JP4671653B2 - ENCRYPTION DEVICE, DECRYPTION DEVICE, METHOD THEREOF, PROGRAM, AND RECORDING MEDIUM - Google Patents

Description

  The present invention relates to an encryption device, a decryption device, a secret key generation device, a copyright protection system, and the like that protect copyright when transferring a digital work via a recording medium or a transmission medium. The present invention relates to a defense technique against a replacement attack of a public key revocation list for specifying a public key certificate.

  When transferring a digital work from the first device to the second device, the first device authenticates the second device prior to the transfer in order to prevent copyright infringement due to unauthorized acquisition (or Mutually authenticate). In other words, it is confirmed whether or not the communication partner is indeed the intended partner.

  For example, as an example using public key cryptography, the first device transmits a random number to the second device, and then the second device encrypts the random number with its own private key (such as an electronic signature). ) To the first device, and finally the first device verifies the returned ciphertext (or signature text) using the public key of the second device. is there. However, in such authentication using public key cryptography, it is assumed that the public key itself is valid.

  Therefore, recently, an “public key certificate” is issued from an organization or company called a certificate authority, which indicates that the public key is correct for each user (it is “approved” for the public key). I came. In order to invalidate the public key certificates issued by the public key certificates that have expired, the users who have worked illegally, or the users whose private keys have been stolen ( In order to notify other users that the revocation has been made, a public key revocation list (hereinafter referred to as “CRL”, “Public Key Certificate”) that lists information specifying the revoked public key certificate "Certificate Invalidation List" or "Invalidation List" etc.) has been issued.

  Therefore, when authenticating the communication partner using the public key of the communication partner, the public key certificate is obtained from the communication partner, and the obtained public key certificate is registered in the public key revocation list ( By performing the above-described authentication process after confirming that it has not been revoked, it is possible to avoid passing a valuable digital work to an unauthorized communication partner.

Note that although some keys are verified using only a public key certificate (see, for example, Patent Document 1), as described above, those that have expired, fraudulent users, or secrets. We cannot deal with the public key certificate of the user whose key has been stolen.
Japanese Patent No. 3199119 (page 2)

  However, not all devices can obtain a valid public key revocation list and check the validity of the other party's public key certificate, which can lead to fraudulent acts that exploit their weaknesses. There is.

  For example, a device such as a DVD drive device that plays a DVD (Digital Video / Versatile Disc) on which a digital work such as a movie is recorded obtains a regular public key revocation list (recorded on the DVD). The latest public key revocation list), and using the public key revocation list to authenticate the other device (computer with built-in replay processing circuit or replay software) In the process of reading the public key revocation list, for example, there is a possibility that the old public key revocation list may be replaced. Therefore, even if it is registered as a revoked public key certificate if it is a legitimate (for example, the latest) public key revocation list, it is still registered in the replaced old public key revocation list. There is a problem that it is possible to receive an attack in which a digital work is illegally obtained using an invalid public key that has not been provided.

  In order to solve such a problem, the inventors can protect against an attack of replacement of a public key revocation list, and an encryption device that enables a digital work to be transferred safely, A decryption device and a copyright protection system were devised (Japanese Patent Application No. 2002-259514).

  In the encryption device according to the present invention, the attribute value calculation unit calculates an attribute value depending on the content of the public key revocation list, which is a list of information specifying the public key certificate revoked in the attribute value calculation unit, and the transformation unit A second secret key associated with a decryption device that decrypts the encrypted digital work is transformed with the attribute value calculated by the attribute value calculation section, and the first encryption section encrypts the digital work. The first secret key used in the first encryption key is encrypted with the second secret key transformed by the transformation unit, the digital work is encrypted with the first secret key in the second encryption unit, and the public key revocation list in the output unit; The first secret key encrypted by the first encryption unit and the digital work encrypted by the second encryption unit are output to a recording medium or a transmission medium.

  On the other hand, in the decryption device corresponding to the encryption device, the digital work encrypted in the acquisition unit, the encrypted first secret key obtained by encrypting the first secret key used for the encryption, and the invalidation A public key revocation list that is a list of information for identifying the public key certificate that has been obtained is obtained via a recording medium or a transmission medium, and the public key revocation list is obtained based on the public key revocation list obtained by the attribute value calculation unit An attribute value depending on the contents of the key revocation list is calculated, and the second secret key unique to the decryption device stored in advance in the deforming unit is deformed with the attribute value calculated by the attribute value calculating unit, and the first The encrypted first secret key obtained in the decryption unit is decrypted with the second secret key transformed by the transformation unit, and the encrypted digital work obtained by the acquisition unit in the second decryption unit is converted into the first digital key. 1 decoding It is to be decrypted by the first secret key decrypted by parts.

  As a result, the encryption apparatus sends the encrypted digital work, the encrypted first secret key used for the encryption (encrypted first secret key), and the public key revocation list. However, the encrypted first secret key is not simply the first secret key encrypted by the second secret key associated with the decryption device. It is encrypted with the second secret key involved. Therefore, the decryption device that has received the encrypted digital work, the encrypted first secret key, and the public key revocation list has the second secret key that it has inside if the public key revocation list has been replaced. The contents of the participation by the public key revocation list for the password are different, and the encrypted first secret key cannot be decrypted into the original first secret key using the second secret key modified as described above. Therefore, the encrypted digital work cannot be decrypted correctly. Therefore, it is possible to transfer a secure digital work having a defense function against a public key revocation list replacement attack.

  By the way, with the intensification of the market, the appearance of a decoding device having a higher price / performance ratio (cost performance) is desired.

  Therefore, the present invention provides an encryption device, a decryption device, a copyright protection system, and the like that can exhibit a higher price / performance ratio and can safely transfer a digital work. Objective.

  In order to achieve such an object, the inventors analyzed in detail the operation of the decryption device according to the above device, and depend on the contents of the public key revocation list in the attribute value calculation unit of the decryption device. It has been found that it takes time to calculate the attribute value, which not only causes a decrease in performance, but also increases the cost of the attribute value calculation unit. Therefore, a configuration of an encryption device, a decryption device, a copyright protection system, etc. that can safely transfer a digital work without calculating an attribute value depending on its contents from the public key revocation list is devised. It came to do.

  Here, the second secret key storage unit, the attribute value calculation unit, the transformation unit, and the first decryption unit of the decryption apparatus are a copyright protection module (for example, tamper resistant as a content key decryption unit). IC card or IC chip), and the second decoding unit is configured as a descrambler. Then, the copyright protection module and the descrambler determine the validity of the public key of the counterpart device by referring to the public key revocation list, and if it is determined to be valid, An encryption communication device for communication is provided. As a result, when the partner device (copyright protection module and descrambler) is not an unauthorized device, a SAC (Secure Authentication Channel) is formed in a mutual authentication format with the partner device. The first secret key can also be sent from the right protection module to the descrambler by encrypted communication.

  Such a configuration acts illegally in an application or the like when a decryption device is realized by a DVD drive device and an application program for reproducing content (hereinafter also simply referred to as “application”) in a personal computer (PC). In some cases, it is particularly necessary to form a SAC between the DVD drive device and the application.

  However, when a decryption device is realized in a consumer DVD player, in addition to the second secret key storage unit, the attribute value calculation unit, the transformation unit, and the first decryption unit of the content key decryption unit, Generally, the second decoding unit of the descrambler is configured by hardware. For this reason, it is easy to integrally form the second decryption unit of the descrambler in the copyright protection module. When the second decryption unit of the descrambler is integrally formed in the copyright protection module in this way, as long as the copyright protection module is manufactured under some management of the copyright holder, the content key decryption unit and the descrambler This eliminates the need to form a SAC. Therefore, the encryption communication device can be omitted, and the decryption device can be configured at low cost. And although the SAC is not formed in the DVD player, it is unreasonable and useless to calculate the attribute value (hash value) from the CRL in the attribute value calculation unit, while decrypting the encrypted content key. For this purpose, an attribute value (hash value) is required. Therefore, the attribute value (hash value) calculated by the attribute value calculation unit of the encryption device is bound to the recording medium or output to the transmission medium, and the attribute value acquired via the recording medium or transmission medium in the decryption device is obtained. By using it, we developed a configuration that eliminates the attribute value calculation unit from the decoding device. As a result, the attribute key is used instead of the public key revocation list CRL, so that the calculation time of the attribute value that has occurred so far is eliminated, so that the decryption of the secret key is improved, and the attribute By eliminating the value calculation unit, the price of the decoding device can be reduced. Although the mutual authentication cannot be performed by not using the public key revocation list CRL, the time required for the mutual authentication that has occurred so far is eliminated, so that the decryption of the content is greatly improved and the SAC is formed. Therefore, the price of the decryption device can be greatly reduced. That is, an encryption device, a decryption device, a copyright protection system, and the like that can exhibit a higher price-performance ratio and can safely transfer a digital work can be realized.

  That is, the encryption device according to the present invention is an encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium, and includes a digital work storage means for storing the digital work, and a digital work First secret key storage means for storing a first secret key used for encryption, and second secret key storage for storing a second secret key associated with a decryption device for decrypting the encrypted digital work Means, public key revocation list storage means for storing a public key revocation list that is a list of information for specifying a revoked public key certificate, and a public key stored in the public key revocation list storage means Based on the revocation list, attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list, and the second secret key stored in the second secret key storage means is the attribute value calculation means. Calculated by Transforming means for transforming with the attribute value, first encryption means for encrypting the first secret key stored in the first secret key storage means with the second secret key transformed by the transforming means, Second encryption means for encrypting a digital work stored in the digital work storage means with a first secret key stored in the first secret key storage means, and stored in the public key revocation list storage means A recording medium or a transmission medium for the attribute value depending on the contents of the public key revocation list, the first secret key encrypted by the first encryption means, and the digital work encrypted by the second encryption means Output means for outputting to the output.

  As a result, the encryption apparatus sends the encrypted digital work, the encrypted first secret key used for the encryption (encrypted first secret key), and the public key revocation list. Attribute value (hash value) is output, but the encrypted first secret key is not simply the first secret key encrypted by the second secret key associated with the decryption device. The attribute value of the public key revocation list is encrypted by the second secret key involved. Therefore, the decryption device that has received the attribute values of the encrypted digital work, the encrypted first secret key, and the public key revocation list, even if the public key revocation list is replaced, Therefore, it is impossible to decrypt the encrypted first secret key into the original first secret key using the second secret key modified in this manner, and thus correctly decrypt the encrypted digital work. Can not be converted. Therefore, it is possible to transfer a digital work that is safe. In addition, since the attribute value calculation time is eliminated by using the attribute value, the decryption of the first secret key is enhanced, and the attribute value calculation unit is eliminated, thereby reducing the cost of the decryption device. Can be

  Here, the encryption device further stores confirmation data serving as a reference for confirming whether or not the first secret key decrypted by the decryption device is correct in the recording medium or the transmission medium. Confirmation data output means for outputting may be provided. For example, the confirmation data output means stores data obtained by encrypting data of a predetermined fixed pattern with a first secret key stored in the first secret key storage means as the confirmation data on the recording medium or transmission medium. Or the confirmation data output means outputs the data obtained by encrypting the first secret key stored in the first secret key storage means with the first secret key as the confirmation data. May be output.

  As a result, the decryption device that has received the encrypted digital work, the encrypted first secret key, and the public key revocation list attribute values output from the encryption device can restore the correct first secret key. Since it can be determined whether or not it has been made, it is possible to avoid in advance a useless process of decrypting the digital work with the wrong first secret key.

  An encryption device according to the present invention is an encryption device for encrypting a digital work, which is a digital work, and outputting the encrypted digital work to a recording medium or a transmission medium, and a digital work storage means for storing the digital work. Storing a first secret key storage means for storing a first secret key used for encrypting the digital work and a second secret key associated with a decryption device for decrypting the encrypted digital work Second private key storage means, public key revocation list storage means for storing a public key revocation list that is a list of information for specifying revoked public key certificates, and storage in the first private key storage means A first encryption means for encrypting the first secret key that has been encrypted with a second secret key stored in the second secret key storage means; and a public key revocation list stored in the public key revocation list storage means Based on its publication An attribute value calculating means for calculating an attribute value depending on the contents of the revocation list, and a modification for transforming the first secret key stored in the first secret key storage means with the attribute value calculated by the attribute value calculating means. Means, second encryption means for encrypting the digital work stored in the digital work storage means with the first secret key transformed by the transformation means, and stored in the public key revocation list storage means A recording medium or a transmission medium for the attribute value depending on the contents of the public key revocation list, the first secret key encrypted by the first encryption means, and the digital work encrypted by the second encryption means Output means for outputting to the output.

  As a result, the encryption apparatus sends the encrypted digital work, the encrypted first secret key used for the encryption (encrypted first secret key), and the public key revocation list. Is output, but the encrypted digital work is not simply encrypted with the first secret key, but the first secret after the modification with the public key revocation list involved in the first secret key. It is encrypted with a key. Therefore, the decryption device that has received the attribute values of the encrypted digital work, the encrypted first secret key, and the public key revocation list, even if the public key revocation list is replaced, Is not used, the encrypted digital work cannot be correctly decrypted using the first secret key thus modified. Therefore, it is possible to transfer a digital work that is safe. In addition, since the attribute value calculation time is eliminated by using the attribute value, the decryption of the first secret key is enhanced, and the attribute value calculation unit is eliminated, thereby reducing the cost of the decryption device. Can be

  Further, as described above, the confirmation data relating to the attribute value of the public key revocation list associated with the first private key is attached and output from the encryption device, so that the encryption output from the encryption device is output. Whether or not the decryption device that has received the attribute values of the encrypted digital work, the encrypted first private key, and the public key revocation list can restore the correct private key used for encrypting the digital work Therefore, it is possible to avoid in advance a useless process of decrypting a digital work with an incorrect secret key.

  Furthermore, the encryption apparatus can be configured to have a multi-layered secret key. That is, in the encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium, the digital work is encrypted using the first private key among n (≧ 2) private keys, The encryption sequence of encrypting the (i-1) secret key using the i (2 ≦ i ≦ n) secret key is repeated for the first to (n-1) secret keys and encrypted. The first to (n-1) secret keys are output to the medium, and the encryption using at least one of the first to nth secret keys is invalid prior to the encryption. A private key is transformed using an attribute value that depends on the contents of a public key revocation list, which is a list of information for specifying a publicized public key certificate, and the attribute value is output to the medium It can also be.

  Further, in an encryption apparatus that encrypts a digital work and outputs it to a recording medium or a transmission medium, medium identification information is expressed by a one-way function using the first secret key among n (≧ 1) secret keys. After the conversion, the digital work is encrypted with the converted medium identification information, and when n is 2 or more, the (i−1) -th secret is used using the i-th (2 ≦ i ≦ n) secret key. The encryption chain of encrypting a key is repeated for the first to (n-1) secret keys, and the encrypted first to (n-1) secret keys are output to the medium. In the encryption or conversion using at least one of the first to n-th secret keys, (1) a list of information for specifying a revoked public key certificate prior to the encryption or conversion Transform the private key using attribute values that depend on the contents of a public key revocation list Either leave allowed, or can be characterized in that the output (2) the medium identification information obtained by the conversion allowed to deform in the attribute value, the attribute value to the medium.

  Here, a content key, a device key, a disk key, a media ID, or the like can be used as the secret key.

Thereby, the encryption strength can be increased.
The present invention can be realized as a decryption device or a secret key generation device corresponding to the encryption device, or can be realized as a copyright protection system including the encryption device and the decryption device. It can also be realized as an encryption method and a decryption method having steps as characteristic means constituting the decryption apparatus, or as a program for causing a personal computer or the like to execute these steps. Needless to say, the program can be widely distributed via a recording medium such as a DVD or a transmission medium such as the Internet.

  As is apparent from the above description, according to the present invention, the public key revocation list CRL can be dealt with by replacing the public key revocation list CRL by using attribute values instead of using the public key revocation list CRL. Since the calculation time of the attribute value that has been generated so far is eliminated, the decryption of the secret key is enhanced, and the cost of the decryption device can be reduced by eliminating the attribute value calculation unit. Although the mutual authentication cannot be performed by not using the public key revocation list CRL, the time required for the mutual authentication that has occurred so far is eliminated, so that the decryption of the content is greatly improved and the SAC is formed. Therefore, the price of the decryption device can be greatly reduced. Therefore, an encryption device, a decryption device, a copyright protection system, and the like that can exhibit a higher price / performance ratio and can safely transfer a digital work can be realized.

  As described above, according to the present invention, it is possible to transfer digital works safely while exhibiting a higher price-performance ratio, and the digital works can be transferred via a transmission path such as the Internet or a recording medium such as a DVD. Today, where distribution and distribution are active, the practical value of the present invention is extremely high.

  Hereinafter, a copyright protection system according to an embodiment of the present invention will be described in detail with reference to the drawings.

(Embodiment 1)
FIG. 1 is a functional block diagram showing the overall configuration of the copyright protection system according to the first embodiment.

  As shown in FIG. 1, the copyright protection system 1a records encrypted content or the like on a DVD 2a as a recording medium, or reads the encrypted content or the like from the DVD 2a and decrypts the content. An encryption device 100a for recording the encrypted content on the DVD 2a, a decryption device 200a for reading the encrypted content from the DVD 2a and decrypting the content, a public key revocation list CRL, etc. And a terminal device 300 used by a public key certificate authority (Certificate Authority, hereinafter referred to as “certificate authority”, “CA”, etc.).

  The encryption device 100a is roughly composed of two terminal devices, that is, a terminal device 110a used by a copyright protection licensor and a terminal device 160 used by a content manufacturer.

  The decryption device 200a is, for example, an HD-DVD player that supports content playback at an image quality level HD (1125i / 750p), a DVD drive device 290 that reads encrypted content from the DVD 2a, and copyright protection. The module 210a and the like.

  The terminal device 110a used by the copyright protection licensor includes information for protecting the copyright in the decryption device 200a, that is, a public key revocation list CRL, a hash value Hash of the CRL, a content key for decrypting the content, This is a computer device that provides the terminal device 160 with a bundle of encrypted content keys obtained by encrypting the content key, and as its functions, the public key revocation list storage unit 111, the device key bundle storage unit 112, and the content key storage Unit 113, hash function processing unit 114, Ex-OR unit 115, Enc unit 116, and the like.

  The public key revocation list storage unit 111 periodically accesses the terminal device 300 via a communication network such as the Internet, and periodically updates the latest public key revocation list CRL provided by the public key certificate authority CA. Update memorize. As shown in FIG. 2, the public key revocation list CRL includes a file header, a “general” field, a “revocation list” field, and the like. The file header includes a file “name” (◯ △ □ △ .crl), a file “size” (for example, 119 KB), a file “type” (certificate invalid list), and a file “update date” (for example, , 2003/08/08/17: 42). In the “general” field, “version” (V1), “issuer” (○ △ □ △), “valid start date” (for example, August 07, 2003), “next update scheduled date” (For example, August 17, 2003), a record of “signature algorithm” (for example, md5RAS) is included. In the field of “invalid list”, a record of the serial number of the invalid certificate and its invalid date is described in a text format. This public key revocation list CRL has a monotonous increase in the number of certificates that have become invalid over time, so the more recent the version, the more the number of certificate serial numbers that have become invalid (the number of registered lists) ) Increases monotonously and the “size” of the file increases monotonically.

  The device key bundle storage unit 112 stores in advance a unique device key KD_A (for example, 128 bits) for each copyright protection module 210a manufactured under some management of the copyright protection licensor.

  The content key storage unit 113 stores a content key Kc (for example, 128 bits) that is a secret key for encrypting predetermined content such as a movie or music.

  The hash function processing unit 114 compresses the public key revocation list CRL, which is variable-length data stored in the public key revocation list storage unit 111, in accordance with the hash function, thereby fixing fixed length (for example, 128 bit) data (for example, 128 bits). This is a processing unit for converting into a hash value Hash), for example, according to SHA-1 (Secure Hash Algorithm-1) or MD5.

  The Ex-OR unit 115 calculates an exclusive OR value between the hash value Hash calculated by the hash function processing unit 114 and each device key KD_A stored in the device key bundle storage unit 112 (each device key KD_A Is transformed with the hash value Hash).

  The Enc unit 116 encrypts the content key Kc stored in the content key storage unit 113 with the output of the Ex-OR unit 115, that is, the exclusive OR value of the hash value Hash and each device key KD_A, and the encrypted content key Generate a bunch of

  Note that the hash function processing unit 114 and the Ex-OR unit 115 of the terminal device 110a transform the device key KD_A depending on the public key revocation list CRL stored in the public key revocation list storage unit 111. However, this is to associate the encrypted content key output from the Enc unit 116 with the public key revocation list CRL by encrypting the content key Kc with the modified device key KD_A. This makes it possible to defend against an attack of replacing the public key revocation list CRL in a decryption process performed by the decryption apparatus 200a described later.

  The terminal device 160 used by the content manufacturer is a writing device that records the public key revocation list CRL passed from the terminal device 110a, the hash value Hash of the CRL, and the bundle of encrypted content keys as they are on the DVD 2a. As its functions, a content storage unit 161, an Enc unit 162, and the like are provided.

The content storage unit 161 stores predetermined contents such as movies and music in advance.
The Enc unit 162 encrypts the content stored in the content storage unit 161 with the content key Kc passed from the terminal device 110a, and generates encrypted content.

  In this way, in the encryption device 100a composed of the two terminal devices 110a and 160, when manufacturing the DVD 2a, the terminal device 110a reads the public key revocation list CRL from the public key revocation list storage unit 111. Then, the read public key revocation list CRL is passed to the hash function processing unit 114 and the terminal device 160. The hash function processing unit 114 calculates the hash value Hash of the public key revocation list CRL, and passes the calculated hash value Hash to the Ex-OR unit 115 and the terminal device 160. The Ex-OR unit 115 reads the device keys KD_A,... From the device key bundle storage unit 112 one by one, and sequentially calculates the exclusive OR value of the device keys KD_A,. The exclusive OR value is output to the Enc unit 116. Then, the terminal device 110a reads the content key Kc from the content key storage unit 113, and passes the read content key Kc to the Enc unit 116 and the terminal device 160. The Enc unit 116 encrypts the passed content key Kc with each exclusive OR value output from the Ex-OR unit 115. That is, the Enc unit 116 encrypts the content key Kc using the exclusive OR value of each value of the device key KD_A and the hash value Hash as a key. As a result, the Enc unit 116 generates a plurality of encrypted content keys and passes the encrypted content keys together to the terminal device 160.

  The terminal device 160 writes the public key revocation list CRL passed from the terminal device 110a, the CRL hash value Hash, and the bundle of encrypted content keys to the DVD 2a as they are. Then, the encrypted content generated by the Enc unit 162 is written to the DVD 2a. The DVD 2a manufactured in this way is sent to the user in a state where the bundle of encrypted content keys, the latest public key revocation list CRL at the time of manufacture, and the hash value Hash of the CRL are bound together with the encrypted content. Sold. The reason why the public key revocation list CRL is bound to the DVD 2a is to maintain compatibility with a decryption device that calculates a hash value from the public key revocation list CRL devised by the inventors.

  On the other hand, the copyright protection module 210a of the decryption device 200a for decrypting such a DVD 2a is supplied from the copyright protection licensor or under the control of the copyright protection licensor, the manufacturer of the decryption device 200a. As shown in FIG. 3, for example, it is configured by a tamper resistant module (TRM: Tamper Resistance Module) that is implemented as an LSI on a single chip. The LSI-protected copyright protection module 210a is mounted in the decryption apparatus 200a by being mounted in the socket 210j or by being directly attached to the substrate with solder or the like. This LSI includes, for example, a protective film for destroying an internal circuit in a scribe area of the internal circuit, and destroys the internal circuit when subjected to an attack attack from the outside. Therefore, it is very difficult to perform unauthorized access and alteration from the outside, and high security can be realized.

  Note that the copyright protection module 210a may be configured with an IC card. In this case, as shown in FIG. 4, a card insertion slot 2100 is provided on the front panel of the HD-DVD player 200, and a copyright protection module 210a in the form of an IC card is attached to the card insertion slot 2100. You may do it. The copyright protection module 210a in the form of an IC card is a card in which an IC chip including a CPU is embedded in a plastic card, and the access when reading and writing data is legitimate by processing by the built-in CPU. Can be determined. Therefore, it is very difficult to perform unauthorized access and alteration from the outside, and high security can be realized.

  Such a copyright protection module 210a is roughly divided into a content key decryption unit 220a that acquires a key for decrypting encrypted content based on the hash value Hash of the public key revocation list CRL bound to the DVD 2a. And a Dec processing unit 280 for decrypting the encrypted content.

  The content key decryption unit 220 includes a device key storage unit 221, an Ex-OR unit 223, and a Dec processing unit 224.

  The device key storage unit 221 stores a device key KD_A (a secret key, for example, an AES 128-bit key) unique to the copyright protection module 210a.

  The Ex-OR unit 223 calculates an exclusive OR value between the device key KD_A stored in the device key storage unit 221 and the hash value Hash bound to the DVD 2a (that is, the device key KD_A is calculated using the hash value Hash). Deform).

  The Dec processing unit 224 reads out a self-encrypted content key recorded at a predetermined location from a bundle of encrypted content keys bound to the DVD 2a, and uses the read encrypted content key as a device key. The content key Kc is generated by decrypting with the exclusive OR value of KD_A and the hash value Hash.

  The Dec processing unit 280 decrypts the encrypted content acquired from the DVD 2a via the DVD drive device 290 using the content key Kc passed from the Dec processing unit 224, and acquires the content.

  Next, an operation of content decryption processing in the content key decryption unit 220a will be described.

  In this content decryption process, first, the content key used for content encryption is decrypted in the content key decryption unit 220a. That is, the Ex-OR unit 223 calculates an exclusive OR value between the device key KD_A of the copyright protection module 210a itself stored in the device key storage unit 221 and the CRL hash value Hash bound to the DVD 2a. When the calculation of the exclusive OR value is completed, the Dec processing unit 224 reads out the self-encrypted content key from the bundle of encrypted content keys bound to the DVD 2a, and reads out the read out self-encrypted content key. The content key Kc is obtained by decrypting it with the obtained exclusive OR value, and the content key Kc is passed to the authenticating unit 237 to complete the content key decryption process. When the content key decryption processing is completed in this way, the Dec processing unit 280 decrypts the encrypted content acquired from the DVD 2a via the DVD drive device 290 with the content key Kc passed from the Dec processing unit 224. , Get content. As a result, the content can be decrypted while protecting the copyright.

  As described above, according to the copyright protection system 1a according to the first embodiment, the digital work (content) encrypted from the encryption device 100a to the DVD 2a and the content key Kc used for the encryption are stored. The encrypted one (encrypted content key) and the attribute value (hash value) of the public key revocation list are bound, and the encrypted content key is the second associated with the decryption device 200a. The content key is not simply encrypted by the secret key (device key KD_A), but is encrypted by the device key in which the attribute value (hash value) of the public key revocation list is involved. Therefore, the decryption apparatus 200a that has received the encrypted content, the encrypted content key, and the public key revocation list attribute value uses the device key thus modified to convert the encrypted content key into the original content key. It cannot be decrypted and therefore the encrypted digital work cannot be decrypted correctly. Therefore, it is possible to transfer a digital work that is safe. The digital work recorded on the DVD 2a is protected from unauthorized copying and the like, and healthy development in the distribution market of multimedia related products can be expected. In addition, since the attribute value (hash value) bound to the DVD 2a is used, the calculation time of the attribute value that has occurred so far is eliminated, so that the decryption of the content key is improved and the attribute value calculation unit is eliminated. Thus, the price of the decoding device 200a can be reduced. Although the mutual authentication cannot be performed by not using the public key revocation list CRL, the time required for the mutual authentication that has occurred so far is eliminated, so that the decryption of the content is greatly improved and the SAC is formed. Therefore, the price of the decryption device 200a can be greatly reduced.

(Embodiment 2)
FIG. 5 is a functional block diagram showing a partial configuration of the copyright protection system according to the second embodiment. In this copyright protection system 1b, parts corresponding to those of the copyright protection system 1a of the first embodiment are denoted by the same reference numerals, description thereof is omitted, and differences from the copyright protection system 1a are mainly described. .

  The decryption device 200b calculates a hash value from the public key revocation list CRL bound to the DVD 2a, and reproduces the content at the image quality level HD (1125i / 750p) by the personal computer (PC). A DVD drive device 290a that reads encrypted content from the computer, an application 260 installed in a hard disk, and the like.

  By the way, a medium called DVD can be read by a personal computer (PC) and has high compatibility with the PC. At the same time when a DVD drive is installed in the PC, playback software is installed on a hard disk or the like. -It is used as a decryption device as with a DVD to view content. Even in this case, there is a case where the DVD drive or the like works illegally, and it is necessary to protect the copyright as in the case of HD-DVD. In Embodiment 1, in addition to the DVD drive device 290, the content key decryption unit 220a and the Dec processing unit 280 constitute the decryption device 200a. However, in the case of a PC, the DVD drive and the playback software It is common to configure a decoding device with a large amount of room for fraud. Therefore, the decryption device 200b according to the second embodiment includes a DVD drive device 290a and an application 260. The DVD drive device 290a is provided with an authentication processing unit 230a, and the application 260 includes an authentication processing unit 270, a content key decryption unit 220a ', and a Dec processing unit 280.

  The DVD drive device 290a protects the copyright by eliminating an unauthorized application 260 that appears on the public key revocation list CRL, and the communication partner (application 260) can be revoked by the public key revocation list CRL. An authentication processing unit 230a is provided for setting SAC in a mutual authentication format with the application 260 while checking whether or not (invalidated). Note that the authentication processing unit 230a is preferably composed of modules used to prevent a computer program from being intentionally changed.

  The authentication processing unit 230 a includes a certificate authority public key storage unit 231, a drive private key storage unit 232, a drive public key certificate storage unit 233, a random number generation unit 234, and a public key revocation list check unit 235. And an elliptic curve encryption processing unit 236, an authentication unit 237, a buffer memory 238, and the like.

  The certificate authority public key storage unit 231 stores in advance a certificate authority public key PK_CA used for decrypting a signature of the certificate authority CA.

  The drive secret key storage unit 232 stores in advance the drive secret key SK_A used by the authentication processing unit 230a for its own signature.

  The drive public key certificate storage unit 233 stores in advance a drive public key certificate Cert_A, which is a document that the certification authority CA proves that the public key PK_A paired with the drive secret key SK_A belongs to the DVD drive device 290a. Remember. As shown in FIG. 6, the drive public key certificate Cert_A includes the ID of the DVD drive device 290a, the drive public key PK_A for the drive private key SK_A, and the certificate authority CA for the drive public key PK_A. Consists of signature, expiration date (certificate), etc.

The random number generation unit 234 generates a random number (for example, 128 bits) as a time-varying value.
The public key revocation list check unit 235 checks whether the ID of the partner (application 260) is included in the public key revocation list CRL.

  The elliptic curve encryption processing unit 236 executes encryption processing (for example, a 256-bit processing unit) according to the elliptic curve at the time of authentication or the like in the SAC setting.

  The authentication unit 237 is a communication interface that communicates with the application 260 via the SAC.

  The buffer memory 238 holds a random number generated by the random number generation unit 234 and temporary data generated by the elliptic curve encryption processing unit 236.

  On the other hand, the application 260 is broadly divided into a mutual authentication format with the copyright protection module 210a while checking whether the communication partner (copyright protection module 210a) is revoked by the public key revocation list CRL. Authentication processing unit 270 for setting the SAC, content key decryption unit 220a ′ for obtaining a key for decrypting the encrypted content based on the public key revocation list CRL bound to the DVD 2a, and reading from the DVD 2a The Dec processing unit 280 is provided for decrypting the encrypted content with the content key Kc passed from the content key decrypting unit 220a ′ and acquiring the content. Each of these units is realized by an application, a PC CPU, a memory, and the like.

  The authentication processing unit 270 has substantially the same configuration as the authentication processing unit 230a, and includes a certificate authority public key storage unit 271, an application private key storage unit 272, an application public key certificate storage unit 273, and a random number generation. 274, public key revocation list check unit 275, elliptic curve encryption processing unit 276, authentication unit 277, buffer memory 278, and the like.

  The certificate authority public key storage unit 271 stores the certificate authority public key PK_CA of the certificate authority CA in advance.

  The application secret key storage unit 272 stores in advance a unique application secret key SK_i that the application 260 uses for its signature.

  The application public key certificate storage unit 273 stores in advance an application public key certificate Cert_i, which is a document certifying that the certification authority CA verifies that the application public key PK_i is paired with the application secret key SK_i. To do. As shown in FIG. 7, the application public key certificate Cert_i includes the application 260 ID (certificate serial number), the application public key PK_i for the application private key SK_i, and the certificate for the application public key PK_i. Certificate authority CA signature, certificate expiration date, etc.

The random number generation unit 274 generates a random number (for example, 128 bits) as a time-varying value.
The public key revocation list check unit 275 checks whether the ID of the other party (DVD drive device 290a) is included in the public key revocation list CRL.

  The elliptic curve encryption processing unit 276 executes encryption processing (for example, a 256-bit processing unit) according to the elliptic curve at the time of authentication or the like in the SAC.

  The authentication unit 277 is a communication interface that communicates with the copyright protection module 210a via the SAC.

  The buffer memory 278 holds a random number generated by the random number generation unit 274 and temporary data generated by the elliptic curve encryption processing unit 276.

  The content key decryption unit 220a 'further includes a hash function processing unit 222 in addition to the configuration of the content key decryption unit 220a (device key storage unit 221, Ex-OR unit 223, and Dec processing unit 224).

  The hash function processing unit 222 is configured similarly to the hash function processing unit 114 of the terminal device 110a, and calculates a hash value Hash (for example, 128 bits) of the public key revocation list CRL bound to the DVD 2a.

  Next, the SAC setting between the DVD drive device 290a and the application 260 and the decryption sequence of the encrypted content recorded on the DVD 2a will be described with reference to FIG.

  FIG. 8 is a communication sequence diagram performed by the DVD drive device 290a and the application 260.

  When there is an instruction to reproduce the content of the DVD 2a by a user operation, the random number generation unit 274 of the application 260 generates a first random number y (for example, 128 bits) and stores it in the buffer memory 278 (S1). Then, the authentication unit 277 of the application 260 reads the first random number y stored in the buffer memory 278 and the application public key certificate Cert_i stored in the application public key certificate storage unit 273, and Is transmitted to the DVD drive device 290a (S2).

  The authentication unit 237 of the DVD drive device 290 a stores the first random number y and the application public key certificate Cert_i received from the application 260 in the buffer memory 238. Then, the public key revocation list check unit 235 checks whether the application 260 has been revoked based on the public key revocation list CRL bound to the DVD 2a (S3). Specifically, the determination is made based on whether or not the ID of the application 260 is listed in the public key revocation list CRL. If not revoked, the authentication unit 237 verifies the application public key certificate Cert_i with the public key PK_CA of the public key certificate authority (S4). Specifically, the signature of the certificate authority included in the application public key certificate Cert_i is decrypted with the public key PK_CA of the certificate authority, and it is verified whether or not the application public key certificate Cert_i is indeed that of the application 260. To do. When the verification is completed, the random number generation unit 234 generates a first random number x (for example, 128 bits), and stores the generated first random number x in the buffer memory 238 (S5). Then, the authentication unit 237 reads the first random number x stored in the buffer memory 238 and the drive public key certificate Cert_A stored in the drive public key certificate storage unit 233, and reads them out as an application 260. (S6).

  In the application 260, after the first random number x received from the DVD drive device 290a and the drive public key certificate Cert_A are stored in the buffer memory 278 by the authentication unit 277, the public key revocation list check unit 275 is stored. Checks whether or not the DVD drive device 290a has been revoked based on the public key revocation list CRL passed from the DVD drive device 290a (S7). Specifically, the determination is made based on whether or not the ID of the copyright protection module 210a is listed in the public key revocation list CRL. If not revoked, the authentication unit 277 verifies the drive public key certificate Cert_A using the public key PK_CA of the certificate authority (S8). Specifically, the signature of the certificate authority included in the player maker public key certificate Cert_A is decrypted with the public key PK_CA of the certificate authority, and whether the drive public key certificate Cert_A is indeed that of the DVD drive device 290a. Verify whether or not. When the verification is completed, the random number generation unit 274 generates a second random number y ′ (for example, 128 bits), and stores the second random number y ′ in the buffer memory 278 (S9). Then, the elliptic curve encryption processing unit 276 multiplies the second random number y ′ and the base point G (constant) on the elliptic curve, generates a multiplication result y′G, and generates the multiplication result y′G. The data is stored in the buffer memory 278 (S10). Next, the authentication unit 277 generates a signature S1: = Sig (SK_i, y′G || x) for the multiplication result y′G, and stores this signature S1 in the buffer memory 278 (S11). This signature is performed by signing with the secret key SK_i the bit number concatenated with the first random number x to the multiplication result y′G. The symbol “||” represents bit concatenation, and y′G and random number x are combined in the digit direction to 256 bits (for example, y′G is higher 128 bits and random number x is lower 128 bits). It is shown that. When the signature S1 is stored, the authenticating unit 277 sends the multiplication result y'G and the signature S1 corresponding thereto to the copyright protection module 210a (S12).

  The authentication unit 237 of the copyright protection module 210a stores y′G and the signature S1 corresponding thereto in the buffer memory 238, and then uses the application public key PK_i obtained from the application public key certificate Cert_i to perform S1. Is the signature of the application 260 for y′G || x (S13). Specifically, the signature S1 is decrypted with the application public key PK_i, and the bit concatenation of y′G and the random number x is separated and verified. Thereby, it can be confirmed that the communication partner (application 260) is not an eavesdropper or the like.

  When such verification is finished, the random number generation unit 234 of the DVD drive device 290a generates the second random number x 'and stores it in the buffer memory 238 (S14). Next, the elliptic curve encryption processing unit 236 multiplies the second random number x ′ and the base point G (constant) on the elliptic curve, generates a multiplication result x′G, and stores this in the buffer memory 238. (S15). Next, the authentication unit 237 generates a signature S0: = Sig (SK_A, x′G || y) for the multiplication result x′G, and stores this signature S0 in the buffer memory 238 (S16). This signature is performed by signing the result of multiplication x'G, which is a bit concatenation of the first random number y, with the secret key SK_A. When the signature is stored, the authenticating unit 237 sends the multiplication result x′G and the signature S0 to the application 260 (S17).

  The authentication unit 277 of the application 260 stores the multiplication result x′G and the signature S0 received from the copyright protection module 210a in the buffer memory 278, and then obtains the IC card public key obtained from the drive public key certificate Cert_A. Using PK_A, it is verified that S0 is the signature of the application 260 for x′G || y (S18). Specifically, the signature S1 is decrypted with the application public key PK_i, and the bit concatenation of y′G and the random number x is separated and verified. Accordingly, it can be confirmed that the communication partner (the copyright protection module 210a) is not an eavesdropper or the like.

  When the authentication unit 277 of the application 260 confirms that the copyright protection module 210a has not been revoked and is not an eavesdropper or the like, the authentication unit 277 generates the second random number y ′ (generated on its own side stored in the buffer memory 278). For example, a multiplication K ′ = y ′ (x′G) of the multiplication result x′G received from the communication partner is generated by calculation, and the calculation result K ′ is stored in the buffer memory 278 as a session key. (S19).

  On the other hand, when the authentication unit 237 of the copyright protection module 210a confirms that the application 260 has not been revoked and is not an eavesdropper or the like, the authentication unit 237 generates the second generated on the self side stored in the buffer memory 238. A multiplication K: = x ′ (y′G) of the random number x ′ and the multiplication result y′G received from the communication partner is generated by calculation, and the calculation result K is stored in the buffer memory 238 as a session key (S20). .

  Thereby, the copyright protection module 210a and the application 260 can have the same key K (= K ′), and thereafter perform encrypted communication using K (= K ′) as a session key (S21). ).

  When the generation of the session key K ′ is completed, the content key decryption unit 220 a ′ of the application 260 executes content key decryption processing. In this content key decryption process, first, the hash function processing unit 222 calculates the hash value Hash of the public key revocation list CRL passed during authentication from the DVD drive device 290a (S22). Next, the Ex-OR unit 223 calculates an exclusive OR value between the device key KD_A of the application 260 itself stored in the device key storage unit 221 and the hash value Hash (S23).

  When the hash function processing unit 222 calculates the hash value Hash of the public key revocation list CRL, the public key revocation list CRL is re-encrypted via the SAC from the DVD drive device 290a to the application 260, and encrypted communication is performed. The hash value Hash may be calculated based on the obtained public key revocation list CRL. Thereby, eavesdropping of the public key revocation list CRL is surely prevented.

  When the generation of the session key K is completed, the DVD drive device 290a acquires the encrypted content key for the content key decryption unit 220a from the DVD 2a (S24), and the authentication processing unit 230a authenticates the acquired encrypted content key. To part 237. When the encrypted content key is passed, the authentication unit 237 encrypts the encrypted content key with the session key K (S25), and transmits it to the application 260 via the SAC (S26). Thereby, eavesdropping of the encrypted content key is surely prevented.

  The authentication unit 277 of the application 260 decrypts the encrypted content key received from the DVD drive device 290a with the session key K ′ (S27), and passes the decrypted encrypted content key to the Dec processing unit 224. The Dec processing unit 224 decrypts the encrypted content key with the obtained exclusive OR value, acquires the content key Kc (S28), passes this content key Kc to the Dec processing unit 280, and sends the content key The decryption process ends.

  The Dec processing unit 280 decrypts the encrypted content acquired via the DVD drive device 290a with the content key Kc passed from the Dec processing unit 224, and acquires the content (S29). As a result, the content can be decrypted while protecting the copyright. When decrypting the encrypted content in the Dec processing unit 280, the encrypted content is encrypted and communicated from the DVD drive device 290a to the application 260 via the SAC, and the encrypted content is obtained based on the encrypted content. The content may be decrypted. As a result, eavesdropping of the encrypted content can be reliably prevented.

  Here, it is assumed that the application 260 replaces the public key revocation list CRL bound to the DVD 2a with the public key revocation list CRL before its own public key becomes invalid. In this case, as in the case where there is no replacement, the SAC is set and the process can proceed to the encryption communication stage (S21) using the session key.

  However, in the decryption apparatus 200b according to the second embodiment, the bundle of encrypted content keys encrypted with the public key revocation list CRL and the information related to the hash value Hash of the public key revocation list CRL Is bound to the DVD 2a. For this reason, when CRL replacement is performed, the hash value Hash of the replaced public key revocation list CRL does not match the hash value Hash of the public key revocation list CRL bound to the DVD 2a. . As a result, even if an attempt is made to decrypt the content key using the hash value Hash of the replaced public key revocation list CRL, the normal content key Kc cannot be acquired. Therefore, in order to obtain the content key Kc for decrypting the content, it is necessary to pass the public key revocation list CRL bound to the DVD 2a.

  Therefore, it is possible to eliminate the malicious decryption device 200a that replaces the public key revocation list CRL, and it is possible to enhance the protection of copyright.

  In the second embodiment, the content key decryption unit 220a 'is provided in the application 260, but may be provided in the DVD drive device 290a. In this case, the content key Kc may be encrypted and communicated from the DVD drive device 290a to the application 260 via the SAC, and the content may be decrypted based on the content key Kc obtained by the encrypted communication. As a result, eavesdropping of the content key Kc can be reliably prevented.

  In addition, the device key storage unit 221, the Ex-OR unit 223, and the Dec processing unit 224 in the content key decrypting unit 220a ′ may be provided in the DVD drive device 290a, and only the hash function processing unit 222 may be provided in the application 260. . In this case, the public key revocation list CRL may be sent from the DVD drive device 290a to the application 260, and the hash value calculated by the hash function processing unit 222 may be sent from the application 260 to the DVD drive device 290a. At this time, the public key revocation list CRL and the hash value are cryptographically communicated via the SAC, and the hash value is calculated based on the public key revocation list CRL and the hash value obtained by the cryptographic communication, or the encrypted content The key may be decrypted. Thereby, eavesdropping of the public key revocation list CRL and the hash value is surely prevented. Further, in this case, the Dec processing unit 280 may be provided in the DVD drive device 290a. That is, the device key storage unit 221, the Ex-OR unit 223, the Dec processing unit 224, and the Dec processing unit 280 in the content key decrypting unit 220a ′ are used as the DVD drive device 290a, and only the hash function processing unit 222 is used as the application 260. You may make it provide. In this case, the public key revocation list CRL is sent from the DVD drive device 290a to the application 260, the hash value calculated by the hash function processing unit 222 is sent from the application 260 to the DVD drive device 290a, and further from the DVD drive device 290a. The decrypted content may be sent to the application 260. At this time, the public key revocation list CRL and the hash value are cryptographically communicated via the SAC, and the hash value is calculated based on the public key revocation list CRL and the hash value obtained by the cryptographic communication, or the encrypted content The key may be decrypted, and the decrypted content may be encrypted and communicated via the SAC, and passed to the application 260 by encrypted communication. As a result, in addition to the public key revocation list CRL and the hash value, wiretapping of content can be surely prevented.

  Furthermore, in the above embodiment, the SAC is formed by two-way authentication. However, the SAC may be formed by one-way authentication.

(Embodiment 3)
FIG. 9 is a functional block diagram showing a partial configuration of the copyright protection system 1c according to the third embodiment. In this copyright protection system 1c, parts corresponding to those of the copyright protection system 1a of the first embodiment are denoted by the same reference numerals, description thereof is omitted, and differences from the copyright protection system 1a are mainly described. .

  The decryption device 200c performs one-way authentication from the public key revocation list CRL bound to the DVD 2a, calculates a hash value from the public key revocation list CRL, and reproduces content by a personal computer (PC). The DVD drive device 400 reads the encrypted content from the DVD 2a and the application 500 installed on the hard disk or the like.

  The DVD drive device 400 includes a bus authentication public key certificate storage unit 410, a bus authentication private key storage unit 420, a public key decryption unit 430, a key calculation unit 440, and a bus encryption unit 450. .

  A public key certificate storage unit 410 for bus authentication of the DVD drive device 400 stores a public key certificate for bus authentication such as an IDE bus or a SCSI bus in advance. Pass the key certificate to the application 500.

  The bus authentication private key storage unit 420 to the bus encryption unit 450 generate a session key K and form a SAC with the application 500.

  The application 500 functions as a certificate validity checking unit 510, a public key validity checking unit 520, a public key encryption unit 530, a verification unit 540, a key calculation unit 550, a bus decryption unit 560, A hash function processing unit 570, a device key storage unit 580, and Dec processing units 590 and 595 are provided. Each of these units is realized by software, a CPU of a PC, a memory, and the like.

  The certificate validity checking unit 510 decrypts the certificate sent from the bus authentication public key certificate storage unit 410 with the public key, and checks whether the certificate is valid.

  When the public key validity checking unit 520 receives a notification from the certificate validity checking unit 510 that the certificate is valid, the public key revocation list CRL for bus authentication received via the DVD drive device 400, With reference to the latest public key revocation list CRL for bus authentication read from the latest public key revocation list storage unit (not shown), it is checked whether or not the DVD drive device 400 has been revoked.

  When the public key encryption unit 530 to the bus decryption unit 560 receives a notification from the public key validity checking unit 520 that the DVD drive device 400 has not been revoked, that is, the DVD drive device 400 is valid, the session key K 'Is generated and a SAC is formed with the DVD drive device 400.

The public key encryption unit 530 calculates a hash value Hash of the public key revocation list CRL.
The device key storage unit 580 stores the device key KD_A in advance.

  The Dec processing unit 590 generates a content key Kc based on the encrypted content key output from the bus decryption unit 560, the hash value Hash output from the hash function processing unit 570, and the device key KD_A.

  The Dec processing unit 590 generates the content by decrypting the encrypted content bound to the DVD 2a with the content key Kc.

  Next, an authentication process performed between the DVD drive device 400 and the application 500 will be described.

  Upon receiving the notification that the DVD drive device 400 is valid, the public key encryption unit 530 generates a random number cha, encrypts the generated random number cha with the other party's bus authentication public key, and makes the DVD drive device 400 public. The encrypted random number cha is transferred to the key decryption unit 430.

  The public key decryption unit 430 decrypts the encrypted random number cha with the bus authentication private key stored in the bus authentication private key storage unit 420 to obtain the random number cha. Then, the public key decryption unit 430 encrypts the random number cha and its own private key with the other party's bus authentication public key, transfers the encrypted result to the verification unit 540, and uses the random number cha and the private key as a key. It passes to the calculation unit 440. The key calculation unit 440 calculates a session key K based on the random number cha and the secret key, and passes the session key K to the bus encryption unit 450. The bus encryption unit 450 encrypts the bundle of encrypted content keys with the session key K and sends the double-encrypted bundle of content keys to the application 500.

  On the other hand, the verification unit 540 of the application 500 checks whether or not the random number cha obtained by the decryption matches the original random number cha using its own secret key. The secret key is passed to the key calculation unit 550. The key calculation unit 550 calculates a session key K ′ using the random number cha and the other party's secret key, and passes it to the bus decryption unit 560. The bus decryption unit 560 decrypts the double encrypted content key bundle with the session key K ′, generates an encrypted content key bundle, and outputs the encrypted content key bundle to the Dec processing unit 590. .

  On the other hand, the hash function processing unit 570 calculates the hash value Hash of the CRL output via the DVD drive device 400 and outputs the hash value Hash to the Dec processing unit 590. The Dec processing unit 590 decrypts the content key Kc into a value encrypted with the device key KD_A, for example, by calculating an exclusive OR of the bundle of encrypted content keys and the hash value Hash, and further decrypts the content key Kc with the device key KD_A. By decrypting with the key KD_A, the content key Kc is decrypted, and the content key Kc is passed to the Dec processing unit 595. The Dec processing unit 595 decrypts the encrypted content bound to the DVD 2a with the content key Kc, and reproduces the content.

  Therefore, even in the decryption device 200c of the copyright protection system 1c according to the third embodiment, that is, the PC configured by the DVD drive device 400 and the application 500, the content is decrypted similarly to the HD-DVD. In order to obtain a key for this purpose, it is necessary to pass the public key revocation list CRL bound to the DVD 2a, and an illegal DVD drive device 400 that replaces the public key revocation list CRL can be eliminated. Protect rights.

  When the decryption device 200c, that is, a PC is connected to the Internet, the terminal device 300 is accessed when the DVD 2a is played, the latest CRL is downloaded from the terminal device 300, and the latest downloaded The public key validity checking unit 520 may check whether the DVD drive device 400 is revoked using the CRL.

  Further, in the decryption device 200c of the third embodiment, the DVD drive device 400 and the application 500 are configured. However, the DVD playback PC software actually has only a so-called “descramble” function, and a copyright protection module. It is also assumed that the cable is used by connecting. That is, the copyright protection module 210a can be attached to the PC, and the decryption device 200c constituted by this PC is changed to the DVD drive device 400, the copyright protection module 210a, and the DVD playback PC software of the Dec processing unit 595 part. You may comprise.

  In this case, the DVD drive device 400 and the copyright protection module 210a form a SAC, the SAC is formed by the copyright protection module 210a and the DVD playback PC software of the Dec processing unit 595, and then the DVD drive device. The encrypted content read by 400 may be decrypted with the content key and the content may be reproduced.

  In the third embodiment, the challenge (encryption) → response (decryption) → confirmation (decryption of the decrypted text) is used for authentication, but a challenge (plain text) that is a general authentication method → the response (response ( Signature generation) → Confirmation (signature confirmation) may be adopted.

(Embodiment 4)
FIG. 10 is a functional block diagram showing the overall configuration of the copyright protection system 1d according to the fourth embodiment. In this copyright protection system 1d, parts corresponding to those of the copyright protection system 1a of the first embodiment are denoted by the same reference numerals, description thereof is omitted, and the differences from the case of the copyright protection system 1a are mainly described. explain.

  In the copyright protection system 1d, the terminal device 110b of the encryption device 100b includes the public key revocation list storage unit 111, the device key bundle storage unit 112, the content key storage unit 113, the hash function processing unit 114, and the Enc unit. 117 and an Ex-OR unit 118 are further provided. On the other hand, in the copyright protection module 210b of the decryption device 200d, the content key decryption unit 220b is configured to further include a Dec processing unit 225 and an Ex-OR unit 226 in addition to the device key storage unit 221.

  Here, in the terminal device 110a of the encryption device 100a according to the first embodiment, the exclusive OR value of the hash value Hash of the public key revocation list CRL output from the hash function processing unit 114 and each device key is obtained. It is calculated by the Ex-OR unit 115, and the Enc unit 116 encrypts the content key Kc with the exclusive OR value to generate a bundle of encrypted content keys.

  On the other hand, in the terminal device 110b of the encryption device 100b according to the fourth embodiment, the Enc unit 117 encrypts the content key Kc only with each device key stored in the device key bundle storage unit 112, and only each device key. Is configured to generate a bundle of encrypted content keys encrypted in the above.

  Also, the terminal device 110a of the encryption device 100a according to Embodiment 1 passes the content key Kc to the terminal device 160 as it is. For this reason, in the terminal device 160, the Enc unit 162 encrypts the content with the content key Kc to generate the encrypted content.

  In contrast, in the terminal device 110b of the encryption device 100b according to the fourth embodiment, the Ex-OR unit 118 uses the hash value Hash and the content key of the public key revocation list CRL output from the hash function processing unit 114. It is configured to take an exclusive OR with Kc and to pass the exclusive OR value to the terminal device 160. Therefore, in the terminal device 160 that has received the exclusive OR value, the Enc unit 162 encrypts the content with the exclusive OR value, and generates encrypted content.

  Therefore, the hash value is not involved in each encrypted content key bound to the DVD 2b, and the hash value is involved in the encrypted content, and the relationship is opposite to that of the DVD 2a.

  Further, in the content key decryption unit 220a of the decryption apparatus 200a according to Embodiment 1, the own device key KD_A and the hash value of the public key revocation list CRL stored in the device key storage unit 221 in the Ex-OR unit 223 The exclusive OR value with Hash is calculated, and the Dec processing unit 224 decrypts the encrypted content key in which the hash value is involved with the exclusive OR value to obtain the content key Kc.

  On the other hand, in the content key decryption unit 220b of the decryption apparatus 200d according to the fourth embodiment, since the hash value Hash is not involved in the encrypted content key bound to the DVD 2b, the Dec processing unit 225 performs the encryption. The content key is decrypted only with its own device key stored in the device key storage unit 221 to obtain the content key Kc. Since the hash value Hash is involved in the encrypted content bound to the DVD 2b, the content key Kc acquired by the Dec processing unit 225 and the public key revocation bound to the DVD 2b are performed in the Ex-OR unit 226. An exclusive OR value with the hash value Hash of the list CRL is calculated, and the obtained exclusive OR value is passed to the authentication unit 237 of the authentication processing unit 230a.

  The exclusive OR value of the content key Kc and the hash value Hash is passed to the Dec processing unit 280. For this reason, the Dec processing unit 280 decrypts the encrypted content related to the hash value Hash recorded on the DVD 2b with the exclusive OR value of the content key Kc and the hash value Hash, and acquires the content.

  Therefore, also in the copyright protection system 1d according to the fourth embodiment, the encryption device 100b encrypts the encrypted digital work and the first secret key (content key) used for the encryption. Output (encrypted content key) and the hash value of the public key revocation list, but the encrypted digital work is not simply encrypted with the first secret key, The first secret key is encrypted with the modified first secret key in which the hash value of the public key revocation list is involved. Therefore, the decryption device 200b that has received the attribute values of the encrypted digital work, the encrypted first secret key, and the public key revocation list, even if the public key revocation list is replaced, Since the list is not used, the encrypted digital work cannot be correctly decrypted by using the first secret key modified in such a manner. Therefore, it is possible to transfer a digital work that is safe. In addition, since the attribute value calculation time is eliminated by using the attribute value, the decryption of the first secret key is enhanced, and the attribute value calculation unit is eliminated, thereby reducing the cost of the decryption device. Can be That is, a copyright protection system that can exhibit a higher price / performance ratio and can safely transfer digital works is realized.

(Embodiment 5)
FIG. 11 is a functional block diagram showing the overall configuration of the copyright protection system 1e according to the fifth embodiment. In the drawing, illustration of functional parts corresponding to the copyright protection system 1a of the first embodiment is omitted, and only functional parts specific to the copyright protection system 1e are shown.

  In the encryption device 100c of the copyright protection system 1e, the terminal device 110c further includes a fixed pattern storage unit 119. On the other hand, in the copyright protection module 210c of the decryption apparatus 200e, the content key decryption unit 220c is configured to further include a Dec processing unit 227 and a content decryption key check unit 228 in addition to the Dec processing unit 224 and the like.

  Here, the content key decryption unit 220a of the decryption apparatus 200a according to Embodiment 1 simply passes the acquired content key Kc to the Dec processing unit 280, and the content key decryption unit 220a itself acquires the acquired content. It was not known whether the key Kc is a legitimate key that can normally decrypt the encrypted content. For this reason, it is desirable to check beforehand whether or not the content key Kc is a correct value before passing the acquired content key Kc to the Dec processing unit 280.

  Therefore, the copyright protection system 1e according to the fifth embodiment is a system having such a key check function, and the terminal device 110c used by the copyright protection licensor of the encryption device 100c is the terminal device 110a. In addition to the above configuration, a fixed pattern storage unit 119 is further provided. The fixed pattern storage unit 119 stores in advance a fixed pattern obtained by encrypting a predetermined fixed pattern plaintext (for example, fixed pattern plaintext “01234456789ABCDEF” expressed in hexadecimal) with the content key Kc. The fixed pattern stored in the fixed pattern storage unit 119 is bound to the DVD 2c via the terminal device 160.

  On the other hand, the content key decryption unit 220c provided in the copyright protection module 210c of the decryption device 200e further includes a Dec processing unit 227 and a content decryption key check unit 228 in addition to the configuration of the content key decryption unit 220a. The Dec processing unit 227 decrypts the encrypted data of the fixed pattern plaintext bound to the DVD 2a with the content key Kc decrypted by the Dec processing unit 224. The content decryption key check unit 228 holds the fixed pattern plaintext “01234456789ABCDEF” in advance, and the fixed pattern plaintext held in advance is the same as the fixed pattern plaintext decrypted by the Dec processing unit 227. Whether the decrypted content key Kc is a correct value is checked.

  According to the copyright protection system 1e configured as described above, it is possible to check in advance whether or not the content key Kc is a correct value inside the content key decryption unit 220c, and an incorrect content key in the Dec processing unit 280 can be checked. It is possible to avoid useless decryption processing such as content decryption using Kc in advance.

  In the copyright protection system 1e according to the fifth embodiment, the key check function is applied to the copyright protection system 1a according to the first embodiment, but is applied to the copyright protection system 1d according to the fourth embodiment. Also good.

  In this case, since the content is encrypted with the exclusive OR value of the content key Kc and the hash value Hash of the public key revocation list CRL, the fixed pattern plaintext “01234456789ABCDEF” is stored in the fixed pattern storage unit 119. A fixed pattern encrypted with an exclusive OR value of the key Kc and the hash value Hash is stored in advance, and this fixed pattern may be recorded on the DVD 2c.

  On the other hand, in the Dec processing unit 227 of the content key decryption unit 220c, the output of the Dec processing unit 224, that is, the output of the Ex-OR unit 226 (see FIG. 10) instead of the content key Kc, that is, the content key Kc and the hash value Hash The encrypted data of the fixed pattern plaintext bound to the DVD 2a with the exclusive OR value of Then, the content decryption key check unit 228 decrypts the content decrypted based on whether the fixed pattern plaintext “01234456789ABCDEF” stored in advance and the fixed pattern plaintext decrypted by the Dec processing unit 227 are the same or not. It is possible to check whether or not the exclusive OR value of the decryption key, that is, the content key Kc and the hash value Hash is a correct value.

(Embodiment 6)
FIG. 12 is a functional block diagram showing the overall configuration of the copyright protection system 1f according to the sixth embodiment. Also in this figure, illustration of functional parts corresponding to the copyright protection system 1a of the first embodiment is omitted, and only functional parts specific to the copyright protection system 1f are shown.

  The copyright protection system 1f according to the sixth embodiment is a system having a key check function like the copyright protection system 1e, and the terminal device 110d of the encryption device 100d is in addition to the configuration of the terminal device 110a. Further, an Enc unit 131 is provided. The Enc unit 131 generates content key verification data obtained by encrypting the content key Kc read from the content key storage unit 113 with the content key Kc. This content key verification data is bound to the DVD 2d.

  On the other hand, the content key decryption unit 220d provided in the copyright protection module 210d of the decryption device 200f further includes an Enc unit 241 and a content key check unit 242 in addition to the configuration of the content key decryption unit 220a. The Enc unit 241 has the same configuration as the Enc unit 131 of the terminal device 110d, and encrypts the content key Kc decrypted by the Dec processing unit 224 with the content key Kc to generate content key collation data. The content key check unit 242 compares the content key verification data generated by the Enc unit 241 with the content key verification data bound to the DVD 2d, and determines whether or not these data have the same value. It is checked whether or not the content key Kc decrypted by H.224 is a correct key, that is, a key that can decrypt the encrypted content.

  Even with the copyright protection system 1f configured as described above, it is possible to check in advance whether or not the content key Kc is a correct value inside the content key decryption unit 220d, similarly to the copyright protection system 1e. It is possible to avoid in advance a useless decryption process called content decryption using an incorrect content key Kc in the processing unit 280.

  In the copyright protection system 1f of the sixth embodiment, the key check function is applied to the copyright protection system 1a of the first embodiment, but is applied to the copyright protection system 1d according to the fourth embodiment. Also good.

  In that case, since the content is encrypted with the exclusive OR value of the content key Kc and the hash value Hash of the public key revocation list CRL, the Enc unit 131 outputs the output of the content key storage unit 113, That is, instead of the content key Kc, the output of the Ex-OR unit 118, that is, the exclusive OR value of the content key Kc and the hash value Hash is encrypted with this exclusive OR value, and this content key verification data is stored in the DVD 2d. Record it.

  On the other hand, in the Enc unit 241 of the content key decryption unit 220d, the output of the Dec processing unit 224, that is, the output of the Ex-OR unit 226 (see FIG. 10) instead of the content key Kc, that is, the content key Kc and the hash value Hash What is necessary is just to encrypt an exclusive OR value with the exclusive OR value. Then, the content key check unit 242 compares the content key verification data generated by the Enc unit 241 with the content key verification data bound to the DVD 2d, and determines whether or not these keys have the same value. It is possible to check whether the key generated by the OR unit 226 is a correct key, that is, a key that can decrypt the encrypted content.

(Embodiment 7)
FIG. 13 is a functional block diagram showing an overall configuration of a copyright protection system 1g according to the seventh embodiment. Also in this figure, illustration of functional parts corresponding to the copyright protection system 1a of the first embodiment is omitted, and only functional parts specific to the copyright protection system 1g are shown.

  The copyright protection system 1g according to the seventh embodiment is a system having a key check function similar to the copyright protection systems 1e and 1f, and is configured by an encryption device 100d having the same configuration as that of the sixth embodiment. The DVD 2d is bound with the content key verification data generated by the Enc unit 131.

  On the other hand, the content key decryption unit 220e provided in the copyright protection module 210e of the decryption device 200g further includes a Dec processing unit 243 and a content decryption key check unit 244 in addition to the configuration of the content key decryption unit 220a.

  The Dec processing unit 243 decrypts the content key verification data encrypted by the Enc unit 131 and bound to the DVD 2d with the content key Kc decrypted by the Dec processing unit 224. The content decryption key check unit 244 compares the content key Kc decrypted by the Dec processing unit 224 with the content key Kc decrypted by the Dec processing unit 243, and determines whether or not these keys have the same value. Thus, it is checked whether or not the content key Kc decrypted by the Dec processing unit 224 is a correct key, that is, a key that can decrypt the encrypted content.

  Even with the copyright protection system 1g configured in this manner, as in the media copyright protection systems 1e and 1f, whether or not the content key Kc is a correct value is checked beforehand in the content key decryption unit 220e. It is possible to avoid in advance a useless decryption process of content decryption using an incorrect content key Kc in the Dec processing unit 280.

  In the copyright protection system 1g of the seventh embodiment, the key check function is applied to the copyright protection system 1a of the first embodiment, but is applied to the copyright protection system 1d according to the fourth embodiment. Also good.

  In this case, since the content is encrypted with the exclusive OR value of the content key Kc and the hash value Hash of the public key revocation list CRL, the Enc unit 131 is the same as the modification of the sixth embodiment. In this case, instead of the output of the content key storage unit 113, that is, the content key Kc, the output of the Ex-OR unit 118, that is, the exclusive OR value of the content key Kc and the hash value Hash is the exclusive OR value. What is necessary is just to encrypt and record the content key collation data produced | generated by this encryption on DVD2d.

  On the other hand, the Dec processing unit 243 of the content key decrypting unit 220e uses the content key decrypted data read from the DVD 2d as the output of the Dec processing unit 224, that is, the output of the Ex-OR unit 226 (see FIG. 10) instead of the content key Kc. That is, decryption is performed using the exclusive OR value of the content key Kc and the hash value Hash. Then, in the content decryption key check unit 244, a key for decrypting the content decrypted by the Ex-OR unit 226, that is, an exclusive OR value of the content key Kc and the hash value Hash, and the Dec processing unit 243 And whether the key decrypted by the Ex-OR unit 226 is a correct key, that is, a key capable of decrypting the encrypted content, based on whether or not these keys have the same value. Check it out.

(Embodiment 8)
FIG. 14 is a functional block diagram showing the overall configuration of the copyright protection system 1h according to the eighth embodiment. In this copyright protection system 1h, parts corresponding to those of the copyright protection system 1a of the first embodiment are denoted by the same reference numerals, description thereof is omitted, and differences from the copyright protection system 1a are mainly described. .

  In the terminal device 110e of the encryption device 100e, in addition to the public key revocation list storage unit 111, the device key bundle storage unit 112, the content key storage unit 113, and the hash function processing unit 114, a disk key storage unit 141 and an Enc unit 142 are provided. , 143. On the other hand, in the copyright protection module 210f of the decryption apparatus 200h, the content key decryption unit 220f is configured to further include a Dec processing unit 245 and a Dec processing unit 246 in addition to the device key storage unit 221 and the Ex-OR unit 223. The

  By the way, in the encryption device 100a according to Embodiment 1, two keys, a bundle of device keys KD_A, and a content key Kc are stored in the device key bundle storage unit 112 and the content key storage unit 113, respectively. The key Kc is encrypted with a bundle of device keys KD_A involving the hash value of the public key revocation list CRL, a bundle of encrypted content keys is generated, the content is encrypted with the content key Kc, and the encrypted content key is It was generated. That is, the secret key is divided into two layers by the device key KD_A and the content key Kc. Such a two-layered secret key usually provides sufficient encryption strength against attacks.

However, there are licensors who want the encryption strength to be further improved.
Therefore, the terminal device 110e of the encryption device 100e according to the eighth embodiment employs a three-layer structure in which the secret key is the device key KD_A and the content key Kc described above and the disk key Kd is further added. Strength is further improved.

  The disk key storage unit 141 stores a disk key Kd in advance. The disc key Kd is a secret key provided above the content key for each content in consideration of a plurality (about 7) of content entering one DVD.

  The Enc unit 142 encrypts the disk key Kd stored in the disk key storage unit 141 with the exclusive OR value of the hash value Hash and each device key KD_A, and generates a bundle of encrypted disk keys.

  The Enc unit 143 encrypts the content key Kc stored in the content key storage unit 113 with the disc key Kd, and generates an encrypted content key.

  Therefore, the terminal device 160 encrypts the encrypted disk generated by the Enc units 142 and 143 in addition to the encrypted content, the hash value of the public key revocation list CRL and the public key revocation list CRL, with respect to the DVD 2e. Bind the key bundle and the encrypted content key.

  In response to this, the content key decryption unit 220f of the copyright protection module 210f of the decryption apparatus 200h stores only the device key KD_A, and the bundle of encrypted disk keys bound to the DVD 2e is invalidated with the device key KD_A and the public key. The content key Kc is decrypted by decrypting with the hash value of the encryption list CRL to decrypt the disc key Kd and further decrypting the encrypted content key bound to the DVD 2e with the disc key Kd. .

  The Dec processing unit 245 decrypts the disk key Kd by decrypting the encrypted disk key bundle passed from the DVD drive device 290 with the device key KD_A and the hash value of the public key revocation list CRL.

  The Dec processing unit 246 decrypts the content key Kc by decrypting the encrypted content key passed from the DVD drive device 290 with the disc key Kd.

  Therefore, also in the copyright protection system 1h according to the eighth embodiment, as in the case of the first embodiment, it is possible to exhibit a higher price / performance ratio and to transfer a digital work safely. In addition, since the secret key has three layers, the encryption strength against the attack is increased, and the copyright protection can be further strengthened.

  In the eighth embodiment, the secret key has three layers. However, the secret key may be further multilayered. In this case, the encryption strength against the attack can be further increased.

  Further, the terminal device 110e further includes a confirmation data output unit that outputs confirmation data serving as a reference for confirming whether or not the content key decrypted in the decryption device 200h is correct to the DVD 2e. It is good. The confirmation data output unit may be configured to output data obtained by encrypting data of a predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2e as confirmation data. The data output unit may be configured to output data obtained by encrypting the content key with the content key to the DVD 2e as confirmation data. Corresponding to this terminal device 110e, the content key decrypting unit 220f is made to determine whether or not the decrypted content key is the correct key, a content decrypting key checking unit 228, a content key checking unit 242, a content decrypting key check. It is good also as a structure provided with the part 244 grade | etc.,.

(Embodiment 9)
FIG. 15 is a functional block diagram showing the overall configuration of the copyright protection system 1i according to the ninth embodiment. In this copyright protection system 1i, parts corresponding to those of the copyright protection system 1h according to the eighth embodiment are denoted by the same reference numerals, description thereof is omitted, and differences from the copyright protection system 1h are mainly described. .

  In the encryption device 100f of the copyright protection system 1i, the terminal device 110f includes a public key revocation list storage unit 111, a device key bundle storage unit 112, a hash function processing unit 114, an Ex-OR unit 115, and a disk key storage unit. In addition to the 141 and the Enc unit 142, a media ID storage unit 144 and a one-way function unit 145 are further provided. On the other hand, in the copyright protection module 210g of the decryption apparatus 200i, the content key decryption unit 220g is the same as the one-way function unit 145 in addition to the device key storage unit 221, the Ex-OR unit 223, and the Dec processing unit 245. A unidirectional function unit 247 having a configuration is provided.

  By the way, in the terminal device 110e of the encryption device 100e according to Embodiment 8, the disk key Kd stored in the disk key storage unit 141 is encrypted with the exclusive OR value of the hash value Hash and each device key KD_A, A bundle of encrypted disk keys is generated, and the content key Kc stored in the content key storage unit 113 is encrypted with the disk key Kd to generate an encrypted content key. As a result, in the terminal device 110e, while the encryption strength against the attack increases, the load for the two encryption processes is large. Also in the content key decryption unit 220f, the load for the two decryption processes is large.

  Therefore, in the terminal device 110f related to the encryption device 100f of the copyright protection system 1i, instead of the content key storage unit 113, a media ID storage unit 144 that stores a unique media ID and MID for each DVD, and an Enc unit 143 Instead of using the one-way function unit 145 that generates the content key Kc based on the media ID, MID, and the disk key Kd, the processing for encrypting the content key Kc is omitted, thereby reducing the addition of the terminal device 110f. I am trying.

  The one-way function unit 145 is, for example, Ex-OR, and generates the content key Kc by substituting the media ID and MID stored in the media ID storage unit 144 and the disc key Kd into the one-way function. The processing for generating the content key Kc is lighter than the processing for generating the encrypted content key by the Enc unit 143 in FIG.

  In addition to the public key revocation list CRL and the encrypted content, the terminal device 160 bundles the encrypted disk key generated by the Enc unit 142 and the media ID output from the media ID storage unit 144 with respect to the DVD 2f. , MID is bound to DVD2f.

  In response to this, the content key decryption unit 220g related to the copyright protection module 210g of the decryption apparatus 200i stores only the device key KD_A, and a bundle of encrypted disk keys bound to the DVD 2f as the device keys KD_A and DVD 2f. The disc key Kd is decrypted by decrypting with the hash value of the bound public key revocation list CRL, and the content key Kc based on the media ID, MID and disc key Kd bound to the DVD 2f. Is generated.

  The one-way function unit 247 generates a content key Kc by performing one-way function processing on the media ID and MID with the disc key Kd. The processing for generating the content key Kc is lighter than the processing for decrypting the content key Kc by the Dec processing unit 246 in FIG.

  Here, the media ID and MID are easily known because they are bound to the DVD 2f, but the configurations of the one-way function units 145 and 247 are not as well known as the secret key. Therefore, also in the copyright protection system 1i according to the ninth embodiment, as in the case of the first embodiment, it is possible to exhibit a higher price / performance ratio and to safely transfer a digital work. In addition, since the encryption strength is increased, the encryption strength against the attack is increased, copyright protection can be further strengthened, and the load on the terminal device 110f and the content key decryption unit 220g can be reduced.

  The terminal device 110f is further provided with a confirmation data output unit that outputs confirmation data serving as a reference for confirming whether or not the content key decrypted by the decryption device 200i is correct to the DVD 2f. It is good. The confirmation data output unit may be configured to output data obtained by encrypting data of a predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2f as confirmation data. The data output unit may be configured to output data obtained by encrypting the content key with the content key to the DVD 2f as confirmation data. Corresponding to the terminal device 110f, the content key decrypting unit 220g determines whether the decrypted content key is a correct key, a content decrypting key check unit 228, a content key checking unit 242, a content decrypting key check. It is good also as a structure provided with the part 244 grade | etc.,.

(Embodiment 10)
FIG. 16 is a functional block diagram showing the overall configuration of the copyright protection system 1p according to the tenth embodiment. In FIG. 16, the terminal device 300 is not shown. In this copyright protection system 1p, parts corresponding to those of the copyright protection system 1i of the ninth embodiment are denoted by the same reference numerals, description thereof is omitted, and differences from the copyright protection system 1i are mainly described. .

  In the copyright protection system 1i, the encryption device 100f is composed of two terminal devices: a copyright protection licensor terminal device 110f and a content manufacturer terminal device 160. On the other hand, in this copyright protection system 1p, the encryption device 100p has three terminals: a key issuing center terminal device 110p, a content supplier terminal device 150, and a disc manufacturer terminal device 160p. It consists of devices.

  The terminal device 110p includes a public key revocation list storage unit 111, a device key bundle storage unit 112, a hash function processing unit 114, a disk key storage unit 141 that stores a disk key Kd, and a medium that stores a media key Km. It includes a key storage unit 146, an Enc unit 147 that encrypts the media key Km with each device key KD_A, an Enc unit 148 that encrypts the disk key Kd with the media key Km, and the like. Then, the terminal device 110p includes the public key revocation list CRL stored in the public key revocation list storage unit 111, the hash value of the public key revocation list CRL calculated by the hash function processing unit 114, and the Enc unit. Each encrypted media key Km encrypted by 147, the disk key Kd stored in the disk key storage unit 141, and the disk key Kd encrypted by the Enc unit 148 are transferred to the terminal device 160p.

  The terminal device 150 includes a content storage unit 151 that stores AV content, an information storage unit 152 that stores information (for example, content ID) Vu indicating what the content is, and the like. Then, the terminal device 150 transfers the AV content stored in the content storage unit 151 and the information Vu stored in the information storage unit 152 to the terminal device 160p.

  In addition to the Enc unit 162, the terminal device 160p includes an information storage unit 163 that stores information Ve including a value (for example, a serial number) that changes for each disk, and three two-input one-way function units 164, 165, and 166. Etc. The one-way function unit 164 generates a secret key Ke based on the disc key Kd and the information Ve. The one-way function unit 165 generates a secret key based on the secret key Ke and the CRL hash value. The one-way function unit 166 generates a secret key Ku for encrypting AV content based on the secret key generated by the one-way function unit 166 and the information Vu. The Enc unit 162 encrypts the AV content with the secret key Ku, and generates encrypted content. Then, the terminal device 160p, with respect to the DVD 2p, in addition to the public key revocation list CRL, the hash value of the CRL, the encrypted content, the information Ve and Vu, the encrypted media key Enc (Km), and the encryption Bind to the encrypted disk key Enc (Kd).

  The above information Ve and Vu are raw data because of (1) preventing the disc manufacturer's fraud (2) or changing the key for each content supply under the content supplier management. It is also used as data related to content encryption (key generation process). In addition, information specifying the content supplier may be included in the information Vu. Furthermore, the information Ve may include information for specifying a disc manufacturer or specifying a stamper.

  According to such a configuration of the encryption device 100p, the copyright protection module 210p of the decryption device 200p includes a content key decryption unit 220p and a Dec processing unit 280, and the content key decryption unit 220p includes a device key storage. In addition to the unit 221, three Dec processing units 251 and 252 respectively corresponding to the Enc units 147 and 148 of the encryption device 100 p, and three configurations having the same configuration as the one-way function units 164, 165 and 166 of the encryption device 100 p It consists of two-input one-way function units 253, 254, 255 and the like.

  The Dec processing unit 251 receives and receives the encrypted media key Enc (Km) for the decryption device 200p from the bundle of encrypted media keys Enc (Km) recorded on the DVD 2p via the DVD drive device 290. The encrypted media key Enc (Km) is decrypted with the device key KD_A stored in the device key storage unit 221 to generate the media key Km. The Dec processing unit 252 generates the disc key Kd by decrypting the encrypted disc key Enc (Kd) recorded on the DVD 2p with the media key Km generated by the Dec processing unit 251. The one-way function unit 253 generates a secret key Ke based on the information Ve recorded on the DVD 2p and the disc key Kd generated by the Dec processing unit 252. The one-way function unit 254 generates a secret key based on the secret key Ke generated by the one-way function unit 253 and the CRL hash value recorded on the DVD 2p. This secret key is the same as the secret key generated by the one-way function unit 165. The one-way function unit 255 generates a secret key Ku based on the information Vu recorded on the DVD 2p and the secret key generated by the one-way function unit 254, and uses the generated secret key Ku as a Dec processing unit. Forward to 280.

  The Dec processing unit 280 reproduces the AV content by decrypting the encrypted content recorded on the DVD 2p with the secret key Ku transferred from the content key decrypting unit 220p.

  As described above, according to the copyright protection system 1p according to the tenth embodiment, the information Ve as well as the public key revocation list CRL, the hash value of the CRL, the encrypted content from the encryption device 100p to the DVD 2p. , Vu, the encrypted media key Enc (Km), and the encrypted disk key Enc (Kd) are bound, but the secret key Ku that encrypted the encrypted content is not bound. The secret key Ku is not simply a content key encrypted by the second secret key (device key KD_A) associated with the decryption device 200p, but an attribute value (hash value) of the public key revocation list. Etc. are generated based on the above. Therefore, the decryption device 200p that has received the encrypted content, the public key revocation list attribute value, and the like cannot correctly generate such a secret key Ku, and therefore correctly decrypts the encrypted digital work. I can't. Therefore, it is possible to transfer a digital work that is safe. The digital work recorded on the DVD 2p is protected from unauthorized copying and the like, and healthy development in the distribution market of multimedia related products can be expected. Moreover, by using the attribute value (hash value) bound to the DVD2p, the attribute value calculation time that has been generated so far is eliminated, so that the decryption of the content key is improved and the attribute value calculation unit is eliminated. Thus, the price of the decoding device 200a can be reduced. Since the time required for mutual authentication, which has been generated so far, is eliminated, the decryption of the content is greatly improved, and the encryption communication device for forming the SAC is eliminated, so that the decryption device 200p is greatly reduced in price. Can be

  In addition, although the three one-way function units 164 to 166 are used in the encryption device 100p of the tenth embodiment, a four-input one-way function unit or the like is used instead of the one-way function units 164 to 166. The secret key Ku may be generated based on the disk key Kd, the CRL hash value, and the information Ve and Vu. Similarly, in the decryption apparatus 200p, a four-input one-way function unit or the like is used instead of the one-way function units 253 to 255, and based on the disk key Kd, the CRL hash value, and the information Ve and Vu. The secret key Ku may be generated. The information Ve and Vu may be omitted from the secret key generation process. That is, the secret key Ku may be generated based on the disk key Kd and the CRL hash value.

  Further, the terminal device 110p further includes a confirmation data output unit that outputs confirmation data serving as a reference for confirming whether or not the content key decrypted by the decryption device 200p is correct to the DVD 2p. It is good. The confirmation data output unit may be configured to output data obtained by encrypting data of a predetermined fixed pattern with the content key stored in the content key storage unit 113 to the DVD 2p as confirmation data. The data output unit may be configured to output data obtained by encrypting the content key with the content key to the DVD 2p as confirmation data. Corresponding to this terminal device 110p, the content key decrypting unit 220p is caused to determine whether or not the decrypted content key is a correct key, a content decrypting key checking unit 228, a content key checking unit 242, a content decrypting key check. It is good also as a structure provided with the part 244 grade | etc.,.

  The copyright protection system according to the present invention has been described based on the embodiments. However, the present invention is not limited to these embodiments.

  For example, in the copyright protection system in the above embodiment, the digital work is transferred via a recording medium called DVD, but the present invention is applied to a system that transfers the digital work via a transmission medium such as the Internet. be able to. That is, the copyright protection system according to the present invention can be applied by transmitting to the transmission path instead of recording to the recording medium and receiving from the transmission path instead of reading from the recording medium.

  The present invention can also be applied to a system that transfers a digital work by combining a recording medium and a transmission medium. That is, for example, the encrypted content may be provided on a recording medium called a DVD, and the key for decrypting the encrypted content, the CRL, its hash value, and the like may be provided by net distribution using a transmission medium. Further, the reverse form, that is, the key or the like may be provided on a recording medium, and the encrypted content may be provided on the Internet via a transmission medium. In a system for transferring a digital work by combining this recording medium and a transmission medium, what is provided by the recording medium and what is provided by the net distribution by the transmission medium among the encrypted content and the key, It can be arbitrarily determined.

  In the above-described embodiment, the copyright protection system according to the present invention is used in a wide area between the copyright protection licensor or the encryption devices 100a to 100i of the content manufacturer and the decryption devices 200a to 200i used by the user. Although the case where it is applied has been described, the copyright protection system can be applied to processing when performing encrypted communication of content that is a digital work in a small area such as a home or a company.

(Embodiment 11)
FIG. 17 is a block diagram showing the overall configuration of a copyright protection system that encrypts and communicates content via a small home LAN, and FIG. 18 shows the AV server 100j and each plasma TV 200k, VTR 200m, DVD shown in FIG. It is a block diagram which shows the structure of the recorder 200n. In FIG. 18, since the configuration of the plasma TV 200k, VTR 200m, and DVD recorder 200n is the same for the copyright protection mechanism, only the configuration of the plasma TV 200k is shown as a representative example of these.

  The copyright protection system 1j includes a home LAN 30 as a transfer medium, an AV server 100j connected to the home LAN 30, and a plasma TV 200k, a VTR 200m, and a DVD recorder 200n as clients.

  Although the AV server 100j is configured in substantially the same manner as the encryption device 100a shown in FIG. 1, the content received from outside the home is stored in the content storage unit 161 configured by an HDD or the like, and the plasma TV 200k, VTR 200m, The point that the content requested in response to the stored content distribution request from the DVD recorder 200n is distributed over the home LAN 30 is greatly different from the case of the encryption device 100a.

  More specifically, the AV server 100j receives content from the broadcast station 100g via the satellite broadcast (BS, CS) or terrestrial broadcast network 3a, or from the content provider server 100h via the Internet network 3b. The content is received, or the content is received from the CATV station 100i via the CATV network 3c, and the received content is stored in the content storage unit 161.

  The AV server 100j includes a session key storage unit 112a. When there is a distribution request for stored content stored in the content storage unit 161 from any of the clients, for example, the plasma TV 200k, the AV server 100j is based on the distribution request. The SAC is formed with the plasma TV 200k, the session key Kses obtained at the time of forming the SAC is stored in the session key storage unit 112a, and the session key Kses is used instead of the device key used in the encryption device 100a. The content key Kc is encrypted using the key, which is greatly different from the case of the encryption device 100a that encrypts the content key Kc using the device key. That is, the point that the session key Kses is used instead of the device key is greatly different from the case of the encryption device 100a.

  On the other hand, although the plasma TV 200k, VTR 200m, and DVD recorder 200n are configured in substantially the same manner as the decryption device 200a shown in FIG. 1, the session key Kses obtained when the SAC is formed with the AV server 100j is used. Each has a session key storage unit 221a for storing, and the content key Kc is decrypted using the device key KD_A in that the content key Kc is decrypted using the session key Kses stored in the session key storage unit 221a. This is greatly different from the case of the decoding device 200a. That is, the point that the session key Kses is used instead of the device key KD_A is greatly different from the case of the decryption apparatus 200a.

  Next, processing performed by the AV server 100j and the plasma TV 200k of the copyright protection system 1j will be described focusing on differences from the copyright protection system 1a.

  When there is a request for content distribution from the DVD recorder 200n as a client, the AV server 100j performs an SAC process with the plasma TV 200k using elliptical encryption. The AV server 100j stores the session key Kses in the session key storage unit 112a, and the content key decryption unit 220h in the copyright protection module 210k of the plasma TV 200k includes a session key storage unit. The session key Kses is stored in 221a.

  Next, the Ex-OR unit 115 of the AV server 100j XORs the session key Kses shared between the plasma TVs 200k and the hash value of the CRL. Then, the Enc unit 116 encrypts the content key Kc using the value obtained by the Ex-OR unit 115 as a key. Next, the Enc unit 162 encrypts the requested content of the AV data with the content key Kc. When the content key and the content are encrypted, the AV server 100j transmits the encrypted content key and the encrypted content together with the CRL hash value to the plasma TV 200k via the home LAN 30 by encrypted communication using the session key.

  The content key decryption unit 220k related to the copyright protection module 210k in the plasma TV 200k receives the CRL hash value, the encrypted content key, and the encrypted content transmitted via the home LAN 30, and decrypts them with the session key. . Next, the Ex-OR unit 223 of the content key decryption unit 220k XORs the session key Kses and the CRL hash value. Next, the Dec processing unit 224 decrypts the content key using the value obtained by the Ex-OR unit 223 as a key, and passes it to the Dec processing unit 280. The Dec processing unit 280 decrypts the encrypted content with the obtained content key Kc.

  Therefore, even clients connected to a relatively small network such as a home or a company can easily use the contents, and copyright protection can be thoroughly enforced up to the end client.

  In the eleventh embodiment, the session key Kses is used instead of the device key, but the secret key Ks may be shared in advance between the AV server 100j and the plasma TV 200k. In this case, the secret key Ks may be used instead of the session key Kses.

  Further, in order to check in advance whether or not the decrypted content key has a correct value, the above-described fixed pattern may be transmitted together with the CRL or the like so that the copyright protection module 210k can check in advance.

  In addition, the present invention can realize various encryption devices and decryption devices by combining the characteristic processes in the above ten embodiments. That is, in the case of encryption, (1) when each of encryption with respect to a secret key and conversion with a one-way function with respect to a media ID is called a layer, the number of layers is set to two layers, or 3 (2) Regarding a key used for content encryption, it is possible to select a content key or a function value obtained by converting a media ID with a one-way function. (3) Regarding a target that involves the hash value of the public key revocation list, a device key, a disk key, a content key, a media ID, a session key, Or a function value obtained by converting the media ID with a one-way function can be selected.

  Therefore, various forms of encryption device, decryption device, and content key decryption unit can be realized by arbitrarily combining each of these independent parameters (1), (2), and (3). Can do.

  Further, the number of layers for encryption (or decryption) of the secret key or the like is not limited to 1 to 3, and may exceed 3 layers. Considering these variations, the encryption device, decryption device, and content key decryption unit (secret key generation device) of the present invention can be expressed as follows.

  That is, in the encryption method using the content key, the first secret key among the n (≧ 2) secret keys in the encryption device that encrypts the digital work and outputs it to the recording medium or the transmission medium. Is used to encrypt the digital work and the (i-1) secret key is encrypted using the i-th (2≤i≤n) secret key. n-1) A method for repeatedly outputting a first to (n-1) secret key encrypted with respect to a secret key to the medium, wherein at least one of the first to nth secret keys is used In encryption, prior to the encryption, the private key must be transformed using attribute values that depend on the contents of the public key revocation list, which is a list of information that identifies the revoked public key certificate. An encryption method characterized by the following.

  Further, in the case of an encryption method using a media ID, a first secret key among n (≧ 1) secret keys in an encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium. After the medium identification information is converted by using the one-way function, the digital work is encrypted with the converted medium identification information. When n is 2 or more, the i th (2 ≦ i ≦ n) The encryption sequence of encrypting the (i-1) secret key using the secret key is repeated for the first to (n-1) secret keys, and the encrypted first to (n-1) ) A method for outputting a secret key to the medium. In the encryption or conversion using at least one of the first to nth secret keys, (1) it is invalidated prior to the encryption or conversion. Public key revocation list, which is a list of information that identifies the public key certificate (2) An encryption method characterized in that the secret key is transformed using an attribute value that depends on the content, or (2) the medium identification information obtained by the transformation is transformed with the attribute value. is there.

  Further, in the case of a decryption method using a content key, in a decryption device for decrypting an encrypted digital work, an encrypted digital work and n (≧ 2) encrypted private keys After obtaining a public key revocation list, which is a list of information specifying a revoked public key certificate, via a recording medium or a transmission medium, the n ciphers are stored using a private key held in advance. The decryption chain of decrypting the first encrypted private key of the encrypted private keys and decrypting the second encrypted private key with the obtained first private key is repeated for the n encrypted private keys A method of decrypting a digital work with the n-th secret key obtained in the last decryption, wherein at least one of the decryption with respect to the first to n-th encrypted secret keys Prior to the public key, the private key used for decryption A decoding method characterized in that allowed to deform in the attribute value dependent on the contents of the reduction list.

  Further, in the case of a decryption method using a media ID, in a decryption device for decrypting an encrypted digital work, the encrypted digital work, medium identification information, and n (≧ 1) ciphers The private key and the public key revocation list, which is a list of information specifying the revoked public key certificate, are acquired through the recording medium or the transmission medium, and then the private key held in advance is used to Decrypt the first encrypted private key of the n encrypted private keys, and decrypt the second encrypted private key with the first private key obtained by the decryption when n is 2 or more The decryption chain is repeated for the n encrypted secret keys, the medium identification information is converted by a one-way function using the n-th secret key obtained by the last decryption, and the converted medium A method of decrypting identification information with a digital work, In at least one of decryption for the first to n-th encrypted secret keys and conversion for the medium identification information, (1) prior to the decryption or conversion, a secret key used for decryption or conversion is the public key. The decryption method is characterized in that the attribute value depends on the contents of the invalidation list, or (2) the medium identification information obtained by the transformation is transformed by the attribute value. .

  The encryption device according to the copyright protection system of the present invention is useful as a computer device that encrypts a digital work and outputs it to a recording medium such as a DVD or a transmission medium such as the Internet. Is useful as a computer device such as a DVD player or a personal computer for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium.

It is a functional block diagram which shows the whole structure of the copyright protection system which concerns on this Embodiment 1. FIG. It is a figure which shows the structural example of the public key revocation list | wrist CRL. It is a figure which shows the example of mounting when a copyright protection module is comprised by LSI. It is an external view which shows the example of mounting to the decoding apparatus (HD-DVD player) 200a of the copyright protection module 210a at the time of comprising a copyright protection module with an IC card. It is a functional block diagram which shows the partial structure of the copyright protection system 1b which concerns on this Embodiment 2. FIG. It is a figure which shows the structural example of the public key certificate for drives. It is a figure which shows the structural example of the public key certificate for applications. It is a figure which shows the sequence of the process performed between the DVD drive apparatus 290a and the application 260 of the decoding apparatus 200a. It is a functional block diagram which shows the partial structure of the copyright protection system 1i which concerns on this Embodiment 3. It is a functional block diagram which shows the whole structure of the copyright protection system 1b which concerns on this Embodiment 4. It is a functional block diagram which shows the whole structure of the copyright protection system 1c which concerns on this Embodiment 5. It is a functional block diagram which shows the whole structure of the copyright protection system 1d which concerns on this Embodiment 6. It is a functional block diagram which shows the whole structure of the copyright protection system 1e which concerns on this Embodiment 7. It is a functional block diagram which shows the whole structure of the copyright protection system 1g which concerns on this Embodiment 8. FIG. It is a functional block diagram which shows the whole structure of the copyright protection system 1h which concerns on this Embodiment 9. It is a functional block diagram which shows the whole structure of the copyright protection system 1p which concerns on this Embodiment 10. FIG. It is a block diagram which shows the whole structure of the copyright protection system which carries out encrypted communication of content via a small-scale home LAN. It is a block diagram which shows the structure of AV server 100j and plasma TV200k which are shown by FIG.

Explanation of symbols

1a-1j Copyright protection system 2a-2f DVD
30 Home LAN
100a to 100f encryption device 100j AV server 110a to 110f,
160, 300 Terminal device 111 Public key revocation list storage unit 112 Device key bundle storage unit 113 Content key storage unit 114, 222 Hash function processing unit 115, 118, 223, 226 Ex-OR unit 116, 117, 131, 142,
143, 147, 148, 162
241 Enc unit 119 Fixed pattern storage unit 141 Disk key storage unit 144 Media ID storage unit 146 Media key storage unit 145, 163, 164, 165
247,253,254,255 One-way function unit 161 Content storage unit 200a to 200i Decryption device 210a to 210g Copyright protection module 220a to 220g Content key decryption unit 221 Device key storage unit 222 Hash function processing unit 224, 225, 227 ,
243, 251, 252, 280 Dec processing unit 228, 244 Content decryption key check unit 242 Content key check unit 230, 270 Authentication processing unit 290, 400 DVD drive device

Claims (13)

An encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium,
A digital work storage means for storing the digital work;
First secret key storage means for storing a first secret key used for encryption of the digital work;
Second secret key storage means for storing a second secret key associated with a decryption device for decrypting the encrypted digital work;
Fourth secret key storage means for storing a fourth secret key used for encryption of the first secret key;
Public key revocation list storage means for storing a public key revocation list that is a list of information for specifying a revoked public key certificate;
First encryption means for encrypting a fourth secret key stored in the fourth secret key storage means with a second secret key stored in the second secret key storage means;
Second encryption means for encrypting the first secret key stored in the first secret key storage means with the fourth secret key stored in the fourth secret key storage means;
Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the public key revocation list storage means;
Secret key generation for generating a fifth secret key for encrypting the digital work based on the first secret key stored in the first secret key storage means and the attribute value calculated by the attribute value calculation means Means,
A third encryption means for encrypting the digital work stored in the digital work storage means with a fifth secret key generated by the secret key generation means;
The attribute value calculated by the attribute value calculation means, the fourth secret key encrypted by the first encryption means, the first secret key encrypted by the second encryption means, and the third encryption means And an output means for outputting the digital work encrypted by the method to a recording medium or a transmission medium. The encryption device further includes:
And a confirmation data output means for outputting confirmation data as a reference for confirming whether or not the first secret key decrypted in the decryption apparatus is correct to the recording medium or the transmission medium. The encryption device according to claim 1. The confirmation data output means outputs data obtained by encrypting data of a predetermined fixed pattern with the first secret key stored in the first secret key storage means to the recording medium or transmission medium as the confirmation data. The encryption apparatus according to claim 2, wherein: The confirmation data output means outputs data obtained by encrypting the first secret key stored in the first secret key storage means with the first secret key to the recording medium or transmission medium as the confirmation data. The encryption device according to claim 2. The attribute value calculation means calculates a hash value of the public key revocation list as the attribute value .
Encrypting apparatus according to claim 1, wherein a. The encryption apparatus according to claim 1, wherein the output unit further outputs a public key revocation list stored in the public key revocation list storage unit to a recording medium or a transmission medium. A decryption device for acquiring and decrypting an encrypted digital work through a recording medium or a transmission medium,
Encrypts the attribute value that depends on the contents of the public key revocation list, which is a list of information specifying the revoked public key certificate, the encrypted digital work, and the first private key used for the encryption Obtaining means for obtaining, via a recording medium or a transmission medium, an encrypted first secret key and an encrypted fourth secret key obtained by encrypting the fourth secret key used for encrypting the first secret key; ,
Second secret key storage means for storing a second secret key unique to the decryption device;
First decryption means for decrypting the encrypted fourth secret key acquired by the acquisition means with the second secret key stored in the second secret key storage means;
Second decryption means for decrypting the encrypted first secret key acquired by the acquisition means with the fourth secret key decrypted by the first decryption means;
Secret key generation for generating a fifth secret key for decrypting the encrypted digital work based on the first secret key decrypted by the second decryption means and the attribute value acquired by the acquisition means Means,
A decrypting apparatus comprising: a third decrypting unit that decrypts the encrypted digital work obtained by the obtaining unit with a fifth secret key generated by the secret key generating unit. The acquisition unit acquires a hash value of the public key revocation list as the attribute value .
Decoding apparatus according to claim 7, wherein a.   An encryption device encrypts a digital work and outputs it to a recording medium or a transmission medium,
  The encryption device is:
  A digital work storage means for storing the digital work;
  First secret key storage means for storing a first secret key used for encryption of the digital work;
  Second secret key storage means for storing a second secret key associated with a decryption device for decrypting the encrypted digital work;
  Fourth secret key storage means for storing a fourth secret key used for encryption of the first secret key;
  Public key revocation list storage means for storing a public key revocation list that is a list of information for specifying a revoked public key certificate,
  The encryption method is:
  A first encryption step of encrypting a fourth secret key stored in the fourth secret key storage means with a second secret key stored in the second secret key storage means;
  A second encryption step of encrypting the first secret key stored in the first secret key storage means with the fourth secret key stored in the fourth secret key storage means;
  An attribute value calculating step for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the public key revocation list storage means;
  Secret key generation for generating a fifth secret key for encrypting the digital work based on the first secret key stored in the first secret key storage means and the attribute value calculated by the attribute value calculating step Steps,
  A third encryption step of encrypting the digital work stored in the digital work storage means with the fifth secret key generated in the secret key generation step;
  The attribute value calculated by the attribute value calculating step, the fourth secret key encrypted by the first encryption step, the first secret key encrypted by the second encryption step, and the third encryption step An output step of outputting the digital work encrypted by the method to a recording medium or a transmission medium;
  An encryption method comprising:   A decryption method in which a decryption device acquires and decrypts an encrypted digital work through a recording medium or a transmission medium,
  The decryption device includes second secret key storage means for storing a second secret key unique to the decryption device,
  The decoding method is:
  The attribute value depending on the contents of the public key revocation list, which is a list of information identifying the revoked public key certificate, the encrypted digital work, and the first private key used for the encryption are encrypted. Obtaining an encrypted fourth secret key obtained by encrypting the encrypted first secret key and the fourth secret key used for encrypting the first secret key via a recording medium or a transmission medium; ,
  A first decryption step of decrypting the encrypted fourth secret key acquired in the acquisition step with a second secret key stored in the second secret key storage means;
  A second decryption step of decrypting the encrypted first secret key obtained by the obtaining step with the fourth secret key decrypted by the first decryption step;
  Secret key generation for generating a fifth secret key for decrypting the encrypted digital work based on the first secret key decrypted in the second decryption step and the attribute value acquired in the acquisition step Steps,
  A third decryption step of decrypting the encrypted digital work obtained in the obtaining step with the fifth secret key generated in the secret key generating step;
  The decoding method characterized by including.   A program used in an encryption device that encrypts a digital work and outputs it to a recording medium or a transmission medium,
  A computer executes the steps in the encryption method according to claim 9.
  A program characterized by that.   A program used in a decryption device for obtaining and decrypting an encrypted digital work through a recording medium or a transmission medium,
  A computer executes the steps in the decoding method according to claim 10.
  A program characterized by that.   A recording medium for recording a digital work encrypted by an encryption device,
  The encryption device is:
  A digital work storage means for storing the digital work;
  First secret key storage means for storing a first secret key used for encryption of the digital work;
  Second secret key storage means for storing a second secret key associated with a decryption device for decrypting the encrypted digital work;
  Fourth secret key storage means for storing a fourth secret key used for encryption of the first secret key;
  Public key revocation list storage means for storing a public key revocation list that is a list of information for identifying revoked public key certificates;
  First encryption means for encrypting a fourth secret key stored in the fourth secret key storage means with a second secret key stored in the second secret key storage means;
  Second encryption means for encrypting the first secret key stored in the first secret key storage means with the fourth secret key stored in the fourth secret key storage means;
  Attribute value calculation means for calculating an attribute value depending on the contents of the public key revocation list based on the public key revocation list stored in the public key revocation list storage means;
  Secret key generation for generating a fifth secret key for encrypting the digital work based on the first secret key stored in the first secret key storage means and the attribute value calculated by the attribute value calculation means Means,
  A third encryption means for encrypting the digital work stored in the digital work storage means with a fifth secret key generated by the secret key generation means;
  The attribute value calculated by the attribute value calculation means, the fourth secret key encrypted by the first encryption means, the first secret key encrypted by the second encryption means, and the third encryption means Output means for outputting the digital work encrypted by the above to the recording medium,
  The recording medium includes an attribute value calculated by the attribute value calculation unit, a fourth secret key encrypted by the first encryption unit, a first secret key encrypted by the second encryption unit, and A digital work encrypted by the third encryption means is recorded.
  A recording medium characterized by the above.

Images