JP2009044652A - Content encryption device and content decryption device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce the processing by key management by assigning a key for each form of service and managing the key according to the relation between a plurality of services or a kind of content provided by service. <P>SOLUTION: The content encryption device is provided with: a service definition part 11 which constitutes a service by selecting a specific content from a plurality of contents inputted from an external device; a content key generation part 12 which generates a content encryption key for encrypting the content data and a content decryption key corresponding to the content encryption key based on the type of content constituting service; a service key generation part 13 which generates a service encryption key for encrypting the service data and a service decryption key corresponding to the service encryption key based on the type of content consisting service; and a content encryption part 14 which encrypts the content data using the content encryption key generated in the content key generation part. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a content encryption device that encrypts and distributes multimedia content, and a content decryption device that receives and decrypts encrypted content distributed from the content encryption device.

  Conventionally, a method of encrypting content has been used for the purpose of preventing leakage of digital content due to eavesdropping on the network or secondary distribution unintended by the content right holder. For example, the content encryption method disclosed in Patent Document 1 generates a key for each content and encrypts the content using the generated key.

JP 2004-38974 A

  However, the technique disclosed in Patent Document 1 described above has a problem that key management such as key distribution and update becomes complicated when providing a service having a large number of contents. For example, in a content providing service that requires protection by encryption, the content recipient is provided with the encrypted content and a decryption key used when decrypting the encrypted content. In such a case, in a service that provides a set of a plurality of contents (for example, moving images, audio, caption data, or other additional data) having different rights, a corresponding key is provided for each of the plurality of contents. Alternatively, it is necessary to newly generate a set of a plurality of contents as one content and provide a key corresponding to the newly generated content. Furthermore, if the service is configured to have variations, such as a service that provides only low-quality video, a service that provides only high-quality video, or a service that provides video and caption data, It is necessary to provide various keys according to the service, or to regenerate the contents according to the service form, which increases the amount of processing at the time of service provision, and also complicates operational processing such as key revocation and renewal. There was a problem.

  The present invention has been made to solve the above-described problems. A key is assigned to each service form, and the key is managed according to the relevance of a plurality of services and the type of content provided by the service. Thus, it is an object to realize a reduction in processing by key management.

  The content encryption device according to the present invention selects a specific content from among a plurality of contents input from an external device, configures a service, and stores content data based on the content configuring the service. A content encryption key to be encrypted, a content key generation unit for generating a content decryption key corresponding to the content encryption key, and a service encryption for encrypting the service data based on the content constituting the service An encryption key, a service key generation unit that generates a service decryption key corresponding to the service encryption key, and a content encryption that encrypts the content data using the content encryption key generated by the content key generation unit And a conversion unit.

  According to the present invention, since the encryption key and the decryption key are generated based on the form of the service, it is possible to suppress an unnecessarily increase in the number of keys and to perform processing for key management. Can be reduced.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a configuration of a content encryption apparatus according to Embodiment 1 of the present invention.
The content encryption apparatus 1 according to Embodiment 1 includes a service definition unit 11, a content key generation unit 12, a service key generation unit 13, a content encryption unit 14, and a service decryption key encryption unit 15. The service definition unit 11 defines service contents such as providing all contents or a subset of contents for each service of the video distribution service for contents input from an external device (not shown). Output as definition data. Specifically, as shown in FIG. 1, for the input content 1, content 2,..., Content n, service contents are defined, service 1 definition data, service 2 definition data,. Output service m definition data.

  The content key generation unit 12 includes a content determination unit (determination unit) 12a and a key generation unit 12b. The content determination unit 12a refers to the service definition data input from the service definition unit 11, and determines whether or not a service that includes a part of all the contents constituting a certain content set but does not include the remaining part is defined. Determine whether. That is, if a set of prepared contents is defined as C, a service s is defined as a subset of C (s⊆C), and a set of defined services is defined as S (S⊆pow (C)), a certain content In the set C ′ (C′⊆C), it is determined whether {s | sεS, C′⊆s or (C−C ′) ⊆s} = S holds. Based on the determination result of the content determination unit 12a, the key generation unit 12b uses, for each content included in the service, a key used for encrypting each content (hereinafter referred to as a content encryption key) and a content encryption key. A key used for decrypting each corresponding content (hereinafter referred to as a content decryption key) is generated.

  The key generation unit 12b is the same for all contents constituting the content set determined by the content determination unit 12a that a service that includes a part of all services but does not include the remaining part is defined. Generate a content decryption key. That is, if a set of prepared contents is defined as C, a service s is defined as a subset of C (s⊆C), and a set of defined services is defined as S (S⊆pow (C)), a certain content In the set C ′ (C ′ CC), if {s | s∈S, C′⊆s or (C-C ′) Cs} = S holds, for all contents that are elements of C ′ The same content decryption key is generated. As shown in FIG. 1, based on service 1 definition data, service 2 definition data,..., Service m definition data input from the service definition unit 11, a content 1 encryption key, a content 2 encryption key,.・ Generate a content n encryption key, and generate and output a content 1 decryption key, a content 2 decryption key,..., A content n decryption key.

  As the encryption algorithm used in the key generation unit 12b, for example, an encryption algorithm using a public key such as RSA (Rivest, Shamir, Adleman) or a cryptographic algorithm using a secret key such as AES (Advanced Encryption Standard) is used. Is not particularly limited.

  The service key generation unit 13 determines each service for each service from the service definition data input from the service definition unit 11 and the content encryption key and content decryption key input from the key generation unit 12b of the content key generation unit 12. A decryption key (hereinafter referred to as a service decryption key) necessary for receiving and an encryption key corresponding to the service decryption key (hereinafter referred to as a service encryption key) are generated and output.

  The service decryption key is managed so that a person who obtains the service decryption key can obtain a content decryption key corresponding to an arbitrary content included in the service, and is a key associated with each service. As shown in FIG. 1, service 1 definition data input from the service definition unit 11, service 2 definition data,..., Service m definition data and content 1 encryption key input from the content key generation unit 12, content 2 encryption key,... Content n encryption key, content 1 decryption key, content 2 decryption key,... Based on content n decryption key, service 1 encryption key, service 2 encryption key ,... Generates a service m encryption key, and generates and outputs a service 1 decryption key, a service 2 decryption key,.

  The content encryption unit 14 encrypts the content input from the external device using the content encryption key input from the key generation unit 12b of the content key generation unit 12, generates an encrypted content, and outputs it. As shown in FIG. 1, content 1 and content input from an external device using content 1 encryption key, content 2 encryption key,..., Content n encryption key input from key generation unit 12b 2,..., Encrypt content n to generate encrypted content 1, encrypted content 2,.

  The service decryption key encryption unit 15 encrypts a service decryption key of a certain service with a service encryption key of another service using the service encryption key and the service decryption key input from the service key generation unit 13. The encrypted service decryption key (hereinafter referred to as an encrypted service decryption key) is generated and output. As shown in FIG. 1, a service 1 encryption key, a service 2 encryption key,..., A service m encryption key, a service 1 decryption key, a service 2 decryption key input from the service key generation unit 13 ... Generates and outputs an encryption service i1 decryption key, an encryption service i2 decryption key,..., An encryption service ij decryption key using the service m decryption key. In FIG. 1, signal lines for contents and services are shown. However, a single signal line may be used and multiplexing such as time division multiplexing may be used.

Next, the operation of the content encryption apparatus according to Embodiment 1 of the present invention will be described. FIG. 2 is a flowchart showing the operation of the content encryption apparatus according to the first embodiment of the present invention. Hereinafter, description will be given according to this flowchart.
When content is input from an external device, the service definition unit 11 defines each service that provides a complete set of content or a partial set of content, and stores the service definition data in the content key generation unit 12 and the service key generation unit 13. Output (step ST1). The content determination unit 12a of the content key generation unit 12 refers to the service definition data input in step ST1, and defines a service that includes a part of all the contents constituting a certain content set but does not include the remaining part. It is determined whether it has been performed (step ST2).

  In step ST2, when it is determined that a service that includes a part of all services but does not include the remaining part is not defined, that is, when attention is paid to two contents, one content in all services If there is no service that does not include the other content, the key generation unit 12b of the content key generation unit 12 generates and generates the same content encryption key and content decryption key for the two contents. The content encryption key and the content decryption key are output to the service key generation unit 13, the content encryption key is output to the content encryption unit 14, and the content decryption key is output to a service user side device (not shown) (step). ST3).

For example, there are six types of contents A, B, C, D, E, and F, and four types of services α = {A, F}, β = {A, F, B}, γ = {A, F , C}, δ = {C, D, E}, if attention is paid to the content sets {A, F} and {D, E}, the service that does not include the content F and the content F includes the content A. A service that does not include content A, a service that includes content D and does not include content E, and a service that includes content E and does not include content D are not defined. In such a case, it is determined in step ST2 that the content sets {A, F} and {D, E} do not define a service that includes a part of all services but does not include the remaining part. In step ST3, the same content encryption key and content decryption key are generated for content A and content F, and content D and content E.

On the other hand, when it is determined in step ST2 that a service that includes a part of all services but does not include the remaining part is defined, that is, when attention is paid to two contents, one of the contents is included. When there is a service that does not include the other content, the key generation unit 12b generates different content encryption keys and content decryption keys for the two contents, and the generated content encryption key and The content decryption key is output to the service key generation unit 13, the content encryption key is output to the content encryption unit 14, and the content decryption key is output to the service user side device (step ST4).

  The service key generation unit 13 uses a service encryption key and a service decryption key for each service from the service definition data input in step ST1 and the content encryption key and content decryption key input in steps ST3 and ST4. And the generated service encryption key and service decryption key are output to the service decryption key encryption unit 15 and the service decryption key is output to the service user side device (step ST5). The content encryption unit 14 encrypts the content input from the external device using the content encryption key input in step ST3 and step ST4, generates an encrypted content, and outputs it to the service user side device ( Step ST6).

  The service decryption key encryption unit 15 encrypts the service decryption key of a certain service with the service encryption key of another service using the service encryption key and the service decryption key input in step ST5. The converted service decryption key is generated and output to the service user side device (step ST7). In the video distribution service of the first embodiment, the encrypted service decryption key is multiplexed with the encrypted content for distribution. However, the service is not limited to distribution, and various distribution forms such as storing encrypted content on a medium and distributing it are possible.

  Next, based on the flowchart shown in FIG. 2, the operation of the content encryption apparatus when performing four types of video distribution services using four types of content will be described with reference to FIGS. Although the first embodiment is described as performing four types of services using four types of content, the number of contents and the definition content of the service can be arbitrarily set.

  FIG. 3 is a diagram showing an example of service definition contents of the video distribution service of the content encryption apparatus according to Embodiment 1 of the present invention. In step ST1, from the external device, the content 1 composed of the low-quality moving image shown in FIG. 3, the content 2 composed of the moving image that is the difference to the high image quality, the content 3 composed of the audio, and the caption data When the content 4 to be configured is input, the service definition unit 11 defines the service contents of four types of services that provide a total set of four types of content or a subset of the content. Specifically, the service 3 in FIG. 3 will be described as an example. The service 3 including the content 1, the content 3, and the content 4 is a service that performs “distribution of low-quality moving images and video and subtitle data using audio”. The defined data is output to the content key generation unit 12 and the service key generation unit 13 as service definition data.

  As step ST2, the content determination unit 12a of the content key generation unit 12 includes a part of all the contents constituting a certain content set based on each service definition data of the service 1 to the service 4, but the remaining part. It is determined whether a service that does not include is defined. Specifically, referring to FIG. 3, it is determined that the content set including the content 1 and the content 3 is included in all the services 1 to 4.

  In step ST3, the key generation unit 12b of the content key generation unit 12 generates the same content decryption key for the content 1 and the content 3, and the service key generation unit 13 and the content encryption unit 14 together with the corresponding content encryption key. Output. A specific example of the generated content encryption key and content decryption key is shown in FIG. FIG. 4 is a diagram showing an example of a content encryption key and a content decryption key generated by the content key generation unit according to Embodiment 1 of the present invention. For content 1 and content 3 determined to be included in all services, the same content encryption key (content 1: CKey_enc_1, content 3: CKey_enc_3 = CKey_enc_1) and the same content decryption key (content 1: CKey_dec_1, content 3: CKey_dec_3 = CKey_dec_1) is generated and output to the service key generation unit 13, the content encryption unit 14, and the service user side device.

  In step ST4, the key generation unit 12b of the content key generation unit 12 generates different content decryption keys (content 2: CKey_dec_2, content 4: CKey_dec_4) for the content 2 and the content 4, and the corresponding content encryption key. Along with (Content 2: CKey_enc_2, Content 4: CKey_enc_4), the data is output to the service key generation unit 13, the content encryption unit 14, and the service user side device.

  The content encryption key and content decryption key shown in FIG. 4 indicate a case where an asymmetric encryption algorithm such as RSA is used. When the asymmetric encryption algorithm is used, the content encryption key and the content decryption key are different, but when the content decryption key is the same (CKey_dec_1 = CKey_dec_3) as in content 1 and content 3, normal content encryption is used. The same key is also used (CKey_enc_1 = CKey_enc_3). When a symmetric encryption algorithm such as AES is used, the content encryption key and the content decryption key are the same (CKey_enc_1 = CKey_dec_1, CKey_enc_2 = CKey_dec_2, CKey_enc_4 = CKey_dec_4).

  In addition, the video distribution service of the first embodiment does not provide services such as providing the content 1 and not providing the content 3 or providing the content 3 without providing the content 1. Therefore, it is not necessary to manage the content 1 and the content 3 provided to the same service with different content encryption keys and content decryption keys. This is because the service user who receives the content 1 in the service definition unit 11 is always the service user who receives the content 3, and the service user who receives the content 3 always uses the service 1 who receives the content 1. This is because the service content is defined as a user. As a result, the content key generation unit 12 only needs to generate a minimum number of keys, and can suppress an unnecessary increase in the number of keys, and can eliminate the complexity of key management.

  In step ST5, the service key generation unit 13 uses the definition data of the service 1 to the service 4 and the content encryption key and the content decryption key of the content 1 to the content 4 for each service. A key is generated and output to the service decryption key encryption unit 15 and the service user side device. Specific examples of the generated service encryption key and service decryption key are shown in FIG. FIG. 5 is a diagram showing an example of a service encryption key and a service decryption key generated by the service key generation unit according to Embodiment 1 of the present invention.

  Since the service 1 is a service that provides only the content 1 and the content 3 included in all services, the service decryption key of the service 1 is the same as the content decryption keys of the content 1 and the content 3. Furthermore, since the content decryption keys of content 1 and content 3 are the same (CKey_dec_1 = CKey_dec_3), the service decryption key of service 1 is generated as SKey_dec_1 = CKey_dec_1. Since the service 2 provides the content 1 and the content 3 included in the service 1 and also provides the content 2, the service decryption key of the service 2 is the same as the content decryption key of the content 2 (SKey_dec_2 = CKey_dec_2) Generated.

  Since the service 3 provides the content 1 and the content 3 included in the service 1 and also provides the content 4, the service decryption key of the service 3 is the same as the content decryption key of the content 4 (SKey_dec_3 = CKey_dec_4) Generated. Like service 1 to service 3 described above, service A (first service) that provides contents a and b is defined, and service B (second service) that provides content c in addition to contents a and b Service) is defined, if a service that does not include service A and provides only content c included in service B is not defined, the content decryption key of content c is assigned to service B's service. This is the decryption key.

  On the other hand, since service 4 provides content 1 and content 3 included in service 1, content 2 included in service 2 and content 4 included in service 3, a service decryption key for service 4 is newly generated ( SKey_dec_4).

  Although it is not necessary to use a specific encryption algorithm of the service key generation unit 13, in the first embodiment, for example, the service decryption key of the service 1 is the same as the content decryption key of the content 1. The same encryption algorithm as the encryption algorithm associated with the content decryption key of content 1 is used. The same restrictions apply to the service decryption key for service 2 and the service decryption key for service 3. However, there is no restriction on the encryption algorithm for the service decryption key of service 4, and when an asymmetric encryption algorithm such as RSA is used, the content encryption key and the content decryption key are different as shown in FIG. . When a symmetric encryption algorithm such as AES is used, the service encryption key and the service decryption key are the same (SKey_enc_4 = SKey_dec_4).

  In step ST6, the content encryption unit 14 encrypts the content 1 to the content 4 input from the external device using the content encryption keys (CKey_enc_1, CKey_enc_2, CKey_enc_4) input from the key generation unit 12b, The encrypted content 4 is generated from the encrypted content 1 and output to the service user side device.

  As step ST7, the service decryption key encryption unit 15 generates an encrypted service decryption key obtained by encrypting a service decryption key of a certain service with a service encryption key of another service. A specific example of the generated encryption service decryption key is shown in FIG. FIG. 6 is a diagram showing an encrypted service decryption key generated by the service decryption key encryption unit according to Embodiment 1 of the present invention. There are 12 possible combinations for encrypting the service decryption keys of the service 1 to the service 4 with the service encryption keys of other services. In the video distribution service according to the first embodiment, as shown in FIG. Service 1 encrypted service decryption key encrypted with service encryption key 2, Service 1 encrypted service decryption key encrypted with service 3 service encryption key, Service 4 service encryption key 4 types of encrypted service decryption keys, that is, an encrypted service decryption key of the service 2 encrypted with the service encryption key of the service 3, and an encrypted service decryption key of the service 3 encrypted with the service encryption key of the service 4, Output to the user side device.

  In order to provide the content 1 and the content 3 provided in the service 1 in addition to the content 2, the service 2 uses an encrypted service decryption key obtained by encrypting the decryption key of the service 1 with the service encryption key of the service 2 Generate. In order to provide the content 1 and the content 3 provided in the service 1 in addition to the content 4, the service 3 uses an encrypted service decryption key obtained by encrypting the decryption key of the service 1 with the service encryption key of the service 3. Generate. The service 4 provides the content 1 to the content 4 provided in the service 1 to the service 3, so that the service 2 and the decryption key of the service 3 are encrypted with the service encryption key of the service 4. Is generated.

  The service A (first service) that provides the contents a and b like the service 2 to the service 4 described above is defined, provides all the contents a and b included in the service A, and further the contents c If the service B (second service) providing the service c is defined and the service providing the content c is not defined, the service decryption key of the service A is encrypted with the encryption key of the service B To do. As a result, the service user provided with the service B decrypts the content c using the decryption key of the service B, and decrypts the encrypted decryption key of the service A. Thereafter, using the decryption key of service A, the contents a and b are decrypted to obtain each content. Here, the encryption algorithm uses the encryption algorithm associated with the service encryption key and the service decryption key when the service encryption key and the service decryption key are generated.

  In the video distribution service of the first embodiment, four types of encrypted content are generated, and an encrypted service decryption key is multiplexed on the generated encrypted content and distributed to the service user. As a result, the service user obtains the service decryption key corresponding to the service to be used, and obtains the service decryption key by decrypting the encrypted service decryption key using the service decryption key. The content decryption key can be obtained.

  The service user who receives the service 1 obtains the service decryption key of the service 1 output from the service key generation unit 13, and the service decryption key becomes the decryption key of the content 1 and the content 3. Therefore, the provided content can be decrypted immediately.

  Since the service user who receives the provision of the service 2 obtains the service decryption key of the service 2 output from the service key generation unit 13, the service decryption key becomes the content decryption key of the content 2. The provided content 2 can be decrypted immediately. Further, the service decryption key of service 1 is obtained by decrypting the encrypted service decryption key of service 1 output from service decryption key encryption unit 15 with the service decryption key of service 2. Then, the content 1 and the content 3 can be decrypted by using the service decryption key of the service 1 obtained.

  Since the service user who receives the provision of the service 3 obtains the service decryption key of the service 3 output from the service key generation unit 13, the service decryption key becomes the content decryption key of the content 4. The provided content 4 can be decrypted immediately. Further, the service decryption key of service 1 is obtained by decrypting the encrypted service decryption key of service 1 output from service decryption key encryption unit 15 with the service decryption key of service 3. Then, the content 1 and the content 3 can be decrypted by using the service decryption key of the service 1 obtained.

  The service user who receives the service 4 obtains the service decryption key of the service 4 output from the service key generation unit 13, so that the service decryption key is output from the service decryption key encryption unit 15. The encrypted service decryption key of service 2 and the encrypted service decryption key of service 3 are decrypted. Using the decrypted service decryption keys of the service 2 and the service 3, all four types of content can be decrypted in the same manner as the service user who receives the service 2 or the service 3.

  Since the service key generation unit 13 generates a service decryption key by reusing the content decryption key so that the number of keys does not increase unnecessarily, it is possible to suppress the complexity of key management. Also, the service user obtains a service decryption key corresponding to the service to be used by distributing the encrypted service decryption key generated in the service decryption key encryption unit 15 by multiplexing the encrypted service decryption key on the encrypted content. Then, by decrypting the encrypted service decryption key using the service decryption key and obtaining the service decryption key, the necessary content decryption key can be obtained.

  By generating and providing the service decryption key encrypted by the service decryption key encryption unit 15, the content decryption key is periodically updated or the content is compulsory when the content decryption key is leaked. When updating the decryption key, the content decryption key is simply updated by updating the encrypted service decryption key multiplexed in the distribution data without distributing the service decryption key again to the service user. Since it can be updated, key management can be simplified. For example, when updating the content decryption key of content 1, if the service user using service 2 updates the encryption service decryption key of service 1 included in the received data, the updated service It is only necessary to decrypt the content 1 using one service decryption key (in this embodiment, the content decryption key of the content 1), and there is no need to redistribute the content decryption key of the content 1 separately. . Similarly to the above, it is not necessary to redistribute the content decryption key to the service user who uses the service 3 and the service user who uses the service 4. However, it is necessary to redistribute the service decryption key of the service 1 to the service user who uses the service 1.

  As described above, according to the first embodiment, the service definition unit that defines the service content of the service that provides the content set is provided, and the content encryption key and the content are based on the service content defined in the service definition unit. Since the content key generation unit for generating the decryption key is provided, it is only necessary to generate the minimum content encryption key and content decryption key based on the service content, and the number of keys increases unnecessarily. Can be suppressed, and key management can be simplified.

  Further, according to the first embodiment, a service definition unit that defines the service content of a service that provides a content set is provided, and a content encryption key and a content decryption key are based on the service content defined in the service definition unit. Content key generation unit and a service key generation unit that generates a service encryption key and a service decryption key based on the service content, so that the content encryption key and the content decryption based on the service content It is possible to generate a service encryption key and a service decryption key by reusing the key, to suppress an unnecessarily increase in the number of keys, and to simplify key management.

  Further, according to the first embodiment, the service definition unit that defines the service content of the service that provides the content set is provided, and the encryption that encrypts the service decryption key based on the service content defined in the service definition unit Service decryption key generator so that the service can be used to update the content decryption key periodically or when the content decryption key is forcibly updated. It is possible to update the content decryption key by simply updating the encrypted service decryption key multiplexed in the distribution data without redistributing the service decryption key to the user, thus simplifying key management. Can be

  Further, according to the first embodiment, the service definition unit that defines the service content of the service that provides the content set is provided, and the encryption that encrypts the service decryption key based on the service content defined in the service definition unit The service decryption key generation unit is provided and the encrypted service decryption key is multiplexed with the encrypted content and provided to the service user side device, so that the service decryption corresponding to the service used by the service user is provided. It is possible to obtain a decryption key, obtain a decryptable encryption service decryption key, and obtain a necessary content decryption key, thereby simplifying key management. Also, multicast distribution or broadcast distribution can be performed without considering the difference in service form for a large number of service users. It is also possible to multiplex and distribute only the minimum encrypted content and the encrypted service decryption key depending on the service form provided to the service user.

  In the first embodiment described above, a configuration in which one content decryption key is generated for one content has been shown. However, two content decryption keys are generated for one content at the same time. May be. Thus, while one content decryption key is applied to the content, the content decryption key is switched for the continuously distributed content by updating or redistributing the other content decryption key. Even when the location is not clearly managed, it is possible to operate the service user so that the content decryption is not hindered. The same applies to the service decryption key as well as the content decryption key.

Embodiment 2. FIG.
In the first embodiment, the content encryption apparatus as the service provider side apparatus has been described. Next, the service user who receives the video distribution service distributed from the content encryption apparatus according to the first embodiment is provided. A content decrypting apparatus provided will be described. In the second embodiment, the provided video distribution service is the service definition of the video distribution service shown in FIG. 3 of the first embodiment, the content shown in FIG. 4 and its decryption key, and FIG. Assuming that the service is composed of the indicated service and its decryption key and the encrypted service key shown in FIG. 6, it will be described as a content decryption device for a service user who receives the video distribution service. It can be configured as a content decryption device corresponding to an arbitrary content encryption device.

FIG. 7 is a block diagram showing the configuration of the content decryption apparatus according to Embodiment 2 of the present invention. The content decryption apparatus 2 according to Embodiment 2 includes a content decryption key extraction unit 21 and a content decryption unit 22.
The content decryption key extraction unit 21 uses the service decryption key input from the content encryption device (not shown) as the service provider side device, and similarly encrypts the service input from the content encryption device. Decrypt the decryption key to obtain the service decryption key. Furthermore, another encrypted service decryption key is decrypted using the obtained service decryption key. This decryption operation is repeated to finally obtain the content decryption key and output it to the content decryption unit 22. Specifically, as shown in FIG. 7, using the input service s decryption key, an encryption service b ₁ decryption key, an encryption service b ₂ decryption key,..., An encryption service b _The decryption key _q is decrypted, and the content c ₁ decryption key, content c ₂ decryption key,..., content _cr decryption key are output.

The content decryption unit 22 decrypts the encrypted content input from the content encryption device using the content decryption key input from the content decryption key extraction unit 21 and obtains the desired content. And output. Specifically, as shown in FIG. 7, the input encrypted content a ₁ , encrypted content a ₂ ,..., Encrypted content a _p is converted into content c ₁ decryption key, content c ₂ decryption key ,..., Decrypted with the content _cr decryption key, and plainly obtained, and contents c ₁ , contents c ₂ ,..., Contents _cr are obtained and output.

Next, the operation of the content decryption apparatus according to Embodiment 2 of the present invention will be described. FIG. 8 is a flowchart showing the operation of the content decryption apparatus according to Embodiment 2 of the present invention.
First, a service decryption key and an encryption service decryption key of a service provided to the content decryption key extraction unit 21 are distributed as a video distribution service from a content encryption device that is a service provider side device, and content decryption is performed. The encrypted content is distributed to unit 22 (step ST11). The content decryption key extraction unit 21 decrypts the encrypted service decryption key using the service decryption key distributed in step ST11 to obtain a different service decryption key (step ST12). It is determined whether the encrypted service decryption key can be further decrypted using the obtained service decryption key (step ST13).

  If it is determined in step ST13 that there is an encrypted service decryption key that can be decrypted using the extracted service decryption key, the process returns to step ST12. On the other hand, if it is determined in step ST13 that there is no encrypted service decryption key that can be decrypted using the extracted service decryption key, the content decryption key is determined using the extracted service decryption key. Obtain and output to the content decryption unit 22 (step ST14).

  The content decryption unit 22 decrypts the encrypted content input in step ST11 using the content decryption key input in step ST14, obtains the content, and outputs the content to a display device (not shown) or the like. (Step ST15). The display device or the like appropriately displays and reproduces or outputs the content input in step ST15 (step ST16). As a result, the service user can appropriately receive the service.

Next, it is assumed that the service user uses the service 2 based on the flowchart shown in FIG.
In step ST11, the service decryption key and the encryption service decryption key of the service 2 are distributed to the content decryption key extraction unit 21 as a video distribution service from the content encryption device which is the service provider side device, and the content decryption unit The encrypted content is distributed to 22. Note that the following four types of encryption service decryption keys shown in FIG. 6 are multiplexed and distributed in the encrypted content and can be obtained. Service 1 encryption service decryption key encrypted with service 2 service encryption key, Service 1 encryption service decryption key encrypted with service 3 service encryption key, Service 4 service encryption The encryption service decryption key of service 2 encrypted with the key, and the encryption service decryption key of service 3 encrypted with the service encryption key of service 4.

  As step ST12, the content decryption key extraction unit 21 extracts the encrypted service decryption key of service 1 using the service decryption key of service 2 that has been distributed. In step ST13, it is determined whether to further decrypt the encrypted service decryption key using the service decryption key of service 1 extracted. However, in this example, since there is no other encrypted service decryption key that can be decrypted using the extracted service decryption key of service 1, the process proceeds to step ST14.

  In step ST14, the content decryption key of content 2 is obtained using the service decryption key of service 2, and the content decryption of content 1 and content 3 is obtained using the service decryption key of service 1 obtained in step ST13. Get the activation key. The obtained three types of content decryption keys are output to the content decryption unit 22. In step ST15, the content decryption unit 22 decrypts the encrypted content of the content 1 to the content 3 using the content decryption key of the content 1 to the content 3, obtains the content 3 from the content 1, and displays the display device (FIG. (Not shown). In step ST16, the display device or the like appropriately displays and reproduces the content 3 from the input content 1 or outputs it.

  As described above, according to the second embodiment, the encryption service similarly input from the content encryption device using the service decryption key input from the content encryption device which is the service provider side device. Decrypt the decryption key to obtain a different service decryption key, and repeatedly execute the process of decrypting the encrypted service decryption key using the different service decryption key, and finally the content decryption key A content decryption key extraction unit to be obtained and a content decryption unit that decrypts the encrypted content input from the content encryption device using the content decryption key input from the content decryption key extraction unit Since it is configured, it is possible to simplify the management of keys distributed from the service provider.

It is a block diagram which shows the structure of the content encryption apparatus concerning Embodiment 1 of this invention. It is a flowchart which shows operation | movement of the content encryption apparatus concerning Embodiment 1 of this invention. It is a figure which shows an example of the definition content of the service of the content encryption apparatus concerning Embodiment 1 of this invention. It is a figure which shows an example of the content encryption key / decryption key of the content encryption apparatus concerning Embodiment 1 of this invention. It is a figure which shows an example of the service encryption key / decryption key of the content encryption apparatus concerning Embodiment 1 of this invention. It is a figure which shows an example of the encryption service decoding key of the content encryption apparatus which concerns on Embodiment 1 of this invention. It is a block diagram which shows the structure of the content decoding apparatus concerning Embodiment 2 of this invention. It is a flowchart which shows operation | movement of the content decoding apparatus based on Embodiment 2 of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 Content encryption apparatus, 2 Content decryption apparatus, 11 Service definition part, 12 Content key generation part, 12a Content determination part, 12b Key generation part, 13 Service key generation part, 14 Content encryption part, 15 Service decryption key An encryption unit, 21 a content decryption key extraction unit, and 22 a content decryption unit.

Claims (6)

A service definition unit that configures a service by selecting specific content from a plurality of contents input from an external device;
A content encryption key for encrypting content data based on content constituting the service, and a content key generation unit for generating a content decryption key corresponding to the content encryption key;
A service encryption key for encrypting the service data based on content constituting the service, and a service key generation unit for generating a service decryption key corresponding to the service encryption key;
A content encryption apparatus comprising: a content encryption unit that encrypts the content data using a content encryption key generated by the content key generation unit. In the service definition unit, at least the first service and the second service are defined,
The second service is composed of all contents constituting the first service and different contents not included in the first service,
When a service composed only of the different contents is not defined,
The content encryption according to claim 1, further comprising a service decryption key encryption unit that encrypts a service decryption key of the first service with a service encryption key of the second service. apparatus. The content key generator
For a content set consisting of multiple contents,
A determination unit that determines whether or not a service that includes a part of the content constituting the content set but does not include the remaining part is defined;
When the determination unit determines that a service that includes a part of the content that configures the content set but does not include the remaining part is not defined, the same content decoding is performed on the content that configures the content set. The content encryption apparatus according to claim 1, further comprising: a key generation unit that generates an encryption key. The service key generator
4. The content encryption apparatus according to claim 3, wherein a service decryption key of a service including only content included in all services is made the same as a content decryption key of the content. In the service definition unit, at least the first service and the second service are defined,
The second service is composed of all contents constituting the first service and different contents not included in the first service,
When a service composed only of the different contents is not defined,
5. The content encryption according to claim 1, wherein the service key generation unit uses the content decryption key of the different content as the service decryption key of the second service. 6. Device. A content decryption key extraction unit that obtains a content decryption key using a service decryption key and an encryption service decryption key input from an external device;
A content decryption unit that decrypts encrypted content input from the content encryption device using a content decryption key input from the content decryption key extraction unit;
The content decryption key extraction unit decrypts an encrypted service decryption key using a service decryption key input from the content encryption device to obtain a different service decryption key, and the different service decryption key A content decrypting apparatus, wherein a content decrypting key is obtained by repeatedly executing a process of decrypting different encryption service decrypting keys by using.

Images