JP2015043611A - Decoding device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To securely prevent illegal copying.SOLUTION: Data encrypted by a 1394-interface 26 of a DVD player 1 is transmitted to a personal computer 2 and a magneto-optical disk device 3 through a 1394-bus 11. In the magneto-optical disk device 3 which does not permit a user to change its functions, the received data is decoded by using a 1394-interface 36. On the other hand, in the personal computer 2 which permits the user to change its functions, the encrypted data is decrypted by using a time-variant key i in a 1394-interface 49, and decoding result is further decoded by using a session key S at an application section 61.

Description

  The present invention relates to an encryption apparatus and method, and more particularly, to an encryption apparatus and method that further enhances security.

  Recently, a plurality of electronic devices represented by AV devices, computers, and the like are connected to each other via a bus to form a network, and various types of data can be exchanged within the network.

  As a result, for example, movie data reproduced from a DVD can be transferred to a display device such as a television receiver or a monitor via a bus and displayed by a DVD player connected to a network. Normally, displaying a movie reproduced from a DVD on a display device is permitted by the copyright holder at the time of purchasing the DVD.

  However, it is generally not permitted by copyright holders to copy and use data reproduced from a DVD on another recording medium. Therefore, in order to prevent the data sent via the bus (network) from being illegally copied, it is possible to encrypt the data on the sending side and decrypt it on the receiving side. It is done.

  However, consumer electronics devices (CE devices) such as DVD players and television receivers are usually designed and manufactured for a predetermined purpose, and users can modify them or install other parts. It is manufactured in such a way that it cannot be incorporated to acquire data inside the device or tamper with it (change of function). On the other hand, in many cases, for example, personal computers have open architectures and circuits, and various functions can be added or changed by adding boards or installing various application software. It is made to be able to.

  Therefore, in the personal computer, the data on the internal bus can be directly viewed or altered by adding predetermined hardware or creating a software program. It can be done relatively easily. This means, for example, that data transmitted encrypted from a DVD player to a television receiver can be received by a personal computer, decrypted and copied by creating application software. It means that you can do it.

  In other words, a personal computer has a poor connection between a link unit that performs communication and an application unit that prepares data to be transmitted / received and uses received data via a bus. In fact, there are many parts that the user can add to. On the other hand, in the CE device, the connection between the two is close and there is almost no part where the user can intervene.

  The present invention has been made in view of such a situation, and makes it possible to more reliably prevent illegal copying of data.

  An encryption apparatus according to an aspect of the present invention supplies first key information obtained through an authentication process performed by bidirectional communication with another apparatus in an encryption apparatus that encrypts digital data using an encryption key. A second supply unit that supplies second key information that is changed during a period in which the first key information is used, and a change in the second key information. A generation unit that generates the encryption key that is changed at a predetermined timing during the period based on the first key information and the second key information, a memory that holds the encryption key, and the encryption An encryption unit that encrypts the digital data to be transmitted by an exclusive OR operation between the key and the digital data to be transmitted to the other device.

  In one aspect of the present invention, the first key information obtained through the authentication process performed by two-way communication with another device is changed according to the change of the second key information that is changed during the period in which the first key information is used. An encryption key that is changed at a predetermined timing during the period is generated based on the first key information and the second key information, the encryption key is held, and the encryption key and the other device are transmitted. The digital data to be transmitted is encrypted by an exclusive OR operation with the digital data to be transmitted.

  As described above, according to one aspect of the present invention, encryption can be performed more securely.

It is a block diagram which shows the structural example of the information processing system to which this invention is applied. FIG. 2 is a block diagram illustrating an internal configuration example of a DVD player 1, a personal computer 2, and a magneto-optical disk device 3 in FIG. It is a figure explaining an authentication process. It is a timing chart explaining an authentication process. It is a figure which shows the format of node_unique_ID. It is a timing chart explaining other authentication processing. It is a timing chart explaining other authentication processing. It is a timing chart explaining other authentication processing. It is a timing chart explaining other authentication processing. It is a block diagram explaining an encryption process. It is a block diagram which shows the structural example of the 1394 interface 26 of FIG. FIG. 12 is a block diagram illustrating a more detailed configuration example of the 1394 interface 26 of FIG. 11. It is a block diagram which shows the more detailed structural example of LFSR72 of FIG. FIG. 14 is a block diagram illustrating a more specific configuration example of the LFSR 72 of FIG. 13. It is a block diagram which shows the structural example of the 1394 interface 36 of FIG. FIG. 16 is a block diagram illustrating a more detailed configuration example of the 1394 interface 36 of FIG. 15. It is a block diagram which shows the structural example of the 1394 interface 49 of FIG. FIG. 18 is a block diagram illustrating a more detailed configuration example of the 1394 interface 49 of FIG. 17. It is a block diagram which shows the structural example of the application part 61 of FIG. FIG. 20 is a block diagram illustrating a more detailed configuration example of the application unit 61 in FIG. 19. FIG. 11 is a block diagram illustrating another configuration example of the 1394 interface 26 of FIG. 10. FIG. 11 is a block diagram illustrating another configuration example of the 1394 interface 36 of FIG. 10. FIG. 11 is a block diagram illustrating another configuration example of the 1394 interface 49 of FIG. 10. It is a block diagram which shows the other structural example of the application part 61 of FIG.

  FIG. 1 shows a configuration example of an information processing system to which the present invention is applied. In this configuration example, a DVD player 1, a personal computer 2, a magneto-optical disk device 3, a data broadcast receiving device 4, a monitor 5, and a television receiver 6 are connected to each other via an IEEE 1394 serial bus 11.

  FIG. 2 shows a more detailed configuration example of the inside of the DVD player 1, the personal computer 2, and the magneto-optical disk device 3. The DVD player 1 is connected to the 1394 bus 11 via the 1394 interface 26. The CPU 21 executes various processes in accordance with programs stored in the ROM 22, and the RAM 23 appropriately stores data, programs, and the like necessary for the CPU 21 to execute various processes. The operation unit 24 includes buttons, switches, a remote controller, and the like. When operated by the user, the operation unit 24 outputs a signal corresponding to the operation. The drive 25 drives a DVD (disc) (not shown) and reproduces data recorded therein. The EEPROM 27 stores information (key information in this embodiment) that needs to be stored even after the apparatus is turned off. The internal bus 28 connects these parts to each other.

  The magneto-optical disk device 3 has a CPU 31 to an internal bus 38. These have functions similar to those of the CPU 21 to the internal bus 28 in the DVD player 1 described above, and a description thereof will be omitted. However, the drive 35 drives a magneto-optical disk (not shown) and records or reproduces data there.

  The personal computer 2 is connected to the 1394 bus 11 via the 1394 interface 49. The CPU 41 executes various processes according to programs stored in the ROM 42. The RAM 43 appropriately stores data and programs necessary for the CPU 41 to execute various processes. A keyboard 45 and a mouse 46 are connected to the input / output interface 44, and signals input from them are output to the CPU 41. Further, a hard disk (HDD) 47 is connected to the input / output interface 44 so that data, programs, and the like can be recorded and reproduced there. The input / output interface 44 is also equipped with an expansion board 48 as appropriate so that necessary functions can be added. The EEPROM 50 stores information that needs to be retained even after the power is turned off (in this embodiment, various key information). For example, an internal bus 51 configured by PCI (Peripheral Component Interconnect), a local bus, and the like is configured to connect these units to each other.

  The internal bus 51 is open to the user. The user can connect a predetermined board to the expansion board 48 as appropriate, create a predetermined software program, and install it in the CPU 41. Data transmitted through the bus 51 can be received as appropriate.

  On the other hand, in consumer electronics (CE) devices such as the DVD player 1 and the magneto-optical disk device 3, the internal bus 28 and the internal bus 38 are not released to the user, and unless special modifications are made. It is made so that the data transmitted there cannot be obtained.

  Next, an authentication process performed between a predetermined source and sink will be described. As shown in FIG. 3, this authentication process includes firmware 20 as one of the software programs stored in advance in the ROM 22 of the DVD player 1 as a source and ROM 42 of the personal computer 2 as a sink, for example. And is performed with the license manager 62 as one of the software programs processed by the CPU 41.

  FIG. 4 shows an authentication procedure performed between the source (DVD player 1) and the sink (personal computer 2). The EEPROM 27 of the DVD player 1 stores a service key (service_key) and a function (hash) in advance. These are all given to the user of the DVD player 1 by the copyright owner, and each user keeps this in the EEPROM 27 in a secret manner.

  The service key is given for each piece of information provided by the copyright holder, and is common in the system configured with the 1394 bus 11. In the present specification, the term system refers to an overall device composed of a plurality of devices.

  The hash function is a function that outputs data of a fixed length such as 64 bits or 128 bits for an input of an arbitrary length, and it is difficult to obtain x when y (= hash (x)) is given. In addition, it is a function that makes it difficult to obtain a set of x1 and x2 satisfying hash (x1) = hash (x2). MD5 and SHA are known as representative one-way hash functions. This one-way hash function is described in detail in “Applied Cryptography (Second Edition), Wiley” by Bruce Schneier.

On the other hand, for example, the personal computer 2 as a sink holds an identification number (ID) and a license key (license_key) unique to itself given from the copyright holder in the EEPROM 50 in a secret manner. This license key is a value obtained by applying a hash function to n + m-bit data (ID || service_key) obtained by concatenating an n-bit ID and an m-bit service key. That is, the license key is expressed by the following formula.
license_key = hash (ID ｜｜ service_key)

  As the ID, for example, node_unique_ID defined in the 1394 bus 11 standard can be used. As shown in FIG. 5, this node_unique_ID is composed of 8 bytes (64 bits), the first 3 bytes are managed by IEEE, and are given to each manufacturer of electronic equipment from IEEE. The lower 5 bytes can be assigned to each device provided by each manufacturer to the user. For example, each manufacturer assigns one number serially to the lower 5 bytes, and when all 5 bytes are used, the upper 3 bytes are a different number. Node_unique_ID Then, one number is assigned to each of the lower 5 bytes. Therefore, this node_unique_ID is different for each device regardless of the manufacturer, and is unique to each device.

  In step S 1, the firmware 20 of the DVD player 1 controls the 1394 interface 26 and requests an ID from the personal computer 2 via the 1394 bus 11. In step S2, the license manager 62 of the personal computer 2 receives this ID request. That is, when the 1394 interface 49 receives an ID request signal transmitted from the DVD player 1 via the 1394 bus 11, the 1394 interface 49 outputs it to the CPU 41. When receiving the ID request, the license manager 62 of the CPU 41 reads the ID stored in the EEPROM 50 in step S3 and transmits it to the DVD player 1 from the 1394 bus 11 via the 1394 interface 49.

  In the DVD player 1, when the 1394 interface 26 receives this ID in step S 4, this ID is supplied to the firmware 20 operating on the CPU 21.

In step S5, the firmware 20 combines the ID received from the personal computer 2 with the service key stored in the EEPROM 27 to generate data (ID || service_key). Apply the hash function as shown in the formula to generate the key lk.
lk = hash (ID || service_key)

  Next, in step S6, the firmware 20 generates an encryption key sk. Although details of the encryption key sk will be described later, the encryption key sk is used in each of the DVD player 1 and the personal computer 2 as a session key.

Next, in step S7, the firmware 20 encrypts the encryption key sk generated in step S6 using the key lk generated in step S5 as a key to obtain encrypted data (encryption key) e. That is, the following equation is calculated.
e = Enc (lk, sk)

  Enc (A, B) means that the data B is encrypted using the key A in a common key cryptosystem.

Next, in step S8, the firmware 20 transmits the encrypted data e generated in step S7 to the personal computer 2. That is, the encrypted data e is transmitted from the 1394 interface 26 of the DVD player 1 to the personal computer 2 via the 1394 bus 11. The personal computer 2 receives this encrypted data e through the 1394 interface 49 in step S9. The license manager 62 decrypts the encrypted data e received in this way, using the license key stored in the EEPROM 50 as a key, as shown in the following equation, and generates a decryption key sk ′.
sk '= Dec (license_key, e)

  Here, Dec (A, B) means that the data B is decrypted using the key A in the common key cryptosystem.

  Note that DES is known as an encryption algorithm in this common key cryptosystem. The common key encryption method is also described in detail in Applied Cryptography (Second Edition) described above.

In the DVD player 1, the key lk generated in step S <b> 5 has the same value as (license_key) stored in the EEPROM 50 of the personal computer 2. That is, the following equation is established.
lk = license_key

Therefore, the key sk ′ obtained by decrypting in step S10 in the personal computer 2 has the same value as the encryption key sk generated in step S6 in the DVD player 1. That is, the following equation is established.
sk '= sk

  Thus, the same key sk, sk ′ can be shared by both the DVD player 1 (source) and the personal computer 2 (sink). Therefore, this key sk can be used as an encryption key as it is, or each can generate a pseudo random number based on this key and use it as an encryption key.

  As described above, since the license key is generated based on the ID unique to each device and the service key corresponding to the information to be provided, other devices cannot generate sk or sk ′. In addition, since a device not approved by the copyright holder does not have a license key, sk or sk ′ cannot be generated. Therefore, when the DVD player 1 thereafter encrypts the reproduction data using the encryption key sk and transmits it to the personal computer 2, if the personal computer 2 has obtained the license key properly, the encryption key sk 'is used. Therefore, the encrypted reproduction data transmitted from the DVD player 1 can be decrypted. However, if the personal computer 2 is not appropriate, it does not have the encryption key sk ′, so that the transmitted encrypted reproduction data cannot be decrypted. In other words, only a proper device can generate the common encryption keys sk and sk ′, and as a result, authentication is performed.

  Even if the license key of one personal computer 2 is stolen, the ID is different for each one, so that the license key is used to encrypt other devices transmitted from the DVD player 1. Data cannot be decrypted. Therefore, safety is improved.

  FIG. 6 shows a processing example when not only the personal computer 2 but also the magneto-optical disk device 3 functions as a sink for the source (DVD player 1).

  In this case, the EEPROM 50 of the personal computer 2 serving as the sink 1 stores ID1 as the ID and license_key1 as the license key. In the magneto-optical disk device 3 serving as the sink 2, the EEPROM 37 stores ID2 as the ID. However, license_key2 is stored as a license key.

  The processing in steps S11 to S20 performed between the DVD player 1 (source) and the personal computer 2 (sink 1) is substantially the same as the processing in steps S1 to S10 in FIG. Description is omitted.

That is, as described above, the DVD player 1 performs an authentication process on the personal computer 2. In step S21, the DVD player 1 requests the magneto-optical disk device 3 for an ID. In the magneto-optical disk device 3, when this ID request signal is received via the 1394 interface 36 in step S22, the firmware 30 (FIG. 10) stores the ID (ID2) stored in the EEPROM 37 in step S23. Is transmitted from the 1394 interface 36 to the DVD player 1 via the 1394 bus 11. When the firmware 20 of the DVD player 1 receives this ID2 via the 1394 interface 26 in step S24, the firmware lk2 is generated from the following equation in step S25.
lk2 = hash (ID2 || service_key)

  Further, the firmware 20 calculates the following expression in step S26, encrypts the key sk generated in step S16 using the key lk2 generated in step S25, and generates encrypted data e2.

  In step S27, the firmware 20 transmits the encrypted data e2 from the 1394 interface 26 to the magneto-optical disk device 3 via the 1394 bus 11.

In the magneto-optical disk device 3, the encrypted data e2 is received via the 1394 interface 36 in step S28, and the following equation is calculated in step S29 to generate the encryption key sk2 ′.
sk2 '= Dec (license_key2, e2)

  As described above, the encryption keys sk1 'and sk2' are obtained in the personal computer 2 and the magneto-optical disk device 3, respectively. These values are the same values as the encryption key sk in the DVD player 1.

  In the processing example of FIG. 6, the DVD player 1 individually requests and processes IDs from the personal computer 2 and the magneto-optical disk device 3, but the ID is transmitted by broadcast communication. 7 can be processed as shown in FIG.

  That is, in the processing example of FIG. 7, in step S41, the DVD player 1 as a source sends IDs to all the sinks (in this case, the personal computer 2 and the magneto-optical disk device 3) by broadcast communication. Request. When the personal computer 2 and the magneto-optical disk device 3 receive the ID transfer request signal in steps S42 and S43, respectively, they read ID1 or ID2 stored in the EEPROM 50 or EEPROM 37 in step S44 or step S45, respectively. This is transferred to the DVD player 1. The DVD player 1 receives these IDs in steps S46 and S47, respectively.

In the DVD player 1, in step S48, the encryption key lk1 is generated from the following equation.
lk1 = hash (ID1 || service_key)

In step S49, the encryption key lk2 is generated from the following equation.
lk2 = hash (ID2 || service_key)

In the DVD player 1, an encryption key sk is further generated in step S50, and in step S51, the encryption key sk is encrypted using the key lk1 as a key as shown by the following equation.
e1 = Enc (lk1, sk)

Furthermore, in step S52, the encryption key sk is encrypted according to the following equation using the key lk2 as a key.
e2 = Enc (lk2, sk)

Further, in step S53, ID1, e1, ID2, and e2 are combined as shown by the following equations to generate encrypted data e.
e = ID1 || e1 || ID2 || e2

  In step S54, the DVD player 1 further transmits the encrypted data e generated as described above to the personal computer 2 and the magneto-optical disk device 3 by broadcast communication.

The personal computer 2 and the magneto-optical disk device 3 receive the encrypted data e in step S55 or step S56, respectively. In the personal computer 2 and the magneto-optical disk device 3, the calculation shown in the following equation is performed in step S57 or step S58, and the encryption keys sk1 'and sk2' are generated.
sk1 '= Dec (license_key1, e1)
sk2 '= Dec (license_key2, e2)

  FIG. 8 shows a processing example when one sink can receive a plurality of services (decoding a plurality of types of information). That is, in this case, for example, the personal computer 2 as a sink stores a plurality of license keys (license_key1, license_key2, license_key3, etc.) in the EEPROM 50. The DVD player 1 as a source stores a plurality of service keys (service_key1, service_key2, service_key3, etc.) in its EEPROM 27. In this case, when the DVD player 1 requests an ID from the personal computer 2 as a sink in step S81, the DVD player 1 transfers service_ID for identifying information (service) to be transferred. When receiving this in step S82, the personal computer 2 selects the one corresponding to this service_ID from the plurality of license keys stored in the EEPROM 50, and uses this to decrypt the data in step S90. I do. Other operations are the same as those in FIG.

  FIG. 9 shows still another processing example. In this example, the DVD player 1 as a source stores a service_key, a hash function, and a pseudorandom number generation function pRNG in the EEPROM 27. These are given by the copyright owner and are kept secretly. The EEPROM 50 of the personal computer 2 as a sink has an ID, LK, LK ′, a function G, and a pseudo random number generation function pRNG given by the copyright holder.

LK is a unique random number created by the copyright holder, and LK ′ is generated so as to satisfy the following expression.
LK '= G ^ -1 (R)
R = pRNG (H) (+) pRNG (LK)
H = hash (ID | | service_key)

  G ^ -1 means an inverse function of G. G ^ -1 can be easily calculated if a predetermined rule is known, but has a characteristic that is difficult to calculate if it is not known. As such a function, a function used for public key cryptography can be used.

  The pseudo random number generation function can be provided as hardware.

First, the firmware 20 of the DVD player 1 requests an ID from the license manager 62 of the personal computer 2 in step S101. When receiving the ID request signal in step S102, the license manager 62 of the personal computer 2 reads the ID stored in the EEPROM 50 and transmits it to the DVD player 1 in step S103. When the firmware 20 of the DVD player 1 receives this ID in step S104, it calculates the following expression in step S105.
H = hash (ID | | service_key)

Further, the firmware 20 generates a key sk in step S106, and calculates the following expression in step S107.
e = sk (+) pRNG (H)

  A (+) B means an exclusive OR operation of A and B.

  That is, as a result obtained by inputting H obtained in step S105 to the pseudo-random generation key pRNG, pRNG (H) and an exclusive OR for each bit of the key sk generated in step S106 are calculated. , Encrypt the key SK.

  Next, in step S <b> 108, the firmware 20 transmits e to the personal computer 2.

The personal computer 2 receives this in step S109, and calculates the following equation in step S110.
sk '= e (+) G (LK') (+) pRNG (LK)

  That is, the value G (LK ′) obtained by applying LK ′ also stored in the EEPROM 50 to the function G stored in the EEPROM 50 and e transmitted from the DVD player 1, and stored in the EEPROM 50. The result pRNG (LK) obtained by applying LK ′ to the pseudorandom number generation function pRNG stored in the EEPROM 50 is calculated to obtain a key sk ′.

Here, as shown in the following equation, sk = sk ′.
sk '= e (+) G (LK') (+) pRNG (LK)
= Sk (+) pRNG (H) (+) R (+) pRNG (LK)
= Sk (+) pRNG (H) (+) pRNG (H) (+) pRNG (LK) (+) pRNG (LK)
= Sk

  In this way, the DVD player 1 as the source and the personal computer 2 as the sink can share the same keys sk and sk ′. Since only the copyright holder can create LK and LK ', since the source cannot be made illegally and try to create LK and LK', safety can be further improved.

  In the above, authentication is performed at the source and the sink. However, for example, an arbitrary application program can usually be loaded and used in the personal computer 2. An illegally created application program may be used as the application program. Therefore, it is necessary to determine for each application program whether or not permission has been obtained from the copyright holder. Therefore, as shown in FIG. 3, authentication processing can be performed between each application unit 61 and the license manager 62 as described above. In this case, the license manager 62 serves as a source, and the application unit 61 serves as a sink.

  Next, after the authentication is performed as described above (after the encryption key is shared), the encrypted data is transferred from the source to the sink using the encryption key, and the encryption is performed at the sink. The operation when decrypted data is described.

  As shown in FIG. 10, in a device whose internal functions are not released to general users, such as the DVD player 1 or the magneto-optical disk device 3, the encryption of data exchanged via the 1394 bus 11 is performed. Decoding processing is performed by the 1394 interface 26 or 1394 interface 36, respectively. For this encryption and decryption, a session key S and a time-varying key i are used. The session key S and the time-varying key i (more precisely, the key i ′ for generating the time-varying key i) are Are supplied from the firmware 20 or 30 to the 1394 interface 26 or 1394 interface 36, respectively. The session key S is composed of an initial value key Ss used as an initial value and a disturbance key Si used to disturb the time-varying key i. The initial value key Ss and the disturbance key Si can be configured by upper bits and lower bits of a predetermined number of bits of the encryption key sk (= sk ′) generated in the above-described authentication. This session key S is appropriately updated for each session (for example, for each piece of movie information or for each reproduction). On the other hand, the time-varying key i generated from the disturbance key Si and the key i ′ is a key that is frequently updated in one session. For example, time information at a predetermined timing can be used. it can.

  Now, it is assumed that video data reproduced and output from the DVD player 1 as a source is transmitted to the magneto-optical disk device 3 and the personal computer 2 via the 1394 bus 11 and decoded in each. In this case, in the DVD player 1, encryption processing is performed using the session key S and the time-varying key i in the 1394 interface 26. In the magneto-optical disk device 3, decryption processing is performed using the session key S and the time-varying key i in the 1394 interface 36.

  On the other hand, in the personal computer 2, the license manager 62 supplies the initial value key Ss among the session keys S to the application unit 61, and the disturbance key Si and the time-varying key i (more precisely, the time-varying key). A key i ′) for generating i is supplied to the 1394 interface 49 (link portion). In the 1394 interface 49, a time-varying key i is generated from the disturbance key Si and the key i ′, decrypted using the time-varying key i, and the decrypted data is further transmitted to the session key S in the application unit 61. Decoding is performed using (precisely, the initial value key Ss).

  In this way, in the personal computer 2, since the internal bus 51 is open to the user, only the first stage of decryption is performed by the 1394 interface 49, and the encrypted state is still set. Then, the application unit 61 further performs the second stage decryption to make plain text. As a result, functions are appropriately added to the personal computer 2 to prohibit copying of data (plain text) exchanged on the internal bus 51 to the hard disk 47 or other devices.

As described above, in the embodiment of the present invention, in the CE device in which the internal bus is not released, the encryption or decryption processing is performed at once using the session key S and the time-varying key i. In a device in which the internal bus is released (such as the personal computer 2), the decryption process is divided into a decryption process using the time-varying key i and a decryption process using the session key S. Thus, in order to be able to perform both the one-stage decoding process and the two-stage decoding process, it is necessary to establish the following equation.
Dec (S, Dec (i, Enc (algo (S + i), Data))) = Data

  In the above equation, algo (S + i) represents the result obtained by inputting the session key S and the time-varying key i to a predetermined algorithm.

  FIG. 11 shows a configuration example of the 1394 interface 26 that satisfies the above formula. In this configuration example, m-bit data generated by the additive generator 71 is supplied to the shrink generator 73. An LFSR (Linear Feedback Shift Register) 72 outputs 1-bit data and supplies it to the shrink generator 73. The shrink generator 73 selects the output of the additive generator 71 in response to the output of the LFSR 72 and outputs the selected data to the adder 74 as an encryption key. The adder 74 adds the input plaintext (m-bit data transmitted to the 1394 bus 11) and m-bit data (encryption key) supplied from the shrink generator 73, and adds the result to the ciphertext ( (Encrypted data) is output to the 1394 bus 11.

  The adding process of the adder 74 means that the output of the shrink generator 73 and the plain text are added with mod 2 ^ m (^ means power). In other words, m bits of data are added together, and an added value ignoring carryover is output.

  FIG. 12 shows a further detailed configuration example of the 1394 interface 26 shown in FIG. Of the session keys S output from the firmware 20, the initial value key Ss is transferred to the register 82 via the adder 81 and held therein. The initial value key Ss is composed of, for example, 55 words (one word has a width of 8 bits to 32 bits). Of the session key S supplied from the firmware 20, for example, a disturbance key Si composed of 32 bits on the LSB side is held in the register 85.

  The register 84 holds the key i ′. This key i ′ is supplied to the register 84 every time one packet is transmitted via the 1394 bus 11, for example, and the key i ′ corresponding to 16 packets (32 bits) is supplied. Is added to the 32-bit disturbance key Si held in the register 85 by the adder 86 and supplied to the adder 81 as the final time-varying key i. The adder 81 adds the value held in the register 82 and the time-varying key i supplied from the adder 86 at that time, and supplies the addition result to the register 82 for holding.

  When the number of bits of the word of the register 82 is, for example, 8 bits, the time-varying key i output from the adder 86 is 32 bits. Therefore, the time-varying key i is divided into four and each 8 bits are stored in the register 82. Are added to a word at a predetermined address (0 to 54).

  In this way, the initial value key Ss is first held in the register 82, but thereafter, this value is updated with the time-varying key i every time ciphertext for 16 packets is transmitted.

  The adder 83 selects two predetermined words out of the 55 words held in the register 82 (in the case of the timing shown in FIG. 12, the words at the address 23 and the address 54), and the selected two words And output to the shrink generator 73. Further, the output of the adder 73 is transferred to the address 0 of the register 82 at the timing shown in FIG. 12, and held in place of the previous held value.

  At the next timing, the 2-word address of the register 82 supplied to the adder 83 is moved upward by one word from the address 54 and the address 23 to the address 53 and the address 22, respectively. The address updated by the output of the adder 83 is also moved to a higher address in the figure. However, since there is no address above address 0, in this case, it moves to address 54.

  Note that the adders 81, 83, and 86 can calculate an exclusive OR.

For example, as shown in FIG. 13, the LFSR 72 includes an n-bit shift register 101 and an adder 102 that adds the values of predetermined bits (registers) out of the n bits of the shift register 101. When the shift register 101 holds the bit supplied from the adder 102 in the leftmost register b _n in the drawing, the data held therein is shifted to the right register b _n−1 . The registers b _n-1 , b _n-2 ,... Perform the same processing. At the next timing, the value obtained by adding the values of the respective bits by the adder 102 is held again in the leftmost bit b _n in the drawing. The above operation is sequentially repeated, and the output is sequentially output bit by bit from the rightmost register b _{1 in the} figure.

FIG. 13 shows a typical configuration example. For example, more specifically, the LFSR 72 can be configured as shown in FIG. In this configuration example is configured shift register 101 by 31 bits, the value of the register b ₃₁ values and the left end of the register b ₁ of the right end in the drawing is, added by the adder 102, the added result register b Returned to ₃₁ .

  When the 1-bit data output from the LFSR 72 is logic 1, the condition determination unit 91 transfers the m-bit data supplied from the adder 83 of the additive generator 71 to the FIFO 92 as it is and holds it. On the other hand, when the 1-bit data supplied from the LFSR 72 is logic 0, the condition determination unit 91 does not accept the m-bit data supplied from the adder 83 and interrupts the encryption process. In this way, in the FIFO 92 of the shrink generator 73, only the data of the m-bit data generated by the additive generator 71 at the timing when the LFSR 72 outputs logic 1 is selected and held.

  The m-bit data held by the FIFO 92 is supplied as an encryption key to an adder 74 and added to plaintext data (reproduced data from a DVD) to be transmitted to generate a ciphertext.

  The encrypted data is supplied from the DVD player 1 to the magneto-optical disk device 3 and the personal computer 2 via the 1394 bus 11.

  The magneto-optical disk device 3 has a configuration as shown in FIG. 15 in order to decode data received from the 1394 bus 11 at the 1394 interface 36. In this configuration example, m-bit data output from the additive generator 171 and 1-bit data output from the LFSR 172 are supplied to the shrink generator 173. The m-bit key output from the shrink generator 173 is supplied to the subtractor 174. The subtractor 174 subtracts the key supplied from the shrink generator 173 from the ciphertext and decrypts the plaintext.

  That is, the configuration shown in FIG. 15 is basically the same as the configuration shown in FIG. 11, except that the adder 74 in FIG. 11 is changed to a subtracter 174.

  FIG. 16 shows a more detailed configuration example of the configuration shown in FIG. This configuration is basically the same as the configuration shown in FIG. 12, but the adder 74 in FIG. 12 is changed to a subtracter 174. Other additive generators 171, LFSR 172, shrink generator 173, adder 181, register 182, adder 183, registers 184, 185, adder 186, condition determination unit 191, FIFO 192 are the additive generator 71, LFSR 72, shrink in FIG. 12. The generator 73, the adder 81, the register 82, the adder 83, the registers 84 and 85, the adder 86, the condition determination unit 91, and the FIFO 92 are supported.

  Therefore, since the operation is basically the same as that shown in FIG. 12, the description thereof is omitted. In the example of FIG. 16, the m-bit key output from the FIFO 192 of the shrink generator 173 is The subtracter 174 subtracts the ciphertext and decrypts the plaintext.

  As described above, in the 1394 interface 36, the encrypted data is decrypted at once using the session key S (the initial value key Ss and the disturbance key Si) and the time-varying key i.

  On the other hand, as described above, in the personal computer 2, the 1394 interface 49 and the application unit 61 individually perform decoding in two stages.

  FIG. 17 shows a configuration example when hardware decoding is performed in the 1394 interface 49, and the basic configuration is the same as that shown in FIG. That is, also in this case, the 1394 interface 49 is configured by the additive generator 271, the LFSR 272, the shrink generator 273, and the subtractor 274, and these include the additive generator 171, the LFSR 172, the shrink generator 173, and the subtractor in FIG. 174 basically has the same configuration. However, in the configuration example of FIG. 17, the license generator 62 causes the additive generator 271 to disturb the time-varying key i among the key i ′ for generating the time-varying key i and the session key S. As the disturbance key Si, the same key as in FIG. 15 is supplied, but as the initial value key Ss, a unit element in which all bits are 0 is supplied.

  That is, as shown in FIG. 18, since all bits of the initial value key Ss are set to 0, the encryption key is substantially based only on the time-varying key i, as in the case where the initial value key Ss does not exist. Is generated. As a result, the subtracter 274 only performs decryption based on the time-varying key i of the ciphertext. Since the decryption based on the initial value key Ss has not been performed yet, the data obtained as a result of the decryption is not a complete plaintext but is in a ciphertext state. Therefore, even if this data is fetched from the internal bus 51 and recorded on the hard disk 47 or other recording medium, it cannot be used as it is.

  As described above, in the 1394 interface 49, the configuration of the application unit 61 that software-decrypts the data decrypted based on the time-varying key i in hardware is as shown in FIG. , LFSR 372, shrink generator 373 and subtractor 374. Its basic configuration is the same as that of the additive generator 171, LFSR 172, shrink generator 173, and subtractor 174 shown in FIG.

  However, among the session keys S, as the initial value key Ss, a normal initial value key is supplied as in FIG. 15, but the disturbance key Si and the key i ′ for generating the time-varying key i are , The data of the unit element in which all the bits are 0.

  As a result, as shown in detail in FIG. 20 (the additive generators 371 to FIFO 392 correspond to the additive generators 171 to 192 in FIG. 16), the key i ′ held in the register 384 and the register 385 hold it. Since all the bits of the perturbation key Si are 0, all the bits of the time-varying key i output from the adder 386 are 0, and the operation is substantially the same as when the time-varying key i does not exist. Done. That is, an encryption key based only on the initial value key Ss is generated. Then, in the subtractor 374, the ciphertext is decrypted into plaintext based on the encryption key generated in this way. As described above, since this ciphertext is decrypted in the first stage based on the time-varying key i in the 1394 interface 49, here, the second stage based on the initial value key Ss. By decrypting, complete plaintext can be obtained.

  In the magneto-optical disk device 3, when the ciphertext is decrypted as described above, the CPU 31 supplies the decrypted data to the drive 35 and records it on the magneto-optical disk.

  On the other hand, in the personal computer 2, the CPU 41 (application unit 61) supplies the data decrypted as described above to, for example, the hard disk 47 and records it. In the personal computer 2, a predetermined board can be connected as the expansion board 48 to monitor the data transmitted / received through the internal bus 51, but the data transmitted to the internal bus 51 can be finally decoded. Since the application unit 61 can do this, the expansion board 48 can use the 1394 interface 49 to decrypt data that has been decrypted based on the time-varying key i (data that has not yet been decrypted based on the session key S). Even if it can be monitored, it is not possible to monitor data that has been completely returned to plaintext. Therefore, unauthorized copying is prevented.

  The session key can be shared using, for example, the Diffie-Hellman method.

  In addition, for example, when the processing capability of the 1394 interface 49 or the application unit 61 in the personal computer 2 is relatively low and decryption processing cannot be performed, either the session key or the time-varying key or both are used as the source. If the data is configured on the unit side, and the sink side is also used on the unit side, data can be exchanged effectively without using the session key and the time-varying key. However, if this is done, there is a high risk that the data will be illegally copied.

  If the application unit 61 itself is illegally copied, the decrypted data may be illegally copied. However, if the application unit 61 is authenticated by the license manager 62 as described above, this may occur. Can be prevented.

  As an authentication method in this case, a digital signature using a public key cryptosystem as well as a common key cryptosystem can be used.

The configurations shown in FIGS. 11, 12, and 15 to 20 satisfy the homomorphism relationship. That is, when the keys K ₁ and K ₂ are elements of the Galois field G, K ₁ and K ₂ are also elements of the Galois field G as a result of both group operations. Further, the following equation is established for the predetermined function H.
H (K ₁ · K ₂ ) = H (K ₁ ) · H (K ₂ )

FIG. 21 further shows another configuration example of the 1394 interface 26. In this configuration example, the session key S is supplied to the LFSRs 501 to 503 and is initially set. The widths n _{1 to} n ₃ of the LFSRs 501 to 503 are each about 20 bits, and the widths n _{1 to} n ₃ are configured to be prime to each other. Therefore, for example, in the session key S, for example, the upper n1 bit is initialized to LFSR 501, the next upper n ₂ bit is initialized to LFSR 502, and the next upper n ₃ bit is initialized to LFSR 503.

  For example, when an enable signal of logic 1 is input from the clocking function 506 from the clocking function 506, the LFSRs 501 to 503 perform a shift operation by m bits and output m-bit data. The value of m can be set to 8, 16, 32, 40, for example.

  The outputs of LFSR 501 and LFSR 502 are input to adder 504 and added. Of the addition value of the adder 504, the carry component is supplied to the clocking function 506, and the sum component is supplied to the adder 505 and added to the output of the LFSR 503. The carry component of the adder 505 is supplied to the clocking function 506, and the sum component is supplied to the exclusive OR circuit 508.

  In the clocking function 506, the combination of data supplied from the adder 504 and the adder 505 is any one of 00, 01, 10, and 11, and accordingly, 000 to LFSRs 501 to 503 corresponding to these. The data of any one combination of thru | or 111 is output. The LFSRs 501 to 503 perform an m-bit shift operation when a logic 1 is input, and output new m-bit data. When a logic 0 is input, the same m-bit data as previously output Is output.

  The exclusive OR circuit 508 calculates the exclusive OR of the sum component output from the adder 505 and the time-varying key i held in the register 507, and outputs the calculation result to the exclusive OR circuit 509. The exclusive OR circuit 509 calculates the exclusive OR of the input plaintext and the encryption key input from the exclusive OR circuit 508, and outputs the calculation result as a ciphertext.

  FIG. 22 shows a configuration example of the 1394 interface 36 in the magneto-optical disk device 3. The LFSR 601 through exclusive OR circuit 609 in this configuration example have the same configuration as the LFSR 501 through exclusive OR circuit 509 in FIG. Therefore, the operation is basically the same, and the description thereof is omitted. However, while the encryption process is performed in the configuration example of FIG. 21, the decryption process is performed in the configuration example of FIG.

  FIG. 23 shows a configuration example of the 1394 interface 49 of the personal computer 2. The LFSR 701 through exclusive OR circuit 709 in this configuration example have the same configuration as the LFSR 601 through exclusive OR circuit 609 in FIG. However, the session key S that is initially set in the LFSRs 701 to 703 has a unit element in which all bits are 0. Therefore, in this case, the decryption process is performed substantially corresponding to only the time-varying key i held in the register 707.

  FIG. 24 illustrates a configuration example of the application unit 61 of the personal computer 2. The LFSR 801 through the exclusive OR circuit 809 in this configuration example have basically the same configuration as the LFSR 601 through the exclusive OR circuit 609 in FIG. However, the only difference is that the time-varying key i input to the register 807 is a unit element in which all bits are 0. Therefore, in the case of this configuration example, an encryption key is generated based on only the session key S, and decryption processing is performed.

  The processing shown in FIGS. 19, 20, and 24 is performed in the application unit 61, and thus is processed in software.

  In the above description, the DVD player 1 is used as a source, and the personal computer 2 and the magneto-optical disk device 3 are used as a sink. However, which device is used as a source or a sink is arbitrary.

  The external bus for connecting each electronic device is not limited to the 1394 bus, and various buses can be used. The electronic device connected to the external bus is not limited to the above-described example, and can be any device. .

  As described above, in the first information processing apparatus whose function is not open to the user, the first key and the second key that is changed at a predetermined timing when data is decrypted are used. In the second information processing apparatus in which the encryption key is generated and the function change is open to the user, the first key generated using one of the first key and the second key is used. The encrypted data is decrypted with the encryption key, and the decrypted data is further decrypted with the second encryption key generated using the other of the first key and the second key. In this case, a safer information processing system can be realized.

  In addition, when the first encryption key and the second encryption key to be changed at a predetermined timing are generated by the software program when the data is being decrypted, the decryption may be performed for each application program. This makes it possible to prevent unauthorized copying more reliably.

  1 DVD player, 2 personal computer, 3 magneto-optical disk device, 11 1394 bus, 20 firmware, 21 CPU, 25 drive, 26 1394 interface, 27 EEPROM, 31 CPU, 35 drive, 36 1394 interface, 37 EEPROM, 41 CPU, 47 hard disk, 48 expansion board, 49 1394 interface, 50 EEPROM, 51 internal bus, 61 application section, 62 license manager

The present invention relates to a decoding device , and more particularly, to a decoding device designed to further improve security.

A decryption apparatus according to an aspect of the present invention includes a reception unit that receives encrypted data from a television broadcast receiver having a television broadcast reception unit, a session key supply unit that supplies a session key, and fluctuates during a session. The time-varying key generation means for generating a time-varying key using a time-varying key generating key and a disturbance key shared with the television broadcast receiver, the time-varying key, and the encryption based on the session key A decryption key generating means for generating a decryption key for decrypting the received data, the decryption key fluctuates according to the variation of the time-varying key, and the time-varying key generation key is added to the received packet. This is a decryption device that is a key obtained by combining an included bit string with another bit string.

In one aspect of the present invention , encrypted data is received from a television broadcast receiver having television broadcast receiving means, a session key is supplied, and a time-varying key generating key that fluctuates during a session and the television broadcast A time-varying key is generated using a perturbation key shared with the receiver, and a decryption key for decrypting the encrypted data is generated based on the time-varying key and the session key. The decryption key varies according to the variation of the time varying key, and the time varying key generation key is a key obtained by combining a bit string included in the received packet with another bit string.

Claims (1)

In an encryption device that encrypts digital data using an encryption key,
A first supply unit that supplies first key information obtained through an authentication process performed by two-way communication with another device;
A second supply unit for supplying second key information to be changed during a period in which the first key information is used;
A generating unit configured to generate the encryption key that is changed at a predetermined timing during the period according to the change of the second key information based on the first key information and the second key information;
A memory for holding the encryption key;
An encryption device comprising: an encryption unit that encrypts the digital data to be transmitted by an exclusive OR operation between the encryption key and the digital data to be transmitted to the other device.

Images