JP2008278416A - Apparatuses, methods, and programs for data encryption processing and data decryption processing, and integrated circuit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that, in the prior art, when data for tampering detection are added, a data size is expanded. <P>SOLUTION: An encryption key is generated for encrypting data for tampering detection on the basis of data to detect tampering and a random number generated from a private key. The data for tampering detection created from ciphertext data are encrypted using the encryption key and sent. On a receiving side, the encryption key is generated on the basis of the data to detect tampering and the random number generated from the private key, and the received encrypted data for tampering detection are decrypted. The decrypted data for tampering detection are compared with data for tampering detection calculated from ciphertext, and presence/absence of data tampering or data error is detected. Thus, not only a data error on a communication path but also intensive data tampering of an object to detect tampering can be detected. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a data encryption processing apparatus capable of encrypting data in a format that can detect tampering on the transmission side and transmitting the encrypted data to the reception side and decrypting the data on the reception side to detect the presence or absence of data tampering.

  In recent years, digital contents such as movies and music have been distributed over a network, and digital contents received or stored in one device have been transferred to another device for use. In such cases, in order to protect the copyright of the digital content data that is distributed or transferred, copy control information that describes the number of copies that can be made by the sending device or server, usage conditions, etc. is added. In general, it is encrypted and sent via a transmission channel on a network or between devices. The device that has received the transmitted encrypted content data performs content decryption processing and uses content such as reproduction processing based on the added copy control information.

  In recent years, with the spread of high-speed networks to ordinary households, stream distribution services that receive, decode, and play back digital stream contents in real time have also become widespread. On the other hand, since the content is becoming higher in definition and larger in capacity, in order to stream such high-quality and large-capacity encrypted content data in real time, there is an encryption method capable of high-speed processing. It has been demanded.

  Here, since the copy control information added to the content is information that defines the usage conditions of the content, it is necessary to prevent tampering during transfer by some kind of encryption processing. In general, it is not possible to completely prevent data tampering during transfer simply by encrypting data. For example, in a block encryption method that encrypts data in a predetermined block unit, even if a part of the encrypted data is tampered with, the decrypted data differs from the original plaintext only in one block that includes the tampered part. Only. Therefore, even if the copy control information portion is falsified with respect to the encrypted data of the content data with the copy control information added at the head, only the data in the head block of the content data is broken. Therefore, for example, in the case of video data, there is a possibility that even if the copy control information has been changed, there is a video disturbance in the first few frames, and the video data can be reproduced without any trouble later.

  This problem becomes more prominent when the stream encryption method is used as the encryption method. In the stream encryption method, data is basically encrypted in 1-bit units. Therefore, for example, even if the first 8 bits of the encrypted content data are known to be copy control information and the encrypted content data in that portion is altered (bit inversion), the decrypted data has been altered. Only the copy control information part has a value different from the original plaintext data, and the other parts are completely the same as the original plaintext. That is, although the copy control information has been altered, the content can be reproduced without any trouble, and the copyright of the content is lost. The stream encryption method is effective for use in content stream distribution and the like because it can perform higher-speed encryption processing than the block encryption method, but the low resistance to data alteration as described above is particularly low. It becomes a problem.

  As a digital data alteration prevention method, a method using a message alteration detector is generally used. In this method, data for detecting data falsification (message falsification detector) is created on the transmission side based on secret data shared in advance on the transmission side and reception side. Then, the message alteration detector is added to the data to be transmitted and sent to the receiving side. On the receiving side, a message alteration detector is created from the received data in the same manner as on the transmitting side, and it is confirmed whether or not it matches the one added to the transmission data. If they match, it is determined that the transmission data has not been tampered with, and if they do not match, it is determined that tampering has occurred.

  However, the prior art has a problem that the data size of the transmission data increases because it is necessary to add a message alteration detector to the transmission data. This is particularly problematic when content data to be streamed or transferred is received, decoded, and reproduced in real time. For example, when content data is received in units of packets, adding a message alteration detector to each packet increases the data size per packet. For this reason, in order to make the number of communication packets per unit time the same, it is necessary to increase the communication band. Furthermore, in order for the receiving terminal to have the same number of processing packets per unit time, it is necessary to improve the processing performance of the terminal. As described above, both the communication cost and the terminal cost will increase, but the processing load on the receiving terminal side will increase, and it will not be able to handle content reception and playback in real time, causing skipping and skipping of video Fear also increases.

  The present invention solves the above-mentioned problems, and is a data encryption that can perform high-speed processing and can prevent the tampering of transferred data without adding data for detecting data tampering as in the prior art. An object is to provide a processing apparatus.

  In order to solve the conventional problem, a data encryption processing device of the present invention generates plaintext data by encrypting plaintext data, and the plaintext data includes alteration detection target data, and the data encryption processing device includes: A data encryption conversion unit that encrypts the plaintext data using key data to generate encrypted data, an error detection data generation unit that generates error detection data for the encrypted data, and the falsification detection An error detection data encryption key generation unit that generates an error detection data encryption key based on the target data and the key data, and encrypts the error detection data by using the error detection data encryption key to encrypt an error. An error detection data encryption unit that generates detection data; and ciphertext data that is generated and output based on the encrypted data and the encryption error detection data. And an outputting portion.

According to the data encryption processing apparatus of the present invention, data tampering detection can be performed by checking error detection data, so that data transferred without adding data tampering detection as in the prior art is transmitted. This has the effect of making it possible to prevent tampering.
In addition, the processing for detecting data alteration can be performed in parallel with the encryption and decryption processing of content data, so the increase in processing time due to the addition of data alteration detection processing can be minimized. There is also an effect of becoming.

  In addition, the data alteration detection method of the present invention is applied to a stream encryption method capable of high-speed encryption / decryption of data, so that stream encryption can be performed without impairing high-speed encryption processing performance, which is an advantage of the stream encryption method. This has a particularly remarkable effect of compensating for the low resistance to data alteration, which has been a drawback of the conversion method, and not requiring additional data for detecting alteration.

(Embodiment)
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(Data transmission system configuration)
FIG. 1 is a block diagram showing a configuration of a data transmission / reception system according to an embodiment of the present invention. This system performs authentication and key sharing with the data receiving device 2 and then encrypts and transmits the stream data, and encrypts stream data after performing authentication and key sharing with the data transmitting device 1. And a data receiving device 2 that reproduces or stores the data by decoding and decoding. Examples of the data transmission device 1 include a set-top box that receives broadcast waves such as digital television broadcasts and IP broadcasts and converts them into signals that can be viewed on a television, or a DVD that reads and decodes content data stored in media. (Digital Versatile Disk) player, DVD recorder, BD (Blu-ray Disk) player, BD recorder, and the like. Examples of the data receiving apparatus 2 include a television, a PC monitor, a DVD recorder, and a BD recorder that receive and display or store the converted or decoded content data.

  The data transmission device 1 includes a data encryption unit 10 that performs data encryption processing, an authentication key sharing processing unit 11 that performs mutual authentication and key sharing with the data reception device 2, and a data stream generation that generates a data stream to be transmitted. Part 12. In addition, the data reception device 2 includes a data decryption unit 20 that performs data decryption processing, an authentication key sharing processing unit 21 that performs mutual authentication and key sharing with the data transmission device 1, and a received and decrypted data stream. It comprises a data stream playback unit 22 that performs playback.

In this data transmission / reception system, the operation for the data transmission apparatus 1 to send stream data to the data reception apparatus 2 is as follows.
(1) Mutual authentication and key sharing The data transmission device 1 and the data reception device 2 perform mutual authentication. The authentication key sharing processing unit 11 of the data transmitting device 1 and the authentication key sharing processing unit 21 of the data receiving device 2 store authentication keys for authentication, respectively, and the authentication key sharing processing units 11 and 21 respectively Using the authentication key that you have, perform mutual key authentication. Note that the mutual authentication and key sharing methods are well known and will not be described in detail. There are various mutual authentication and key sharing methods, such as a method using a common key encryption method and a method using a public key encryption method. Any method may be used as long as key data can be shared. In this way, the authentication key sharing processing units 11 and 21 share the 128-bit secret key data K. Both share a 128-bit initial vector IV separately from the key data. Since the initial vector IV does not necessarily have to be secretly shared, either one may be randomly generated after mutual authentication and sent to the other party in plain text, or encrypted with the key data K You may send it.

(2) Encryption and transmission of stream data The data transmission apparatus 1 generates and encrypts stream data and transmits the stream data to the data reception apparatus 2. First, the stream data generation unit 12 generates plaintext stream data. Examples of the plaintext stream include received broadcast waves and data obtained by converting video / music content data read from a medium such as a DVD into a format that can be reproduced on the receiving device side. FIG. 2 shows an example of the structure of plaintext stream data. The plaintext stream data is composed of a plurality of packet data 50, 51,..., 52. Each packet data (illustrated by taking the packet data 51 as an example in FIG. 2) includes header data 510 and main data 511. It consists of. In this embodiment, the data size of each packet is 2048 bytes, and the packet data is composed of 2 bytes of header data and 2046 bytes of main data. Also, it is assumed that the header data 2 bytes is copy control information. The copy control information is determined based on a copy control rule set in advance in the original original content data when the stream data is generated, and set in the header data portion of each packet data constituting the stream data. To do. Next, the data encryption unit 10 performs an encryption process on the plaintext stream data using the initial vector IV and the key K input from the authentication key sharing processing unit 11, and converts the encrypted text stream data into the encrypted text stream data. Generate. Details of the plaintext stream data encryption processing will be described later. Then, the data transmission device 1 sends the ciphertext stream data to the data reception device 2. The data transmitting device 1 may send the ciphertext stream data to the data receiving device 2 after the encryption of all the stream data is completed, or the stream data subjected to the encryption process is sent in real time each time. May be sent to the data receiving device 2.

(3) Decryption and reproduction of encrypted stream data The data receiving device 2 decrypts the encrypted stream data received from the data transmitting device 1 based on the key K and the initial vector IV shared in the processing of (1). To generate decrypted text stream data and reproduce it. The data decryption unit 20 performs decryption processing on the received encrypted stream data using the initial vector IV and the key K input from the authentication key sharing processing unit 21, and generates decrypted text stream data. . Details of the decryption processing of the ciphertext stream data will be described later. When the decryption process is correctly performed, the decrypted text stream data matches the plain text stream data generated by the data stream generating unit 12 of the data transmitting apparatus 1. Next, the data stream reproduction unit 22 reproduces the decrypted text stream based on the copy control information of 2 bytes of header data included in the packet data of the decrypted text stream. The data receiving apparatus 2 may start the decryption process and the stream data reproduction process after receiving all the ciphertext stream data, or the ciphertext stream data received from the data transmitting apparatus 1 in real time. Decoding and playback processing may be performed.

Next, processing of the data encryption unit 10 will be described.
(Details of processing of the data encryption unit 10)
The data encryption unit 10 performs encryption processing on the plaintext stream data one packet at a time from the beginning, and repeatedly performs the encryption processing until the encryption processing of the final packet is completed. In this way, the result of performing the encryption processing on all the packets of plaintext stream data is output as ciphertext stream data. Hereinafter, a process in which the data encryption unit 10 encrypts one packet of plaintext packet data to generate one packet of encrypted packet data will be described.

  FIG. 3 is a block diagram illustrating an example of a detailed configuration of the data encryption unit 10. The data encryption unit 10 generates random data using the initial vector IV and the initial vector update unit 100 that generates a modified initial vector based on the number of packets that have been encrypted so far, and the key K and the modified initial vector. A random number generation unit 101 for performing the exclusive OR operation for performing an exclusive OR operation between the random number and the plaintext packet data, and a CRC for generating CRC (Cyclic Redundancy Check) data from the encrypted packet data. The calculation unit 103, the CRC encryption key generation unit 104 that generates a CRC encryption key for encrypting the CRC data, and the exclusive OR operation of the CRC encryption key and the CRC data are performed to generate the encrypted CRC data. It consists of an exclusive OR unit 105. Hereinafter, processing of the data encryption unit 10 will be described.

  The initial vector update unit 100 holds, as 128-bit numerical data N, a counter value indicating how many packets of plaintext stream data have been encrypted. At the start of the plaintext stream data encryption process, N = 0 (128 bits), and every time one packet encryption process is completed, 1 is added. The initial vector update unit 100 performs an exclusive OR operation between the 128-bit data N and the initial vector IV input from the authentication key sharing processing unit 11 to generate a modified initial vector 128 bits. Then, the modified initial vector is input to the random number generation unit 101. N is a value that changes every time one packet encryption process is performed, and the initial vector IV is a fixed value. Therefore, the modified initial vector always has a different value for each packet encryption process.

  The random number generation unit 101 performs random number generation processing using the key K and the modified initial vector. Here, as a random number generation processing method, Hitachi, Ltd. “Pseudorandom number generator MUGI specification Ver. 1.2 (December 18, 2001) http://www.sdl.hitachi.co.jp/ It is assumed that the random number generation method of “crypto / mugi / mugi_spj.pdf” (available from the URL on the right is http://www.sdl.hitachi.co.jp/crypto/mugi/mugi_spj.pdf). In this random number generation method, an arbitrary number of random numbers can be generated in units of 64 bits with the secret key K128 bits and the modified initial vector 128 bits as inputs. The random number generation unit 101 generates 64 bits × 34 random numbers based on the key K and the modified initial vector. The first and second random numbers are generated as CRCs, which will be described later as random numbers A and B, respectively. The 32 random numbers that are input to the key generation unit 104 and generated after the third are exclusive as random numbers R [0], R [1], R [2],. Input to the logical sum unit 102.

The CRC encryption key generation unit 104 performs the following calculation using the first 64-bit data P [0] of the plaintext packet data and the random numbers A and B input from the random number generation unit 101 to obtain the CRC encryption key KC. .
KC = T‖T
T = (P [0] (+) A) × B
Here, α‖β represents data obtained by concatenating data α and data β from the top in the order of α and β, and (+) represents an exclusive OR operation for each bit. Further, x represents multiplication on the finite field GF (2 ^ 64) by the irreducible polynomial x ^ (64) + x ^ 4 + x ^ 3 + x + 1. α ^ β means α to the power of β.

  To the exclusive OR unit 102, plain text packet data is input in this order as P [0], P [1],..., P [31] in 64-bit units from the beginning. The exclusive OR unit 102 uses the random numbers R [0], R [1], R [2],..., R [31] input from the random number generation unit 101 to the plaintext packet data. Then, the following exclusive OR operation is performed in units of 64 bits to calculate C [0], C [1],..., C [31], and these are concatenated in this order from the top, Encrypted data.

C [i] = P [i] (+) R [i] (i = 0, 1,..., 31)
The CRC calculation unit 103 calculates CRC data for the encrypted data output from the exclusive OR unit 102. Since the calculation method of CRC data is well known, it is omitted here. In the present invention, the size of the CRC data is not particularly limited, but in this embodiment, it is 64 bits, and the CRC polynomial is X ^ (64) + X ^ 4 + X ^ 3 + X + 1. That is, the CRC calculation unit 103 calculates a 64-bit CRC data CD for the encrypted data, and inputs the CRC data CD to the exclusive OR unit 105.

The exclusive OR unit 105 performs an exclusive OR operation between the CRC encryption key KC input from the CRC encryption key generation unit 104 and the CRC data CD input from the CRC calculation unit 103 to obtain the encrypted CRC data ED ( 64 bits). Then, ED is added to the encrypted data.
The encrypted data with encrypted CRC data generated as described above is output from the data transmitting apparatus 1 as encrypted packet data (2112 bits). The data transmitting apparatus 1 performs the above-described encryption processing in units of one packet data on all packet data included in the plaintext stream data to generate ciphertext stream data. Here, CRC data is data originally added to packet data in order to detect an error on the transmission path, and is added regardless of whether or not data tampering is checked. Therefore, in this method, the data size of the encrypted packet data does not increase by detecting falsification.

Next, processing of the data decoding unit 20 will be described.
(Details of processing of the data decoding unit 20)
The data decryption unit 20 decrypts the ciphertext stream data one packet at a time from the beginning, and repeats the decryption process until the decryption process of the final packet is completed. Hereinafter, a process in which the data decryption unit 20 decrypts one packet of ciphertext packet data to generate one packet of decrypted packet data will be described.

  FIG. 4 is a block diagram illustrating an example of a detailed configuration of the data decoding unit 20. The data decryption unit 20 generates random data using the initial vector IV and the initial vector update unit 200 that generates a modified initial vector based on the number of packets that have been decrypted so far, and the key K and the modified initial vector. A random number generation unit 201 that performs an exclusive OR operation between the random number and the encrypted packet data, a CRC calculation unit 203 that generates CRC data for data error detection from the encrypted packet data, A CRC encryption key generation unit 204 for generating a CRC encryption key for decrypting the encrypted CRC data, and performing an exclusive OR operation on the CRC encryption key and the encrypted CRC data to generate decrypted CRC data An exclusive OR unit 205, and a decrypted CR calculated from the CRC data calculated from the encrypted packet data using the encrypted CRC data and the CRC encryption key. Compared to the data consisting of the CRC check unit 206. which determines whether there is tampering or error in the encrypted packet data received. Hereinafter, processing of the data decoding unit 20 will be described.

The encrypted packet data consists of encrypted data and encrypted CRC data. The encrypted data is input to the exclusive OR unit 202 and the CRC calculation unit 203, and the encrypted CRC data is input to the exclusive OR unit 205. Entered.
The initial vector update unit 200 holds, as 128-bit numerical data N, how many packets of the ciphertext stream data have been decrypted. At the start of the decryption processing of the ciphertext stream data, N = 0 (128 bits), and every time one packet decryption processing is performed, 1 is added. The initial vector update unit 200 performs an exclusive OR operation between the 128-bit data N held as described above and the initial vector IV input from the authentication key sharing processing unit 21 to obtain a modified initial vector (128 bits). ) Is generated. Then, the modified initial vector is input to the random number generation unit 201. N is a value that changes every time one-packet decoding process is performed, and the initial vector IV is a fixed value. Therefore, the modified initial vector always has a different value for each packet decoding process.

  The random number generation unit 201 performs random number generation processing using the key K and the modified initial vector. The random number generation process uses the same process as the random number generation unit 101 of the data encryption unit 10. The random number generation unit 201 generates 64 bits × 34 random numbers based on the key K and the modified initial vector, and the first and second random numbers are generated as CRCs ciphers as random numbers A and B, which will be described later, respectively. The 32 random numbers input to the key generation unit 204 and generated after the third are exclusive as random numbers R [0], R [1], R [2],. Input to the logical sum unit 202.

  To the exclusive OR unit 202, the encrypted data is randomly input as C [0], C [1],..., C [31] in 64-bit units from the beginning. The exclusive OR unit 202 uses the random numbers R [0], R [1], R [2],..., R [31] input from the random number generation unit 201 to generate the encrypted packet data. On the other hand, the following exclusive OR operation is performed in units of 64 bits to calculate decoded data D [0], D [1],..., D [31], and these are processed in this order from the top. The concatenated data is decoded packet data (2048 bits). At this time, D [0] is calculated by the following calculation and input to the CRC encryption key generation unit 204 at the same time.

D [i] = C [i] (+) R [i] (i = 0, 1,..., 31)
The CRC encryption key generation unit 204, when the exclusive OR unit 202 finishes the process of C [0] in the above process and generates and inputs D [0], The following calculation is performed using the random numbers A and B input from the random number generation unit 101 to obtain the CRC encryption key KC.
KC = T‖T
T = (X [0] (+) A) × B
Here, α‖β represents data obtained by concatenating data α and data β from the top in the order of α and β, and (+) represents an exclusive OR operation for each bit. Further, x represents multiplication on the finite field GF (2 ^ 64) by the irreducible polynomial x ^ (64) + x ^ 4 + x ^ 3 + x + 1. α ^ β means α to the power of β.

The CRC calculation unit 203 calculates CRC data for the encrypted data. The CRC calculation unit 203 calculates a 64-bit CRC data CD for the encrypted data (2048 bits) by the same calculation method as the CRC calculation unit 103 of the data encryption unit 10 and inputs it to the exclusive OR unit 205. To do.
The exclusive OR unit 205 performs an exclusive OR operation between the CRC encryption key KC input from the CRC encryption key generation unit 204 and the encrypted CRC data ED included in the encrypted packet data, and performs decryption CRC Data DD (64 bits) is calculated and input to the CRC check unit 206.

  The CRC check unit 206 compares the CRC data input from the CRC calculation unit 203 with the decoded CRC data input from the exclusive OR unit 205 and determines whether or not they match. If they match, the decrypted packet data (2048 bits) is output from the data decrypting unit 20 assuming that the received encrypted packet data does not contain any errors or tampering. If they do not match, the decrypted packet data is discarded, assuming that the received encrypted packet data contains an error or falsification. That is, when the two do not match, the data decryption unit 20 does not output the decrypted packet data in response to the input of the encrypted packet data.

  The first two bytes (header data) of the packet data are copy control information, and in this method, alteration of this data can be detected. The reason will be described below. The data encryption unit 10 generates a CRC encryption key based on the first 64 bits (of which 16 bits are copy control information) and the random number generated by the random number generation unit 101. Further, the data decryption unit 20 generates a CRC encryption key based on the first 64 bits of the decrypted packet data (16 bits are copy control information) and the random number generated by the random number generation unit 201. Here, since the random number generation units 101 and 201 perform random number generation using the same key and modified initial vector, the random numbers used for generating the CRC encryption key are the same. Therefore, if the first 64 bits of the decrypted packet data are the same as the first 64 bits of the plaintext packet data, the same CRC encryption key is generated. Therefore, unless the first 64 bits are falsified and there is no error (bit inversion) in the encrypted packet data on the transmission path, the CRC check unit 206 determines OK and decrypts from the data decryption unit 20. Packet data is output. On the other hand, when the copy control information in the header portion is falsified on the transmission path, a different CRC encryption key from that at the time of data encryption is generated, so that different decrypted CRC data is calculated. Therefore, even if there is no error in the encrypted packet data on the transmission path, the CRC check unit 206 determines NG and the decrypted packet data is not output from the data decryption unit 20. Further, since an attacker who tries to falsify the copy control information does not know the secret key K, he cannot know the values of the random numbers A and B used for CRC encryption key generation. Therefore, after the copy control information has been tampered with, CRC data for the tampered encrypted packet can be calculated, but the corresponding CRC encryption key cannot be calculated. The encrypted CRC data for the encrypted packet data cannot be calculated. As described above, in this method, when the copy control information is falsified on the transmission path, it is possible to detect it on the data decoding side and not output the decoded data.

  Further, since the alteration detection is performed based on the same size data added instead of the CRC data originally added for communication error detection, there is no increase in the data amount due to the addition of the alteration detection data. Further, when the processing of the data encryption unit 10 is realized by hardware, the processing of the part “perform processing of the exclusive OR unit 102 and processing of the CRC calculation unit 103” (related to encryption of plaintext packet data) Processing) and the processing (processing for tampering detection) of the portion “processing the CRC encryption key generation unit 104 and processing the exclusive OR operation unit 105” can be performed in parallel. Thus, by detecting falsification, the data encryption process does not take much longer. Similarly, when the data decryption unit 20 is realized by hardware, “processing of the exclusive OR unit 202” and “processing of the CRC calculation unit 203” (both processing related to encryption of plaintext packet data). Since the processing (processing for tampering detection) of the portion “processing the CRC encryption key generation unit 204 and processing the exclusive OR operation unit 205” (processing for falsification detection) can be performed in parallel, By performing falsification detection, the data decoding process does not take much longer.

(Modification of the embodiment)
A modification in the embodiment of the present invention will be described.
FIG. 5 is a block diagram showing a configuration of a data transmission / reception system in a modification of the embodiment of the present invention. The configuration and the role of each unit are the same as the configuration of the data transmission / reception system described with reference to FIG. In the present modification, only the processes of the data encryption unit 30 and the data decryption unit 40 are different from those of the above-described embodiment. Therefore, the following description will be focused on the differences.

(Details of processing of the data encryption unit 30)
FIG. 6 is a block diagram illustrating a configuration of the data encryption unit 30. The data encryption unit 30 is different from the data encryption unit 10 only in the processing of the CRC encryption key generation unit 304. That is, in the data encryption unit 10, the CRC encryption key generation unit 104 generates a CRC encryption key based on the first 64 bits of the plaintext packet data, but in the data encryption unit 30, the CRC encryption key generation unit 304 Generates a CRC encryption key based on the first 64 bits of the encrypted packet data instead of the above data. For this purpose, in the CRC encryption key generation unit 304, the exclusive OR unit 302 performs an exclusive OR operation on the first 64-bit data of the plaintext packet data and the random number data input from the random number generation unit 301. It is necessary to perform CRC encryption key generation processing after generating bit-encrypted data. Since the other processing details are exactly the same as those of the data encryption unit 10, a description thereof will be omitted.

(Details of processing of the data decoding unit 40)
FIG. 7 is a block diagram showing a configuration of the data decoding unit 40. The data decryption unit 40 is different from the data decryption unit 20 only in the processing of the CRC encryption key generation unit 404. That is, in the data decryption unit 20, the CRC encryption key generation unit 204 generates a CRC encryption key based on the first 64 bits of the decrypted packet data, but in the data decryption unit 40, the CRC encryption key generation unit 404 generates a CRC encryption key based on the first 64 bits of the encrypted packet data instead of the above data. In the case of the data decryption unit 20, the exclusive OR unit 202 performs an exclusive OR operation on the first 64-bit data of the encrypted packet data and the random number data input from the random number generation unit 201, thereby performing 64-bit After generating the decrypted data, it is necessary to perform a CRC encryption key generation process using the data. However, in the data decryption unit 40 of this modification, the CRC encryption key generation processing is performed from the first 64 bits of the encrypted packet data input to the data decryption unit 40 without waiting for the processing of the exclusive OR unit 302. You can start. In this way, in this modification, since the CRC encryption key generation process can be started at an earlier timing, parallelization of the process related to data decryption and the process related to data alteration detection can be performed more efficiently. It is possible to perform the decryption process on the encrypted packet data at a higher speed.

(Other variations)
Needless to say, the present invention is not limited to the above-described embodiment. The following cases are also included in the present invention.
(1) The data size of each data and field is merely an example, and other data sizes may be used.

  (2) The random number generation method used in the random number generation unit is that a random number sequence is generated based on a certain source data (corresponding to a key and a modified initial vector in the embodiment), and the source data is the same. As long as the same random number sequence is always output, any method may be used. Examples of other random number generation methods include a method using PANAMA, a hash function, and a block cipher.

  (3) In the present embodiment, the presence or absence of an error is determined using CRC data. However, error correction may be performed, or error correction and error detection may be performed. When performing error correction, if the falsification detection target data is falsified, the CRC encryption key data changes significantly (the CRC encryption key to be originally calculated differs in a number of bits), so the decrypted CRC data is Bits that exceed the limit of error correction capability will change. Therefore, since error correction is not performed correctly, the packet data is broken and the content is not reproduced correctly. Therefore, it is possible to prevent falsification of the falsification detection target data. Further, when error correction and error detection are performed, packet data is discarded even if an error exceeding the limit of error correction capability is detected for the same reason as described above, so that the content cannot be reproduced. Therefore, it is possible to prevent falsification of the falsification detection target data.

  (4) In the present embodiment, a CRC encryption key is generated from 64-bit data including copy control information (16 bits) that is a target for falsification detection. It may be 64-bit data obtained by combining fixed values of bits. At this time, the 48-bit fixed value needs to be shared between the data encryption unit and the data decryption unit by some method (for example, determined in advance as a system fixed value). In this way, there are the following merits when CRC data is used not for error detection but for error correction. In the embodiment, even if an error occurs in one bit of 48 bits excluding copy control information (16 bits) out of the first 64 bits of packet data used for generating a CRC encryption key, the bit is inverted. The CRC encryption key is calculated as a completely different value. Therefore, the CRC data that is decoded as a result has a completely different value. Therefore, even though a 1-bit error has occurred, this is the same as an error that exceeds the limit of the error correction capability of the CRC, resulting in an error correction error and packet data being corrupted. That is, bit inversion occurs in a portion other than the data alteration detection target portion, and even if it is within the range of the error correction capability of the CRC, an error correction error may occur. However, in this modified example, since the CRC encryption key is generated only from the data to be detected for falsification, as described above, even if bit inversion occurs in a portion other than the falsification detection target, this is the CRC error correction capability. If it is within the range, it becomes possible to correct the error correctly. Further, the present invention is not limited to the above, and any data can be extracted from the data extracted from the packet data when generating the CRC key as long as at least a portion for which alteration detection is desired is included.

  (5) The processing of the CRC encryption key generation unit may not be the method of the embodiment. For example, encryption processing (for example, AES encryption or DES encryption) that encrypts or decrypts packet data that is input using an input random number as a key may be used. Alternatively, it may be a process of performing hash function processing (for example, SHA-1, MD5, SHA-256, etc.) on the data obtained by combining the data. Alternatively, it may be a secret conversion algorithm that is secretly shared between the data encryption unit and the data decryption unit.

  (6) The process for calculating the encrypted CRC data from the CRC encryption key and the CRC data may be other than the exclusive OR operation. For example, the result of arithmetic addition of a CRC encryption key and CRC data may be used as encrypted CRC data. At this time, the decrypted CRC data may be calculated by the process of subtracting the CRC encryption key from the encrypted CRC data. In addition to this, as long as the conversion for obtaining the encrypted CRC data from the CRC encryption key and the CRC data and the conversion for obtaining the decrypted CRC data from the encrypted CRC data and the CRC encryption key are in a reverse conversion relation, Such conversion may be used.

In addition, although a random number generated by a random number generator is used to generate a CRC encryption key, this may be any data that cannot be calculated or calculated by a person who alters the data. For example, it may be key data input to the random number generation unit.
(7) In this embodiment, the stream encryption method is used as the encryption / decryption processing of the packet data, but a block encryption method may be used. In this case, in the data encryption unit 10 of FIG. 3, the random number generation unit 101 and the exclusive OR unit 102 are replaced with a block encryption processing unit. At this time, the block encryption processing unit performs CES encryption processing of AES encryption using, for example, the key K and the modified initial vector. The CRC encryption key generation unit 104 may use the key K as data instead of the random number input from the random number generation unit 101.

  (8) As a CRC calculation method of the CRC calculation unit, a method other than the method of this embodiment may be used. At this time, depending on the CRC calculation method, the CRC data size (N bits) may not match the CRC encryption key size (M bits), but the CRC data size is larger than the CRC encryption key size. If it is small (N <M), the encrypted CRC data may be calculated using only N bits of the CRC encryption key. When the size of the CRC encryption key is larger than the CRC data size (N> M), the encrypted CRC data is obtained by concatenating a predetermined number of copies of the CRC encryption key data into N-bit data. Should be calculated.

  (9) In the present embodiment, the first and second random number data generated by the random number generation unit is used to generate the CRC encryption key, but this may be performed at an arbitrary timing such as the third or fourth. It may be a random number that is generated. However, it is necessary for the data encryption unit and the data decryption unit to share information on the timing at which the CRC encryption key is generated using the random number extracted.

  (10) Each of the above devices is specifically a computer system including a microprocessor, ROM, RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like. A computer program is stored in the RAM or hard disk unit. Each device achieves its functions by the microprocessor operating according to the computer program. Here, the computer program is configured by combining a plurality of instruction codes indicating instructions for the computer in order to achieve a predetermined function.

  (11) A part or all of the components constituting each of the above devices may be configured by one system LSI (Large Scale Integration). The system LSI is a super multifunctional LSI manufactured by integrating a plurality of components on one chip, and specifically, a computer system including a microprocessor, a ROM, a RAM, and the like. . A computer program is stored in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program.

In addition, each part of the components constituting each of the above devices may be individually made into one chip, or may be made into one chip so as to include a part or all of them.
Although the system LSI is used here, it may be called IC, LSI, super LSI, or ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used.

Further, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. Biotechnology can be applied.
(12) A part or all of the components constituting each of the above devices may be configured as an IC card that can be attached to and detached from each device or a single module. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

(13) The present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal composed of the computer program.
The present invention also provides a computer-readable recording medium such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc). ), Recorded in a semiconductor memory or the like. The digital signal may be recorded on these recording media.

In the present invention, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like.
The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.

In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, and executed by another independent computer system. It is good.
(14) The above embodiment and the above modifications may be combined.

  The data encryption processing device according to the present invention can detect falsification of copy control information included in the content being transmitted while realizing high-speed encryption processing and without adding data for falsification detection. Because it has features, it is useful for realizing data encryption processing devices for use in systems that require high-speed transmission, high-speed processing, and prevention of data tampering, such as streaming distribution systems for video and music content. is there.

The block diagram which shows the structure of the data transmission / reception system which concerns on embodiment of this invention The block diagram which shows the structure of the plaintext stream data which concerns on embodiment of this invention The block diagram which shows the structure of the data encryption part 10 which concerns on embodiment of this invention. The block diagram which shows the structure of the data decoding part 20 which concerns on embodiment of this invention. The block diagram which shows the structure of the data transmission / reception system which concerns on the modification of embodiment of this invention. The block diagram which shows the structure of the data encryption part 30 which concerns on the modification of embodiment of this invention. The block diagram which shows the structure of the data decoding part 40 which concerns on the modification of embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Data transmitter 2 Data receiver 10 Data encryption part 11 Authentication key sharing process part 12 Stream data generation part 20 Data decryption part 21 Authentication key share processing part 22 Stream data reproduction | regeneration part 100 Initial vector update part 101 Random number generation part 102 Exclusive OR section 103 CRC calculation section 104 CRC encryption key generation section 105 Exclusive OR section 200 Initial vector update section 201 Random number generation section 202 Exclusive OR section 203 CRC calculation section 204 CRC encryption key generation section 205 Exclusive logic Japanese part 206 CRC check part

Claims (8)

A data encryption processing device that encrypts plaintext data to generate ciphertext data, wherein the plaintext data includes alteration detection target data,
The data encryption processing device includes:
A data encryption conversion unit that encrypts the plaintext data using key data to generate encrypted data;
An error detection data generator for generating error detection data for the encrypted data;
An error detection data encryption key generation unit that generates an error detection data encryption key based on the falsification detection target data and the key data;
An error detection data encryption unit that encrypts the error detection data using the error detection data encryption key to generate encrypted error detection data;
A data cipher processing apparatus comprising: a ciphertext data output unit that creates ciphertext data based on the encrypted data and the encryption error detection data and outputs the ciphertext data. A data encryption processing method for generating plaintext data by encrypting plaintext data, wherein the plaintext data includes alteration detection target data,
The data encryption processing method includes:
A data encryption conversion step for generating encrypted data by encrypting the plaintext data using key data;
An error detection data generation step for generating error detection data for the encrypted data;
An error detection data encryption key generation step for generating an error detection data encryption key based on the falsification detection target data and the key data;
An error detection data encryption step for encrypting the error detection data using the error detection data encryption key to generate encrypted error detection data;
And a ciphertext data output step of generating and outputting ciphertext data based on the encrypted data and the encryption error detection data. A data encryption processing program for encrypting plaintext data to generate ciphertext data, wherein the plaintext data includes alteration detection target data,
The data encryption processing program is:
A data encryption conversion step for generating encrypted data by encrypting the plaintext data using key data;
An error detection data generation step for generating error detection data for the encrypted data;
An error detection data encryption key generation step for generating an error detection data encryption key based on the falsification detection target data and the key data;
An error detection data encryption step for encrypting the error detection data using the error detection data encryption key to generate encrypted error detection data;
A data encryption processing program comprising: a ciphertext data output step of generating and outputting ciphertext data based on the encrypted data and the encryption error detection data. An integrated circuit that encrypts plaintext data to generate ciphertext data, the plaintext data including falsification detection target data,
The integrated circuit comprises:
A data encryption conversion unit that encrypts the plaintext data using key data to generate encrypted data;
An error detection data generator for generating error detection data for the encrypted data;
An error detection data encryption key generation unit that generates an error detection data encryption key based on the falsification detection target data and the key data;
An error detection data encryption unit that encrypts the error detection data using the error detection data encryption key to generate encrypted error detection data;
An integrated circuit comprising: a ciphertext data output unit that creates ciphertext data based on the encrypted data and the encryption error detection data and outputs the ciphertext data. A data decryption processing device for decrypting ciphertext data to generate decrypted text data,
The ciphertext data includes encryption error detection data,
The data decoding processing device includes:
Decrypting the ciphertext data using key data to generate decrypted data, and the decrypted data includes a data decryption conversion unit including falsification detection target data;
An error detection data generation unit for generating error detection data for the ciphertext data;
An error detection data encryption key generation unit that generates an error detection data encryption key based on the falsification detection target data and the key data;
A tampering detection data decryption unit that decrypts the encryption error detection data using the error detection data encryption key to generate decryption error detection data;
An error detection data confirmation unit that determines whether there is an error or falsification in the ciphertext data based on the decryption error detection data and the error detection data;
A data decryption processing apparatus comprising: a decrypted text data output unit that creates and outputs decrypted text data based on the decrypted data. A data decryption method for decrypting ciphertext data to generate decrypted text data, wherein the ciphertext data includes encryption error detection data,
The data decoding processing method includes:
Decrypting the ciphertext data using key data to generate decrypted data, wherein the decrypted data includes a data decryption conversion step including alteration detection target data;
An error detection data generation step for generating error detection data for the ciphertext data;
An error detection data encryption key generation step for generating an error detection data encryption key based on the falsification detection target data and the key data;
A tampering detection data decryption step of decrypting the encryption error detection data using the error detection data encryption key to generate decryption error detection data;
An error detection data confirmation step for determining whether there is an error or falsification in the ciphertext data based on the decryption error detection data and the error detection data;
And a decrypted text data output step of generating decrypted text data based on the decrypted data and outputting the decrypted text data. A data decryption processing program for decrypting ciphertext data to generate decrypted text data, wherein the ciphertext data includes encryption error detection data,
The data decryption program is
Decrypting the ciphertext data using key data to generate decrypted data, wherein the decrypted data includes a data decryption conversion step including alteration detection target data;
An error detection data generation step for generating error detection data for the ciphertext data;
An error detection data encryption key generation step for generating an error detection data encryption key based on the falsification detection target data and the key data;
A tampering detection data decryption step of decrypting the encryption error detection data using the error detection data encryption key to generate decryption error detection data;
An error detection data confirmation step for determining whether there is an error or falsification in the ciphertext data based on the decryption error detection data and the error detection data;
And a decrypted text data output step for generating and outputting decrypted text data based on the decrypted data. An integrated circuit that decrypts ciphertext data and generates decrypted text data,
The ciphertext data includes encryption error detection data,
The integrated circuit comprises:
Decrypting the ciphertext data using key data to generate decrypted data, and the decrypted data includes a data decryption conversion unit including falsification detection target data;
An error detection data generation unit for generating error detection data for the ciphertext data;
An error detection data encryption key generation unit that generates an error detection data encryption key based on the falsification detection target data and the key data;
A tampering detection data decryption unit that decrypts the encryption error detection data using the error detection data encryption key to generate decryption error detection data;
An error detection data confirmation unit that determines whether there is an error or falsification in the ciphertext data based on the decryption error detection data and the error detection data;
An integrated circuit comprising: a decrypted text data output unit that creates and outputs decrypted text data based on the decrypted data.

Images