace the old value, such falsification can be prevented.

  In the method of using the check value as shown in FIG. 11, only the value of the check counter 1504 needs to be stored in a storage location inaccessible to the user, and the availability information and the check value may be accessible by the user. The implementation of storage locations that are not user-accessible is generally costly and has limited capacity. Therefore, only the check counter can be held in a storage location that is not accessible to the user, and the memory 106 can be assigned to a part of the storage medium 104, for example. It is possible to implement such a method that does not cost.

  Next, the availability information will be described. FIG. 12A shows an example of availability information. In FIG. 12A, the content identification information and the availability flag are set as a set, and the availability of four contents is shown.

  The content identification information is information for uniquely identifying content within the device, and has a data width of N bits, for example. The value of the content identification information is sequentially increased for the stored content.

  The availability flag indicates whether or not the content can be used. For example, 1 indicates that the content can be used and 0 indicates that the content cannot be used. Furthermore, the current number of availability flags is also stored.

  In mounting, for example, as shown in FIG. 12A, the address 0000000h is used as the number of the availability flag, and the address after 0000001h is used as content identification information by combining the address information and the bit position information. The availability flag is arranged at the corresponding bit position of the address. In other words, 8-digit content identification information is configured by assigning address information to the upper 7 digits and assigning bit position information to the eighth digit. FIG. 12B shows that the number of availability flags is 4, and that four pieces of content identification information 00000010h to 00000013h are valid. Of these, the content identification information 00000012h is unavailable and the other three are available. Note that h at the end of the address indicates that it is expressed in hexadecimal.

  Next, the encryption processing unit 113 will be described in detail.

  FIG. 13 shows a functional block configuration of the cryptographic processing unit 113. The encryption processing unit 113 is realized by the CPU 21. However, it may be realized using a coprocessor dedicated to cryptographic processing.

  In order to describe the information recorded on the first recording medium 109, various other components are also shown in FIG. In the following description, it is assumed that the first recording medium 109 is DVD-RAM, DVD-RW, or DVD-R, and the content is encrypted and recorded by the CPRM method.

  Hereinafter, the configuration and operation of the encryption processing unit 113 will be described.

  The encryption processing unit 113 includes a device key set 1701, an MKB processing unit 1702, a conversion unit 1703, a key generation unit 1704, an encryption unit 1705, a PS conversion unit 1706, and an encryption unit 1707.

  The device key set 1701 is a set of 16 device keys, and is distributed from CPRM licensors to manufacturers. The licensor assigns keys so that all 16 device keys do not match between devices. The device key set is built into the device so that it does not leak. This is defined as a license condition.

  The MKB processing unit 1702 generates a media key Km from the device key set 1701 and the media key block (MKB) 1708 of the first recording medium 109. The conversion unit 1703 converts the media key Km with the media ID 1709 to generate the media unique key Kmu. The key generation unit 1704 generates a title key Kt as necessary. The encryption unit 1705 encrypts the title key with the media unique key Kmu. The PS conversion unit 1706 converts the content of the partial TS into MPEGPS (program stream). The encryption unit 1707 encrypts the output of the PS conversion unit 1706 with the title key Kt. Through the processing of each component described above, the title key and content data are encrypted and recorded on the first recording medium 109. The PS conversion unit 1706 is realized using the PS / TS processing unit of FIG.

  The following information is recorded on the first recording medium 109. That is, a media key block (MKB) 1708, a media ID 1709, an encrypted title key 1710, a management information file 1711, and an encrypted content 1712.

  The MKB 1708 is data such as an encrypted key bundle obtained by encrypting the media key Km with a device key issued by the licensor. The MKB 1708 is written to the first recording medium 109 by a method that cannot be tampered with when the first recording medium 109 is manufactured. The MKB is manufactured by using data calculated by a new media key Km for every fixed number (1 million for DVD).

  The media ID 1709 is unique data that differs for each recording medium, and is written in the first recording medium 109 using a method that cannot be tampered with at the stage of manufacturing the recording medium.

  The content, the encrypted title key, and the management information file encrypted for recording on the first recording medium 109 are recorded on the first recording medium 109 via the recording unit 108.

  The management information file 1711 stores a part of the management information read by the drive control unit 1202 of the accumulation processing unit 103. FIG. 14 shows an example of the data structure of the management information file 1711.

  Since the content data is recorded on the DVD, the management information file 1711 is recorded in accordance with the program stream of the video recording standard. This management information file 1711 is called an RDI (Real-time Data Information) pack and has a size of 2048 bytes, similar to the content AV pack. In the RDI pack, copyright information is stored in the CGMS field, the APSTB field, and the EPN field. The CGMS field stores digital_recording_control_data included in the broadcast content.

  However, if the digit_recording_control_data is “copyable for only one generation”, it is updated and stored in the storage medium 104 with “recopy prohibited”, so “recopy prohibited” is also displayed in the CGMS field of the RDI pack. Stored. APS_control_data is stored in the APSTB field, and Encryption_mode (however, the logical setting is reversed) is stored in the EPN field. The RDI pack is not encrypted, but measures are taken to prevent tampering.

  Next, how the data recorded on the first recording medium 109 is reproduced will be described with reference to FIG. 13 again. Although the first playback device 1713 is illustrated in FIG. 13 for the sake of convenience, this need not be a device different from the recorder 101. A typical recorder also has a playback function. Therefore, it can be said that the first playback device 1713 is substantially included in the recorder 101.

  The first playback device 1713 includes a device key set 1714, an MKB processing unit 1715, a conversion unit 1716, decoding units 1717 and 1718, and an MPEG decoding unit 1719.

  The MKB processing unit 1715 generates a media key Km from the device key set 1714 and the media key block (MKB) 1708 of the first recording medium 109. Then, the conversion unit 1716 converts the media key Km with the media ID 1709 to generate the media unique key Kmu.

  Next, the decryption unit 1717 decrypts the encrypted title key 1710 with the media unique key Kmu. Then, the decryption unit 1718 decrypts the encrypted content 1712 with the title key Kt. Finally, the MPEG decoding unit 1719 decodes the decrypted content (MPEG2-PS). Content is output by the processing of each component described above.

  When the “recopy prohibited” in the CGMS field shown in FIG. 14 is altered to “copy allowed without restriction”, the playback device 1713 determines that the content is non-encrypted. Therefore, the actually encrypted content is sent as it is to the MPEG decoding unit 1719 and is not correctly decoded.

  Also, since the APSTB field is used as a part of the encryption key by the encryption unit 1707, a correct encryption key cannot be obtained from the altered value of the APSTB field. Therefore, it is not decoded correctly in this case. In the EPN field, check data is stored in DCI_CCI_Verfication_Data. By using this data, tampering can be detected.

  Finally, the function of the first recording / playback unit 2801 will be described. The user interface unit 112 will be described later with reference to FIG.

  The first recording / playback unit 2801 records the content stored in the storage medium 104 on the second recording medium 2802. In the present embodiment, the second recording medium 2802 is one of DVD-R, DVD-RW, and DVD-RAM.

  When content is stored in a manner that prevents unauthorized access to the storage medium 104, the content is encrypted with a device-specific key or content key. Accordingly, if the first recording / playback unit 2801 records the content of the storage medium 104 on the second recording medium 2802 while being encrypted, unauthorized access is impossible.

  The format for recording the encrypted content on the second recording medium 2802 by the first recording / playback unit 2801 may be unique as long as it can be read and written by the device. The recording in the first recording / playback unit 2801 does not need to be compatible with a stream recording format (for example, a DVD-Video format or a DVD-VideoRecording format), and may simply be read and written as a data file. Therefore, the bit string of the partial TS of the encrypted content can be recorded as it is, and the image quality and sound quality are not deteriorated and the related data is not lost. Further, there is no need to convert MPEG2-partial TS to MPEG2-PS.

  When the content is encrypted with the content key or when the management information file exists, the encrypted content key and the management information file may be recorded on the second recording medium 2802 together with the encrypted content.

  In order to more effectively prevent unauthorized access, the first recording / playback unit 2801 may encrypt the encrypted content by another method. Further, when the management information file is stored in the storage medium 104, it is convenient to store the management information file without encryption in order to easily know the content information. However, in the case of performing backup recording on the second recording medium 2802, it is only necessary to be able to use it when restored to the recorder 101. Therefore, it is preferable to perform encryption recording using the unique information of the recorder 101.

  It should be noted here that there are restrictions imposed when content is recorded on the first recording medium 109. Many recording media have application standards as well as physical standards for the recording media themselves. This is to ensure compatibility of recording and reproduction between devices. However, in application standards whose main purpose is real-time recording / reproduction, there are cases where restrictions on image quality and sound quality are imposed depending on the data transfer speed. For example, the DVD-Video standard and the DVD-Video Recording standard are limited to recording up to standard resolution. In addition, there is a standard that supports MPEG2-PS with an emphasis on compatibility with package media, and MPEG2-TS used in broadcasting or the like cannot be recorded as it is. In this way, dubbing and moving according to application standards may be accompanied by various restrictions.

1-4. Operation Procedure of Recorder 101 FIG. 15 shows an operation procedure of the recorder 101. The types of operations shown in FIG. 15 are content accumulation, move, erase, backup, and restore. The recorder 101 can also execute other processing such as reproduction processing and editing processing.

  Hereinafter, each step of FIG. 15 will be described. A detailed description regarding the processing of each step will be described later with reference to FIGS.

  First, in step S1, the instruction receiving unit 25 (FIG. 2) receives a content operation request from the user. Here, the content operation is content accumulation, move, erase, backup, and restore. In the present specification, the requests corresponding to each are a storage request, a move request, an erase request, a backup request, and a restore request.

  In step S2, the CPU 21 determines the type of content operation. If it is an accumulation request, the process proceeds to step S3. If it is a move request, the process proceeds to step S4. If it is an erase request, the process proceeds to step S5. If it is a backup request, the process proceeds to step S6.

  In step S3, the CPU 21 accumulates the content in the HDD 15b, and also generates availability information indicating “usable” and stores it in the nonvolatile RAM 22b. Thereafter, the accumulation process ends.

  In step S4, the CPU 21 determines whether or not the availability information is “usable”. If “unusable” is indicated, the CPU 21 terminates the process because it cannot accept the move request. On the other hand, if the availability information indicates “usable”, the process proceeds to step S8.

  In step S8, the CPU 21 moves the content stored in, for example, the HDD 21b to another recording medium. When the move is completed, in the next step S9, the availability information in the recorder 101 corresponding to the content is set to “unusable”.

  In step S5, the CPU 21 deletes the content from the recorder 101, for example, by deleting the content data stored in the HDD 15b. At this time, the availability information is not changed and is held in the nonvolatile RAM 22b as it is. Thereafter, the process ends.

  In step S <b> 6, the CPU 21 determines whether the availability information is “usable”. If “unusable” is indicated, the CPU 21 terminates the process because it cannot accept the backup request. This is because there is no need to allow backups as long as usage is no longer allowed.

  On the other hand, if the availability information indicates “usable”, the process proceeds to step S10. In step S10, the CPU 21 backs up the content to another recording medium. At this time, the availability information is not changed and is held in the nonvolatile RAM 22b as it is. Thereafter, the process ends.

  In step S <b> 7, the CPU 21 determines whether the availability information is “usable”. If “unusable” is indicated, the CPU 21 terminates the processing because it cannot accept the restore request. It is assumed that the content availability information does not exist in the nonvolatile RAM 22b. For example, when the user tries to restore content backed up by a device other than the recorder 101. At this time, naturally, the restore request cannot be accepted, so the CPU 21 ends the process.

  On the other hand, if the availability information indicates “usable”, the process proceeds to step S11. At this time, it means that the content has been backed up by the processes of steps S6 and S10.

  In step S11, the CPU 21 restores the content from another recording medium. At this time, no change is made to the availability information on the nonvolatile RAM 22b. Therefore, the availability information of the content at the time of backup is applied to the content as it is.

1-5. Details of the operation of the recorder 101 according to the user's operation Hereinafter, the processing of each step shown in FIG. 15 will be described more specifically. First, a specific configuration for a user to give a request for content operation will be described.

  FIG. 16 shows a functional block configuration of the user interface unit 112. The user interface unit 112 includes a display video generation unit 1901, a synthesis unit 1902, and a reception unit 1903.

  The display video generation unit 1901 corresponds to the CPU 21 in FIG. 2, the composition unit 1902 corresponds to the graphic control unit 17, and the reception unit 1903 corresponds to the instruction reception unit 25.

  A display video generation unit 1901 receives user display data from each part of the recorder 101 or reads display data stored in advance from a memory to generate a GUI video (such as a menu screen). This GUI video is output as a GUI signal.

  The synthesizing unit 1902 superimposes or switches the video signal when the received content or accumulated content is played back by the recorder 101 and the display video of the display video generating unit 1901 and outputs the video to the outside of the recorder 101. Generate a signal. This video signal is displayed as a video on the display device 1904. A display device 1904 is a device that displays a video signal of the recorder 101 and is, for example, a television or a liquid crystal projector. When the display video generation unit 1901 does not operate (for example, when viewing content), no GUI signal is generated. At that time, only the video signal of the content is output.

  A receiving unit 1903 receives a user request via a remote controller 1905 attached to the recorder 101. And the control signal according to the request | requirement is output.

  The remote controller 1905 includes a key for controlling the recorder 101, and transmits a control signal based on the key operation to the recorder 101 using infrared rays, radio waves, and the like. The remote controller 1905 is provided with at least a function selection key 1906, an up arrow key 1907, a down arrow key 1908, a left arrow key 1909, a right arrow key 1910, an enter key 1911, a program guide key 1912, and an accumulation key 1913. It has been.

  In FIG. 16, the display device 1904 and the remote controller 1905 are separate from the recorder 101, but may be incorporated in the recorder 101. For example, the display device 1904 may be a liquid crystal display device provided in the recorder 101, and the remote controller 1905 may be a button provided in a casing (not shown) of the recorder 101.

  Next, with reference to FIG. 17 to FIG. 22, a specific operation procedure when the user requests content accumulation, move, erase, backup, and restore will be described. The reproduction of content corresponding to content accumulation will also be described.

1-5-1. Processing based on content storage operation The procedure of digital broadcast content storage operation is as follows. First, the program guide key 1912 of the remote controller 1905 in FIG. 16 is pressed to call up the program guide screen. FIG. 17 shows an example of a program guide screen. Source information (broadcast station name), recording date and time (broadcast date and time), genre, copyright management information, title, short format program description as part of the management information of the currently selected program on the upper left A program guide for each broadcasting station is displayed below the displayed program guide.

  The program currently selected in the program guide is highlighted. In FIG. 17, “Sometimes Momotaro” broadcast from 17:00 on the DDD television is selected.

  The user uses the arrow keys on the program guide screen to select a program (content) to be stored. If the accumulation key 1913 is pressed while a certain program is selected, an accumulation request is issued immediately if the selected program is currently being broadcast, and an accumulation reservation is made if the program is scheduled to be broadcast in the future. In the case of an accumulation reservation, an accumulation request is issued at the reservation time.

  If there is a content accumulation request, step S3 in FIG. 15 is executed. Specifically, the control unit 111 causes the digital broadcast receiving unit 102 to generate a partial TS and management information for the content. For example, when the digital_recording_control_data field of the content digital copy control descriptor indicates “10” (only one generation can be copied), the content is encrypted by the encryption unit 1201 and stored in the storage medium 104 as “recopy prohibited”. The

  In addition, the control unit 111 causes the setting unit 1303 to set availability information indicating that the content can be used in the memory 106. The setting unit 1303 (FIG. 11) sets the availability information in the following procedure.

  First, as preparation, it is determined whether unauthorized tampering has been performed on the content so far. The check value generation unit 1502 reads the availability information 107 of other contents already held in the memory 106, generates a check value from the availability information 107 and the value held in the check counter 1504, and checks Part 1503. The check unit 1503 reads the current check value 1505 stored in the memory 106 and compares it with the check value generated by the check unit 1503.

  If the two do not match, the availability information 107 or the check value 1505 has been falsified, so an abnormality process is performed. As the abnormal process, for example, the abnormal process is displayed to the user, and all the contents accumulated up to that point are made unavailable. The number of availability information may be returned to the initial value.

  If both match, it can be seen that the availability information 107 has not been tampered with. Therefore, the previous availability information 107 can be used. The check unit 1503 notifies the information generation unit 1501 of the check result.

  The information generation unit 1501 handles a value obtained by increasing the current number of pieces of availability information as one as content identification information of newly accumulated content. This number of availability information is sent to the content encryption unit 1302 (FIG. 9) for use as part of the management information of the content. An availability flag for an address corresponding to the new content identification information is set to be usable. This availability information is held as new availability information 107 in the memory 106. The value of the check counter 1504 is also updated. The check value generation unit 1502 generates a new check value using the new availability information and the check counter value, and stores the new check value in the memory 106 as the check value 1505.

  Through the above-described processing, the content is accumulated and the availability information is generated.

1-5-2. After the processing content based on the content reproduction operation is accumulated, the content can be reproduced. As a reproduction procedure, first, the menu screen is called by pressing the function selection key 1906 of the remote controller 1905 of FIG. Use the arrow keys on the menu screen to select “Playback” and press the Enter key 1911 to call up the playback screen. FIG. 18 shows an example of a display screen for playback operation. The title of reproducible content is displayed on the screen.

  When displaying a reproducible title, identification information, a title, a copy protection status, and the like are acquired by referring to the management information of the stored content. First, the control unit 111 checks the current availability information 107.

  The check value generation unit 1507 reads the availability information 107 of the content already held in the memory 106, generates a check value from the availability information 107 and the value held in the check counter 1504, and the check unit 1508. Send to. The check unit 1508 reads the current check value 1505 stored in the memory 106 and compares it with the check value generated by the check unit 1503.

  If the two do not match, the availability information 107 or the check value 1505 has been falsified, so an abnormality process is performed. As the abnormal processing, for example, all the contents accumulated so far are made unusable.

  If the two match, the availability information 107 is not falsified and is known to be valid, so the availability information 107 can be used. The control unit 111 generates display data for content that can be moved and played back using the management information and the valid availability information 107, and notifies the user interface unit 112 of the data.

  As a result, when the content exists in the storage medium 104, the presence of reproducible content is displayed, but when it does not exist, it is not displayed. Further, when the content is in the “recopy prohibited” state, the availability information of the content is confirmed. Even when the availability information indicates “unusable”, it is not displayed as reproducible content.

  On the playback screen, the user uses the arrow keys of the remote controller 1905 to select playback content. In the example of FIG. 18, “Momotaro” is highlighted to indicate that it is selected. When the enter key 1911 is pressed in this state, the selection of “Momotaro” is determined. Then, “Momotaro” is read from the storage medium 104 and displayed on a display device (not shown) or output from an output unit (not shown). In the reproduction operation, the availability information is not changed.

1-5-3. Processing Based on Content Move Operation Next, the move operation will be described. The procedure for the move operation is as follows. First, the function selection key 1906 of the remote controller 1905 in FIG. Use the arrow keys on the menu screen to select “Dubbing” and press the Enter key 1911 to call up the dubbing screen. The move is assigned to the dubbing screen as a kind of dubbing (copying).

  FIG. 19 shows an example of a display screen for the move operation. The title of the content to be dubbed and moved is displayed on the left side of the screen, and whether the content is content to be moved or dubbed is displayed on the left side of the title.

  When displaying the title of the content of the move source, identification information, title, copy protection status, etc. are acquired by referring to the management information of the stored content. Based on the identification information, it is confirmed whether the content exists in the storage medium 104. If it exists, it is displayed as the move source content, but not displayed if it does not exist. Further, when the content is in the “recopy prohibited” state, the availability information of the content is confirmed. If the content is not available, it is not displayed as the move source content. These processes are the same as the processes performed in the process based on the content reproduction operation.

  FIG. 19 shows that the move operation is selected for two contents, “Momotaro” and “Urashima Muro”, and the dubbing operation is selected for the content “Kintaro”.

  When a move operation is selected for content stored in the “Recopy prohibited” state, the content availability information is changed to “unusable” after the move, and the content in the storage medium 104 is invalid It becomes.

  On the other hand, when the dubbing operation is selected for the content stored in the “Copyable without restriction” state, the content can be used continuously after the dubbing.

  On the dubbing screen, the user first selects the dubbing / move source content using the arrow keys of the remote controller 1905. In the example of FIG. 19, “Momotaro” is highlighted to indicate that it is selected. When the enter key 1911 is pressed in this state, the selection of “Momotaro” is determined. In order to select another content in succession, the content to be selected may be highlighted and determined with the enter key 1911. When the content is selected, the recorder 101 checks whether or not the dubbing / moving destination recording medium has enough free space. If the free space is insufficient, “Recorder has insufficient free space. Please replace it or erase unnecessary recordings on the DVD. "Is displayed and the content is not selected.

  When the enter key 1911 is pressed twice in succession, a confirmation message “Start move. Press the enter key” is displayed at the bottom of the screen. Here, when the enter key 1911 is pressed again, a start instruction for moving “Momotaro” from the storage medium 104 to the recording medium 116 is issued.

  If there is a content move request, steps S4, S8 and S9 in FIG. 15 are executed. Since step S4 is determination of availability information, steps S8 and S9 will be described in detail below with a specific example.

  Hereinafter, an operation of moving the content of the partial TS from the storage medium 104 to the first recording medium 109 via the recording unit 108 will be described.

  The move operation is performed according to the following procedure. (1) Execution of encryption key preprocessing, (2) recording of encrypted content 1712 on the first recording medium 109, (3) change of availability information (change to unavailable), (4) first Recording information of the encrypted content 1712 and the encrypted title key 1710 on the recording medium 109 and enabling the recording.

  First, encryption key pre-processing will be described. The encryption processing unit 113 reads the media key block (MKB) 1708 shown in FIG. 13 from the first recording medium 109. The MKB processing unit 1702 uses the device key in the device key set 1701 to decrypt the MKB 1708 to obtain the media key Km.

  However, if a certain device key is leaked and disclosed, it becomes possible to create an unauthorized device or software that can decrypt the content using this device key. In order to prevent such unauthorized use, the MKB data corresponding to the leaked device key is replaced with different data. This prevents the correct media key Km from being obtained from the leaked device key. In other words, by using the MKB, it is possible to invalidate unauthorized devices and unauthorized software using the leaked device key.

  The media key Km is common to many recording media. Therefore, the encryption processing unit 113 reads the media ID 1709 from the first recording medium 109 and converts the media key using the media ID 1709 by the conversion unit 1703, thereby creating a media unique key Kmu unique to each recording medium. The above is the encryption key preprocessing.

  The procedure for recording content management information on the first recording medium 109 using the encryption key is as follows.

  The area for recording the encrypted title key 1710 of the first recording medium 109 has a capacity for one encrypted title key. The encryption processing unit 113 reads a title key status flag (not shown) of the first recording medium 109, and whether or not the encrypted title key is not yet recorded on the first recording medium 109 by this flag. Inspect whether.

  In the case where the encrypted title key is not yet recorded in the encrypted title key 1710 area of the first recording medium 109, the key generation unit 1704 generates a new key using the random number generation function. . In the case of a medium in which an encrypted title key is already recorded in the encrypted title key 1710 area, the encryption processing unit 113 reads the encrypted title key 1710 of the first recording medium 109 and decrypts it (not shown). However, the title key Kt is extracted using the media unique key Kmu in the same configuration as the decryption unit 1717 of the first recording medium playback unit 1713).

  The PS conversion unit 1706 converts the content of MPEG2-partial TS into MPEG2-PS data. The converted MPEG2-PS data is encrypted by the encryption unit 1707 using the title key Kt and recorded in the encrypted content 1712 area of the recording medium 116. A part of the management information is stored in the management information file 1711. An example of the management information file 1711 is as shown in FIG. With the above processing, recording of the encrypted content 1712 and the management information file 1711 is completed.

  At this time, access information to the encrypted content 1712 and the like are not yet recorded on the first recording medium 109. Therefore, even if the first recording medium 109 is taken out from the recorder 101, the encrypted content 1712 is still unusable. In a state where the encrypted title key is not yet recorded in the encrypted title key 1710 area, the key generation unit 1704 encrypts the title key Kt by the encryption unit 1705 using the media unique key Kmu. The cipher uses C2 cipher.

  Thereafter, the information changing unit 1506 changes the availability information of the content in the memory 106 to unavailable and stores it again in the memory 106. Then, the check counter 1504 updates the counter value and sends it to the check value generation unit 1507 together with new availability information to generate a new check value. The new check value is also stored in the memory 106. By these processes, the content stored in the storage medium 104 becomes unusable.

  After disabling the content availability information, the recording unit 108 records access information to the encrypted content 1712 and the like on the first recording medium 109. For example, in the file system of the first recording medium 109, the address information of the previously recorded AV pack and RDI pack is written in a predetermined file arrangement table (not shown), and the title information of the encrypted content 1712 is recorded. A navigation information file (not shown) to be written is written, or pointer information of the file arrangement table is written to the navigation information file.

  In the case of a medium in which the encrypted title key is not yet recorded in the encrypted title key 1710 area, the title key Kte encrypted by the encryption unit 1705 is stored in the encrypted title key 1710 area. Record.

  As described above, the contents of the first recording medium 109 become usable, and the move process is completed. Note that the encrypted content in the storage medium 104 may be deleted after the end of recording of access information or the like is confirmed.

  As described above, first, after the encrypted content is copied to the first recording medium 109 and the availability information of the content is disabled, the access information to the encrypted content 1712 and the like is stored in the first recording medium 109, and the like. By following the procedure of recording the content, it is possible to satisfy the rule that, during the move operation, the content of the length exceeding 1 minute must not be playable simultaneously on both the move source and the move destination. it can.

  If the content cannot be copied due to a medium failure of the first recording medium 109, the user is notified of abnormal processing, and a move request is made without changing the availability information, check counter value, check value, etc. The process for is terminated.

  In addition, abnormal processing is performed even if the processing is interrupted because the power is turned off after disabling the content availability information and before confirming the end of recording of access information and the like. Is called. In this case, neither the content of the storage medium 105 nor the encrypted content 1712 of the first recording medium 109 can be used. This will cause a loss to the user. In order to prevent this, after the power is turned on again, the accumulation processing unit 103 returns the availability information of the content to be usable, and makes the content of the storage medium 105 usable.

  After the move operation is completed, the content can be played back from the first recording medium 109 using the first playback device 1713. That is, the title key Kt is decrypted using the device key set 1714 to the decryption unit 1717, and the decrypted unit 1718 decrypts the encrypted content 1712 based on the title key Kt. The obtained data (MPEG2-PS stream) is decoded into a baseband signal by the MPEG decoding unit 1719, and becomes a viewable content 1720.

  In the above description, the case of one DVD as the recording medium of the dubbing / moving destination has been described. However, if other recording media such as an SD memory card can be used, a plurality of dubbing / moving destination recording media may be displayed on the dubbing screen. The user can select one dubbing / moving destination from the list.

1-5-4. Processing Based on Content Erasing Operation Next, the erasing operation will be described. The procedure for the erasing operation is as follows. First, the function selection key 1906 of the remote controller 1905 is pressed to call up the menu screen. Use the arrow keys on the menu screen to select “Erase”, and press the Enter key 1911 to call up the erase screen.

  FIG. 20 shows an example of a display screen for the erasing operation. The title of the erasable content is displayed on the screen.

  When displaying the title of erasure, identification information, title, copy protection status, etc. are acquired by referring to the management information of the stored content. Based on the identification information, it is confirmed whether the content exists in the storage medium 104. If it exists, it is displayed as an erasable content, but not displayed if it does not exist. Further, when the content is in the “recopy prohibited” state, the availability information of the content is confirmed, and if it is not available, it is not displayed as erasable content.

  In the erase screen, first, the user selects erase content using the arrow keys of the remote controller 1905. In the example of FIG. 20, “Momotaro” is highlighted to indicate that it is selected. When the enter key 1911 is pressed in this state, the selection of “Momotaro” is determined. When another content is selected subsequently, the content display is highlighted, and the determination key 1911 may be used. When the enter key 1911 is pressed twice in succession, a confirmation message “Start erasing. Press the enter key” is displayed at the bottom of the screen. If the enter key 1911 is pressed again, “Momotaro” is deleted from the storage medium 104. In the erasing operation, the availability information is not changed.

1-5-5. Processing Based on Content Backup Operation Next, the backup operation will be described. The backup operation procedure is as follows. First, the function selection key 1906 of the remote controller 1905 is pressed to call up the menu screen. Use the arrow keys on the menu screen to select “BACKUP” and press the ENTER key 1911 to call up the backup screen.

  FIG. 21 shows an example of a display screen for backup operation. The backup source content is displayed on the left side of the screen. Whether the content is deleted from the storage medium 104 after backup is displayed on the right side of the title column, and the size of the content is displayed on the right side.

  When displaying the title of the content of the backup source, the identification information, title, copy protection status, etc. are acquired by referring to the management information of the stored content. Based on the identification information, it is checked whether or not the content exists in the storage medium 104. If it exists, it is displayed as the backup source content, but not displayed if it does not exist. Further, when the content is in the “recopy prohibited” state, the availability information of the content is confirmed, and when the content is not available, it is not displayed as the backup source content. On the right side of the screen, the usage status of the second recording medium 2802 as the backup destination is displayed. In FIG. 21, 1280 M (megabytes) has already been written, the backup designation is 789 M, and the remaining is 2631 M.

  On the backup screen, the user first selects the title of the backup source content using the arrow keys of the remote controller 1905. In the example of FIG. 21, “Momotaro” is highlighted to indicate that it is selected. When the enter key 1911 is pressed in this state, the selection of “Momotaro” is determined. This determination is reflected in the designated capacity state display of the second recording medium 2802 which is the right backup destination. After this, the arrow key is used to move to the erasure column, and when the enter key 1911 is pressed, a circle is displayed in the erasure column, indicating that the backup medium is erased. In order to select another content in succession, the content to be selected may be highlighted and determined with the enter key 1911. When the content is selected, the recorder 101 checks whether the second recording medium 2802 as the backup destination has sufficient free space. If the free space is insufficient, the recorder 101 displays a warning message and selects the content. I won't let you.

  When the enter key 1911 is pressed twice in succession, a confirmation message “Start backup. Press the enter key” is displayed at the bottom of the screen. When the enter key 1911 is pressed again, a start instruction for backing up “Momotaro” from the storage medium 104 to the second recording medium 2802 is issued.

  When there is a content backup start instruction, the control unit 111 reads the content 105 stored in the storage medium 104 by the storage processing unit 103, and the content is stored in the second recording medium 2802 by the recording / playback unit 2801. Record in encrypted form. If there is a management information file, the management information file of the content is also recorded on the second recording medium 2802. At this time, in order to identify which device the backup is made from, a predetermined value is encrypted using the device specific information and recorded in a predetermined position of the management information file. The content availability information 107 held in the memory 106 is not changed. Further, when the content is designated to be deleted, the content is deleted.

  The availability information is not changed in the backup operation. Therefore, if the user restores the content backed up on the second recording medium 2802 to the storage medium 104, the content can be used again in the recorder 101.

1-5-6. Processing Based on Content Restore Operation Next, the restore operation will be described. The procedure for the restore operation is as follows. First, the function selection key 1906 of the remote controller 1905 is pressed to call up the menu screen. Use the arrow keys on the menu screen to select “Restore” and press the Enter key 1911 to call up the restore screen.

  FIG. 22 shows an example of a display screen for the restore operation. The restore source content is displayed on the screen. The size of the content is displayed on the right side of the title column.

  When displaying the title of the content to be restored, whether the information at the predetermined position is decrypted with the device specific information with reference to the management information of the content backed up on the second recording medium 2802, and a predetermined value can be obtained. Check if. If the predetermined value is not obtained, it can be understood that the content backed up on the second recording medium 2802 is not backed up by the device. Therefore, a warning is displayed on the user interface unit 112 that backup has been performed by another device, and restoration is stopped. If a predetermined value is obtained, the identification information, title, copy protection status, and the like are acquired because the data has been backed up by the device. Based on the identification information, it is confirmed whether or not the content exists in the second recording medium 2802. If it exists, it is displayed as the restore source content, but if it does not exist, it is not displayed. Further, when the content is in the “recopy prohibited” state, the availability information of the content in the memory 106 is confirmed. If the content is not available, it is not displayed as the restore source content.

  On the restore screen, first, the user selects the title of the restore source content using the arrow keys of the remote controller 1905. In the example of FIG. 21, “Momotaro” is highlighted to indicate that it is selected. When the enter key 1911 is pressed in this state, the selection of “Momotaro” is determined. In order to select another content in succession, the content to be selected may be highlighted and determined with the enter key 1911. When the content is selected, the recorder 101 checks whether or not the free space of the storage medium 104 that is the restore destination is sufficient. If the free space is insufficient, the recorder 101 displays a warning message and does not select the content.

  When the enter key 1911 is pressed twice in succession, a confirmation message “Start restoration. Press the enter key” is displayed at the bottom of the screen. Here, when the enter key 1911 is pressed again, a start instruction for restoring “Momotaro” from the second recording medium 2802 to the storage medium 104 is issued.

  When there is an instruction to start restoring content, the control unit 111 causes the recording / playback unit 2801 to read the content 2803 recorded on the second recording medium 2802 as encrypted, and the storage processing unit 103 to read the content. It is stored in the storage medium 104. If there is a management information file, the management information file of the content is also recorded in the storage medium 104. The content availability information 107 held in the memory 106 is not changed.

  Therefore, if the content restored by the user to another recording medium is restored to the storage medium 104, the content can be used again in the recorder 101.

  If the content is backed up to another recording medium by performing the above-described backup processing, the content can be reliably restored even if the storage medium 104 is replaced with a new storage medium due to a failure or the like. Can do. This is because the availability information essential for the restoration process is stored in a recording medium (for example, the nonvolatile RAM 22b) different from the storage medium 104 so that it cannot be tampered with. Since the computer program for performing the backup process is also stored in a recording medium (for example, program ROM 20) different from the storage medium 104, the recorder 101 can execute the above-described restore process.

  In the present embodiment, when content backup / restore is performed between the storage medium 104 and the second recording medium 2802, it is confirmed that the content availability information indicates availability. This is because user convenience is considered, and backup and restoration may be performed without confirming the availability information of the content. In this case, when the content restored to the storage medium 104 is to be used for reproduction, move, etc., it cannot be used if the availability information is unavailable.

  In the present embodiment, the first recording medium 109 and the second recording medium 2802 are any one of DVD-R, DVD-RW, and DVD-RAM, but this is an example. In any case, it is not necessary to have a special encryption recording mechanism, and it is only necessary to be able to record digital data. Therefore, various recording media can be used.

  For example, in the case of a disc, a recordable compact disc (CD-R, CD-RW), a mini disc (MD), Hi-MD, a digital versatile disc (DVD-RAM, DVD-RW, DVD-R), + RW, + R, A Blu-ray Disc (hereinafter referred to as BD), HD-DVD, iVDR (Information Versatile Disc for Removable usage), etc. can be used. As the semiconductor media, a secure digital memory card (SD memory card), a memory stick, a memory stick pro, and the like can be used. Further, there are D-VHS, dcc, etc. for tape.

  Needless to say, the present invention can be applied to various recording media to be developed in the future. In the present embodiment, the recording medium shows one type of example, but it is also possible to support a plurality of recording media and set the selected medium as an operation target.

  Although the first recording medium 109 and the second recording medium 2802 are provided separately, the same recording medium may be used. At that time, the components that record data on the recording medium of the recording unit 108 and the first recording / reproducing unit 2801 can also be used. Furthermore, the entity of the recording unit 108 and the first recording / reproducing unit 2801 may be the same. In the case of move processing, recording is performed in a stream format that can be reproduced by other playback devices, and in the case of backup processing, recording may be performed using a recording method that can be used only when restored to the recorder 101.

  According to the above processing, both content storage dedicated to the device that is not limited by the capacity of the storage medium and movement to a medium that can be played back by other devices are also achieved while complying with the content protection rule of “only one generation can be copied”. Can be achieved. Furthermore, since backup media are supported, backup and restore can be performed easily.

  In the present embodiment, an example of encrypting content when moving content to the first recording medium has been shown, but it is not essential to encrypt and record when moving to the first recording medium. . For example, when the content is music content, there is a possibility of using a mini disc (MD) as the first recording medium. In MD, content is compressed and recorded by the ATRAC method, but it is not encrypted.

(Embodiment 2)
2-1. Function of Recorder 101 FIG. 23 shows a functional block configuration of the recorder 101 according to the present embodiment. The recorder 101 of this embodiment controls the use of content using “decryption information” instead of the “usability information” according to the first embodiment. That is, “decryption information” is one of the usage control information.

  In FIG. 23, constituent elements having the same functions as those of the recorder according to the first embodiment (for example, FIG. 3) are denoted by the same reference numerals. In the description of this embodiment, descriptions of functions and configurations common to the recorder according to Embodiment 1 are omitted.

  The encryption unit 2401 of the recorder 101 encrypts the content by a method that requires the decryption information 2404 unique to each content. The storage medium 104 stores the encrypted content 2402. Further, the memory 106 holds the decryption information 2404 in a manner that cannot be accessed illegally. The decryption unit 2403 decrypts the encrypted content 2402 using the decryption information 2404. The encryption unit 2401 and the decryption unit 2403 correspond to the CPU 21 shown in FIG.

2-2. An outline of the operation of the recorder 101 The control unit 111 includes an encryption unit 2401, a drive control unit 1202, a decryption unit 2403, a memory 106, a recording unit 108, and a first recording according to a user operation via the user interface unit 112. The playback unit 2801 and the like are controlled.

  When there is a content storage request, the control unit 111 causes the encryption unit 2401 to encrypt the content, and causes the drive control unit 1202 to store the encrypted content in the storage medium 104. Then, the control unit 111 stores the decryption information 2404 of the encrypted content in the memory 106.

  When there is a content move request, the control unit 111 reads the encrypted content 2402 stored in the storage medium 104 by the drive control unit 1202 only when the content decryption information 2404 exists in the memory 106. The decryption unit 2403 decrypts the encrypted content using the decryption information 2404 of the encrypted content. Then, the control unit 111 causes the recording unit 108 to record the decrypted content on the first recording medium 109 and invalidates the decryption information 2404 of the content held in the memory 106.

  When there is a content deletion request, the decryption information 2404 of the content held in the memory 106 is not changed, and the encrypted content 2402 stored in the storage medium 104 is deleted.

  When there is a content backup request, the content stored in the drive control unit 104 is recorded on the second recording medium 2802 via the first recording / playback unit 2801. At this time, the decryption information 2404 of the content held in the memory 106 is not changed.

  If there is a content restore request, the content recorded on the second recording medium 2802 by the recording / playback unit 2801 only when the decryption information 2404 of the content held in the memory 106 is usable. Are read and stored in the storage medium 104 again. Also at this time, the decryption information 2404 of the content held in the memory 106 is not changed. The meaning that the content decryption information 2404 can be used is synonymous with the fact that the content can be used.

  When the recorder 101 further includes a content display device (not shown) and an output unit (not shown), it is possible to respond to a content reproduction request. In this case, only when the decryption information 2404 of the content is available, the drive control unit 1202 reads the content 2402 stored in the storage medium 104, and the decryption unit 2403 decrypts the content. The image is displayed on the display device and output from the output unit. At this time, the decryption information 2404 of the content held in the memory 106 is not changed.

  When the recorder 101 further includes a content display device (not shown) and an output unit (not shown), it is possible to respond to a content reproduction request. In this case, only when the decryption information 2404 of the content is available, the drive control unit 1202 reads the content 105 stored in the storage medium 104 and displays the decryption unit 2403 content on the display device. And output from the output unit. At this time, the decryption information 2404 of the content held in the memory 106 is not changed.

2-3. Details of Each Component of Recorder 101 FIG. 24 shows more detailed configurations of the encryption unit 2401 and the decryption unit 2403. This configuration is used when content is encrypted and decrypted by a method that requires unique decryption information for each device. For convenience of explanation, the memory 106 and the drive control unit 1202 are also shown.

  The encryption unit 2401 includes a key generation unit 1401 and a content encryption unit 1302. The decryption unit 2403 has a content decryption unit 1304. These functions are in principle the same as the components having the same names shown in FIG.

  Specifically, when there is a content accumulation request, the key generation unit 1401 generates a random number to generate a unique content key having a predetermined bit length. Furthermore, the key generation unit 1401 also issues content identification information corresponding to the number of generations every time a key is generated according to the number of pieces of decryption information generated so far. The combination of the content key and content identification information is sent to the memory 106 as decryption information 2404 and held in the memory 106. Decryption information 2404 is generated for each content. The decryption information 2404 is held in the memory 106 by a method that cannot be accessed illegally. This holding method will be described in detail later.

  FIG. 25 shows a table in which a plurality of pieces of decryption information 2404 are registered. The content keys are held in association with the content identification information, and are arranged in ascending order of the content identification information.

  In the present embodiment, the decryption information is invalidated when the content is moved. Specifically, the decryption information corresponding to the moved content is deleted. For example, in the example of FIG. 25, the content identification information whose least significant digits are 3, 5, and 6 and its content key do not exist. This means that the content corresponding to the content identification information has been deleted as a result of the move.

  Note that the decryption information may be invalidated by rewriting the content key value to another value. What value is rewritten is arbitrary. For example, all the bits of the content key to be disabled may be set to 0 or 1. By setting a rule that such a value is not used as a regular content key in advance, it can be easily determined whether or not it can be used. Similarly to FIG. 12B, the number of pieces of decoding information may be provided at the beginning of the decoding information.

  FIG. 24 will be referred to again. The content encryption unit 1302 encrypts the MPEG2-partial TS of the content using the content key and management information. The encrypted content is stored in the storage medium 104 via the drive control unit 1202. The recording format at this time can be determined independently. When generating a management information file storing management information, a management information file (not shown) is also stored in the storage medium 104 via the drive control unit 1202.

  Even if the encrypted content is backed up to another medium by the user, the encrypted content can be decrypted only by the decrypting unit 1304 and cannot be used as content other than the recorder 101.

  The stored encrypted content 240 is read by the drive control unit 1202 as necessary. Also, the decryption information 2404 (content key) is read from the memory 106. The decrypting unit 2403 decrypts the encrypted content 240 using this content key, and returns it to the original non-encrypted content. At this time, related management information is also read and decoded as necessary.

  The stored encrypted content 2402 is deleted by the drive control unit 1202 as necessary. The erasing method is as described in the first embodiment.

  Next, a method in which the content decryption information 2404 in the memory 106 cannot be accessed illegally will be described. In the first embodiment, a method has been described in which the memory 106, the control unit 111, and the setting unit 1303 are integrated or not integrated so that the availability information cannot be tampered with illegally. The same applies to the present embodiment. The control unit 111 and the setting unit 1303 may be replaced with the encryption unit 2401 and the decryption unit 2403, respectively.

  As another method in which the content decryption information cannot be tampered with illegally, a check value may be used. For example, FIG. 26 shows a configuration that employs a falsification preventing method using a check value. The check value is as described with reference to FIG.

  In FIG. 11, check value processing is performed in the setting unit 1303 in the encryption unit 1201. In the present embodiment, no setting unit is provided in the encryption unit 2401. Therefore, in FIG. 26, the check value is processed in the encryption unit 2401.

  Hereinafter, differences between the configuration according to the first embodiment (FIGS. 10 and 11) and the configuration according to the present embodiment (FIG. 26) will be described. In FIG. 26, the encryption unit 2401 further includes a decryption information generation unit 2701, and the decryption unit 2403 further includes a decryption information change unit 2702. The encryption unit 2401 and the decryption unit 2403 are provided, for example, in the same semiconductor, and are mounted so as not to be illegally accessed for the encryption process and the check value process. In the present embodiment, it is assumed that processing is performed using the configuration shown in FIG.

2-4. Operation Procedure of Recorder 101 The processing based on this embodiment is similar to the processing of the recorder according to Embodiment 1 (FIG. 15). In the first embodiment, the availability information 107 is used. However, in this embodiment, the decryption information 2404 is used instead of the availability information 107. Hereinafter, each process of accumulation, move, erase, backup, and restore will be described in detail. It is assumed that the user inputs requests for storage, move, delete, backup, and restore processes via the user interface unit 112. A specific method for inputting a request using the user interface unit 112 is as described in the first embodiment.

2-5-1. When there is a content accumulation request by a processing user based on the content accumulation operation , the encryption unit 2401 first determines whether or not unauthorized tampering has been performed on the content so far. Check.

  The check value generation unit 1502 reads the current decoding information 2404 that is already held in the memory 106, and generates a check value from the decoding information 2404 and the value held in the check counter 1504. The check value is sent to the check unit 1503. The check unit 1503 reads the current check value 1505 stored in the memory 106 and compares it with the check value generated by the check unit 1503.

  If they do not match, the decryption information 2404 or the check value 1505 has been tampered with, so an abnormality process is performed. The abnormality process is as described in the first embodiment.

  If they match, it can be seen that the decryption information 2404 has not been tampered with. Therefore, the previous decryption information 2404 can be used. The check unit 1503 notifies the decryption information generation unit 2701 of the check result.

  The key generation unit 1401 generates a unique content key for each content. The generated content key is encrypted by the key encryption unit 1402 using the device unique key 1301. The encrypted content key is then sent to the decryption information generation unit 2701.

  Since the decryption information generation unit 2701 has received a notification that the check results of the check values by the check unit 1503 match, the decryption information generation unit 2701 generates new decryption information by adding the encrypted content key to the previous decryption information. To do. The generated decryption information is held in the memory 106.

  In addition, the decryption information generation unit 2701 notifies the check counter 1504 that new decryption information is to be generated, and the check counter 1504 that receives the notification updates the check count value. The check value generation unit 1502 generates a new check value using the generated decryption information and the updated check count value, and stores the new check value in the memory 106.

  Subsequent processing for the content accumulation request is the same as the processing in the first embodiment. That is, the control unit 111 causes the digital broadcast receiving unit 102 to generate a partial TS and management information of the content. For example, when the digital_recording_control_data field of the content digital copy control descriptor indicates “10” (only one generation can be copied), the content is encrypted by the encryption unit 2401 and stored in the storage medium 104 as “recopy prohibited”. The

  Through the above processing, the content is accumulated and the decryption information is generated.

2-5-2. When there is a content move request by a processing user based on a content move operation, the decryption unit 2403 first checks whether the decryption information 2404 has been tampered with. This process is the same as the process when a storage request is received. Only when the check unit 1508 matches the current check value 1505 stored in the memory 106 with the check value generated by the check unit 1508, the move process is performed.

  The decryption unit 2403 sends the decryption information (encrypted content key) of the content that has been instructed to move from the user interface unit 112 to the key decryption unit 1404 and decrypts it using the device unique key 1301. Also, the decryption unit 2403 reads the encrypted content for which the move instruction has been given from the storage medium 104 via the drive control unit 1202 and decrypts it using the content key obtained from the key decryption unit 1404. At this time, the management information is also decrypted as necessary.

  The control unit 111 controls the recording unit 108 to move the decrypted content to the first recording medium 109.

  When the content can be copied to the first recording medium 109, control information notifying the fact is notified to the decryption unit 2403. The decryption information changing unit 2702 disables the decryption information of the content and stores it in the memory 106. Also, the check counter 1504 is updated and sent to the check value generation unit 1507 together with new decryption information to generate a new check value. The new check value is also stored in the information holding unit 106.

  When the first recording medium 109 protects the content by encryption or the like, after the storage of the decryption information and the check value in the memory 106 is completed, the information that makes the content of the first recording medium 109 available ( For example, information related to a key for decrypting the content encryption is written in the recording medium 109. Further, the encrypted content stored in the storage medium 104 may be erased.

  If the first recording medium 109 cannot copy the content due to a medium failure or the like, the user is notified as abnormal processing, and decryption information (content key), check counter value, check value, etc. The process for the move request is terminated without changing.

2-5-3. Processing Based on Content Reproduction Operation When there is a request to reproduce the accumulated content, the decryption unit 2403 checks whether the decryption information 2404 has been tampered in the same manner as the processing at the start of accumulation. When the content has not been tampered with, the decrypting unit 2403 decrypts the content that has been instructed to be reproduced. The decoding method is the same as the decoding method during the move process. Then, it is displayed on the display device or output from the output unit. At this time, the check counter 1504, the check value 1505, and the decryption information 2404 need not be changed.

2-5-4. When there is a request for erasing the stored content based on the content erasing operation , the control unit 111 instructs to erase the selected content from the storage medium 104. At this time, the decryption information 2404 is not changed. Therefore, if the user removes the storage medium 104, connects it to another device (for example, a personal computer), and restores the content backed up to another recording medium to the storage medium 104, the content can be used again in the recorder 101. become.

2-5-5. When there is an instruction to start processing content backup based on the content backup operation , the decryption unit 2403 confirms whether the decryption information 2404 has been falsified, that is, whether the decryption information can be used. To do. Upon confirming that it can be used, the control unit 111 causes the drive control unit 1202 to read the encrypted content 2402 stored in the storage medium 104, and the recording / playback unit 2801 encrypts the content to the second recording medium 2802. Let it be recorded. If there is a management information file, the management information file of the content is also recorded on the second recording medium 2802. At this time, in order to identify which device the backup is made from, a predetermined value is encrypted using the device specific information and recorded in a predetermined position of the management information file. The decryption information 2404 of the content held in the memory 106 is not changed. Further, when the content is designated to be deleted, the content is deleted from the storage medium 104.

  The decryption information is not changed in the backup operation. Therefore, if the user restores the content backed up on the second recording medium 2802 to the storage medium 104, the content can be used again in the recorder 101.

2-5-6. The decryption unit 2403 also confirms whether or not the decryption information 2404 is usable when there is an instruction to start restoring the process content based on the content restore operation . When it is confirmed that the content can be used, the control unit 111 causes the recording / playback unit 2801 to read the content 2803 recorded on the second recording medium 2802 as encrypted, and the first recording / playback unit 2801 to read the content. Re-accumulate in the accumulation medium 104. If there is a management information file, the management information file of the content is also recorded in the storage medium 104. The decryption information 2404 of the content held in the memory 106 is not changed.

  Therefore, if the content restored by the user to another recording medium is restored to the storage medium 104, the content can be used again in the recorder 101.

  In the present embodiment, it is confirmed in advance that content decryption information can be used when backing up and restoring content between the storage medium 104 and the second recording medium 2802. . This is because user convenience is considered, and backup and restoration may be performed without confirming the decryption information of the content. In this case, if the content restored in the storage medium 104 is to be used for reproduction, move, etc., it cannot be used if the decryption information cannot be used.

(Embodiment 3)
The recorder according to the present embodiment is configured by further providing a second recording / reproducing unit for backing up and restoring the availability information in the configuration of the recorder of the first embodiment. This is mainly intended for dealing with a case where the memory 106 becomes unusable due to trouble or the like.

  FIG. 27 shows a functional block configuration of the recorder 101 according to the present embodiment. The recorder 101 further includes a second recording / reproducing unit 3202. Further, the memory 106 further holds special information 3201. In the recorder 101 according to the present embodiment, the description of the first recording / playback unit 2801 and the second recording medium 2802 is omitted, but this means that whether or not these are included is arbitrary. To do.

  The recorder 101 can back up the availability information to the third recording medium 3203 and restore the backed availability information. Specifically, the second recording / reproducing unit 3202 of the recorder 101 records the availability information 107 in the memory 106 on the third recording medium 3203 by a method that cannot be tampered with. Further, the second recording / reproducing unit 3202 also records a check value 3205 on the third recording medium 3203. Then, the second recording / reproducing unit 3202 restores the availability information 3204 recorded on the third recording medium 3203 to the memory 106.

  The second recording / reproducing unit 3202 corresponds to the CPU 21 shown in FIG. On the other hand, the third recording medium 3203 is a DVD 28 or an SD memory card 29. When the third recording medium 3203 is the DVD 28, the DVD drive 15a is interposed between the second recording / reproducing unit 3202 and the third recording medium 3203. When the third recording medium 3203 is the SD memory card 29, the memory card control unit 27 is interposed between the second recording / reproducing unit 3202 and the third recording medium 3203.

  Hereinafter, a configuration and processing for backing up the availability information held in the memory 106 to the third recording medium 3203 will be described.

  FIG. 28 shows a more detailed configuration of the memory 106, the second recording / reproducing unit 3203, and the third recording medium 3203. Special information 3201 is held in the memory 106.

  The special information 3201 is information that can be referred to by the second recording / reproducing unit 3203 and cannot be accessed by the user. As long as this condition is satisfied, any value may be stored in the special information 3201. The special information 3201 is updated to a new value when the content move process is successful. The special information 3201 is information for generating a check value as described later, and can be said to be a kind of key information. The special information 3201 is also called a disposable key (nonce).

  The second recording / playback unit 3203 includes a check value generation unit 3301, a check unit 3302, and a restore control unit 3303.

  The check value generation unit 3301 generates a check value based on the availability information 107 in the memory 106 or the availability information 3204 in the third recording medium 3203 and the special information 3201. This check value is recorded on the third recording medium 3203.

  The check unit 3302 compares the check value generated by the check value generation unit 3301 with the check value 3305 recorded on the third recording medium 3203.

  The restore control unit 3303 restores the availability information 3204 recorded on the third recording medium 3203 to the memory 106 according to the comparison result of the check unit 3302.

  In FIG. 27, the special information 3201 is held in the memory 106, but may be held in the setting unit 1303 as in the check counter 1504 in FIG.

  First, the configuration shown in FIG. 28 will be described. After that, processing for backup recording of availability information on the third recording medium 3203 will be described.

  The second recording / reproducing unit 3202 records the availability information 107 on the third recording medium 3203. At this time, management information such as device identification information, recording date / time, and backup recording serial number (backup number) may be recorded in a predetermined position of the availability information, for example, in the header portion. These pieces of information are used for obtaining attribute information of availability information when restoring availability information.

  The recorder 101 may also store the availability information backup date and time, the identification information of the third recording medium 3203, and the like. The identification information of the third recording medium 3203 includes, for example, a medium unique number written at the time of recording medium manufacture, a title name of a medium input by a user at the time of recording, a title name of content related to availability information, and the like.

  When the recording of the availability information is successful, a check value is generated using the special information 3201 and the availability information 107. The check value uses a check value using a one-way function. For a one-way function G (d1, d2) that requires arguments d1 and d2, d1 is a value obtained by combining availability information that is a checked value and special information, and d2 is a device-specific key (not shown). ) And C = G (d1, d2) is set as a check value. The generated check value is recorded on the third recording medium 3203. The special information 3201 is updated to a new value by the control unit 111 at least when the content move process is successful in order to prevent a save / restore attack.

  Next, the procedure of the backup operation for the availability information is as follows. The user first calls the availability information backup screen using the remote controller 1905.

  FIG. 29 shows an example of a display screen for the availability information backup operation. In FIG. 29, the DVD display is highlighted to indicate that the DVD is selected. Since “SD” is described in addition to the DVD, it is understood that the recorder 101 can be loaded with both a DVD and an SD memory card. The user can select either one as the third recording medium 3203.

  Also, the backup number and the availability information update date and time are displayed on the screen. The six-digit number to the left of the backup number hyphen is a value associated with the special information 3201.

  The special information 3201 is updated to a new value when the content move process is successful. The value to the right of the hyphen is updated when the availability information is changed during a period when the special information 3201 is a certain value, that is, between when a certain content is moved and when the next content is moved. . This update occurs when new content is accumulated. The update date / time of the availability information is also updated when the availability information is changed between the move of a certain content and the move of the next content. The value to the right of the hyphen is recorded with special information.

  On the availability information backup screen, first, the user uses the remote controller 1905 to select a backup destination recording medium. When the recording medium is selected, the second recording / reproducing unit 3202 checks whether or not the free space of the third recording medium 3203 as the availability information backup destination is sufficient, and warns if the free space is insufficient. A message is displayed and the recording medium is not selected.

  When the enter key 1911 is pressed twice in succession, a confirmation message “Starting availability information backup. Please press the enter key” is displayed at the bottom of the screen. Here, when the enter key 1911 is pressed again, a start instruction for backing up the availability information to the third recording medium 3203 is issued.

  When there is an availability information backup start instruction, the second recording / reproducing unit 3202 records the availability information and the check value on the third recording medium 3203.

  Next, a process for restoring the availability information backed up on the third recording medium 3203 will be described. First, the second recording / reproducing unit 3202 checks whether the availability information 3204 is the latest and not falsified based on the check value recorded on the third recording medium 3203.

  The check value generation unit 3301 reads the availability information 3304 and generates a check value together with the special information 3201. The check unit 3302 compares the generated check value with the check value 3305 recorded on the third recording medium 3203 and notifies the restoration control unit 3303 of the comparison result.

  If the comparison results match, the availability information 3204 recorded on the third recording medium 3203 is recorded in the memory 106 as being the latest and not falsified.

  If the comparison results do not match, a warning message is displayed on the user interface unit 112 on the assumption that the availability information 3204 recorded on the third recording medium 3203 is not the latest or has been tampered with. Cancel processing.

  The check value generation unit 3301 and the check unit 3302 included in the second recording / playback unit 3202 need to be mounted so that the contents of the processing, intermediate results, and the like are not accessed illegally. For example, the encryption unit 1201 and the decryption unit 1203 may be stored in one LSI.

  The procedure for restoring the availability information is as follows. First, the user uses the remote controller 1905 to call up the availability information restore screen.

  FIG. 30 shows an example of a display screen for the availability information restore operation. In FIG. 30, a recording medium from which availability information is restored is displayed on the screen.

  When displaying the recording medium from which the availability information is restored, the management information of the availability information backed up on the third recording medium 3203 is referred to and the device identification information is confirmed. If the identification information of the device is not obtained, it can be understood that the content backed up on the third recording medium 3203 is not backed up by the device. Therefore, a warning is displayed on the user interface unit 112 that the backup has been made by another device, and the availability information restoration is stopped. If a predetermined value is obtained, it is backed up by the device, so a backup number, recording date and time, etc. are acquired. Further, using the check value 3305, it is confirmed whether or not the availability information 3204 is the latest and not tampered. If it is confirmed, it is displayed as the availability information restoration source recording medium, but cannot be confirmed. Is not displayed.

  Furthermore, the right part from the hyphen is checked in the backup number of the availability information. If this portion is different from the latest value recorded on the device side, it indicates that new content has been accumulated between the time when a certain content is moved and the time when the next content is moved. That is, the restoration of the availability information is permitted, but there is no availability information corresponding to the newly accumulated content, and there is a possibility that these contents cannot be used. A message to this effect is displayed to the user via the user interface unit 112.

  In FIG. 30, information on a recordable storage medium such as “Backup numbers 000003-0001 to 000003-0003 can be restored” is presented. This information is used by the third recording medium 3203. Regardless of whether or not it is possible, the display may be performed based on the identification information of the backed-up recording medium stored in the recorder 101. Further, although the backup number is displayed in FIG. 30, the title of the recording medium may be displayed based on the storage of the recorder 101.

  On the availability information restore screen, first, the user uses the remote controller 1905 to select the availability information restore source recording medium. When the enter key 1911 is pressed in this state, the selection of the recording medium is decided.

  When the enter key 1911 is pressed twice in succession, a confirmation message “Starting restoration of availability information. Press the enter key” is displayed at the bottom of the screen. When the enter key 1911 is pressed again, a start instruction for restoring the availability information 3204 from the third recording medium 3203 to the memory 106 is issued.

  When there is an instruction to start restoration of availability information, the availability information 3204 recorded on the third recording medium 3203 is read by the second recording / reproducing unit 3203 and held in the memory 106. Also, in the memory 106, only when the right part of the backup number from the hyphen is different from the latest value recorded on the device side, the check value 1504 is recalculated using the restored availability information 107 and re-calculated. The calculated value is held in the memory 106. The reason for performing this process is that it is necessary to eliminate the mismatch of check values that occurs when the restored availability information 107 is used. However, this recalculation process makes it impossible to use the content stored after backing up the availability information.

  In the present embodiment, when restoring the availability information from the third recording medium 3203 to the memory 106, it is confirmed in advance that the availability information can be restored. This is because user convenience is considered, and restoration may be performed without confirming the availability information. In this case, when the availability information is to be restored from the third recording medium 3203, if the check values do not match, the restoration cannot be performed.

  According to the present embodiment, not only the content but also the availability information can be backed up, so that the availability information and the content can be restored even if the memory information is lost due to an accident or the like.

  In the present embodiment, the backup / restore of the availability information has been described. However, the backup / restore of the decryption information according to the second embodiment can also be performed. For example, FIG. 31 shows a configuration for backing up and restoring the decryption information 2404 to the third recording medium 3203. The operation of this recorder may be performed by replacing the availability information with the decoding information in the description of the recorder 101 according to the present embodiment. Therefore, description of each component and description of operation | movement are abbreviate | omitted. However, it is necessary to prevent unauthorized access to the decryption information even when it is backed up. Therefore, when the non-encrypted decryption information is held by a method that cannot access the memory 106, when decryption information is recorded on the third recording medium, an additional protection by encryption or the like is added. is required.

  In the present embodiment, the availability information is backed up at a timing instructed by the user via the user interface unit 112. However, the backup may be performed at another timing. For example, when the availability state is changed in a state where the third recording medium 3203 is recordable, that is, when a recordable medium is loaded in the medium drive or slot, the availability information is automatically displayed. You may make it back up.

  When the third recording medium 3203 is loaded, the recorded contents of the medium are inspected, and if the availability information is not backed up or the backup is old, the latest availability information is automatically obtained. You may make it back up. In addition, the user may be able to set in advance via the user interface unit 112 whether or not to perform such automatic backup. By automatically backing up the availability information, it becomes possible to cope with recovery from damage whenever trouble occurs in the memory 106.

  In the present embodiment, the third recording medium 3203 for backing up the availability information is an independent medium. However, the third recording medium 3203 may be backed up to the first recording medium 109. FIG. 32 shows a configuration example for backing up the availability information to the first recording medium 109. Note that the description of the first recording / reproducing unit 2801 and the second recording medium 2802 is omitted for the same reason as in FIG.

  The second recording / reproducing unit 3203 corresponds to the DVD drive 15 a of FIG. 2, and the first recording medium 109 corresponds to the DVD 28.

  In the recorder 101 shown in FIG. 32, the second recording / playback unit 3202 performs writing relating to the movement of the decrypted content to the first recording medium 109 and writing / reading relating to backup restoration of the availability information and check values. Also at this time, if the availability status is changed while a recordable medium is loaded in the drive or slot for the first recording media 109, the availability information may be automatically backed up.

  Also, when the first recording medium 109 is loaded, the recorded contents of the medium are inspected, and if the availability information is not backed up or the backup is old, the latest availability information is automatically obtained. You may back up. In addition, the user may be able to set in advance via the user interface unit 112 whether or not to perform such automatic backup.

  By sharing a recording medium that backs up availability information and a recording medium that moves stored content, the drive (second recording / playback unit 3202) of the recording medium can be shared, and the size and price of the device can be reduced. Can be achieved.

  Further, various information may be moved to the first recording medium 109 and backed up. For example, FIG. 33 shows a configuration example for moving content to the first recording medium 109 and backing up the availability information 2404 and the encrypted content of the storage medium 104. 33 corresponds to the DVD drive 15a in FIG. 2, and the first recording medium 109 corresponds to the DVD 28. The second recording / reproducing unit 3203 in FIG.

  In FIG. 33, writing relating to the movement of the decrypted content to the first recording medium 109, writing / reading relating to the backup restoration of the availability information 3204 and the check value 3205, and writing / reading of the encrypted content 2402 accumulated in the accumulation medium 104 are performed. The second recording / reproducing unit 3202 carries out. Also in this case, when the availability state 2404 is changed in a state where a recordable medium is loaded in the drive or slot for the first recording medium 109, the availability information 2404 is automatically backed up. May be. Also, when the first recording medium 109 is loaded, the recorded contents of the medium are inspected, and if the availability information is not backed up or the backup is old, the latest availability information is automatically obtained. You may make it back up. In addition, the user may be able to set in advance via the user interface unit 112 whether or not to perform such automatic backup.

  By sharing a recording medium that backs up availability information, a recording medium that moves the stored content, and a recording medium that backs up the stored content, the drive of the recording medium (second recording / playback unit 3202) is shared. Therefore, it is possible to reduce the size and price of the equipment. Further, by automatically backing up the availability information, it is possible to cope with recovery from damage whenever trouble occurs in the memory 106.

  In the first to third embodiments, the first recording medium 109 is, for example, a DVD-RAM, a DVD-RW, or a DVD-R, and the content is encrypted and recorded by the CPRM method. However, the present invention is not limited thereto. What is not done is as described above.

  As another example, a configuration when encryption recording is performed on an SD memory card by the CPRM method is shown. Since the SD memory card can store a plurality of encrypted title keys on a medium unlike a DVD, the encryption method of the storage medium 104 is set to the same encryption method as that of the SD memory card, so that the encryption is not changed. There is an advantage that the move can be executed at high speed.

  FIG. 34 shows a modified example of the configuration of the encryption processing unit 113 shown in FIG. This modification is employed when the first storage medium 109 shown in FIG. 3 is an SD memory card.

  The encryption processing unit 113 includes a device key set 3901, an MKB decryption processing unit 3902, a conversion unit 3903, a card authentication unit 3904, and an encryption unit 3905. The MKB decryption processing unit 3902 generates a media key Km from the media key block (MKB) 3906 and the device key set 3901. The conversion unit 3903 generates a media unique key Kmu by converting the media key Km with the media ID 3907. The card authentication unit 3904 authenticates the card using the media unique key Kmu. The encryption unit 3905 encrypts the title key with the media unique key Kmu.

  The first recording medium 109 includes a media key block (MKB) 3906, a media ID 3907, a media unique key Kmu 3908, a device authentication unit 3909 that authenticates the device using the media unique key Kmu, and an encrypted title key 3910. A management information file 3911 and an encrypted content 3912.

  The MKB 3906 is data such as an encrypted key bundle, which is a collection of media keys encrypted with various device keys. At the manufacturing stage, the data is written on the first recording medium 109 by a method that cannot be tampered with. The MKB is manufactured using data calculated with a new media key Km for every fixed number (100,000 for an SD memory card). The media ID is unique data that differs for each recording medium, and is written in the first recording medium 109 using a method that cannot be tampered with at the stage of manufacturing the recording medium. The media unique key Kmu is generated by converting a media key using a media ID. The media unique key Kmu has a different value for each medium and cannot be directly read or written from the outside of the card.

  Second playback apparatus 3913 includes a device key set 3914, an MKB decryption processing unit 3915, a conversion unit 3916, a card authentication unit 3917, decryption units 3918 and 3919, and an MPEG decode unit 3920. The MKB decryption processing unit 3915 generates a media key Km from the media key block (MKB) 3906 and the device key set 3914. The conversion unit 3916 converts the media key Km with the media ID 3907 to generate the media unique key Kmu. The card authentication unit 3917 authenticates the card using the media unique key Kmu. The decrypting unit 3918 decrypts the encrypted title key using the session key obtained in the authentication process. The decryption unit 3919 decrypts the encrypted content 3912 with the title key Kt. The MPEG decoding unit 3920 decodes the decrypted content (MPEG2-PS).

  In FIG. 34, the second playback device 3913 is shown for convenience, but this need not be a device different from the recorder 101. A typical recorder also has a playback function. Therefore, it can be said that the second playback device 3913 is substantially included in the recorder 101.

  Hereinafter, an operation of moving the content of the partial TS from the storage medium unit 104 to the first recording medium 109 via the recording unit 108 will be described.

  The move operation is performed according to the following procedure. (1) Execution of encryption key pre-processing, (2) recording of encrypted content 3912 on the first recording medium 109, (3) change of availability information (change to unavailable), (4) first Recording information of the encrypted content 3912 and the encrypted title key 3910 are recorded on the recording medium 109 and available.

  First, encryption key pre-processing will be described. However, the description of the processing until the media unique key Kmu unique to the recording medium is generated is the same as described with reference to FIG.

  In the recording unit 108 and the first recording medium 109, the card authentication unit 3904 and the device authentication unit 3909 mutually authenticate that the other party is a valid device or card by using the media unique key Kmu. The authentication will be described later with reference to FIG. In this authentication process, the card authentication unit 3904 and the device authentication unit 3909 exchange random numbers, and generate a session key Ks using this. The above is the encryption key preprocessing.

  The procedure for recording the encrypted content or the like on the first recording medium 109 using the encryption key is as follows.

  When the first recording medium 109 is an SD memory card, the area for recording the encrypted title key 3910 has a capacity for storing a plurality of encrypted title keys. Therefore, the content key used for encryption recording on the storage medium 104 can be used as it is as the title key Kt. The encryption processing unit 113 reads the encrypted MPEG2-PS data from the storage medium 104. Since the title key used for encrypting the file is recorded on the first recording medium 109 as the encrypted title key 3910, the encrypted MPEG2-PS of the first data file 107 is directly used for the first recording. It can be recorded in the encrypted content 3912 area of the medium 109. This eliminates the need for re-encryption processing and only requires reading from the storage medium 104 and recording on the first recording medium 109, thus enabling high-speed recording. Part of the management information is stored in the management information file 3911.

  Thereafter, the availability information of the content in the memory 106 is changed to unavailable. This is as described above. This makes the content unusable.

  The encryption unit 3905 reads the decrypted content key. The title key Kt is encrypted by the encryption unit 3905 with the session key Ks. The cipher uses C2 cipher.

  The encryption processing unit 113 records the title key Kte encrypted by the encryption unit 3905 in the area of the encrypted title key 3910 of the first recording medium 109.

  As described above, the content of the first recording medium 109 becomes usable. The drive control unit 1202 may delete the encrypted content 1204 that has been disabled.

  After the move operation from the storage medium 104 to the first recording medium 109 is completed, the management information file and the encrypted content in the storage medium 104 are disabled. Therefore, the storage medium 104 may be deleted to ensure the storage capacity.

  However, for example, the first recording medium 109 may have a function of moving to another storage medium or recording medium like an SD memory card. In this case, when the availability information 107 held in the memory 106 is simply disabled, the encrypted content is not deleted and moved back from the first recording medium 109 to the storage medium 104. By returning the availability information to availability, the move back can be performed at high speed.

  In this case, the storage medium 104 stores the identification information of the encrypted content and the media ID 3907 of the first recording medium 109 to which the encrypted content is moved in a system area that cannot be accessed by the user. Use it to determine if it is a moveback.

  Further, if the user intends to move back the first data file 107 or the second data file 109 previously moved to the first recording medium 109, the system area of the storage medium 104 indicates that the move back is scheduled. And the storage medium 104 controls the encrypted content to be disabled but not deleted.

  The first recording medium 109 for which the move operation has been completed can be played back using the second playback device 3913. In the case of reproduction, the title key Kt is decrypted using the device key set 3914 to the decryption unit 3918, and the encrypted content 3912 is decrypted using the title key Kt by the decryption unit 3919. The obtained MPEG2-PS stream is decoded into a baseband signal by the MPEG decoding unit 3920 and becomes content 3921.

  In the first to third embodiments, an example in which the storage medium 104 is incorporated in the recorder 101 has been described. However, the storage medium 104 is not necessarily incorporated in the recorder 101. For example, an external storage medium that allows mutual authentication with the recorder 101 and allows access to the stored data only when authentication is established may be used.

  FIG. 35 shows an example in which the storage medium 104 of FIG. 3 is arranged outside. In FIG. 35, the same components as those in FIG.

  The recorder 101 has a medium authentication unit 4002. The storage medium 4001 includes a device authentication unit 4003.

  FIG. 36 shows detailed configurations of the medium authentication unit 4002 and the device authentication unit 4003. The medium authentication unit 4002 and the device authentication unit 4003 perform mutual authentication using the media unique key used in FIG. 13 or FIG. 34, and generate a session key when the authentication is successful. The session key is used when content is stored and read between the storage processing unit 103 and the storage medium. In FIG. 36, the configuration for generating the media unique key is omitted, but it is the same as FIG. 13 and FIG.

  The medium authentication unit 4002 includes a first random number generation unit 4101, conversion units 4102, 4014 and 4015, and a comparison unit 4103. The first random number generator 4101 generates a random number C1. The conversion unit 4102 converts the random number C1 and the media unique key Kmu with a one-way function. The comparison unit 4103 compares the outputs of the conversion units 4102 and 4106. The conversion unit 4104 converts the random number C2 and the media unique key Kmu with a one-way function. The conversion unit 4105 converts the random numbers C1 and C2 with a one-way function to generate a session key Ks.

  On the other hand, the device authentication unit 4003 includes conversion units 4106, 4108, and 4110, a random number generation unit 4107, and a comparison unit 4109. The conversion unit 4106 converts the random number C1 and the media unique key Kmu with a one-way function. The random number generator 4107 generates a random number C2. The conversion unit 4108 converts the random number C2 and the media unique key Kmu with a one-way function. The comparison unit 4109 compares the outputs of the conversion units 4104 and 4108. The conversion unit 4110 converts the random numbers C1 and C2 with a one-way function to generate a session key Ks.

  The mutual authentication procedure will be described below.

  First, the recorder 101 authenticates the storage medium 104. The medium authentication unit 4002 uses the first random number generation unit 4101 to generate a random number C1. The random number C1 is sent to the conversion unit 4102 and also sent to the device authentication unit 4003. The conversion unit 4102 receives the random number C1 and the media unique key Kmu as the one-way function G, and obtains G (C1, Kmu) as the conversion output. Similarly, the conversion unit 4106 in the device authentication unit 4003 also receives the random number C1 and the media unique key Kmu as an input of the one-way function G, and obtains G (C1, Kmu) as the conversion output. The converted output obtained by the conversion unit 4106 is sent back from the device authentication unit 4003 to the medium authentication unit 4002 as a response to the random number C1. This response is compared with the conversion output obtained by the conversion unit 4102 in the medium authentication unit 4002 in the comparison unit 4103 in the medium authentication unit 4002. If the two match, the recorder 101 can authenticate that the storage medium 4001 is a regular medium. If no response is returned from the device authentication unit 4003 within a predetermined time or if the comparison results do not match, a problem has occurred somewhere in the media unique key generation process or the authentication process procedure. Authentication fails and unauthorized access is prevented.

  Next, the storage medium 104 authenticates the recorder 101. The device authentication unit 4003 uses the second random number generation unit 4107 to generate a random number C2. The random number C2 is sent to the conversion unit 4108 and also sent to the medium authentication unit 4002. In the conversion unit 4108, the random number C2 and the media unique key Kmu are input to the one-way function G, and G (C2, Kmu) is obtained as a conversion output. Similarly, the conversion unit 4104 in the medium authentication unit 4002 also receives the random number C2 and the media unique key Kmu as the one-way function G, and obtains G (C2, Kmu) as the conversion output. The conversion output obtained by the conversion unit 4104 is sent back from the medium authentication unit 4002 to the device authentication unit 4003 as a response to the random number C2. This response is compared with the conversion output obtained by the conversion unit 4108 in the device authentication unit 4003 in the comparison unit 4109 in the device authentication unit 4003. If the two match, the storage medium 4001 can authenticate that the recorder 101 is a legitimate device. If a response is not returned from the medium authentication unit 4002 within a predetermined time, or if the comparison results do not match, there is a problem somewhere in the media unique key generation process or the above authentication process procedure. Authentication fails and unauthorized access is prevented.

  When the authentication of the storage medium 4001 and the recorder 101 succeeds each other, the random numbers C1 and C2 are converted by the respective conversion units 4105 and 4106 by a one-way function, and the converted output G (C1 and C2) is converted into the session key Ks And The session key Ks is used as an encryption key for encrypting these data when content and related information are transmitted and received between the recorder 101 and the storage medium 4001. Since the session key Ks has a different value every time mutual authentication is performed, the communication between the recorder 101 and the storage medium 4001 is intercepted and stored in another device. Even if an attempt is made to use impersonation, the encryption key has been changed and decryption cannot be performed on the receiving side, thereby preventing unauthorized access.

  In this way, unauthorized access to the storage medium 104 can be prevented using the mutual authentication and the session key generated at that time.

  In the first and second embodiments, the second recording medium 2802 that backs up the content stored in the storage medium 104 protects the content with encryption in order to prevent unauthorized access. Mutual authentication may be performed.

  FIG. 37 shows the functional block configuration of the recorder 101 and the second recording medium 2802 that implement backup by mutual authentication. In FIG. 37, the same components as those in FIG. In addition, the same components as those in FIG. A recorder 101 shown in FIG. 37 has a recording medium drive unit 4201.

  The procedure of mutual authentication is the same as the procedure described with reference to FIGS. The second recording is performed by encrypting information (for example, content and related information) exchanged between the recording medium drive unit 4201 and the second recording medium 2802 using the session key Ks obtained by the mutual authentication. Unauthorized access to the content recorded on the medium 2802 can be prevented.

  In the first and second embodiments, the example in which the encrypted content recorded on the second recording medium 2802 is restored to the storage medium 104 has been described. However, it may be directly reproduced or moved to the first recording medium 109 without being restored to the storage medium 104. It is possible to operate regardless of the free capacity of the storage medium 104 by directly reproducing and moving. For this selection, for example, direct playback and move options may be provided on the restore screen shown in FIG.

  In any of the first and second embodiments, the first recording / reproducing unit may be configured to handle a plurality of second recording media 2802 together. That is, for example, when the second recording medium is a disk medium, a plurality of disk media may be controlled collectively using a magazine type disk drive device capable of storing a plurality of disk media. As a result, content of a large amount of data that does not fit on a single disc medium can be automatically divided and backed up to a plurality of discs, or the content that has been divided and backed up can be restored, played back, or moved continuously. . In particular, when high-resolution video is stored in the storage medium 104, a single DVD can only be backed up for a short time of about 20-30 minutes. However, it is possible to back up content for about 2 hours by using a magazine-type drive. Therefore, it is possible to respond to movie backup without stress.

  Furthermore, in recent years, methods called “check-out” and “check-in” are known as methods for using content stored in a storage medium in other media. “Check-in” and “check-out” are used in, for example, SD audio which is one of applications using an SD memory card.

  Explain the principle of check-out and check-in. First, a counter corresponding to the content stored in the storage processing unit is provided, and when the content is stored, the counter is set to a predetermined value (for example, “3”). Each time the content is copied to another recording medium, the counter is decremented by one. Copying content to another recording medium is called “checkout”.

  When checking out, the content identification information is written to another recording medium together with the content itself by a method that cannot be tampered with. Since the device-specific ID is included in the identification information, the device that has checked out the content can be uniquely identified. Here, “a method that cannot be tampered” refers to, for example, writing in a secret area provided in the SD card. The “secret area” is an area in which only a device that has succeeded in mutual authentication can read and write, and a user cannot directly read and write. Checkout is possible until the counter reaches zero.

  Conversely, returning the content checked out to another recording medium to the original storage processing unit is called “check-in”. Check-in is possible only for the medium on which the content is checked out. That is, a device including a medium to be checked in checks whether or not the content has been checked out from the device based on the device unique ID included in the content identification information before checking in. The check-in is performed only when it is confirmed that the content is checked out from the device.

  When the check-in is performed, the content on the recording medium is disabled. Then, based on the identification information of the content recorded on the recording medium, the corresponding counter held in the accumulation processing unit is specified, and the value of the counter is incremented by one.

  When such a counter is used, the availability information described in the first to third embodiments can be expanded to a plurality. Furthermore, by providing content identification information to the recording medium, a kind of bidirectional move from the recording medium to the storage processing unit is realized as a check-in.

  Hereinafter, an example in which check-out and check-in are applied to the configuration of the first embodiment will be described. The configuration at this time is basically the same as FIG. However, since the “usability flag” shown in FIG. 12A can define only two values of 0 or 1, it is necessary to use a counter that can define two or more values. For example, FIG. 38 shows a modification of the available information.

  In FIG. 38, “usable / unusable information” is indicated because it is possible to determine whether or not the information can be used depending on whether the value is “other than 0” or “0”. However, here, values such as “1” and “2” included in “other than 0” are also important information indicating the number of times they can be used. Therefore, in the following, this availability information is referred to as “usable number information”.

  Next, the operation of the recorder 101 corresponding to “checkout” and “checkin” will be described with reference to FIG. 3 and FIG.

  When there is a content accumulation request from the user, the setting unit 1303 included in the encryption unit 1201 of the accumulation processing unit 103 generates usable number information corresponding to the content.

  First, as preparation, it is determined whether unauthorized tampering has been performed on the content so far. This determination process is as already described in connection with the first embodiment except that “usable number information” is used instead of “usability information”. The current check value 1505 stored in the memory 106 is compared with the check value generated by the check unit 1503. As a result, if the two do not match, an abnormality process is performed, and if the two match, the available number information can be used. If they match, the accumulation process continues. Note that the available number information may be returned to the initial value at the time of abnormality processing.

  In the subsequent processing, the information generation unit 1501 sets the value obtained by incrementing the total number of current usable number information by one as the content identification information of the newly accumulated content. This information is sent to the content encryption unit 1302 (FIG. 9). The usable number information of the address corresponding to the new content identification information is set to a predetermined value (for example, “3”). The predetermined value may be supplied together with the content by the content provider as content ancillary information, or a predetermined value may be set when there is no information from the content provider.

  The available number information is newly added to the memory 106 and held. Also, the value of the check counter 1504 is updated. The check value generation unit 1502 generates a new check value using the new usable number information and the check counter value, and stores the new check value in the memory 106 as the check value 1505.

  Through the above-described processing, the content is accumulated and the availability information is generated.

  Next, processing when a content checkout request or content reproduction request is made by the user will be described. The recorder 101 receives a checkout request via the user interface unit 112.

  Also in these processes, first, it is determined whether or not unauthorized tampering has been performed on the content so far. This process is the same as the process that is initially performed when the above accumulation request is received. The following processing is executed only when it is determined that the usable number information has not been falsified and is valid.

  When there is a checkout request, the contents that can be checked out are displayed on the user interface unit 112. Then, the control unit 111 controls the storage processing unit 103, the recording unit 108, and the like for the content for which a checkout request has been issued from the user interface unit 112, and the Have a checkout process.

  As a result of this processing, when the content can be copied to the first recording medium 109, the information changing unit 1506 reduces the usable number information of the content by 1 and stores it in the memory 106, and updates the check counter 1504. , The new usable number information is sent to the check value generation unit 1507 to generate a new check value. The new check value is also stored in the memory 106.

  When the first recording medium 109 protects the content by encryption or the like, the number information that can be used in the memory 106 and the information that makes the content of the first recording medium 109 available after the storage of the check value is completed. (For example, information related to a key for decrypting the content encryption) is written in the recording medium 109.

  The content identification information is configured by combining, for example, the unique ID of the recorder 101 and the content identification information.

  If the first recording medium 109 cannot copy the content due to a medium failure or the like, the user is notified as abnormal processing and the usable number information, check counter value, check value, etc. are not changed. The process for the checkout request is terminated. Thereby, a check-out operation is realized.

  When there is a check-in request, the check-in content stored in the first recording medium 109 is displayed on the user interface unit 112. At this time, it is only necessary to check the content identification information stored in the first recording medium 109 and select and display only the content identification information including the unique ID of the recorder 101. The control unit 111 controls the accumulation processing unit 103, the recording unit 108, and the like for the content for which the user interface unit 112 has instructed a check-in, and checks the content for which the user interface unit 112 has instructed the check-in. In process is executed. That is, the information changing unit 1506 increments the usable number information of the content by 1 and stores it in the memory 106, updates the check counter 1504, and sends it to the check value generating unit 1507 together with the new usable number information to generate a new check value. To do. The new check value is also stored in the memory 106.

  When the first recording medium 109 protects the content by encryption or the like, the content of the first recording medium 109 is made available before the storage of the usable number information and the check value in the memory 106 is completed. Information (for example, information related to a key for decrypting content encryption) is erased from the recording medium 109. Alternatively, the content itself may be deleted. Thereby, a check-in operation is realized.

  The data processing apparatus and method according to the present invention can store content dedicated to the device that is not limited by the capacity of the storage medium and can be played back by other devices while complying with the content protection rule of “Copying only one generation”. Therefore, it is useful as a storage and recording device.

It is a figure which shows the concept of the process by this invention. It is a figure which shows the concept of the process by this invention. It is a figure which shows the concept of the process by this invention. It is a figure which shows the concept of the process by this invention. It is a figure which shows the hardware constitutions of DVD recorder 101 with a built-in HDD. It is a figure which shows the structure of the functional block of the recorder 101 by Embodiment 1. FIG. FIG. 2 is a diagram showing a functional block configuration of a digital broadcast receiving unit 102. (A) is a figure which shows the example of the data structure of a copy status descriptor (copy status descriptor), (b) is a figure which shows the detailed structure of the Private_data_byte field in management information. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the definition of the value which can be prescribed | regulated to each field in the Private_data_byte field, and its meaning. It is a figure which shows the relationship between copyright protection information, accumulation | storage to a storage medium, digital recording to a removable recording medium, and a move. 3 is a diagram showing a functional block configuration of an accumulation processing unit 103. FIG. It is a figure which shows the more detailed structure of the encryption part 1201 and the decoding part 1203. It is a figure which shows the structure for encrypting and decrypting a content by the method which requires the decoding information intrinsic | native for every content. It is a figure which shows the structure which employ | adopted the tampering prevention method using a check value. It is a figure which shows an example of availability information. It is a figure which shows the number of availability flags, and effective content identification information. FIG. 3 is a diagram illustrating a functional block configuration of an encryption processing unit 113. 6 is a diagram illustrating an example of a data structure of a management information file 1711. FIG. 3 is a flowchart showing an operation procedure of the recorder 101. It is a figure which shows the structure of the functional block of the user interface part. It is a figure which shows an example of a program schedule screen. It is a figure which shows an example of the display screen for reproduction | regeneration operation. It is a figure which shows an example of the display screen for move operation. It is a figure which shows an example of the display screen for deletion operation. It is a figure which shows an example of the display screen for backup operation. It is a figure which shows an example of the display screen for a restore operation. It is a figure which shows the structure of the functional block of the recorder 101 by Embodiment 2. FIG. It is a figure which shows the more detailed structure of the encryption part 2401 and the decoding part 2403. FIG. It is a figure which shows the table in which the some decoding information 2404 was registered. It is a figure which shows the structure which employ | adopted the tampering prevention method using a check value. It is a figure which shows the structure of the functional block of the recorder 101 by embodiment. FIG. 11 is a diagram showing a more detailed configuration of a memory 106, a second recording / reproducing unit 3203, and a third recording medium 3203. It is a figure which shows an example of the display screen for availability information backup operation. It is a figure which shows an example of the display screen for use availability information restore operation. 22 is a diagram illustrating a configuration for backing up and restoring decryption information 2404 to and from a third recording medium 3203. FIG. 6 is a diagram illustrating a configuration example for backing up availability information to a first recording medium 109. FIG. It is a figure which shows the example of a structure for moving the content with respect to the 1st recording medium 109, and performing backup of the availability information 2404 and the encryption content of the storage medium 104. FIG. It is a figure which shows the example which changed the structure of the encryption process part 113 shown in FIG. It is a figure which shows the example which has arrange | positioned the storage medium 104 of FIG. 3 outside. FIG. 11 is a diagram illustrating detailed configurations of a medium authentication unit 4002 and a device authentication unit 4003. It is a figure which shows the structure of the functional block of the recorder 101 and 2nd recording medium 2802 which implement | achieve the backup by mutual authentication. It is a figure which shows the modification of usable information.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Recorder 102 Digital broadcast receiving part 103 Storage processing part 104 Storage medium 106 Memory 108 Recording part 111 Control part 112 User interface part 113 Encryption processing part 2801 1st recording / reproducing part

Claims (10)

A first medium storing content data;
A memory storing usage control information for controlling usage of the content;
An interface unit for receiving a request regarding use of the content;
A recording / reproducing unit capable of writing data to the second medium and reading the data written on the second medium,
When the interface unit receives a backup request for the content, the recording / playback unit writes the data of the content to the second medium, and the memory holds the usage control information without being changed,
When the interface unit receives the restore request for the content, usage control information enabling the use of the content is stored in the memory, and the content data is written to the second medium. The recording / playback unit reads the content data from the second medium and writes the content data to the first medium. A storage processing unit for erasing the data on the first medium;
The storage unit according to claim 1, wherein when the interface unit receives the content erasure request, the accumulation processing unit erases the data of the content, and the memory holds the usage control information without being changed. Data processing device. A control unit for changing the content of the usage control information;
The accumulation processing unit can read the data of the first medium,
When the interface unit receives a move request for the content and usage control information indicating that the use of the content is permitted is stored in the memory, the accumulation processing unit receives the content from the first medium. Data is read and output,
The control unit changes the usage control information indicating that the use of the content is not permitted and stores it in the memory,
The data processing apparatus according to claim 2, wherein the content data is written to one of the second recording medium and a third recording medium different from the second recording medium. The data of the content is encrypted by a method that can be decrypted by unique decryption information,
The recording / playback unit reads the encrypted data from the second medium and writes the encrypted data to the first medium when the decryption information is stored as the usage control information in the memory. The data processing apparatus described. A control unit for changing the content of the usage control information;
The accumulation processing unit can read the data of the first medium,
When the interface unit receives the content move request and the decryption information is stored as the usage control information in the memory, the accumulation processing unit reads the content data from the first medium. Output,
The control unit disables the decryption information,
The data processing apparatus according to claim 4, wherein the content data is written to one of the second recording medium and a third recording medium different from the second recording medium. A decrypting unit for decrypting the content data based on the decryption information;
6. The data processing apparatus according to claim 5, wherein the content data decrypted by the decrypting unit is written to at least one of the second recording medium and a third recording medium different from the second recording medium.   When the interface unit receives a content storage request, the storage processing unit generates usage control information corresponding to the new content, and enables usage of the new content, The data processing apparatus according to claim 2, wherein the new content data is written to the first medium.   The data processing apparatus according to claim 1, wherein the content data includes copy control information that prohibits re-copying. The memory stores usage control information in which the number of times content can be used is specified,
When the interface unit receives the content check-out request and the usage control information indicating that the usable count is 1 or more is stored in the memory, the recording / playback unit Data is written to the second medium, and the memory stores usage control information in which the usable count is reduced by 1,
When the interface unit receives the check-in request for the content, the recording / playback unit disables the data of the content written in the second medium, and the memory has the usable count of 1 The data processing apparatus according to claim 1, wherein the increased usage control information is stored. A storage processing unit for erasing the data on the first medium;
10. The storage processing unit according to claim 9, wherein when the interface unit receives the content erasing request, the storage processing unit erases the data of the content, and the memory holds the usage control information without being changed. Data processing device.

Images