JP2008148132A - Data distribution system, apparatus and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To protect the privacy of the user in data distribution. <P>SOLUTION: The data distribution system is so constructed that a download proxy apparatus 20<SB>1</SB>transmits an apparatus determining value as a hash value of apparatus ID and license ID inherent in a client apparatus 10<SB>1</SB>to a content server apparatus 30<SB>1</SB>. In this manner, unlike before, since the apparatus ID inherent in the client is not given to a data distribution apparatus, the privacy of the user can be protected at the time of data distribution. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a data distribution system, apparatus, and program for distributing data to a user. For example, the present invention relates to a data distribution system, apparatus, and program that can protect a user's privacy during data distribution.

  In recent years, with the development of a network society, devices that distribute content data and devices that receive distribution have become familiar. As a known technique for this type of data distribution, a standard called DTCP-IP (digital transmission content protection over internet protocol) has been established if it is limited to the transmission of content data in the home (for example, non-patented). Reference 1).

  DTCP-IP is a protection standard used between a data distribution apparatus that distributes content data and a legitimate client device that appropriately operates the content data in accordance with license information including an operation condition such as copy prohibition. In DTCP-IP, a data distribution apparatus performs mutual authentication and key exchange with a client device using a public key-based certificate, and transmits / receives encrypted data. Here, the data distribution apparatus confirms the authenticity of the client device using a public key-based certificate, and securely distributes the data by encryption.

  As described above, DTCP-IP has been established for data transmission in the home, and secure data distribution is realized using DTCP-IP using public key-based mutual authentication.

  However, DTCP-IP is limited to the transmission of content data in the home. When DTCP-IP is used for downloading from outside the home to the home, the device ID of the client device arranged in the home on the user side is notified to the data distribution device outside the home during mutual authentication. Therefore, there is a possibility that the privacy of the user is not protected.

For example, when the distribution server stores the download history in association with the device ID included in the public key certificate of the client device, and the user device ID can be associated with the user, the user The privacy will not be protected.
“Tech-on! Glossary of By Nikkei Electronics”, [online], Nikkei Electronics, [Search February 13, 2006], Internet <URL: http://techon.nikkeibp.co.jp/NE/word/ 050308.html> A. Fiat and M. Naor, Broadcast Encryption. In Advances in Cryptology-Crypto '93, Lecture Notes in Computer Science 773, Springer-Verlag, pp. 480-491. JPO homepage, reference room, standard description collection 2005.3.25, client information security technology, D-3-2 decoder revocation, http://www.jpo.go.jp/shiryou/s_sonota/hyoujun_gijutsu/info_sec_tech/ d-3-2.html, accessed on May 10, 2005 M. Naor, B. Pinkas, Efficient trace and revoke schemes, Financial Cryptography 2000, LNCS 1962, Springer-Verlag, pp. 1-20, 2001. Japanese Patent Application No. 2005-146066, Nos. 22-41, etc. Japanese Patent Application No. 2005-16146 JP 2004-320562 A

  As described above, in the conventional data distribution technology, the device ID on the user side is notified to the data distribution apparatus, so that there is a possibility that the privacy of the user is not protected. For this reason, a technique capable of protecting the privacy of users at the time of data distribution is desired.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a data distribution system, apparatus, and program capable of protecting the privacy of a user during data distribution.

  A first aspect of the present invention is a data distribution system comprising a data distribution server device and a data distribution client device, wherein the devices can communicate with each other. Server-side storage means for storing “encrypted content data”, “license information relating to use permission of the content data” and “data decryption key for decrypting the encrypted content data”; Means for encrypting the license agreement information by the revocation function of the broadcast cryptosystem so as to invalidate the broadcast encryption / decryption key, and transmitting the obtained encrypted license agreement information to the data distribution client device; When the group signature and the device determination value are received from the data distribution client device, the group signature is verified. And when the verification result of the group signature is valid, means for generating a digital signature for the device determination value and the license information, and use license information including the device determination value, the license information, and the digital signature When the verification result of the group signature and the means for transmitting to the data distribution client device are valid, an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key is transmitted to the data distribution client device. And means for transmitting the encrypted content data to the data distribution client device when the verification result of the group signature is valid. The data distribution client device includes: The broadcast encryption / decryption key and the public key encryption client public key certificate Ant-side storage means, and upon receiving the encrypted license information from the data distribution server device, the encrypted license information is decrypted with the broadcast encryption / decryption key to obtain license information, "Hash value generated by hash operation from value obtained by concatenating license ID in information and device ID in client public key certificate" or "hash from value obtained by concatenating device ID and license element information" Means for generating a device determination value as a “hash value generated by calculation” and a group signature based on the license information obtained by the decryption, and the group signature and the device determination value are transmitted to the data distribution server device; Means for transmitting, means for receiving the usage permission information from the data distribution server apparatus, and receiving the encrypted content data from the data distribution server apparatus. Means for receiving the encrypted data decryption key from the data distribution server device, decrypting the encrypted data decryption key with the session key to obtain a data decryption key, the use permission information, Means for storing encrypted content data, encrypting and storing a data decryption key obtained by the decryption, a device determination value generated from the use permission information and the device ID, and included in the use permission information Means for verifying that the device determination value matches, and when the verification result of the device determination value is valid, the data decryption key obtained by decrypting the encrypted and stored data decryption key and the stored use And means for decrypting and using the encrypted content data based on permission information.

  In the first invention, a collection of devices is expressed as a “system”. However, the present invention is not limited to this, and a “device”, “method”, “program” or It can be expressed as “computer-readable storage medium”.

(Function)
In the first invention, the client device transmits a device determination value as a hash value between the client-specific device ID and the license information or a hash value between the license ID and the device ID to the data distribution device. In contrast, since the device ID unique to the client is not notified to the data distribution apparatus, the privacy of the user can be protected during data distribution.

  As described above, according to the present invention, privacy of users can be protected during data distribution.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Note that each of the following devices and devices can be implemented in either a hardware configuration or a combination configuration of hardware resources and software for each device and each device. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

  The following terms such as “... key”, “... certificate”, “... random number”, “... value”, “... signature”, “... ID” and “... message” are appropriately referred to as “data” or The term “information” may be read as a new term. That is, “... key data” or “... key information”, “... certificate data” or “... certificate information”, “... random number data” or “... random number information”, “... value data” or “... It may be read as "value information", "... signature data" or "... signature information", "... ID data" or "... ID information", "... message data" or "... message information".

(First embodiment)
1 and 2 are schematic views showing the configuration of the data distribution system according to the first embodiment of the present invention. Internet In this data delivery system, a plurality of client devices 10 _1, 10 ₂ and connected to become client device LAN1 ₁ such as a single download proxy device 20 ₁ is home local network via a router device 2 ₁ It is connected to an external network such as 3.

Similarly, a plurality of client devices _{103, 104} and one other client device download proxy device 20 ₂ is connected to the LAN1 ₂ such another home local network via a router device 2 ₂ Internet 3 is connected.

A plurality of content server devices (data distribution devices) 30 ₁ to 30 ₃ are connected to the Internet 3. A group public key and a broadcast encryption key are distributed from the license server device 4 to the content server devices 30 ₁ to 30 ₃ . The download proxy devices 20 ₁ and 20 ₂ are shipped by the manufacturer factory 5 with group signature key information and the like mounted thereon.

The client devices 10 ₁ to 10 ₄ are shipped by the manufacturer factory 5 with a public key certificate and the like mounted thereon. The manufacturer factory 5 has received the group signature key information and the public key certificate from the license server device 4 in advance. For convenience of explanation, the license server device 4 is a device that serves as both a group signature group administrator, a broadcast encryption system administrator, and a public key certificate authority. Instead, it may be implemented by being shared by different license server devices.

Each client device 10 ₁ to 10 ₄ is a plurality of client devices that can identify each a device ID, because that is the same hardware configuration as each other, by way of the client device 10 ₁ Representative examples described To do. Similarly, each download proxy device 20 _1, 20 ₂ because it has been the same hardware configuration as each other, will be described by way of download proxy device 20 ₁ Representative examples. Since that is the respective contents server apparatus 301 _{to 303} are the same hardware to each other, the content server apparatus 30 ₁ will be described as an representative example.

Here, the client device 10 _1, the secret information storage unit 11, the content information storage section 12, and a download request section 13, receiving section 14 and the content use part 15.

  The secret information storage unit 11 is a storage device as a hardware resource that can be read / written from the download request unit 13 and can be read from the content use unit 15, and includes a device ID unique to the client device, a device public key The client certificate including the license server signature, the device private key corresponding to the device public key, and the license server public key are stored in advance.

It should be noted that the client certificate is a public key certificate of the client device 10 _1. The client certificate, device private key, and license server public key are issued from the license server device 4 and written in advance at the manufacturer factory 5.

  The content information storage unit 12 is a storage device as a hardware resource that can be written from the reception unit 14 and can be read from the content use unit 15, and includes permission information, an encryption / decryption key, and an encrypted data body. Stored in association with each other.

  The download request unit 13 has the following functions (f13-1) to (f13-5).

(f13-1) After generating the download proxy request message M1 by referring to the secret information storage unit 11 and writing it in the secret information storage unit 11 by the user's operation, the download proxy request message M1 is downloaded to the download proxy device 20 Function to send to ₁ .
As shown in FIG. 3, the download proxy request message M1 includes a download request ID, download data information, a first random number RA, and a client certificate. The download request ID is an ID that is consistently used for transmission and reception between the client and the download proxy starting from this request message. The download data information is information indicating the encrypted data body to be downloaded and its data decryption key, and includes, for example, a content server name, a file name, and a payment approval ID. The first random number RA generates a download request section 13, and is used to authenticate the download proxy unit 20 _1. The client certificate is a client public key certificate in the secret information storage unit 11, and includes a device ID unique to the client, a device public key, and a license server signature.

(f13-2) download request after sending the message M1, the ability to write a request response message M2 to the confidential information storage unit 11 receives from the download proxy unit 20 _1.
As illustrated in FIG. 4, the request response message M2 includes a download request ID, a download proxy certificate, a first digital signature SA, and a second random number RB. Download proxy certificate is a public key certificate download proxy device 20 ₁ is held, the download proxy unit 20 ₁ of a device ID, and includes a proxy public key and the license server signature. First digital signature SA is a digital signature generated from the download request message M1 on the basis of the proxy secret key of the download proxy unit 20 _1. Second random number RB are the download proxy unit 20 ₁ is generated and used to authenticate the client device 10 _1.

(f13-3) The download proxy certificate (license server signature) in the request response message M2 is verified with the license server public key in the secret information storage unit 21, and the first digital signature SA is public key of the download proxy certificate Function to verify with.

When (f13-4) each verification result is justifiable, after writing the confidential information storage unit 11 and generates the client verification request message M3, the ability to send client verification request message M3 to the download proxy unit 20 _1.
As shown in FIG. 5, the client verification request message M3 includes a download request ID and a second digital signature SB. The second digital signature SB is a digital signature generated from the request response message M2 based on the client private key.

(f13-5) function of writing the confidential information storage unit 11 receives the download request establishment message M4 from the download proxy unit 20 _1.
As shown in FIG. 6, the download request establishment message M4 includes a download request ID and a start / stop flag. The start / stop flag is a flag indicating “start” when the verification result of the digital signature SB is valid and indicating “stop” when the verification result is invalid.

Receiving unit 14, the download proxy unit separately license information from the 20 _1, a function of receiving an encrypted decryption key and the encrypted data itself, these license information, the content information in association with each other the encoded decoding key and the encrypted data body And a function of writing in the storage unit 12.

  The content use unit 15 has a function of reading the license information, the encryption / decryption key, and the encrypted data body in the content information storage unit 12, and a function of using the read encrypted data body according to the license information.

  Specifically, the content using unit 15 has the following functions (f15-1) to (f15-4).

(f15-1) By the operation of the operator, the content server certificate in the license information is verified based on the license server public key in the secret information storage unit 11, and based on the server public key in the content server certificate The fourth digital signature SD is verified, a device determination value generated based on the permission ID in the permission information and the device ID in the client certificate stored in the secret information storage unit 11, and the device determination value in the permission information A function that verifies that and match.
(f15-2) A function for determining whether or not the content of the usage process matches the access control information in the license information when the verification result is valid.
(f15-3) A function of decrypting the encrypted decryption key based on the device public key in the secret information storage unit 11 and decrypting the encrypted data body based on the obtained data decryption key only when it is compatible.
(f15-4) A function of using (eg, reproducing) the content data body obtained by decryption by the operation of the operator.

On the other hand, the download proxy unit 20 ₁ is provided with a confidential information storage unit 21, the request establishing part 22, the download request section 23, the key exchange section 24 and the downloading unit 25.

The secret information storage unit 21 is a storage device as a hardware resource that can be read / written from the request establishment unit 22, the download request unit 23, the key exchange unit 24, and the download unit 25, and is a group for generating a group signature. Signature key information (member certificate, member secret key, group public key), unique key information corresponding to broadcast encryption, download proxy certificate, proxy secret key corresponding to proxy public key included in download proxy certificate, broadcast A type encryption / decryption key and a license server public key are stored. Incidentally, the download proxy certificate is a public key certificate of the download proxy unit 20 ₁ includes download proxy unique device ID, and proxy public key and the license server signature. The download proxy certificate, proxy private key, group signature key information, and license server public key are issued from the license server device 4 and written in advance at the manufacturer factory 5. Broadcast decryption key is updated as needed from the content server apparatus 30 ₁ when downloading the data body.

  The request establishing unit 22 has the following functions (f22-1) to (f22-6).

(f22-1) function of writing the confidential information storage unit 21 from the client device 10 ₁ receives the download proxy request message M1.

(f22-2) A function of verifying the client certificate (license server signature) in the download proxy request message M1 with the license server public key in the secret information storage unit 21.

(f22-3) when verification is correct, after writing the confidential information storage unit 21 generates a request response message M2 with reference to the secret information storage unit 21, the request response message M2 to the client device 10 ₁ Ability to send.

(f22-4) function of writing the confidential information storage unit 21 receives the client verification request message M3 from the client device 10 _1.

(f22-5) A function of verifying the second digital signature SB in the client verification request message M3 with the device public key of the client certificate.

(f22-6) when the verification result of the second digital signature SB is legitimate, after writing the confidential information storage unit 21 generates a download request establishment message M4, sends the download request establishment message M4 to the client device 10 ₁ And a function for starting the download request unit 23.

  The download request unit 23 has the following functions (f23-1) to (f23-2).

(f23-1) When activated by the request establishing unit 22, the download request message M5 is generated and written to the secret information storage unit 21 while referring to the secret information storage unit 21, and then the download request message M5 is transmitted to the content server. function of transmitting to the device 30 _1.

  As shown in FIG. 7, the download request message M5 includes a download request ID, download data information, a broadcast encryption key version, and a third random number RC.

  As the download request ID and the download data information, the value of the download proxy request message M1 in the secret information storage unit 21 is used. The third random number RC is generated by the download request unit 23.

(f23-2) A function of starting the key exchange unit 24 after the transmission of the download request message M5.

  The key exchange unit 24 has the following functions (f24-1) to (f24-6).

(f24-1) receives a broadcast decryption keys latest version from the content server apparatus 30 ₁ function of writing the confidential information storage unit 21.

(f24-2) function of writing the confidential information storage unit 21 receives the encrypted license containing information message M6 from the content server apparatus 30 _1.

As shown in FIG. 8, the encrypted license element information message M6 includes a download request ID, an encrypted license element information body, a content server certificate, a third digital signature SC, and a fourth random number RD. The download request ID is the same value as the download request ID in the download request message M5. The encrypted license element information body obtains a hash value HA of the message “license ID, data ID, access control information”, and license element information (license ID, data ID, access control) including the obtained first hash value HA. Information, first hash value HA) is encrypted with a broadcast encryption key. License ID is for the content server apparatus 30 ₁ is generated as an ID of the access control information issued by the download. The data ID is the ID of the content data that is the subject of this license information. The access control information indicates a control condition when the client device 10 ₁ is to access the data. For example, it is possible to transfer to another legitimate device, whether to move, etc. The third digital signature SC is a digital signature generated from the download request message M5 with the content server private key.

(f24-3) A function of obtaining the license information by decrypting the encrypted license information body in the encrypted license information message M6 based on the broadcast encryption / decryption key in the secret information storage unit 21.

(f24-4) The first hash value HA in the license information is verified based on the license information, the content server certificate is verified based on the license server public key in the secret information storage unit 21, and the content server certificate A function of verifying the third digital signature SC based on the content server public key in the document.

(f24-5) If these verification results are invalid (error), the download request is canceled. If the verification results are valid, an authentication key exchange message M7 is generated and written in the secret information storage unit 21, and then this authentication is performed. ability to send the key exchange message M7 to the content server apparatus 30 _1.

  As shown in FIG. 9, the authentication key exchange message M7 includes a download request ID, a device determination value, key exchange information, and a group signature.

  Here, the device determination value is a hash value generated by hash calculation from a value obtained by concatenating the permission ID and the device ID of the client certificate. The device determination value is not limited to this, and may be a hash value generated by hash calculation from a value obtained by concatenating the device ID of the client certificate and the license information. In addition, the device determination value is not limited to the hash value generated by the hash operation, and may be generated by any algorithm (from any of the above concatenated values) as long as it is an algorithm that makes it difficult to estimate the device ID. The generated value is available. The key exchange information is an encrypted session key obtained by generating a session key and encrypting it with the content server public key in the content server certificate. The session key sharing method is not limited to this. For example, any key sharing method such as a Diffie-Hellman key sharing method can be used. The group signature is generated from the signature target message M7-1 including the download request ID, the license information body, the device determination value, the key exchange information, and the fourth random number RD, based on the group signature key information in the secret information storage unit 21. Is done. Instead of the signature object message M7-1 including both the device determination value and the key exchange information, as shown in FIG. 10 or FIG. 11, the signature object message M7-2 not including the key exchange information, or the device determination value The signature target message M7-3 that does not include the message may be used. That is, the signature target message includes one or both of the device determination value and the key exchange information in addition to the download request ID, the license information body, and the fourth random number RD.

(f24-6) A function of starting the download unit 25 after transmitting the authentication key exchange message M7.

  The download unit 25 has the following functions (f25-1) to (f25-7).

(f25-1) encrypted decryption key license signing messages M8 received from the content server apparatus 30 ₁ function of writing the confidential information storage unit 21.

  The encryption / decryption key permission signature message M8 includes a download request ID and session key encryption information as shown in FIG. The session key encryption information is obtained by encrypting a message including the fourth digital signature SD, the data decryption key, and the second hash value HB with a session key obtained by decrypting the key exchange information. The fourth digital signature SD is generated from the target message M8-1 based on the content server private key. The target message M8-1 of the fourth digital signature SD includes a permission ID, a device determination value, a data ID, and access control information. The data decryption key is a key used for decrypting the encrypted data body. The second hash value HB is a hash value of a value obtained by concatenating the fourth digital signature SD and the data decryption key.

(f25-2) A function of decrypting the session key encryption information based on the session key in the secret information storage unit 21 to obtain the fourth digital signature SD, the data decryption key, and the second hash value HB.

(f25-3) The second hash value HB is verified based on the fourth digital signature SD and the data decryption key, and the fourth digital signature based on the content server public key of the content server certificate in the secret information storage unit 12 Function to verify SD.

(f25-4) A function of generating permission information M9 and writing it in the secret information storage unit 21 when each verification result is valid.

  As shown in FIG. 13, the permission information M9 includes a permission ID, a device determination value, a data ID, access control information, a fourth digital signature SD, and a content server certificate.

(f25-5) A function of encrypting the data decryption key based on the device public key of the client certificate and writing the obtained encrypted decryption key in the secret information storage unit 21.

(f25-6) a transmission request of the encrypted data body transmitted to the content server apparatus 30 _1, function of writing the confidential information storage unit 21 receives the encrypted data body from the content server apparatus 30 _1.

(f25-7) license information M9 in the secret information storage unit 21, a function of transmitting the encrypted decryption key and the encrypted data body individually client device 10 _1.

On the other hand, the content server apparatus 30 ₁ is provided with a confidential information storage unit 31, content information storage unit 32, receiving unit 33, the key exchange unit 34 and the download unit 35.

The secret information storage unit 31 is a storage device as a hardware resource that can be read / written from the reception unit 33 and can be read from the download unit 35, and includes a device ID unique to the content server, a content server public key, and A content server certificate including a license server signature, a content server private key corresponding to the content server public key, a license server public key, a group public key, a broadcast encryption / decryption key, and a broadcast encryption / decryption key are stored in advance. ing. In addition, the content server certificate is a public key certificate of the content server apparatus 30 _1. The content server certificate, content server private key, license server public key, and group public key are issued from the license server device 4 and written in advance at the manufacturer factory 5. The group public key is public key information for verifying the group signature.

  The content information storage unit 32 is a storage device as a hardware resource that can be read from the key exchange unit 34 and the download unit 35. For each content to be distributed, the encrypted data body, the license information, and the data decryption key are stored. Stored in association with each other. The encrypted data body is encrypted data obtained by encrypting content data, for example. The license information is information related to the use permission of the content data. Specifically, as described above, the message of “license ID, data ID, access control information” and the first hash value HA obtained from this message. (License ID, data ID, access control information, first hash value HA). Note that the license element information is not limited to this, and for example, the first hash value HA may be omitted. The data decryption key is key information for decrypting the encrypted data.

  The receiving unit 33 has the following functions (f33-1) to (f33-3).

(f33-1) function of writing the confidential information storage unit 21 receives the download request message M5 from the download proxy unit 20 _1.

(f33-2) Check the broadcast version of the decryption key of the download request message in M5, at the latest version, the download proxy unit 20 ₁ the latest broadcast decryption key in the secret information storage unit 31 Ability to send.

(f33-3) A function for starting the key exchange unit 34 after confirming the version of the broadcast encryption / decryption key.

  The key exchange unit 34 has the following functions (f34-1) to (f34-5).

(F34-1) The encrypted license information message M6 is generated and written to the secret information storage unit 31 with reference to the secret information storage unit 31 and the content information storage unit 32, and then the encrypted license information message M6 is stored. function of transmitting to the download proxy unit 20 _1. The encrypted license information body included in the encrypted license information message M6 is stored in the content storage unit 31 by the revocation function of the broadcast encryption method so as to invalidate the broadcast encryption / decryption key to be invalidated. Obtained by encrypting the license information.

(F34-2) function of writing the confidential information storage unit 31 receives the authentication key exchange message M7 from the download proxy unit 20 _1.

(f34-3) A function of verifying the group signature in the authentication key exchange message M7 based on the group public key in the secret information storage unit 31.

(f34-4) When the verification result is invalid, the download is stopped, and when the verification result is valid, the session exchange key is decrypted by decrypting the key exchange information based on the content server private key in the secret information storage unit 31. Function to get.

(f34-5) A function of starting the download unit 35 after obtaining the session key.

  The download unit 35 has the following functions (f35-1) to (f35-3).

(f35-1) The encryption / decryption key license signature message M8 is generated and written to the secret information storage unit 31 with reference to the secret information storage unit 31 and the content information storage unit 32, and then the encryption / decryption key license signature message M8 is written. function of transmitting to the download proxy unit 20 _1.

(f35-2) in response to the transmission request received from the download proxy unit 20 _1, the ability to transmit the encrypted data body of the content information in the storage unit 32 to the download proxy unit 20 _1.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG. 14 and the flowchart of FIG.

(download)
In the client device 10 _1, the download request section 13, the operation of the user, with reference to the secret information storage unit 11, the download request ID, download data information, download proxy request including the first random number RA and client certificate A message M1 is generated and written in the secret information storage unit 11.

Thereafter, the download request section 13 transmits the download proxy request message M1 to the download proxy unit 20 ₁ (ST1).

On the other hand, in the download proxy unit 20 _1, the request establishment unit 22 writes the secret information storage unit 21 receives the download proxy request message M1.

  The request establishing unit 22 verifies the client certificate in the download proxy request message M1 with the license server public key in the secret information storage unit 21.

  When the verification result is valid, the request establishment unit 22 generates a request response message M2 including the download request ID, the download proxy certificate, the first digital signature SA, and the second random number RB while referring to the secret information storage unit 21. And writes it in the secret information storage unit 21.

Thereafter, the request establishing part 22 sends the request response message M2 to the client device 10 ₁ (ST2).

In the client device 10 ₁ is written into the secret information storage unit 11 the download request section 13 receives the request response message M2.

  Next, the download request unit 13 verifies the download proxy certificate in the request response message M2 with the license server public key in the secret information storage unit 21, and verifies the first digital signature SA with the public key of the download proxy certificate. To do.

When each verification result is valid, the download request unit 13 generates a client verification request message M3 including the download request ID and the second digital signature SB and writes the client verification request message M3 in the secret information storage unit 11. Thereafter, the download request section 13 transmits the client verification request message M3 to the download proxy unit 20 ₁ (ST3).

In the download proxy unit 20 ₁ is written into the secret information storage unit 21 requests establishment unit 22 receives the client verification request message M3.

  The request establishing unit 22 verifies the second digital signature SB in the client verification request message M3 with the device public key of the client certificate.

  When the verification result of the second digital signature SB is valid, the request establishment unit 22 generates a download request establishment message M4 including a download request ID and a start / stop flag and writes it in the secret information storage unit 21.

Thereafter, the request establishing part 22 sends the download request establishment message M4 to the client device 10 ₁ (ST4).

In the client device 10 _1, the download request section 13 writes the secret information storage unit 11 receives the download request establishment message M4.

On the other hand, in the download proxy unit 20 _1, while the download request section 23 refers to the secret information storage unit 21, a download request ID, and the download request message M5 containing download data information, broadcast encryption key version and a third random number RC Generate and write to the secret information storage unit 21. Thereafter, the download request section 23 transmits the download request message M5 to the content server apparatus 30 ₁ (ST5).

On the other hand, in the content server apparatus 30 _1, receiving unit 33 writes the secret information storage unit 21 receives the download request message M5.

Reception unit 33 checks the broadcast version of the decryption key in the download request message M5, at the latest version, the download proxy unit 20 ₁ the latest broadcast decryption key in the secret information storage unit 31 Transmit (ST6).

In the download proxy unit 20 ₁ is written into the secret information storage unit 21 the key exchange section 24 receives a broadcast decryption keys the latest version.

On the other hand, in the content server apparatus 30 _1, the key exchange section 34, with reference to the secret information storage unit 31 and content information storage unit 32, the download request ID, the encrypted license containing information body, the content server certificate, third An encrypted license information message M6 including the digital signature SC and the fourth random number RD is generated and written to the secret information storage unit 31.

Thereafter, the key exchange unit 34 transmits the encrypted license containing information message M6 to the download proxy unit 20 ₁ (ST7).

In the download proxy unit 20 _1, the key exchange section 24 writes the secret information storage unit 21 receives the encrypted license containing information message M6.

  The key exchange unit 24 decrypts the encrypted license element information body in the encrypted license element information message M6 based on the broadcast encryption / decryption key in the secret information storage unit 21, and the permission ID, data ID, access control information, and The license information including the first hash value HA is obtained.

  The key exchange unit 24 verifies the first hash value HA in the license information based on the license information, verifies the content server certificate based on the license server public key in the secret information storage unit 21, and The third digital signature SC is verified based on the content server public key in the certificate.

  The key exchange unit 24 stops the download request when these verification results are invalid (error), and authenticates the key exchange message including the download request ID, device determination value, key exchange information, and group signature when the verification results are valid. M7 is generated and written to the secret information storage unit 21.

  At this time, the device determination value is a hash value, and is generated by hash calculation from a value obtained by concatenating the permission ID and the device ID of the client certificate. The key exchange information is generated by generating a session key and encrypting the session key with the content server public key in the content server certificate. Further, the group signature is generated from the signature target message M7-1 including the download request ID, the license information body, the device determination value, the key exchange information, and the random number RD, based on the group signature key information in the secret information storage unit 21. (ST8).

Thereafter, the key exchange unit 24 transmits the authentication key exchange message M7 to the content server apparatus 30 ₁ (ST9).

In the content server apparatus 30 _1, the key exchange unit 34 writes the secret information storage unit 31 receives the authentication key exchange message M7.

  The key exchange unit 34 verifies the group signature in the authentication key exchange message M7 based on the group public key in the secret information storage unit 31.

  When the verification result is invalid, the key exchange unit 34 stops the download, and when the verification result is valid, the key exchange unit 34 decrypts the key exchange information based on the content server private key in the secret information storage unit 31 and decrypts the session key. Get. Thereafter, the key exchange unit 34 activates the download unit 35.

  The download unit 35 generates an encryption / decryption key permission signature message M8 including the download request ID and the session key encryption information while referring to the secret information storage unit 31 and the content information storage unit 32, and stores the encrypted request in the secret information storage unit 31. Write.

  At this time, the session key encryption information is generated by encrypting a message including the fourth digital signature SD, the data decryption key, and the second hash value HB with the session key obtained by decrypting the key exchange information. The fourth digital signature SD is generated from the target message M8-1 based on the content server private key. The target message M8-1 of the fourth digital signature SD includes a permission ID, a device determination value, a data ID, and access control information. The data decryption key is a key used for decrypting the encrypted data body. The second hash value HB is a hash value of a value obtained by concatenating the fourth digital signature SD and the data decryption key.

Thereafter, the download unit 35 transmits the encrypted decryption key license signing message M8 to the download proxy unit 20 ₁ (ST11).

In the download proxy unit 20 _1, downloading unit 25 writes the encrypted decryption key license signing message M8 to the confidential information storage unit 21.

  The download unit 25 decrypts the session key encryption information based on the session key in the secret information storage unit 21 to obtain the fourth digital signature SD, the data decryption key, and the second hash value HB.

  The download unit 25 verifies the second hash value HB based on the fourth digital signature SD and the data decryption key, and based on the content server public key of the content server certificate in the secret information storage unit 12 Verify SD.

  When each verification result is valid, the download unit 25 generates a license information M9 including a license ID, a device determination value, a data ID, access control information, a fourth digital signature SD, and a content server certificate, and generates a secret information storage unit Write to 21. Further, the download unit 25 encrypts the data decryption key based on the device public key of the client certificate, and writes the obtained encrypted decryption key in the secret information storage unit 21.

Thereafter, the download unit 25 sends the transmission request of the encrypted data body to the content server apparatus 30 ₁ (ST12), receives the encrypted data body from the content server apparatus 30 ₁ (ST13).

Download section 25 transmits the license information M9 in the secret information storage unit 21 to the client device 10 ₁ (ST14). Further, the download unit 25 transmits the encrypted decryption key in the secret information storage unit 21 to the client device 10 ₁ (ST15). Further, the download unit 25 transmits the encrypted data body in the confidential information storage unit 21 to the client device 10 ₁ (ST16).

In the client device 10 _1, the receiving unit 14, separately license information from the download proxy unit 20 ₁ receives the encrypted decryption key and the encrypted data itself, these license information, an encrypted decryption key and the encrypted data body Write in the content information storage unit 12 in association with each other.

(Content use)
In the client device 10 _1, the content section 15 determines the operation of the operator, whether or not there is permission information M9 in the content information storage section 12 (ST21).

  If there is no permission information M9 as a result of the determination in step ST21, the content using unit 15 ends the process. If there is permission information M9, the content using section 15 opens the permission information M9 (ST22). A permission ID, a device determination value, a data ID, access control information, a fourth digital signature SD, and a content server certificate are obtained.

  Subsequently, the content using unit 15 verifies the content server certificate in the license information based on the license server public key in the secret information storage unit 11 (ST23).

  The content utilization unit 15 ends the process when the verification result of step ST23 is invalid, but verifies the fourth digital signature SD based on the server public key in the content server certificate when the verification result of step ST23 is valid. (ST24).

  The content utilization unit 15 ends the process when the verification result of step ST24 is invalid, but when the verification result of step ST24 is valid, the content ID and the client certificate stored in the secret information storage unit 11 Based on the device ID in the device, the device determination value in the license information is verified (ST25).

  The content utilization unit 15 ends the process when the verification result at step ST25 is invalid, but when the verification result at step ST25 is valid, the content utilization unit 15 determines whether or not the content of the utilization process conforms to the access control information in the license information. Determine (ST26).

  The content utilization unit 15 decrypts the encryption / decryption key based on the device public key in the secret information storage unit 11 only when the determination result in step ST26 is “compatible” (ST27), and the obtained data decryption key The encrypted data body is decrypted based on

  The content use unit 15 uses and processes the content data body obtained by the decryption by the operation of the operator (ST28).

According to the present embodiment as described above, the public key certificate within a local area, such as home LAN11 that does not require anonymity, performs authentication of the component interconnect between the client device 10 ₁ and the download proxy unit 20 ₁ .

Thereafter, when downloading from the content server apparatus 30 ₁ on the external network of the Internet 3 or the like, the content server apparatus 30 _1, anonymous authentication download proxy device 20 ₁ by the group signature generated for the download proxy unit 20 ₁ As a result, the anonymity of authentication is ensured, and at the same time, the clients 10 ₁ and 10 ₂ do not need to have a high information processing capability required for the group signature. Therefore, it is possible to realize by using the client device 10 ₁ of the low processing capability.

Further, explicitly by passing the device determination value generated from the licensed ID and the device ID to the content server apparatus 30 ₁ without putting, letting the device ID to the content server apparatus 30 ₁ a device ID of the client device 10 ₁ without, it is possible to issue a license information identifying the client device 10 _1. Here, unlike the prior art, because the client-specific device ID is not notified to the content server apparatus 30 _1, when the data distribution, it is possible to protect the user's privacy.

Further, the content server apparatus 30 _1, the revocation capabilities of the broadcast encryption scheme described in Patent Document 1 or the like, is possible to easily disable the download proxy unit 20 ₁ that has leaked group signature key (member private key) it can.

  Note that the broadcast encryption method described in Patent Document 1 is as follows, for example.

That is, as a broadcast encryption method, a technique is known in which a decryption key is distributed to all members belonging to a group in advance, and a ciphertext that can be decrypted only after a specific decryption key is generated (for example, Non-patent documents 2 to 4).

  The broadcast encryption method is widely applied to limited reception of pay broadcasts and limited playback of DVDs to users registered in advance. Specifically, a broadcast encryption key is stored in advance in a broadcast receiver or DVD player, and the contents of a pay broadcast or DVD are encrypted by a broadcast encryption method, so that a specific (for example, registered) The content can be viewed only on a broadcast receiver and a DVD player (for which a viewing fee has been paid). As can be seen from these application examples, the calculation amount of encryption and decryption of the broadcast encryption method is designed to be very small so that broadcast and reproduction can be performed in real time.

  The broadcast encryption method is composed of the following five functions. (1) Secret information generation function Init: Security information is input and secret information S necessary for generating an encryption key and a decryption key is output. (2) Decryption key generation function DKeyGen: The secret information S is input, and a different decryption key Ki is output for each member. (3) Encryption key generation function EKeyGen: Inputs secret information S and information for specifying a decryptable decryption key (or information for specifying a decryption key to be revoked), and outputs an encryption key Kv. (4) Encryption function E: Inputs an encryption key and a message, and outputs a ciphertext. (5) Decryption function D: Inputs a decryption key and ciphertext, and outputs a decrypted message. However, when the decryption key is revoked, a message different from NG or the original message is output.

That is, the content server apparatus 30 of _the present embodiment, by using a revocation function of such a broadcast encryption scheme (revoked function), the download proxy unit 20 ₁ that has leaked group signature key (member private key) It can be easily disabled.

(Second Embodiment)
FIGS. 16 and 17 are schematic views showing the configuration of the data distribution system according to the second embodiment of the present invention. The same parts as those in FIGS. 1 and 2 are denoted by the same reference numerals, and detailed description thereof is omitted. Here, the different parts are mainly described. In the following embodiments, the same description is omitted.

That is, the present embodiment is a modification of the first embodiment, leave download data directly local data server from the external content server 30 _1, then the local data server to the client device 10 ₁ In this mode, data is streamed. Specifically instead of the download proxy unit 20 ₁ shown in FIG. 1, it is provided with a local data server 40 _1.

Here, the local data server device 40 ₁ has substantially the same functions each unit of 21'～25 'respective units 21 to 25 of the download proxy unit 20 ₁ described above, further, the content information storage unit 26 and the streaming unit 27 I have.

  The secret information storage unit 21 ′ holds the local data server certificate and the local data server secret key in place of the download proxy certificate and the proxy secret key in the secret information storage unit 21 described above, and further stores the client certificate. Has been.

  The local data server certificate is a public key certificate including a device ID unique to the local data server, a local data server public key, and a license server signature. The local data server certificate, the local data server private key, and the license server public key are issued from the license server device 4 and written in advance at the manufacturer factory 5. The local data server private key is a private key corresponding to the local data server public key included in the local data server certificate.

  The request establishment unit 22 has the functions (f22-1) to (f22-6) described above, and activates the streaming unit 27 instead of the function to activate the download request unit 23 in the function (f22-6). It has a function to do.

  Accordingly, instead of the messages M1 to M4 related to the download request described above, as shown in FIGS. 18 to 21, each message M1 ′ to M4 ′ using “streaming” instead of “download”, and “download” Instead of “proxy certificate”, message M2 ′ using “local data server certificate” is used.

  The download request unit 23 has the above-described functions (f23-1) to (f23-2). In the function (f23-1), instead of the function activated by the request establishment unit 22, the operation of the operator It has a function activated by.

  The key exchange unit 24 has the functions (f24-1) to (f24-6) described above.

  The download unit 25 has the functions (f25-1) to (f25-6) described above. In the functions (f25-4) to (f25-6), the license information M9, the encryption / decryption key, and the encrypted data The writing destination of the main body is the content information storage unit 26, and the function (f25-7) for transmitting the permission information M9, the encryption / decryption key, and the encrypted data main body is omitted.

  The content information storage unit 26 is a storage device as a hardware resource that can be written from the download unit 25 and can be read from the streaming unit 27, and the license information, the encryption / decryption key, and the encrypted data body are mutually connected. Associated and stored.

Streaming unit 27 is activated to request establishment unit 22 has a function for streaming transmission permission information M9 of the content information in the storage unit 26, the decryption key and the encrypted data body individually client device 10 _1. As the access control information in the permission information M9, for example, the content that data transfer for streaming reproduction is permitted to two client devices at the same time may be provided.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG.

First, in advance in the local data server device 40 _1, the content between the content server apparatus 30 _1, by executing the steps ST5~ST13 described above, the license information M9, the encrypted decryption key and the encrypted data body Write to the information storage unit 26.

Then, in the client device 10 _1, between the local data server device 40 _1, by executing the same steps ST1'～ST4 'and step ST1~ST4 described above, to establish a streaming request. Note that “equivalent” means that steps ST1 ′ to ST4 ′ use the word “streaming” instead of the word “download” in each message M1 ′ to M4 ′, and replace it with “download proxy certificate”. This means that the processing is the same as in steps ST1 to ST4 described above except that the “local data server certificate” is used.

The establishment of a streaming request, the local data server device 40 _1, the request establishment unit 22 starts streaming unit 27.

Streaming unit 27 transmits as in step ST14~ST15 described above, the license information M9 and decryption key of the content information storage unit 26 respectively to the client device 10 ₁ (ST14, ST15).

Thereafter, the streaming unit 25 streaming transmits the encrypted data body of the content information in the storage unit 26 to the client device 10 ₁ (ST16 ').

In the client device 10 _1, the receiving unit 14, and separately permission information from the local data server device 40 ₁ receives the encrypted decryption key and the encrypted data body, associate these license information and the encrypted decryption key together content In addition to writing to the information storage unit 12, the encrypted data body is sent to the content use unit 15.

  The content utilization unit 15 performs streaming reproduction of the encrypted data body by executing steps ST21 to ST28 described above.

According to the present embodiment as described above, the local data server device 40 _1, leave download data directly from the external content server 30 _1, then, in the form of streaming transmission data to the client device 10 ₁ Even if it deform | transforms, the effect of 1st Embodiment can be acquired.

Further, the access control information, the case of providing the content data transfer is permitted, such as for the client device to the streaming playback of up to two simultaneous, data local data server 40 ₁ is downloaded, a plurality of clients Share and access. This is advantageous when centrally managing the encrypted data body in the local network.

Data transfer to the client device performs mutual authentication and key exchange based on public key certificates between the local data server device 40 ₁ and the client device 10 ₁ (ST1'~ST4 '), a local data server device while 40 ₁ to obtain a device public key from the client device 10 ₁ can be realized by a DTCP-IP equivalent technologies such local data server 40 ₁ to pass data server public key to the client device 10 _1.

(Third embodiment)
Next, a data distribution system according to the third embodiment of the present invention will be described.
This embodiment is a modification of the second embodiment, and the local data server device 40 ₁ generates a plurality of device determination values corresponding to the plurality of client devices 10 ₁ and 10 ₂ , thereby In this form, the license information M9 for the client devices 10 ₁ and 10 ₂ can be obtained simultaneously.

  Accordingly, the authentication key exchange message M7 is configured to include a plurality of device determination values instead of one device determination value, as shown in any of FIGS. Similarly, the encryption / decryption key permission signature message M8 and the permission information M9 are configured to include a plurality of device determination values instead of one device determination value, as shown in FIG. 26 or FIG. 27, respectively.

Further, as the encryption / decryption key in the content information storage unit 26, the data decryption key is encrypted with the client public key of the client device 10 ₁ , 10 ₂ corresponding to each device determination value. The encryption / decryption key is stored.

According to the above configuration, in addition to the effect of the second embodiment, data local data server 40 ₁ is downloaded, accessible shared by the plurality of clients registered in the device determination value license information It becomes like this. This is advantageous when centrally managing the encrypted data body in the local network.
(Fourth embodiment)
28 and 29 are schematic views showing the configuration of a data distribution system according to the fourth embodiment of the present invention. This embodiment is a modification of the first embodiment, the client device 10 ₁ is configured to download data from the content server apparatus 30 ₁ without passing through the download proxy, and requires high processing capacity It has become a delegate form the majority of the computation of the group signature anonymous proxy device 50 _1.

Specifically, instead of the download proxy unit 20 ₁ shown in FIG. 1, it arranged a function of the download proxy unit 20 ₁ of each section 21,23,24,25 to the client device 10 ₁ and the Patent Document 2 It is provided anonymous proxy device 50 _1.

Here, the client device 10 ₁ is provided with a confidential information storage unit 21 ", the download request section 23, the key exchange section 24", the download section 25, the content information storage section 26 and the content using unit 15.

  The secret information storage unit 21 ″ is a combination of the storage contents of the secret information storage units 11 and 21 described above. In the storage contents of the storage information storage unit 21, instead of the download proxy certificate and the proxy secret key, the client A certificate and a device private key are stored.

  The download request unit 23 has the above-described functions (f23-1) to (f23-2). In the function (f23-1), instead of the function activated by the request establishment unit 22, the operation of the operator It has a function activated by.

Key exchange unit 24 'has a function each described above (f24-1) ~ (f24-6), delegate the function (f24-5), the majority of the computation of the group signature anonymous proxy device 50 ₁ In addition, when generating a group signature, the key exchange unit 24 ″ executes an operation based on the group public key and the member secret key in the group signature key information. On the other hand, anonymous proxy device 50 _1, of the group signature key information, execute the operation based on the member certificate and the group public key.

  The download unit 25 has the functions (f25-1) to (f25-6) described above. In the functions (f25-4) to (f25-6), the license information M9, the encryption / decryption key, and the encrypted data The writing destination of the main body is the content information storage unit 26, and the function (f25-7) for transmitting the permission information M9, the encryption / decryption key, and the encrypted data main body is omitted.

  The content information storage unit 26 is a storage device as a hardware resource that can be written from the download unit 25 and can be read from the content use unit 15, and includes permission information, an encryption / decryption key, and an encrypted data body. Stored in association with each other.

  The content use unit 15 has the functions (f15-1) to (f15-4) described above. In each function, the secret information storage unit 21 ″ is used instead of the secret information storage unit 11, and the content information Instead of the storage unit 12, a content information storage unit 26 is used.

On the other hand, anonymous proxy apparatus 50 ₁ includes a signature generation information storage unit 41 and the group signature generation function unit 42.

Signature generation information storage unit 41 is a storage device as a read / writable hardware resources from group signature generation function unit 42, the member certificate sent from the client device 10 _1, the group public key and calculation of the middle Calculation parameters and the like are stored.

Group signature generation function unit (auxiliary arithmetic unit) 42 is a functional unit for assisting a group signature generation by the client device 10 _1, when generating a group signature, the member certificate and the group transmitted from the client device 10 ₁ performs an operation based on a public key (operation which is not based on the member secret key), it has a function that returns the operation result to the client device 10 _1.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG.

First, in the client device 10 _1, between the content server apparatus 30 _1, by executing the steps ST5~ST7 described above, and writes the received encrypted license containing information message M6 to the secret information storage unit 21 " .

Then, in the client device 10 _1, as before, the key exchange section 24 "is decoded based on the encrypted license containing information body of the encrypted license containing information message M6 to broadcast decryption key, license containing get information.

  As described above, the key exchange unit 24 ″ verifies the first hash value HA in the license information, verifies the content server certificate, and verifies the third digital signature SC.

  The key exchange unit 24 ″ stops the download request when these verification results are invalid (error), and authenticates the key exchange including the download request ID, device determination value, key exchange information, and group signature when the verification results are valid. The generation process of the message M7 is started.

The key exchange unit 24 ″ generates a device determination value (ST8-1).
The key exchange section 24 "is, to exchange information required to generate group signature with the anonymous proxy device 50 ₁ (ST8-2). At this time, the key exchange section 24", the member certificate and the group pass the public key to the anonymous proxy device 50 _1, but do not pass a member secret key to an anonymous proxy device 50 _1. The anonymous proxy device 50 ₁ executes the calculation based on the member certificate and the group public key does not perform the calculation using member private key (since member private key is not, can not be executed).

Supplementally, the generation of a group signature requires two types of calculations: a calculation using a member certificate and a group public key, and a calculation using a member private key. Of these two types of calculation, delegate who calculations using the member certificates and the group public key anonymous proxy device 50 _1.

Anonymous proxy device 50 _1, based on the transfer information to and from the key exchange section 24 ", generates a group signature (ST8-3), and transmits the resulting group signature to the client device 10 ₁ (ST8- 4).

  Here, the delegation calculation (request calculation) of the group signature between steps ST8-2 to ST8-4 is, for example, as follows when the technique described in Patent Document 2 is used. In addition, when the patent document 2 is withdrawn without being disclosed, in addition to the following description, for example, refer to the group signature request calculation technique described in the patent document 3 or the like which is the background art of the patent document 2. Also good.

(Step ST8-2)
The key update unit 24 ″ has a member certificate (cert = (A, e) (where A = (a ^x a ₀ ) ^{1 / e} mod n, e is a prime number, and x is a member secret key)) and group disclosure. key (pk = (n, a, a 0, y, g, h)) to be transmitted to the anonymous proxy device 50 _1.

Note that n = pq, p = 2p ′ + 1, and q = 2q ′ + 1 (where p ′ and q ′ are prime numbers of L _p bits, and Lp is a security parameter). Also, a ∈ QR (n), a ₀ ∈ QR (n), g ∈ QR (n), and h ∈ QR (n) (where QR (n) is a quadratic residue group of n). y = g ^x mod n.

Anonymous proxy device 50 _1, the group signature generating function unit 42, the member certificate, the random number information r_1~r_4 chosen group public key and random, certificate-related information based on w (T _1, T _2, T ₃ ) and calculation parameters (d ₁ ′, d ₂ , d ₃ , d ₄ ) are generated, and the certificate-related information and calculation parameters are transmitted to the key exchange unit 24 ″.

Where T ₁ = Ay ^w mod n,
T ₂ = g ^w mod n,
^{_{T 3 = g e h w mod}} n.
d ₁ '= T ₁ ^{r_1} / y ^{r_3} mod n (where _ represents a subscript)
d ₂ = T ₂ ^{r_1} / g ^{r_3} mod n,
d ₃ = g ^{r_4} mod n,
d ₄ = g ^{r_1} h ^{r_4} mod n.
Upon receiving this certificate-related information and calculation parameters, the key exchange unit 24 ″ uses the hash function H (g‖... ‖M) based on the member secret key (x) and the message (m) to obtain the member signature (c , S2) and transmits this member signature to the anonymous proxy device 50 _1. Note that the message (m) here is the download request ID, the license information body, the device determination value, the key exchange information, the random number RD. The message to be signed M7-1.

D ₁ = d ₁ '/ a ^{r_2} mod n,
c = H (g‖h‖y‖a ₀ ‖a‖T ₁ 2T ₂ ‖T ₃ ‖d ₁ ‖d ₂ ‖d ₃ ‖d ₄ ‖m) (where ‖ represents the concatenation of data)
s ₂ = r ₂ −c (x−2 ^{λ_1} ) (where λ ₁ is a system parameter)
(Step ST8-3)
In anonymous proxy device 50 _1, the group signature generating function unit 42, on the basis of this member signing and member certificate, generates the member signature-related information _{(s 1, s 3, s} 4).

S ₁ = r ₁ −c (e−2 ^{γ_1} ) (where γ ₁ is a system parameter),
s ₃ = r ₃ −cew,
s ₄ = r ₄ -cw.
The group signature generation function unit 42 also includes a group signature (σ = (T ₁ , T ₂ , T ₃ , s ₁ , s ₂ , s ₃ , s) composed of the member signature related information, the certificate related information, and the member signature. ₄ , c)) is generated.

(Step ST8-4)
Thereafter, the anonymous proxy device 50 _1, the group signature generating function unit 42 transmits the group signature key exchange section 24 to ". The above is the processing from step ST8-4.

In the client device 10 _1, the key exchange section 24 "receives the group signature. Thus, the key exchange section 24", the authentication key exchange message including download request ID, equipment determination value, key exchange information, the group signature M7 generates and secret information storage unit 21 "is written in. Thereafter, the key exchange section 24 'transmits the authentication key exchange message M7 to the content server apparatus 30 ₁ (ST9).

Hereinafter, in the client device 10 _1, between the content server apparatus 30 _1, by executing the steps ST10~ST13 described above, the resulting permission information M9, content information encryption decryption key and the encrypted data body The data is written in the storage unit 26 (ST17).

  The content using unit 15 performs the use processing of the encrypted data body by executing the above-described steps ST21 to ST28.

According to the present embodiment as described above, the client device 10 ₁ is configured to download data from the content server apparatus 30 ₁ without passing through the download proxy, and, group signature requiring a high information processing capability of computation be modified to delegate form most anonymous proxy device 50 _1, it is possible to obtain the same effect as the first embodiment.

Supplementally, in the present embodiment has the key information of the client device 10 ₁ Group signature, during downloading data from a content server device 30 _1, the majority of the computation of the group signature which require high information processing capability Can be delegated to an anonymous proxy.

Further, in the present embodiment, a high information processing capability as compared to the client device 10 ₁ of the first embodiment to the client device 10 ₁ is needed, because it can individually disable client device by the broadcast type cryptographic, the Safety can be improved as compared with the first embodiment.

(Fifth embodiment)
31 and 32 are schematic views showing the configuration of a data distribution system according to the fifth embodiment of the present invention. This embodiment is a modification of the fourth embodiment, the client device 10 ₁ is configured to download data from the content server apparatus 30 ₁ without passing through the download proxy, and, of the client device 10 ₁ Group signature Get has a form that does not delegate to anonymous proxy device 50 _1.

Specifically omitted anonymous proxy apparatus 50 ₁ shown in FIGS. 29 and 30, instead of the majority of the delegate key exchange section 24 "of the computation of the group signature generation, in FIG. 1 with a group signature generation function The described key exchange unit 24 is provided.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG.

First, in the client device 10 _1, between the content server apparatus 30 _1, by executing the steps ST5~ST13 described in FIG. 14, the obtained license information M9, encrypted decryption key and the encrypted data The main body is written into the content information storage unit 26 (ST17).

  The content using unit 15 performs the use processing of the encrypted data body by executing the above-described steps ST21 to ST28.

According to the present embodiment as described above, the client device 10 ₁ is configured to download data from the content server apparatus 30 ₁ without passing through the download proxy, and client device 10 ₁ anonymous proxy device to calculate the group signature be in the form which is not delegated to 50 _1, it is possible to obtain the same effect as the first embodiment.

In the present embodiment, although the client device 10 ₁ requires information processing capability of a group signature, since such download proxy device 20 ₁ and the anonymous proxy device 50 ₁ is not required, a client device connected to LAN11 When only one unit is used, it can be realized at a low cost.

(Sixth embodiment)
34 and 35 are schematic views showing the configuration of a data distribution system according to the sixth embodiment of the present invention.

The present embodiment is a modification of the first embodiment, in which the client device also functions as a download proxy. Specifically, and a client device 10 provided local data server 40 ₁ instead of _1, the client and the download proxy unit 20 ₁ that combines the functions of the client device and the download proxy apparatus shown in FIG.

Client and the download proxy unit 20 _1, the secret information storage unit 21 ", the request establishing part 22, the download request section 23, the key exchange unit 24, the download section 25, the content information storage section 12, receiving section 14, the content section 15, and A transmission request unit 16 is provided.

  The secret information storage unit 21 ″ is a combination of the storage contents of the secret information storage units 11 and 21 described above, and stores the client certificate and the device secret key in addition to the storage contents of the storage information storage unit 21. .

  The request establishment unit 22, the download request unit 23, the key exchange unit 24, and the download unit 25 have the functions described in the first embodiment.

Content information storage unit 12, receiving unit 14 and the content using unit 15 has a function described in the first embodiment, unlike the first embodiment, it is located on the client and the download proxy unit 20 ₁ .

Transmission requesting unit 16, the operation of the operator, is a request for streaming transmission of such encrypted data body in the local data server 40 _1.

On the other hand, the local data server 40 ₁ is roughly has a configuration including a streaming unit 17 in place of the content use part 15 described above. Local data server 40 ₁ More specifically, the secret information storage unit 11, the content information storage section 12, and a download request section 13, the receiving unit 14 and the streaming unit 17.

  Here, the secret information storage unit 11 stores a local data server certificate and a local data server secret key instead of the client certificate and the device secret key.

  The content information storage unit 12, the download request unit 13, and the reception unit 14 have the functions described in the first embodiment.

Streaming unit 17 receives a request for streaming transmission from the client and the download proxy unit 20 _1, the license information M9 of the content information storage section 12, encrypts the decryption key and the encrypted data body individually client and the download proxy unit 20 ₁ has the function of streaming transmission.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG.

First, in the data distribution system, perform the steps ST1~ST4 described in FIG. 14 between the local data server device 40 ₁ and the client and the download proxy unit 20 _1, the client and the download proxy unit 20 ₁ and the content server run Similarly the step ST5~ST13 between device 30 ₁ performs similarly to step ST14~ST16 between the local data server device 40 ₁ and the client and the download proxy unit 20 _1.

Thus, writing in the local data server device 40 _1, the resulting permission information M9, the encrypted decryption key and the encrypted data body in the content information storage section 12 (ST17).

Thereafter, in the client and the download proxy unit 20 _1, the transmission requesting unit 16, the operator's operation, requests the streaming transmission of such encrypted data body in the local data server 40 _1.

In the client and the download proxy unit 20 _1, the streaming unit 17 receives a request for streaming transmission, permission information M9 of the content information storage section 12, encrypts the decryption key and individual clients and the download proxy encrypted data body stream transmitted to the device 20 ₁ (ST18).

In the client and the download proxy unit 20 _1, the receiving unit 14, permission information separately receives the encrypted decryption key and the encrypted data itself, the content information storage section 12 in association with these license information and the encrypted decryption key to each other And the encrypted data body is sent to the content using unit 15.

  The content using unit 15 performs the use processing of the encrypted data body by executing the above-described steps ST21 to ST28.

According to the present embodiment as described above, provided the local data server device 40 ₁ in place of the client device 10 _1, variations in the form in which the client device with a client and the download proxy unit 20 ₁ which also functions download proxy Even so, the same effect as the first embodiment can be obtained.

The client device is suitable for a download proxy based on a group signature when it has a high calculation capability such as reproducing a high-resolution, high-compression moving image or generating a three-dimensional composite image. On the other hand, since the data server normally does not require high information processing capability, the present embodiment is highly effective in implementation.
(Seventh embodiment)
37 and 38 are schematic views showing the configuration of a data distribution system according to the seventh embodiment of the present invention.

This embodiment is a modification of the fourth embodiment, anonymous proxy device 50 ₁ is in the form also functions of the client device.

Anonymous proxy device 50 ₁ Specifically, in addition to the components 41 and 42 described above, and a secret information storage unit 11 ', the content information storage unit 12, receiving unit 14 and the content use part 15. Accordingly, in the client device 10 _1, the streaming unit 27 is provided instead of the content use part 15.

  Next, the operation of the data distribution system configured as described above will be described with reference to the sequence diagram of FIG.

First, in the data distribution system, between the client device 10 ₁ and the content server apparatus 30 _1, perform the steps ST5~ST7 described above, between the client device 10 ₁ and the anonymous proxy device 50 _1, above and executing step ST8-1~ST8-4 were, between the client device 10 ₁ and the content server apparatus 30 _1, by which to perform the steps ST9~ST13 described above, in the client device 10 _1, the download section 25 However, the obtained permission information M9, the encryption / decryption key, and the encrypted data body are written in the content information storage unit 26.

Next, in the anonymous proxy device 50 _1, the operator's operation, and transmits the streaming transmission request (not shown) to the client device 10 _1.

In the client device 10 _1, the streaming unit 27 receives the streaming transmission request, the license information M9 of the content information in the storage unit 26, the decryption key and the encrypted data body individually client and the download proxy unit 20 ₁ Streaming transmission is performed (ST14 to ST16 ′).

In anonymous proxy device 50 _1, the receiving unit 14, separately license information, upon receiving the encrypted decryption key and the encrypted data body is written in the content information storage section 12 in association with these license information and the encrypted decryption key to each other At the same time, the encrypted data body is sent to the content use unit 15. The content using unit 15 performs the use processing of the encrypted data body by executing the above-described steps ST21 to ST28.

According to the present embodiment as described above, in addition to the effects of the fourth embodiment, it is possible to use the content with anonymous proxy device 50 _1.

The client device is suitable for a download proxy based on a group signature when it has a high calculation capability such as reproducing a high-resolution, high-compression moving image or generating a three-dimensional composite image. On the other hand, since the data server normally does not require high information processing capability, the present embodiment is highly effective in implementation.
Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the data delivery system which concerns on the 1st Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a schematic diagram which shows the structure of the download proxy request message in the embodiment. It is a schematic diagram which shows the structure of the request response message in the same embodiment. It is a schematic diagram which shows the structure of the client verification request message in the same embodiment. It is a schematic diagram which shows the structure of the download request establishment message in the same embodiment. It is a schematic diagram which shows the structure of the download request message in the same embodiment. It is a schematic diagram which shows the structure of the encryption license element information message in the same embodiment. It is a schematic diagram which shows the structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the deformation | transformation structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the deformation | transformation structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the structure of the encryption / decryption key permission signature message in the same embodiment. It is a schematic diagram which shows the structure of the permission information in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the data delivery system which concerns on the 2nd Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a schematic diagram which shows the structure of the streaming proxy request message in the embodiment. It is a schematic diagram which shows the structure of the request response message in the same embodiment. It is a schematic diagram which shows the structure of the client verification request message in the same embodiment. It is a schematic diagram which shows the structure of the streaming request establishment message in the same embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the deformation | transformation structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the deformation | transformation structure of the authentication key exchange message in the embodiment. It is a schematic diagram which shows the structure of the encryption / decryption key permission signature message in the same embodiment. It is a schematic diagram which shows the structure of the permission information in the embodiment. It is a schematic diagram which shows the structure of the data delivery system which concerns on the 4th Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the data delivery system which concerns on the 5th Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the data delivery system which concerns on the 6th Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the data delivery system which concerns on the 7th Embodiment of this invention. It is a schematic diagram which shows the structure of the data delivery system in the embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment.

Explanation of symbols

1 ₁ , 1 ₂ ... LAN, 2 ₁ , 2 ₂ ... router device, 3 ... Internet, 4 ... license server device, 5 ... manufacturer factory, 10 ₁ to 10 ₄ ... client device, 11, 21, 21 ', 21 " , 31 ... Secret information storage unit, 12, 32, 26 ... Content information storage unit, 13, 23 ... Download request unit, 14 ... Reception unit, 15 ... Content use unit, 16 ... Transmission request unit, 17, 27 ... Streaming unit , 20 ₁ , 20 ₂ ... Download proxy device, 22... Request establishment unit, 24, 24 ″, 34... Key exchange unit, 25, 35 ... download unit, 30 ₁ , 30 ₂ . 40 _1, 40 2 _... local data server device, 41 ... signature generation information storage unit, 42 ... group signature generation function unit, ₅₀ 1, 50 2 _... anonymous proxy device

Claims (5)

A data distribution system comprising a data distribution server device and a data distribution client device, wherein the devices can communicate with each other,
The data distribution server device
Server-side storage in which “encrypted content data obtained by encrypting content data”, “license information regarding use permission of the content data” and “data decryption key for decrypting the encrypted content data” are stored Means,
The license element information is encrypted by the revocation function of the broadcast encryption method so as to invalidate the broadcast type encryption / decryption key to be invalidated, and the obtained encrypted license element information is transmitted to the data distribution client device Means to
Means for verifying the group signature upon receipt of the group signature and device determination value from the data distribution client device;
Means for generating a digital signature for the device determination value and the license information when the verification result of the group signature is valid;
Means for transmitting usage permission information including the device determination value, the license information and the digital signature to the data distribution client device;
Means for transmitting to the data distribution client device an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key when the verification result of the group signature is valid;
Means for transmitting the encrypted content data to the data distribution client device when the verification result of the group signature is valid,
The data distribution client device includes:
Client-side storage means for storing “the broadcast encryption / decryption key of the broadcast encryption method” and “the client public key certificate of the public key encryption method”;
Means for receiving the encrypted license information from the data distribution server device, decrypting the encrypted license information with the broadcast encryption / decryption key, and obtaining the license information;
“Hash value generated by hash operation from the value obtained by concatenating the license ID in this license element information and the device ID in the client public key certificate” or “concatenating the device ID and the license element information” Means for generating a device determination value as a hash value generated by a hash operation from the obtained value,
Means for generating a group signature based on the license information obtained by the decryption, and transmitting the group signature and the device determination value to the data distribution server device;
Means for receiving the usage permission information from a data distribution server device;
Means for receiving the encrypted content data from a data distribution server device;
Means for receiving the encrypted data decryption key from the data distribution server device, decrypting the encrypted data decryption key with the session key, and obtaining a data decryption key;
Means for storing the use permission information and the encrypted content data, and encrypting and storing the data decryption key obtained by the decryption;
Means for verifying that a device determination value generated from the use permission information and the device ID matches a device determination value included in the use permission information;
When the verification result of the device determination value is valid, the encrypted content data is decrypted based on the data decryption key obtained by decrypting the encrypted data decryption key and the stored use permission information. A data distribution system characterized by comprising means for using. A data distribution server device capable of communicating with a data distribution client device,
Server-side storage in which “encrypted content data obtained by encrypting content data”, “license information regarding use permission of the content data” and “data decryption key for decrypting the encrypted content data” are stored Means,
The license element information is encrypted by the revocation function of the broadcast encryption method so as to invalidate the broadcast type encryption / decryption key to be invalidated, and the obtained encrypted license element information is transmitted to the data distribution client device Means to
The data distribution client device decrypts the encrypted license information with a broadcast encryption / decryption key to obtain license information, and “a license ID in the license information and a device ID in the client public key certificate” To generate a device determination value as a hash value generated by a hash operation from a value obtained by concatenating and a hash value generated by a hash operation from a value obtained by concatenating the device ID and the license information, When the group signature is generated based on the obtained license information and the group signature and the device determination value are transmitted, the group signature and the device determination value are received from the data distribution client device. A means of verifying,
Means for generating a digital signature for the device determination value and the license information when the verification result of the group signature is valid;
Means for transmitting usage permission information including the device determination value, the license information and the digital signature to the data distribution client device;
Means for transmitting to the data distribution client device an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key when the verification result of the group signature is valid;
A data distribution server device comprising: means for transmitting the encrypted content data to the data distribution client device when the verification result of the group signature is valid. A data distribution client device capable of communicating with a data distribution server device,
Client-side storage means for storing “the broadcast encryption / decryption key of the broadcast encryption method” and “the client public key certificate of the public key encryption method”;
The data distribution server device encrypts the license information related to the use permission of the content data by the revocation function of the broadcast encryption method so that the broadcast encryption / decryption key to be invalidated is invalidated, and the obtained encryption Means for decrypting the encrypted license information with the broadcast encryption / decryption key and receiving the license information, when the encrypted license information is received from the data distribution server device when transmitting the license information;
“Hash value generated by hash operation from the value obtained by concatenating the license ID in this license element information and the device ID in the client public key certificate” or “concatenating the device ID and the license element information” Means for generating a device determination value as a hash value generated by a hash operation from the obtained value,
Means for generating a group signature based on the license information obtained by the decryption, and transmitting the group signature and the device determination value to the data distribution server device;
When the data distribution server device verifies the group signature and the verification result is valid, the data distribution server device generates a digital signature for the device determination value and the license information, and the device determination value, the license information, and the digital Means for receiving the license information from the data distribution server device when the license information including a signature is transmitted;
Means for receiving the encrypted content data from the data distribution server device when the data distribution server device transmits the encrypted content data when the verification result of the group signature is valid;
When the data distribution server device transmits an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key when the verification result of the group signature is valid, Means for receiving an encrypted data decryption key and decrypting the encrypted data decryption key with the session key to obtain a data decryption key;
Means for storing the use permission information and the encrypted content data, and encrypting and storing the data decryption key obtained by the decryption;
Means for verifying that a device determination value generated from the use permission information and the device ID matches a device determination value included in the use permission information;
When the verification result of the device determination value is valid, the encrypted content data is decrypted based on the data decryption key obtained by decrypting the encrypted data decryption key and the stored use permission information. A data distribution client device comprising: means for use. A program used for a data distribution server device capable of communicating with a data distribution client device,
A computer of the data distribution server device;
Server-side storage in which “encrypted content data obtained by encrypting content data”, “license information regarding use permission of the content data” and “data decryption key for decrypting the encrypted content data” are stored means,
The license element information is encrypted by the revocation function of the broadcast encryption method so as to invalidate the broadcast type encryption / decryption key to be invalidated, and the obtained encrypted license element information is transmitted to the data distribution client device Means to
The data distribution client device decrypts the encrypted license information with a broadcast encryption / decryption key to obtain license information, and “a license ID in the license information and a device ID in the client public key certificate” To generate a device determination value as a hash value generated by a hash operation from a value obtained by concatenating the device ID or a hash value generated by a hash operation from a value obtained by concatenating the device ID and the license information, When the group signature is generated based on the obtained license information and the group signature and the device determination value are transmitted, the group signature and the device determination value are received from the data distribution client device. Means to verify,
Means for generating a digital signature for the device determination value and the license information when the verification result of the group signature is valid;
Means for transmitting usage permission information including the device determination value, the license information and the digital signature to the data distribution client device;
Means for transmitting to the data distribution client device an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key when the verification result of the group signature is valid;
Means for transmitting the encrypted content data to the data distribution client device when the verification result of the group signature is valid;
Program to function as. A program used for a data distribution client device capable of communicating with a data distribution server device,
A computer of the data distribution client device;
Client-side storage means for storing “the broadcast encryption / decryption key of the broadcast encryption method” and “the client public key certificate of the public key encryption method”;
The data distribution server device encrypts the license information related to the use permission of the content data by the revocation function of the broadcast encryption method so that the broadcast encryption / decryption key to be invalidated is invalidated, and the obtained encryption Means for decrypting the encrypted license information using the broadcast encryption / decryption key upon receiving the encrypted license information from the data distribution server device when transmitting the license information;
“Hash value generated by hash operation from the value obtained by concatenating the license ID in this license element information and the device ID in the client public key certificate” or “concatenating the device ID and the license element information” Means for generating a device determination value as a “hash value generated by a hash operation from the obtained value”,
Means for generating a group signature based on the license information obtained by the decryption, and transmitting the group signature and the device determination value to the data distribution server device;
When the data distribution server device verifies the group signature and the verification result is valid, the data distribution server device generates a digital signature for the device determination value and the license information, and the device determination value, the license information, and the digital Means for receiving the license information from the data distribution server device when the license information including the signature is transmitted;
Means for receiving the encrypted content data from the data distribution server device when the data distribution server device transmits the encrypted content data when the verification result of the group signature is valid;
When the data distribution server device transmits an encrypted data decryption key obtained by encrypting the data decryption key with a communication session key when the verification result of the group signature is valid, Means for receiving an encrypted data decryption key and decrypting the encrypted data decryption key with the session key to obtain a data decryption key;
Means for storing the use permission information and the encrypted content data, and encrypting and storing the data decryption key obtained by the decryption;
Means for verifying that a device determination value generated from the use permission information and the device ID matches a device determination value included in the use permission information;
When the verification result of the device determination value is valid, the encrypted content data is decrypted based on the data decryption key obtained by decrypting the encrypted data decryption key and the stored use permission information. Means to use,
Program to function as.

Images