JP5076546B2 - Content data management system and apparatus - Google Patents

Description

  The present invention relates to a content data management system and apparatus, and more particularly, to a system and apparatus for recording and reproducing encrypted content data.

When copyright exists in content data such as music data and image data, the right of the author may be infringed if appropriate measures for protecting the copyright are not taken. On the other hand, if the purpose of copyright protection is given the highest priority and the distribution of content data is hindered, it is disadvantageous for the copyright holder who can collect the copyright fee when copying the copyrighted work.
Distribution of content data subject to copyright protection is performed mainly via a digital communication network or broadcast waves. When these data are used by users, they are often recorded on some storage medium and then played back by a playback device. Currently, a magnetic disk device is known as a storage device with a control function having a large capacity and high access performance. Most of the magnetic disk devices are fixedly built in the recording / reproducing apparatus, and no one that can use the data recorded on the magnetic disk apparatus in other reproducing apparatuses has been known yet. However, from the viewpoint of convenience, the use of portable storage devices may progress in the future. On the other hand, a memory card is known as a portable storage device with a copyright protection function although its capacity is smaller than that of a magnetic disk device.

  As an apparatus for reproducing data, a recording / reproducing apparatus used when receiving such data distribution or a portable dedicated reproducing apparatus is used. In order to protect the copyright of the data recorded in the storage device in a recording / reproducing device to which a portable storage device can be connected, the data recorded in the storage device exceeds the range claimed by the copyright holder. Therefore, it is important to take security measures for the recording / reproducing apparatus and the storage device so that they cannot be reproduced. When security measures are applied to a device, regarding data exchange in an area that can be freely accessed from inside and outside the device, authentication processing is performed between the devices to which data is exchanged, or the data itself It is necessary to prevent the data from being accessed freely in plain text by performing encryption processing or the like. On the other hand, the more strict authentication and encryption processing is, the more processing is required from when a user issues a data use request until it can be used, resulting in data reproduction. There is a possibility that a situation in which it cannot be performed smoothly will occur.

  For example, Patent Documents 1 and 2 describe that the digital data intended for use is encrypted while the key for decrypting it and the conditions for use when decrypting it cannot be illegally obtained or altered. It is proposed to protect copyright. Patent Document 3 discloses a plurality of encryption input / output processes sent from a host device in order to improve tamper resistance when data to be concealed is encrypted and input / output between the storage device and the host device. A technique relating to a storage device that divides the process into a plurality of procedures and processes them in parallel is disclosed.

  Also, Patent Document 4 discloses a technique for reducing the load when accessing encrypted content data.

WO01 / 013358 WO01 / 043339 Publication JP 2004-302701 A JP2004-7533

  In the methods disclosed in Patent Documents 1 and 2, when a key for decrypting digital data and a use condition are transferred between two devices, a public key encryption / decryption operation and a certificate Requires verification processing. These documents describe a method for transferring a key and usage conditions, but do not particularly mention an encryption method for content data itself. In particular, when dividing encrypted content data, if the control information for correctly controlling the decryption method of the content data in the vicinity of the dividing point is not recorded in the storage device in any form, There is a problem that it becomes possible to use beyond the range of use intended by the copyright holder of the data.

  An object of the present invention is to provide a content data management system that solves the above-described problems, and a recording / reproducing device and a storage device in the system.

  In order to solve the above problems, the following system and apparatus are provided.

  In a content data management system that handles control information for managing decryption of content data, the content data is encrypted, output to a storage device, and the encrypted content data output from the storage device is decrypted A recording / playback device; and the storage device for storing content data encrypted by the recording / playback device, wherein the control information includes an initial vector generation key and a content key. A plurality of content data of one unit, and the recording / reproducing apparatus determines, for each content data of the first unit, an initial vector based on an identification number for identifying the first content data and the initial vector generation key And encrypting the content data of the first unit based on the initial vector and the content key. And outputting the encrypted first unit of content data to the storage device, and the storage device stores the encrypted content data, and then the content data is assigned a predetermined identification number. Is divided in the middle of the content data of the first unit is divided into the first divided content data that is the first half of the content data and the second divided content data that is the second half of the content data, A content data management system for storing the predetermined identification number as control information of the second divided content data.

  A storage device used in a content data management system that handles control information for managing content data decoding, stores encrypted content data output from a recording / playback device, and stores the content data The control information includes an initial vector generation key and a content key, the content data includes a plurality of content data of a first unit, and the recording / playback device includes: For each first unit of content data, an initial vector is generated based on the identification number for identifying the first content data and the initial vector generation key, and the first vector is generated based on the initial vector and the content key. Encrypt the content data of the unit and output the encrypted content data of the first unit to the storage device Then, after storing the encrypted content data, the storage device is divided in the middle of the first unit of content data assigned a predetermined identification number, and the first half of the content data When divided into first divided content data that is a portion and second divided content data that is the second half of the content data, the predetermined identification number is stored as control information of the second divided content data Storage device.

  According to the present invention, when encrypted content data is divided, it is possible to keep decrypting and using the content data within a normal range without temporarily decrypting and re-encrypting the divided content data.

The present invention is implemented in a preferred example having the following characteristics. That is,
(1) Data that needs protection must be encrypted
(2) The key data necessary for decrypting the data and the conditions under which decryption is permitted are combined into one,
(3) When the key data and the conditions under which decryption is permitted are recorded on the medium, the medium is an area that the user cannot freely access.
(4) The functional unit that has the function of generating the key data and the conditions under which decryption is permitted and transmitting it to the medium, and the functional unit that controls recording and reproduction on the storage medium are so-called encryption. Establishing a communication path
(5) If the key data generated or recorded and the conditions under which decryption is permitted are to be transferred between two functional units as described in (4), it shall be described in (4). It passes through the encrypted communication path.

  Embodiments of the present invention will be described with reference to the drawings. First, a magnetic disk device will be described as an example of the entire system device and an example of a storage device, and then a method for transferring key data and the conditions under which decryption is permitted will be described.

[System equipment configuration]
With reference to FIG. 1 and FIG. 2, the overall configuration of a system including a data recording / reproducing apparatus and a storage device connectable thereto in one embodiment will be described. This embodiment is a storage device capable of detaching broadcast digital video data, digital data distributed from a distribution server, and digital data transmitted via a digital signal line connected to another device. A description will be given of an example in which digital data recorded in the storage and stored in the storage device is applied to a recording / playback system that plays back on a display device or a speaker of the recording / playback device. Hereinafter, the digital data recording / reproducing apparatus is simply referred to as a recording / reproducing apparatus, and digital data such as video, music, text, etc. received by the recording / reproducing apparatus is referred to as content data. Here, the removable storage device for recording the content data is, for example, a magnetic disk device or a semiconductor memory device, and each has a control function characteristic of the present invention. Hereinafter, a magnetic disk device will be described as an example of a storage device. However, the present invention is not limited to this, and any other device than the magnetic disk device may be used as long as it has a function characteristic of the present invention as described below. The present invention can also be applied to a known storage device.

  Content data requiring copyright protection is received by the antenna 131 via broadcast waves, or received from the distribution server 150 via the network interface 100, so that the recording / playback apparatus 112. The content data to be distributed is encrypted by the broadcast wave transmission source 130 and the distribution server 150 by a predetermined encryption method. The encryption method may be uniquely defined by each content protection specification. At that time, key data for decrypting the content data (hereinafter referred to as a content key) and usage conditions for the content data are also separately transmitted to the recording / playback apparatus 112. The information for decoding the content data is hereinafter referred to as content data decoding control information. The decryption control information may be transmitted from the same transmission source as the content data transmission source, or may be transmitted from another transmission source.

  The recording / reproducing device 112 has a configuration capable of connecting a removable storage device, for example, magnetic disk devices 125 and 126. Encrypted content data and content data decryption control information transmitted on a broadcast wave or transmitted from the distribution server 150 are recorded on the magnetic disk devices 125 and 126, the recording module 102, and the protection. It is recorded via an information transmission module 104 (Protected Information Transmit Module). Also, encrypted content data and content data decryption control information are transmitted to the playback module 103 from the removable magnetic disk device 125 or 126 via the protection information transfer module 104. . Decoding and playback of the content data is performed by the playback module 103 in the recording / playback apparatus 112.

  By the way, in order to prevent unauthorized use of the content data, it is necessary to prevent the content key included in the decryption control information from being illegally extracted, the usage conditions from being illegally copied or rewritten. is there. For this purpose, the portions that perform transmission / reception of decoding control information and record / read information in the recording / reproducing device 112 and the removable magnetic disk devices 125 and 126 should be mounted so as to have tamper resistance. is important. Such a portion is a host security manager 111 in the recording / reproducing device 112, and a storage security manager 225 in the magnetic disk device. In addition, the role of the protected information storage (Protected Information Storage) 101 in the host security manager 111, the Usage Pass transfer module (Usage Pass Transfer Module) 221 in the storage security manager 225, the restricted storage controller (restricted storage controller) 222, The specific role of the limited storage unit (Qualified Storage) 223 will be described later. The embodiment according to the present invention relates to a transfer protocol for transmitting and receiving decryption control information between modules in the host security manager 112 and the storage security manager 225. Here, the means for realizing the functions such as the modules and the security manager in the recording / reproducing device 112 and the magnetic disk devices 125 and 126 may be configured by either hardware or software (program).

  On the other hand, in the recording / reproducing apparatus 112, the network interface 100 with the network, the interface bridge unit 105 with the input device, the interfaces 106 and 107 with the magnetic disk device, and a processor for controlling these interfaces The (PU) 108 or the like has a function of controlling processing and delivery of data flowing inside the system as a whole. In this sense, these are hereinafter collectively referred to as host modules 110.

[Magnetic disk unit configuration]
Next, the configuration of the magnetic disk device will be described with reference to FIG. When data that does not require protection other than the decryption control information that is input / output data via the interface unit 220 is input to the magnetic disk device from the outside, the magnetic unit is magnetically connected from the head unit 202 via the controller 230. Recorded on the disc disk 200. The encrypted content data is also recorded on the magnetic disk disk 200 according to this flow. When reading, data flows in reverse to the above. The controller 200 is also controlled by a processor (PU) 231. The Usage Pass transfer module 221 and the restriction storage controller 222 are also controlled by the processor 231. The detailed behavior of the Usage Pass transfer module 221 and the restriction storage controller 222 will be described later.

  On the other hand, Storage Security Manager, which is the entire module group that controls recording and transfer of data that needs protection such as decryption control information, needs to be mounted so as to have high tamper resistance. However, in FIG. 2, the restricted storage unit 223 is provided separately from the magnetic disk disk 200, but access is permitted only by a special access method different from reading and writing of encrypted content data, In addition, the restriction storage unit may be provided on the magnetic disk disk 200 if the apparatus cannot be disassembled or the like to directly read internal data. When implementing such an implementation, it is necessary to implement a special implementation with tamper resistance so that the behavior of the Storage Controller cannot be changed from the outside.

[Basic assumptions]
Content data transmitted on broadcast waves and content data recorded on other media are generally encrypted by a uniquely defined method. Further, the data often includes the decoding control information. When the recording / playback apparatus 112 captures these data via the antenna 131 or the digital signal line 132, the recording module 102 decodes the content data according to a prescribed method and extracts the decoding control information. The extracted decoding control information is collected into one data having a specific format defined in this embodiment. This is hereinafter referred to as a usage pass. A specific structure of the Usage Pass will be described later with reference to FIG.

  When the recording module 102 generates the Usage Pass, it transmits it to the magnetic disk device 125 or 126. However, in order for this transmission to be completed, mutual authentication must be completed between the recording module 102 or the protection information transfer module 104 and the Usage Pass transfer module 221 prior to this transmission. When the authentication process is completed, some key data is shared. The Usage Pass to be transferred is encrypted using the shared key and then transmitted from the recording module 102 to the Usage Pass transfer module 221.

  The process for transferring the Usage Pass can be broadly divided into (1) authentication process until the key is shared, and (2) process of encrypting the Usage Pass using the key shared by the authentication process and transferring it. Consists of. There are two types of these processing methods. One is a method in which the usage direction of the Usage Pass is uniquely determined when mutual authentication is completed between the two modules, and the other is a method in which the Usage Pass can be transferred in both directions. . Hereinafter, the former mutual authentication and usage pass transfer method is referred to as unidirectional transfer mode (UT mode), and the latter mutual authentication and usage pass transfer method is referred to as bidirectional transfer mode (bidirectional transfer mode, This is called BT mode for short. These modes are collectively referred to as a restricted access (Qualified Access) mode. When transferring the Usage Pass between modules, the host module 110 determines which mode is used for mutual authentication and Usage Pass transfer when the recording / reproducing apparatus is activated. For the mutual authentication processing, an electronic signature generated on a public key cryptographic infrastructure is used. In addition, Usage Pass and encryption of temporary keys generated in the middle are performed in a CBC (Cipher Block Chaining) mode using a common key cryptosystem. The encryption processing method in the CBC mode is described in, for example, “Network Security (published by Pearson Education)”.

  In the magnetic disk device, when the Usage Pass transfer module 221 receives the Usage Pass, it transmits it to the restricted storage controller 222. The restriction storage controller is a module that controls the restriction storage unit 223. The Usage Pass body is finally recorded in the restriction storage unit 223. When the distribution server 150 transmits a Usage Pass to a magnetic disk device, or when transferring a Usage Pass from one magnetic disk device to another magnetic disk device, the module that is the Usage Pass transfer source is the transfer destination. The Usage Pass may be directly transmitted to the Usage Pass transfer module in the magnetic disk device according to the method defined in the present invention. In this case, the network interface 100 and the recording module 102 in the recording / reproducing apparatus 112 only control the transfer of data from one module to the other module, and are not directly related to the mutual authentication process or the Usage Pass encryption.

[System key and data configuration]
FIG. 3 shows a key used for encrypting the Usage Pass transfer between the recording module 102, the playback module 103, and the Usage Pass transfer module 221 in the device shown in FIGS. A list of data and data to be distributed is shown. Normally, when the key data X is key data for symmetric encryption, the target data is encrypted using the key data X, and the decryption is also performed using the same key data X. On the other hand, if the key data X is a secret key or public key for asymmetric encryption, the data to be encrypted is encrypted using a public key or secret key Y corresponding to these different from X . Data encrypted using Y is decrypted using X. In the following, asymmetric encryption public key data is abbreviated as a public key, asymmetric encryption secret key data is abbreviated as a secret key, and symmetric encryption key data is abbreviated as a common key. When an electronic signature is attached to the data, it means that the hash value of the data set including the data as a part is encrypted with the secret key Y corresponding to the public key X. In the present specification, what is expressed as K_x is expressed as a subscript in all the drawings.

  Keys related to content data encryption, decryption and playback processing, Usage Pass encryption and decryption, recording module 102, playback module 103, magnetic disk devices 125 and 126, and distribution server 150 are as follows. . The key for encrypting and decrypting the content data is the content key K_c. Each of the distribution server 150, the recording module 102, the reproduction module 103, and the Usage Pass transfer module 221 is assigned a public key KP_dc with an electronic signature for authenticating each other individually. However, when the Host Security Manager (Host Security Manager) 111 is implemented as a functional unit having one tamper resistance as a whole, one KP_dc may be assigned to the Host Security Manager 111.

  Data encrypted with the public key KP_dc can be decrypted with the corresponding private key K_dc. One piece of these secret key data is assigned to each of the distribution server 150, the recording module 102, the Usage Pass transfer module 221, and the reproduction module 103 for a certain limited number. The meaning of a finite number means that there may be one or more. A unit sharing KP_dc and K_dc is called Class. For one Class, the level of security that must be satisfied when the part for transferring or recording the Usage Pass must be implemented and one Usage Pass transfer method are specified. In other words, a plurality of modules belonging to a certain class are all implemented so as to satisfy the safety level specified by the class, and have a function for realizing a common Usage Pass transfer method. Hereinafter, such devices and modules are collectively referred to as “Device”.

  KP_dc is concatenated with other general information, and then given an electronic signature by a predetermined certificate authority, and serves as a certificate for each device. The public key of the certificate authority for giving the electronic signature is written as KP_CA, and the corresponding private key is written as K_CA. Hereinafter, these are referred to as a certificate authority public key and a certificate authority private key. The general information described in the certificate includes the issuer of the certificate and the serial number of the certificate. In the following, the certificate to show the validity of KP_dc is the Device Class certificate, the public key KP_dc is the Device Class public key, and the private key used to decrypt the data encrypted with the key is the Device Class private key. Call. The Device Class certificate and Device Class private key are embedded in each device at the time of shipment. For each device, a public key KP_d embedded individually and a secret key K_d for decrypting data encrypted with the key are also embedded. Hereinafter, these are referred to as a Device public key and a Device private key. Different device public keys and device private keys are embedded in all devices. In the process of encryption with a public key, one common key is generated based on the public key used for encryption. This is represented as * KP_d. Similarly, in the process of decryption with a secret key, one common key is generated based on the secret key used for decryption. This is represented as * K_d. * KP_d and * K_d are actually the same value, and data encrypted with * KP_d can be decrypted with * K_d. These common keys are called a shared Device public key and a shared Device private key, respectively. These key generation methods will be described in detail later when the public key encryption method is described.

  Further, in the system shown in FIG. 1, the following keys are used. A common key K_sn (n ≥ 0) generated mainly at the Usage Pass transfer destination and the mutual authentication process between the devices to encrypt the Usage Pass each time the Usage Pass is transferred between two different devices This is a common key K_ch generated to encrypt K_s0 shared by both devices in the final stage. K_ch and K_s0 are keys shared in the mutual authentication process between devices, and are not used for encrypting them during Usage Pass transfer. On the other hand, K_sn (n ≧ 1) is always used after being updated from K_sn to K_sn + 1 every time Usage Pass transfer is executed. Hereinafter, K_ch is referred to as a challenge key, and K_sn (n ≧ 0) is referred to as a session key. In particular, a session key when n is 0 is called a 0th-order session key.

  Each key is given a [P] or [I] subscript. This indicates whether the key is generated (or embedded) by the Primal Device or the Inceptive Device. Here, Primal Device means that when a device performs mutual authentication with another device, the Device Class certificate transmitted from the partner device is verified in the first process. On the other hand, the Inceptive Device is a device that first transmits its Device Class certificate to the partner device in the same case.

  The encryption performed using the key described above is represented as E (X, Y). This represents that the data Y is encrypted using the key data X. Similarly, decoding is represented as D (X, Y). This represents that the data Y is decrypted using the key data X. H (X) represents a hash value of data X, and X || Y represents that data X and data Y are concatenated. These notations are common to both UT mode and BT mode. In the UT mode, the transfer direction of the Usage Pass is uniquely determined as described before, but the direction is always from Primal Device to Inceptive Device. Therefore, in the UT mode, the recording module 102 is always a Primal Device, and the playback module 103 is always an Inceptive Device. On the other hand, the magnetic disk device becomes an Inceptive Device when recording the Usage Pass sent from the recording module, and becomes a Primal Device when sending the Usage Pass from itself to the playback module for the purpose of decrypting and reproducing content data. .

  On the other hand, in BT mode, the device with Host Security Manager is always the Primal Device, and the magnetic disk device is always the Inceptive Device, but Usage Pass transfer is from Primal Device to Inceptive Device and from Inceptive Device to Primal Device. Is also possible.

[Shared Device public key sharing method by public key encryption]
Before describing a detailed processing sequence regarding mutual authentication and Usage Pass transfer, a public key encryption method used in an embodiment of the present invention will be described. In this embodiment, elliptic encryption is used as a public key encryption method. However, the present invention is not limited to this encryption method.
Elliptic cryptography adds n points, that is, G times, to a fixed point on the curve represented by a two-dimensional elliptic curve equation (this is called the base point G = (Gx, Gy)). This operation is used for encryption. The addition method used here is different from a normal decimal addition method, and the result of adding G an integer number of times is a point on an elliptic curve different from G.

  In the description, assume two devices, Device 1 and Device 2. It is assumed that a message M to be encrypted is recorded in Device 1, and a secret key KPr paired with a certain public key KPu is recorded in Device 2. Here, KPr is a natural number, KPu is a coordinate point (KPux, KPuy) on the elliptic curve, and both and the base point are connected by a relationship of KPu = KPr × G. In other words, KPu is a base point KPr addition point.

First, the encryption process in Device 1 will be described.
(E1) Send KPu from Device2 to Device1.
(E2) Device 1 generates a random natural number r.
(E3) r × G = R = (Rx, Ry) is calculated.
(E4) Calculate r × KPu = P = (Px, Py)
(E5) Generate a certain natural number * KPu using Px, Py: * KPu = f (Px, Py) Here, the function f may be arbitrary as long as it is determined in advance.
(E6) Symmetrically encrypt message M to be encrypted using * KPu as a common key: E (* KPu, M)
(E7) The data obtained in (E3) is concatenated with the data obtained in (E6) and transmitted to Device 2. The data to be transmitted is Rx || Ry || E (* KPu, M). Here, * KPu is called a shared Device public key.

Next, the decoding process in Device 2 will be described.
(D1) Calculate P using Rx, Ry, KPr: KPr × R = KPr × r × G = r × (KPr × G) = r × KPu = P = (Px, Py)
(D2) * KPr is calculated using Px and Py. Here, * KPr and * KPu are exactly the same number. The former is expressed as * KPr in the sense that it was obtained using KPr: * KPr = f (Px, Py)
(D3) Obtain r × KPu = P = (Px, Py).
(D4) * KPr is used as a common key, and the received data is symmetric decrypted: D (* KPr, E (* KPu, M)), in the present invention, this is D (KPr, E (KPu, M )). Here, * KPr is called a shared Device private key. The algorithm for sharing the common keys * KPu and * KPr described above is generally called an ECDH algorithm.

  In this specification, the encryption that performs all of the processing E2 to the processing E7 is referred to as E (KPu, M). When * KPu has already been obtained and only the process E6 is performed, E (* KPu, M) is described. Similarly, decoding that performs all of the processing from D1 to D4 is denoted as D (KPr, E (KPu, M)). When * KPr has already been obtained and only process D4 is performed, D (* KPr, E (* KPu, M)) is described.

[Usage Pass structure]
The structure of the Usage Pass will be described with reference to FIG. The Usage Pass includes a Usage Pass Format (UPF) 400 that indicates what kind of module it can output to, a unique Usage Pass Identifier (UPID) 401, and target content data Usage Rules enforced in Storage Module (UR_s) 402 and Usage Rules enforced in Playback Module (UR_p) 404, and encryption / decryption processing related information for content data that manages encryption / decryption with this Usage Pass (content data Cipher Informatino of Content (CIC) 403, Identifier Content Identifier (CID) 405 for identifying the corresponding content data, Copyright information Copyright information (406 ) Is included. UR_s 402 is information for interpreting the contents at the Usage Pass transfer source and controlling its output (Usage Pass transfer source can be a normal recording module or magnetic disk device), and UR_p 404 is a playback After the module 103 receives the Usage Pass and the content data, it is information for controlling the content data decryption process in the module. UR_s 402 includes a Generation Count that represents the generation information that can be copied, a Copy Count that represents the number of times that the Usage Pass can be copied from itself, and a Play Count that represents the number of times content data can be decrypted using its own Usage Pass. It is. All of these may be specified, but in this embodiment, only one of them can be selected in order to reduce the load when interpreting and processing these values. On the other hand, UR_p is specified for each service, and general-purpose control conditions are not particularly specified.

  Regarding the Usage Pass recorded in the storage device, all information other than the CIC 403 is responded by issuing a command for the recording / reproducing device to refer to the Usage Pass. With this function, the recording / reproducing apparatus can grasp information such as UPID, UR_s, and UR_p without performing transfer encryption / decryption processing.

  In each field, tag data for specifying each field and the size of the data body are described together with the data body. As an example, the structure of the UPID field is shown in FIG. The UPID field includes tag data 500, data body size 501, and data body 502. The size of each field may be variable. However, if the length is fixed, there is an advantage that the information storage position is specified and the processing load when searching for the target field in each Device can be reduced. Therefore, in this embodiment, each field has a size as shown in FIG. UR_p has a larger area than other UR_s and CIC fields because various conditions may be defined for each service. In addition, when the Usage Pass is recorded on the magnetic disk device, since the data access unit is currently 512 bytes, the size of the entire Usage Pass should be 512 bytes or less. . This is also the case in this embodiment.

  A reserved area is provided after UR_s 403, CIC 404, and UR_p 405 so that future control information can be added without expanding the size of the entire Usage Pass.

  In the following, a transfer module configuration and processing procedure for means for realizing Usage Pass transfer in the BT mode will be described with reference to FIGS.

[ Configuration of Usage Pass transfer module that can execute Usage Pass transfer in BT mode]
A configuration of a Usage Pass transfer module capable of executing Usage Pass transfer in the BT mode will be described with reference to FIG. In the BT mode, the magnetic disk device is always an Inceptive Device. Therefore, in the Usage Pass transfer module 630, when performing mutual authentication with another device, the module 602 itself has a function for performing necessary processing as an Inceptive Device, Module 603 that has the function to transfer Usage Pass as a Device, static storage area 604 that cannot be rewritten by the intention of the user, and processing ends normally when Usage Pass transfer is executed Otherwise, the Usage Pass is transferred to the module 605 having the Usage Pass recovery function and the restricted storage controller 222 to prevent the target Usage Pass from being lost from both the transfer source device and the transfer destination device. A Usage Pass Buffer 610 is provided for temporarily accumulating the data before transmission, or for temporarily accumulating the Usage Pass read from the restriction storage unit. The static storage area 604 is called a protection information area. The authentication module 602 accesses the storage area as necessary.

  Data exchange between the outside of the magnetic disk device and each module is performed via an interface 620 and a bus 640. PU 621 is the same as 231 in FIG.

[ Configuration of recording module in recording / playback device that can execute Usage Pass transmission in BT mode]
The configuration of the recording module 102 capable of executing Usage Pass transmission in the BT mode will be described with reference to FIG. In the BT mode, the entire Host Security Manager 111 always operates as a Primal Device, and Usage Pass flows in both directions to the Host Security Manager 111. Therefore, the recording module 725 includes only the functions necessary for outputting the Usage Pass, and the protection information transfer module 104 should include the functions for mutual authentication with the Inceptive Device. It is. Therefore, the recording module is the module 701 that has the function to send Usage Pass as a Primal Device, and when the Usage Pass transmission process is executed, if the process does not end normally, the target module To prevent the Usage Pass from being lost from both the transfer source device and the transfer destination device, the module 705 with the Usage Pass recovery function and the content data and usage right information are obtained from the outside, and the content key is generated Then, a module 706 having a function of encrypting content with a key and generating a Usage Pass including the key is provided. The encrypted content data is recorded from the module 706 to the data bus 740 to the magnetic disk device via the external storage interface 720.

The Host Security Manager 730 including the recording module is provided with a static storage area 704 that cannot be rewritten by the user's intention. The authentication module 700, Usage Pass encryption and transmission module 701, Usage The Pass recovery module 705 and the like access this storage area as necessary. The storage area 704 is called a protection information area.
The type of data recorded in the protection information area 704 will be described later with reference to FIG.

[Configuration of playback module in recording / playback device capable of receiving Usage Pass in BT mode]
The configuration of the playback module 103 capable of executing Usage Pass reception in the BT mode will be described with reference to FIG. In the BT mode, the playback module is always a Primal Device, like the recording module. As described in the description of the recording module, the protection information transfer module 104 has a function for the Host Security Manager to become a Primal Device and perform mutual authentication with the Inceptive Device. Therefore, the playback module 825 is a module 803 having a function for receiving Usage Pass as a Primal Device, and when the Usage Pass reception process is executed, if the process is not completed normally, To prevent the target Usage Pass from being lost from either the transfer source device or the transfer destination device, the modules 805 and 801 having the Usage Pass recovery function, and the received Usage Pass, the UR_p included in the Usage Pass Is provided with a module 806 having a function of interpreting the contents described in the above and decrypting the content data encrypted according to the contents. At this time, the encrypted content data is transmitted to the module 806 via the External Storage Interface 820 and the data bus 840. The decrypted content data is output directly from the module 806 to the outside of the playback module through a protected data communication path or the like.

  The Host Security Manager 830 including the playback module is provided with a static storage area 804 that cannot be rewritten by the user's intention. The authentication module 802, the Usage Pass reception and decryption module 803, The Usage Pass recovery modules 805 and 801 access the storage area as necessary. The storage area 804 is called a protection information area.

  The type of data recorded in the protection information area 804 will be described later with reference to FIG.

[Configuration of protected information transfer module for BT mode]
The configuration of the protection information transfer module 910 for BT mode (corresponding to 700 in FIG. 7 and 800 in FIG. 8) will be described with reference to FIG. As described in the description of the recording module and the playback module, in the BT mode, a configuration in which the protection information transfer module 910 performs mutual authentication with the Inceptive Device is more appropriate. Therefore, in the protection information transfer module 910, the module 900 for executing mutual authentication processing with the Inceptive Device itself as the Primal Device and the latest generated by the Usage Pass reception module 903 in the playback module 916 The module 905 temporarily holds the session key and transmits it to the Usage Pass transmission module in the recording module as necessary.

[ Configuration of protected information area for BT mode in Host Security Manager]
The configuration of the protection information area for the BT mode in the recording / reproducing apparatus will be described with reference to FIG. The BT mode does not depend on the direction in which the Usage Pass is transferred, so that the Host Security Manager 111 is always the Primal Device as a whole, and the magnetic disk device is always the Inceptive Device so that the Usage Pass transfer can be executed in either direction. It is a devised method. Therefore, if the normal recording module 102 and the reproduction module 103 are mounted so as to share one protected information area, the static storage area provided in the recording / reproducing apparatus can be reduced.

  FIG. 10 shows an internal configuration when a protection information area is mounted assuming such a situation. Note that separate storage areas for the recording module 102 and the reproducing module 103 may be prepared, and a Device Class certificate and a key necessary for mutual authentication may be stored in each of them. In this case, each of the recording module and the reproducing module must include a mutual authentication execution module. Such a case is not described in this embodiment.

  Reference numeral 1001 denotes a Device Class certificate. The Device Class certificate 1001 includes a Device Class public key 1000. The Device Class certificate proves the validity of the included Device Class public key and includes an electronic signature. The electronic signature part is encrypted with the certificate authority private key K_CA. 1003 is a certificate authority public key, 1004 is a Device Class private key, 1005 is a Device public key, and 1006 is a Device private key. The above certificate and key information are embedded at the time of initial implementation, and are usually not updated later unless the security system is broken.

  On the other hand, information recorded in the areas 1002 and 1010 is RDCL and Connection Log. RDCL is a list of revoked Device Classes. . When the security of a certain Device Class public key KP_dc is lost, the unique number of the certificate including KP_dc is registered in this list. When verifying a Device Class certificate sent from another device, use the electronic signature part to confirm that the certificate has not been tampered with and register the certificate's unique number in the list. Also check whether it has been done. Connection Log is log information unique to the BT mode. Recorded in the log are the Device public key of the device that is the authentication partner, the 0th-order session key generated by itself and the partner during the authentication process, and the Type Map. As illustrated, the Connection Log does not have a plurality of entries. If you perform mutual authentication between two devices and then reconnect one device to another, the Connection Log will be overwritten. These two pieces of information are information updated in the mutual authentication process. Here, the Type Map will be briefly described. The Type Map indicates “information relating to receivable Usage Pass Format”. This information is included in the Device Class certificate, and in this sense, is sent to the device that is the authentication partner during the authentication process. When the authentication partner device itself is the Usage Pass transfer source, the type map determines what kind of Usage Pass the partner device can receive. For example, if the Usage Pass Format of a certain Usage Pass indicates “Type 0” and the Type Map in the certificate sent from the authentication partner device is “Type 0 cannot be received”, the Usage Pass The transfer source device does not perform Usage Pass transfer processing.

  In the areas 1020 and 1021, Transaction Log is recorded. Transaction Log is information updated in Usage Pass transfer processing. In BT mode, the Transaction Log records the UPID of the transfer target Usage Pass, the transfer type (whether it is the transfer source or transfer destination of the Usage Pass), and the UR_s before the transfer is executed (however, , Only when Primal Device is the Usage Pass transfer destination), Usage Pass before transfer (but only when Primal Device is the Usage Pass transfer source), address where Usage Pass is recorded (However, only when the Primal Device is the transfer source) or the recording destination address (but only when the Primal Device is the Usage Pass transfer destination) is recorded when the Usage Pass transfer is executed. . By recording these data when performing Usage Pass transfer, it is possible to recover even if Usage Pass is lost from either the transfer source or the transfer destination due to an accident. become.

[ Configuration of protected information area in Usage Pass transfer module]
The configuration of the protection information area for the BT mode in the magnetic disk device will be described with reference to FIG. As described above, the BT mode does not depend on the direction in which the Usage Pass is transferred, but the Host Security Manager 111 is always the Primal Device as a whole, and the magnetic disk device is always the Inceptive Device, and the Usage Pass transfer is performed in either direction. This is a method devised so that it can be executed. As illustrated, the data recorded in the protection information area provided in the Usage Pass transfer module is the same as the data recorded in the Host Security Manager 111 except for the Transaction Log. That is, 1101 is a Device Class certificate that includes the Device Class public key 1100, 1103 is the CA public key, 1104 is the Device Class private key, 1105 is the Device public key, 1106 is the Device private key, and 1110 is the Connection Log It is a recording area.

  Further, as shown in the figure, the protected information area in the restriction storage unit 223 is not provided with a Transaction Log recording area. This means that when the Usage Pass transfer is executed, the magnetic disk device does not record the Transaction Log. Since there is no log recording process, the processing load on the magnetic disk device during Usage Pass transfer in the BT mode can be kept relatively light. The above certificate and key information are embedded at the time of initial implementation and are not updated later, and Connection Log is a mutual authentication process performed between devices attempting to execute Usage Pass. The updated information is the same as the protection information area 101 in the Host Security Manager 111.

[Configuration of restriction storage unit 223]
The configuration of the restriction storage unit 223 will be described with reference to FIG. The restriction storage unit 223 is a part in the magnetic disk device that records and holds the Usage Pass sent from the recording module or another magnetic disk device. Usage Pass recording is controlled by the restricted storage controller 222. The restriction storage unit 223 includes areas 1200, 1210, 1220 and the like in which the Usage Pass main body is recorded, and areas 1201, 1211, 1221 and the like in which a flag indicating the validity of the Usage Pass is recorded. Hereinafter, the flag is referred to as an effectiveness instruction flag. The validity indication flag written in 1201 indicates the validity of the Usage Pass written in area 1200, and the validity indication flag written in 1211 indicates the validity of the Usage Pass written in area 1210. The validity indication flag indicates the validity of the Usage Pass written in the area 1220. The area for recording the Usage Pass and the validity instruction flag constitutes a pair as described above, and is provided in the restriction storage unit 223 in the same manner as described above. In each validity indication flag area, when a valid Usage Pass is written in the area paired with the flag, a value indicating “valid” is recorded by the restriction storage controller 222. On the other hand, after the Usage Pass once written is output to the reproduction module or other magnetic disk device, a value indicating “invalid” is recorded in the area. In a complete initial state, a value indicating “unrecorded” is recorded. The Usage Pass recorded in the restriction storage unit is read by the restriction storage controller 222.

[Usage Pass transfer processing: transfer mode setting]
Hereinafter, a method for transferring a Usage Pass between two devices will be described.

  In order to perform Usage Pass transfer between the recording / reproducing device and the storage device, first, the Host Modules 110 in the recording / reproducing device selects which of the two modes is to be used. Then, processing for notifying the selected mode to the module that performs Usage Pass transmission or reception processing in each device is performed. Usually, the Host Modules first inquires with the storage security manager 225 of the storage device as to which method can be used to transfer the Usage Pass (13000). In response to this, Storage Security Manager responds (13001) to Host Modules with the transfer mode implemented in itself. Subsequently, the Host Modules 110 sets to which mode the Usage Pass transfer is executed for the Storage Security Manager 225 (13010).

[Usage Pass transfer processing: BT mode Connection Stage]
In the BT mode, the direction in which the Usage Pass is transferred is not fixed, and both the Primal Device and the Inceptive Device can transmit and receive the Usage Pass. Under BT mode, the module that performs mutual authentication processing and Usage Pass transmission / reception processing in the recording / playback device is the Primal Device, and the module that performs mutual authentication processing and Usage Pass transmission / reception processing in the storage device is the Inceptive Device Call it. The Device Class certificate is called an Inceptive Device Class certificate, and the Device Class public key is called an Inceptive Device Class public key. Hereinafter, the Connection Stage in the BT mode will be described with reference to FIG. Connection Stage is a process in which Primal Device and Inceptive Device perform mutual authentication to update RDCL and share a predetermined secret key.

  When the BT mode is set, the Connection module 602 in the Inceptive Device transmits the Device Class certificate embedded in itself to the Host Security Manager 111 (14000).

  The Primal Device verifies the validity of the received certificate, and if the validity of the received certificate is confirmed as a result of the verification, the Primal Challenge key (PD. C.Key). Subsequently, the Primal Challenge key is encrypted using the received Device Class public key, the Primal Device Class certificate including the Primal Device Class public key is concatenated with the generated encrypted data, and transmitted to the Inceptive Device (14010). . The above processing is 14001.

  In the Inceptive Device, the received data is decrypted using its own Device Class private key, and a Primal Challenge key is obtained. Subsequently, the Inceptive Device generates an Inceptive session key (ID.S.Key) that is a key for temporary common key encryption. When the generation of this key is finished, it is linked with the Inceptive Device public key embedded in itself and encrypted with the received Primal Device Class key. In addition, the obtained data (ie, data encrypted with the Primal Device Class key) is linked with the revoked Device Class list (Inceptive RDCL) and Checksum recorded in itself and encrypted with the received Primal Challenge key. Turn into. When the encryption process is completed, the obtained data is transmitted to the Primal Device (14020). The above processing is 14011.

  The Primal Device decrypts the received data (that is, encrypted data) with the Primal Challenge key, verifies the integrity of the data with Checksum, and extracts the Inceptive RDCL from the result. Since the RDCL includes data issue date information, the issue date information of the Inceptive RDCL is compared with the issue date information of the RDCL (Primal RDCL) recorded in itself. As a result, if the issue date of the Inceptive RDCL is newer, the Primal RDCL is overwritten with the Inceptive RDCL. When the RDCL issue date comparison is completed, the remaining data is decrypted with the Primal Device private key. Subsequently, a 0th-order Primal session key (PD.S.Key) that is a key for temporary common key encryption is generated. When the key generation is completed, the key is encrypted with the previously received Inceptive Device public key. Here, when it is found that the Primal RDCL issue date is newer in the comparison result of the RDCL issue date information, the Primal RDCL is concatenated with the previously encrypted data. The obtained data is encrypted with the previously received Inceptive Challenge key. When the encryption is completed, the data is transmitted to the Inceptive Device (14030). The above processing is 14021.

  The Inceptive Device decrypts the received data with the Inceptive Challenge key, and verifies the integrity of the data. If Primal RDCL is included in the decryption result, Inceptive RDCL is overwritten with the Primal RDCL. Subsequently, the remaining data is decrypted with the Primal Device public key to obtain a 0th-order Primal session key. Subsequently, a 0th-order Inceptive session key (ID.S.Key) that is a key for temporary common key encryption is generated. When the key generation is completed, the Primal Device public key, the 0th-order Primal session key, the 0th-order Inceptive session key, and the Type Map information included in the Primal Device Class certificate are recorded in the Inceptive Connection Log. And it encrypts with the 0th-order Primal session key and Primal Device public key which received previously, and transmits to Primal Device (14040). The above processing is 14031.

  The Primal Device decrypts the received data with the Primal Device private key and the 0th-order Primal session key, and obtains the 0th-order Inceptive session key. Subsequently, the Inceptive Device public key, the 0th-order Inceptive session key, the 0th-order Primal session key, and the Type Map information included in the Inceptive Device Class certificate are recorded in the Primal Connection Log (CL) (14041).

  The above processing is called BT Connection Stage. When BT Connection Stage is completed, 0th-order Primal session key, 0th-order Inceptive session key, shared Primal Device key obtained in the process of encryption with Primal Device public key and decryption with the same secret key, and encryption with Inceptive Device public key Shared Inceptive Device key obtained in the process of encryption and decryption with the same secret key is shared.

[Usage Pass transfer processing: BT mode PI Transfer Stage]
After completing the authentication process, Usage Pass transfer can be executed. First, Usage Pass transfer processing from the Primal Device to the Inceptive Device will be described with reference to FIG.

  First, in the Primal Device, a target Usage Pass is prepared in the Usage Pass transfer module 701. Subsequently, the Inceptive Device generates an nth-order Inceptive session key (ID.S.Key) for encrypting the Usage Pass. After generating the key, encrypt it with the Inceptive session key (n-1st Inceptive session key) generated during the Usage Pass transfer from the previous Primal Device to the Inceptive Device and the latest Primal Session Key at that time. , Transmit to Primal Device (15020). The above processing is 15011.

  The Primal Device decrypts the received data with the latest Primal session key and the (n-1) th order Inceptive session key at that time. Then, the UPID of the transfer target Usage Pass, its role in transfer (transfer source S = Source), and the Usage Pass scheduled to be transmitted are recorded in the Transaction Log. In BT mode, only the Primal Device records Transaction Log. Subsequently, a Usage Pass to be actually transmitted is generated from the Usage Pass prepared in the Usage Pass transmission module. Then, after recording the Usage Pass recording destination address in Inceptive Device in the Transaction Log, the usage pass (either copy, move, or playback) and checksum are linked to the Usage Pass, and shared with the nth-order Inceptive session key Encrypt with Inceptive Device key. When the encryption is completed, the data including the encrypted Usage Pass is transmitted to the Inceptive Device together with the recording destination address (15030). The above processing is 15021.

  The Inceptive Device decrypts the received data with the shared Inceptive Device key and the nth-order Inceptive session key. Then, the data is recorded in the Usage Pass storage area in the Inceptive Device. The above processing is 15031.

  The above is the Usage Pass transfer process from the Primal Device to the Inceptive Device in the BT mode. This is called BT PI Transfer Stage.

[Usage Pass transfer processing: BT mode IP Transfer Stage]
Next, Usage Pass transfer processing from the Inceptive Device to the Primal Device will be described with reference to FIG.

  First, the Host Modules 110 notifies the Inceptive Device of the address where the target Usage Pass is recorded and the UPID of the target Usage Pass (16000).

  In response to this, the Inceptive Device prepares the target Usage Pass in the Usage Pass transfer module 603. Subsequently, Inceptive Device replaces CIC field 403 with 0 for Usage Pass, concatenates Usage Pass status information Usage Pass Status (UPS), concatenates the latest Primal session key and Inceptive session key to the data, and then Hash Calculate the value. Then, the obtained Hash value is linked to the Masked Usage Pass and transmitted to the Primal Device. The Usage Pass in which the CIC field 403 is replaced with 0 is hereinafter referred to as “Masked Usage Pass”. The above processing is 16001.

  The Primal Device verifies the received Hash value and confirms that the received data has not been tampered with (16011).

  Subsequently, the Host Modules 110 transmits the UPID of the transfer target Usage Pass to the Primal Device (16020).

  The Primal Device compares the UPID received from the received Usage Pass Host Modules 110 with the UPID of the Usage Pass received as the Masked Usage Pass. If they match, the UPID, its own role in transfer (transfer destination D = Destination), UR_s described in the transfer target Usage Pass, and the address where the Usage Pass to be transferred in the Inceptive Device is recorded Record in Transaction Log. Next, an m-th order Primal session key (PD.S.Key) is generated, and the Primal session key (m-1st order Primal session key) generated by Usage Pass transfer from the previous Inceptive Device to the Primal Device At that time, it is encrypted with the latest Inceptive session key and sent to the Inceptive Device (16030). The above processing is 16021.

  The Inceptive Device decrypts the received data with the latest Inceptive session key and the m-1 order Primal session key at that time (16031). Subsequently, the Host Modules 110 notifies the Inceptive Device of what type of Usage Pass transfer processing (duplication, movement, reproduction, etc.) (16040). In response to this, the Inceptive Device generates a Usage Pass to be actually transmitted from the Usage Pass prepared in the Usage Pass transmission module. Then, a parameter indicating the purpose of use (duplication, movement, or playback) or Checksum is connected to the Usage Pass, encrypted with the mth-order Inceptive session key and the shared Primal Device key (16041), and sent to the Primal Device ( 16050). After transmitting the data, the Inceptive Device appropriately changes the UR_s and Flag (1101 etc.) of the Usage Pass that has been transferred, and re-records it (16051).

  The Primal Device decrypts the received data with the shared Primal Device key and the m-th Primal session key, and the transfer of the target Usage Pass is completed (16052).

  The above is the Usage Pass transfer process from the Inceptive Device to the Primal Device in the BT mode. This is called BT IP Transfer Stage.

[Usage Pass transfer processing: BT mode Reconnection Stage]
When an abnormality occurs in the recording / reproducing apparatus and the Connection is disconnected (26001), the BT Reconnection Stage is a process for re-establishing the Connection with simpler processing compared to the Connection Stage. The BT Reconnection Stage will be described with reference to FIG.

  First, the Host Modules 110 transmits a request for generating a new 0th-order Primal session key (PD.S.Key) to the Primal Device (17010).

  Subsequently, a new 0th-order Primal session key is generated in the Primal Device. Then, the generated key is encrypted with the Inceptive session key and the Inceptive Device public key recorded in the Primal Connection Log. Then, the obtained data is transmitted to the Inceptive Device (17020). The above processing is 17011.

  The Inceptive Device decrypts the received data with the Inceptive Device private key and the Inceptive session key recorded in the Inceptive Connection Log. Then, a new 0th-order Inceptive session key (ID.S.Key) is generated, and the generated key is encrypted with the Primal session key and the Primal Device public key recorded in the Inceptive Connection Log. Subsequently, the received 0th-order Primal session key and the generated 0th-order Inceptive session key are overwritten and recorded in the Inceptive Connection Log, and the previously encrypted data is transmitted to the Primal Device (17030). The above processing is 17021.

  The Primal Device decrypts the received data with the Primal Device private key and the 0th-order Primal session key recorded in the Inceptive Connection Log. Then, the obtained new 0th-order Inceptive session key and the previously generated 0th-order Primal session key are overwritten and recorded in the Primal Connection Log. The above processing is 17031.

  The above process is called BT Reconnection Stage.

[Usage Pass transfer process: BT mode PI Recovery Stage]
When an abnormality occurs in the recording / reproducing apparatus and the Usage Pass is lost from both the Usage Pass transfer source and the Usage Pass transfer destination, the Usage Pass can be restored by performing the following processing.

  After completing the BT Connection Stage or BT Reconnection Stage, a new shared Primal Device key Primal Device obtained in the process of encryption with the new 0th-order Primal session key, 0th-order Inceptive session key, and Primal Device public key and decryption with the same secret key As described above, a new shared Inceptive Device key obtained in the process of encryption with a public key and decryption with the same secret key is shared.

  First, recovery processing for the BT PI Transfer Stage will be described with reference to FIG. In performing the process of returning the Usage Pass transferred in the BT PI Transfer Stage to the state before executing the transfer process, the Host Modules 110 first transmits the UPID of the Usage Pass to be restored to the Primal Device (18010).

  The Primal Device searches the Primal Transaction Log using this UPID (18011). As a result, when the Primal Transaction Log including the UPID is found, the Usage Pass recording destination address (the address where the received Usage Pass was scheduled to be recorded) in the Inceptive Device recorded in the Log is transmitted to Host Modules (18012). ). Upon receiving the address, the Host Modules 110 transmits the address to the Inceptive Device together with the UPID (18020).

  The Inceptive Device accesses the Usage Pass storage area accessed by the received address, and checks the Usage Pass recording state. Then, the result is set to Usage Pass Status. Then, the m-th order Primal session key, the n-th order Inceptive session key, the UPID, the searched Usage Pass UR_s, the generated Usage Pass Status, and the Usage Pass recording destination address are concatenated to calculate the Hash value. Then, the UPID, the searched Usage Pass UR_s, the generated Usage Pass Status, the Usage Pass recording destination address, and the Hash value are concatenated and transmitted to the Primal Device (18030). The above processing is 18021.

  The Primal Device verifies the received Hash value and confirms that the received data has not been tampered with and that the Usage Pass previously transferred to the Inceptive Device does not exist. When the verification is completed, the Primal Transaction Log including the received UPID is searched. When the Log is found, the Usage Pass before transfer recorded in the Log is overwritten with the Usage Pass currently prepared in the Usage Pass transmission module 701.

  The above is the Usage Pass recovery process for the BT PI Transfer Stage in the BT mode. This is called the BT PI Recovery Stage. When this Stage is completed, the Primal Device has a Usage Pass before transmission.

[Usage Pass transfer processing: BT mode IP Recovery Stage]
Next, Usage Pass recovery processing for the BT IP Transfer Stage will be described with reference to FIG. In performing the process of returning the Usage Pass transferred in the BT IP Transfer Stage to the state before executing the transfer process, first, the Host Modules 110 transmits the UPID of the Usage Pass to be restored to the Primal Device (19010).

  The Primal Device searches the Primal Transaction Log using this UPID (19011). As a result, when a Primal Transaction Log containing this UPID is found, the Host Pass records the Usage Pass recording destination address (address indicating the area where the Usage Pass to be transferred was originally recorded) recorded in the Log. (19012). Upon receiving the address, the Host Modules 110 transmits the address together with the UPID to the Inceptive Device (19020).

  The Inceptive Device accesses the Usage Pass storage area accessed by the received address, checks the Usage Pass recording status, and sets the result to Usage Pass Status. Then, the m-th order Primal session key, the (n-1) th order Inceptive session key, the UPID, the searched Usage Pass UR_s, the generated Usage Pass Status, and the Usage Pass recording destination address are concatenated to calculate the Hash value. Then, the UPID, UR_s of the searched Usage Pass, the generated Usage Pass Status, the Usage Pass recording destination address, and the Hash value are concatenated and transmitted to the Primal Device (19030). The above processing is 19021.

  The Primal Device verifies the received Hash value, whether the received data has not been tampered with, and whether the Usage Pass previously transferred to the Inceptive Device has changed due to past transfer (transmission) processing Check whether it is (19031).

  In parallel with the verification, the Host Modules 110 requests the Inceptive Device to generate a session key (ID.S.Key) (19040). When receiving the request, the Inceptive Device generates an nth-order Inceptive session key. When the generation of this key is completed, the generated nth-order Inceptive session key is encrypted with the n-1th-order Inceptive session key and the mth-order Primal session key, and transmitted to the Primal Device (19050). The above processing is 19041.

  After receiving the data, the Primal Device executes the Usage Pass recovery process described below when it is confirmed that the Usage Pass has been changed by executing the transmission process by the verification process described above. To do. First, the received data is decrypted with the m-th order Primal session key and the (n-1) th order Inceptive session key. Subsequently, the UR_s recorded in the Transaction Log previously found as a result of the search is concatenated with the UPID of the Usage Pass and encrypted with the nth-order Inceptive session key and the shared Inceptive Device key. When the encryption is completed, the data is transmitted to the Inceptive Device (19060). The above processing is 19051.

  The Inceptive Device decrypts the received data with the shared Inceptive Device key and the nth-order Inceptive session key. Then, it is confirmed whether the UPID included in the decryption result matches the UPID of the recovery target Usage Pass. When the UPID match is confirmed, the UR_s included in the decryption result is overwritten and recorded on the Usage Pass existing in the Inceptive Device. The above processing is 19061.

  The above is the Usage Pass recovery process for the BT IP Transfer Stage in the BT mode. This is called BT IP Recovery Stage. When this Stage is completed, the Inceptive Device has a Usage Pass before transmission.

[Usage Pass reference processing recorded in storage device by Host Modules: UP Inquiry Stage]
Processing for the Host Modules to grasp information other than CIC in the Usage Pass recorded in the storage device will be described. This is called UP Inquiry Stage. This is an executable process whether the storage device is a Primal Device or an Inceptive Device, and the Connection Stage is established in either the UT mode or the BT mode.

  First, the Host Modules 110 transmits a Masked Usage Pass transfer request to the storage device in which the Usage Pass is recorded (20000). When the storage device transmits the request, it returns a Masked Usage Pass to the Host Modules 110 (20001).

[Content data encryption method]
Next, a method for actually encrypting content data using the content key included in the CIC field 403 included in the Usage Pass will be described with reference to FIG. The encryption uses a method called a common key cryptosystem. The common key cryptosystem uses the same key data for encryption and decryption. Any common key encryption / decryption algorithm may be used. However, the following description will be made assuming a method of performing encryption using 128-bit key data in units of 128 bits (16 bytes). This is expressed as E128.

  When encrypting data of a certain length using common key method encryption, the method of chained encryption (CBC mode) is more effective for attacks than the method of encrypting content data for each fixed length (ECB mode). It is hard to be broken. Therefore, in the following, it is assumed that the content data is encrypted in the CBC mode like the Usage Pass. The key data for encryption is a content key included in the Usage Pass. In order to perform encryption / decryption of data in the CBC mode, in addition to the key data, an initial vector (the same length as the key data) ( Initial Vector, IV) is required.

  When performing encryption / decryption processing in 16-byte units and CBC mode using E128, it is convenient to perform processing by dividing content data by an integral multiple of 16 bytes. This is because the CBC mode is a processing method that recursively encrypts data, and if encryption processing is performed without dividing the content, the content must always be decrypted from the beginning even if it is desired to use the content from the middle.

  On the other hand, the current magnetic disk unit has an access unit of 512 bytes (this is called one sector), so it is useless if the unit of data to be encrypted in CBC mode is an integer multiple of 512 bytes. Processing can be omitted.

  Therefore, in this embodiment, the minimum unit of encryption processing in the CBC mode is set to 3072 bytes. 3072 bytes is 192 times 16 bytes and 6 times 512 bytes. This block of content data is called an aligned unit (ALNU) 21000. Of course, the length of ALNU is not necessarily 3072 bytes.

  ALNU is the smallest unit of encryption in CBC mode, so different initial vectors are used for different ALNUs. The same applies to the content key. More specifically, encryption can be performed using a different content key every 16 bytes. However, since the content key is data included in the Usage Pass, if a large amount of content key is required for encryption or decryption of the content data, it is necessary to transfer a large amount of Usage Pass including the content key. Therefore, there is a concern that the load on the host device and the storage device becomes very high.

  Therefore, a minimum unit of content data to be encrypted using one content key is newly defined as an allocation unit (ALCU) 21010. The ALCU size can be any number as long as it is an integral multiple of 16 bytes, but it is more convenient if it is also an integer multiple of ALNU. Therefore, in this embodiment, the size is 1.5 megabytes (1572864 bytes). However, this size is not necessarily limited. 1.5 megabytes is 512 times 3072 bytes. That is, 512 ALNUs are included in one ALCU.

  Here, the diversity required for the initial vector will be described. The content data is encrypted in CBC mode for each ALNU, but it is not necessary to change the value of the initial vector for CBC mode processing in all ALNUs. However, if the size is changed for each appropriate size, the number of samples of the encrypted data using the same initial vector can be reduced, so that safety can be further improved. Therefore, in this embodiment, a unit of content data to be encrypted in the CBC mode is set to be the same as a unit to be encrypted using a single content key using a certain initial vector. This means that each ALNU in one ALCU uses the same initial vector for encryption.

  The ALCU encryption method is shown in FIG. In the figure, E-CBC 22000 is a processing block for encryption in the CBC mode using the E128 method.

  In order to encrypt content data in this way, it is necessary to describe the initial vector value together with the content key in the Usage Pass. Since IV is a parameter necessary for executing encryption / decryption processing, it is desirable not to disclose it to the recording / reproducing apparatus even in the UP Inquiry Stage. Therefore, the initial vector value is described together with the content key in the CIC field.

  By the way, as described above, the ALCU is the minimum unit of content data that is encrypted with a content key included in a single Usage Pass. From the opposite viewpoint, this means that a case where a plurality of ALCUs are encrypted with one content key is allowed. For example, this is the case where 1024 ALCUs are encrypted using a single content key.

  However, the initial vector uniformity is limited within the ALCU. Therefore, when the encryption / decryption processing of a plurality of ALCUs is managed by one Usage Pass (content key), the initial vectors used in the encryption / decryption processing of individual ALCUs should be different values.

  Therefore, how to determine an initial vector value that can cope with such a case will be described with reference to FIGS. 23 and 24. FIG. First, when a plurality of ALCUs are managed by one Usage Pass (content key), an ALCU identification number (ALCU Number) starting from 1 is assigned to each ALCU at the time of initial recording. This pattern is illustrated in FIG. This example

Multiple ALCU numbers managed by Usage Pass # 1 from 1 to p,
...
Multiple ALCU Numbers managed by Usage Pass #m from 1 to r,
...
Multiple ALCU numbers managed by Usage Pass #n from 1 to s

It is assumed that it is managed as follows. Since this identification number is always different for all ALCUs managed by a single Usage Pass, it can be used as an initial vector. Therefore, if the value is used as it is as an initial vector, or if another value is generated by some method using the value, it can be used as the initial vector. In particular, if the result obtained by encrypting the identification number with some data is used as the initial vector, the confidentiality of the initial vector can be further enhanced.
Therefore, in this embodiment,

(a1) Encrypt ALCU Number and use as initial vector
(a2) Set the key data for encrypting ALCU Number separately from the content key
(a3) The key data for encrypting the ALCU Number is described in the CIC field 403 in the Usage Pass as the initial vector generation key (IVGK), like the content key.

It is supposed to have the characteristics. Here, the encryption method is not particularly limited. However, if the same encryption method is used, there is an advantage that it is not necessary to install a different encryption / decryption function module when mounting. Therefore, in this embodiment, encryption is performed using E128. However, since ALCU Number is not long data like content data, encryption is executed in ECB (Electronic Code Book) mode. In the ECB mode, data to be encrypted is divided into necessary lengths (fixed length), and each divided block is simply encrypted.

  As for the encryption of ALCU Number, the key data for executing the processing is recorded in the Usage Pass CIC field 403 in the same way as the content key, and the identification number is encrypted using the data. This is used as an initial vector for CBC encryption in each ALCU. This method is illustrated in FIG.

  However, if the content data is encrypted by such a method, there is a problem in dividing the content data once recorded. This pattern will be described with reference to FIG.

  For example, it is assumed that the content data is divided from ALCU (25000 to 25001) managed by Usage Pass #m in the middle of ALCU 34010 of ALCU Number k. Here, in order to move the latter half of the divided content data from the storage device storing the content data and the Usage Pass for managing them to another storage device, copy Usage Pass #m. One of them must be moved together with the content data to the destination storage device. This is because otherwise the migration destination storage device does not have a Usage Pass for decoding from ALCU 25010 with ALCU Number k to ALCU 25001 with ALCU Number r.

  On the other hand, since ALCU is encrypted, it is usually recorded in a freely accessible area in the storage device, and thus can be freely copied by the user himself. Therefore, assume that these ALCUs are copied to another storage device. On the other hand, since there are two Usage Pass #m for decrypting the ALCU from ALCU Number 1 25000 to ALCU Number r 25001, move one of them to the storage device that replicated the ALCU instead of copying it. To do. Then, the ALCU Number r 25001 can be decoded from the ALCU Number 1 25000 at both the transfer source and the transfer destination. In this case, if a copy restriction is imposed in UR_s 402 of Usage Pass #m, it will be violated.

  In order to prevent such a situation from occurring, information described in the Usage Pass is further increased. However, one precondition is given here. That is, when content data is divided, it is limited to only ALNU units. If splitting in the middle of ALNU is allowed, the entire ALNU including the split point must be once decrypted, then split, and then re-encrypted. Theoretically, division may be allowed in the middle of ALNU, but by imposing the condition, it is not necessary to execute ALNU decryption and re-encryption processing including the division point when the division is performed.

  FIG. 25 also shows how content data is divided so as to satisfy the above conditions. The ALCU of the ALCU Number k is divided into two, and it is assumed that t (25020) ALNU is included in the first half and 512 t (25021) ALNU is included in the second half.

  When the above-mentioned restrictions on the division points are provided, the following information is described in the Usage Pass. The field to be described is in CIC. The structure of the expanded CIC field is shown in FIG.

(b1) [For the first half of the divided content data] Last ALCU Number (2607)
(b2) Validity display information of the value described in the field where information (b1) is recorded (1 bit is acceptable, 2606)
(b3) [For the first half of the divided content data] Number of ALNUs included in the last ALCU (2608)
(b4) Validity display information for the value described in the field in which information (b3) is recorded (1 bit is acceptable, 2608)
(b5) [For the latter half of the divided content data] First ALCU Number (2604)
(b6) Validity display information of the value described in the field where information (b5) is recorded (1 bit is acceptable, 2603)
(b7) [For the latter half of the divided content data] Number of ALNUs included in the first ALCU (2605)
(b8) Validity display information of the value described in the field where information (b7) is recorded (1 bit is acceptable, 2605)

When the Playback Module 825 receives the Usage Pass in which the value is described, the Playback Module 825 first confirms the information of (b2), (b4), (b6), and (b8). If these are interpreted as indicating that valid information is described in the corresponding field, the corresponding field of (b1), (b3), (b5), (b7) Confirm. Then, according to the recorded value, the content data is decrypted up to the appropriate ALCU and the internal ALNU. In this way, if the copy restriction information is described in UR_s (402), it can be prevented from being violated.

  Note that the information (b1) to (b8) may be described anywhere within the Usage Pass shown in FIG. Since this information is information for controlling the decryption of the encrypted content data, for example, it is described in UR_p. However, if it is described in the CIC field 403, resistance against attacks can be further increased. The reason is as follows.

(c1) Since the Usage Pass is encrypted in the CBC mode, if 1-bit tampering is performed on the ciphertext, the decryption result affects the next decryption unit including the information. As described in the present embodiment, when double encryption is performed in units of 16 bytes, the alteration range affects the 64 bytes before and after the 16 bytes in the decryption result.
(c2) As a result of falsification of part of the encrypted Usage Pass, if any of the bit values of (b2), (b4), (b6), (b8) is inverted, the Playback Module Although the values to be controlled are described in the fields such as b1), (b3), (b5), and (b7), the decoding control based on the values is not performed. (Despite the fact that ALNU that can be decrypted is restricted, the decryption process is executed assuming that it is not restricted).
(c3) If there is no tag value (for example, 500) that should be confirmed in the range affected by tampering, even if the tampering is actually performed, the Playback Module cannot detect that (all the ranges affected by tampering are If you are in the reserved area, you are likely in this situation). As described in the description of FIG. 4, since the control conditions described in UR_p may be different for each service, it is desirable to secure a relatively large area compared to other fields. In some cases, more data may be described than the CIC field, but nothing may be described. Considering such a situation, it makes sense to describe the information in the CIC field that is fixed to a relatively small size including the size of the reserved area.

  Considering the above, even if the information from (b1) to (b8) is described in the CIC field 403, the possibility of changing to the tag value of UR_p as a result of tampering with these is as follows: Assuming that the information from (b1) to (b8) is described in the UR_p field 404, it can be said that there is a higher possibility that the tag value of the CID will be changed as a result of falsification. Further, since the CIC field 403 is not disclosed from the storage device in response to the Usage Pass reference request by the Host Modules 110, it can be said that it is more secure if it is recorded here also in that sense.

  According to the above embodiment, when the encrypted content data is divided in a system that manages, records, and transfers information for managing encryption / decryption of the content data separately from the encrypted content data. In addition, it is possible to provide an appropriate method for reducing the load related to the cryptographic operation of the recording / reproducing apparatus.

  As mentioned above, although the Example was described, this invention is not limited to the said Example. Further, the present invention can be implemented with various modifications, and can be applied to other apparatuses and systems. In particular, the details of the authentication process (Connection Stage) and the Usage Pass transfer process (Transfer Stage) in the UT mode have not been described, but the contents described in this embodiment remain unchanged even when Usage Pass transfer is performed by this method. Applicable. Furthermore, the authentication method between devices and the encryption method of the content key and usage conditions at the time of transfer between devices are not limited to the UT mode and the BT mode, and may be more general ones. In the present embodiment, the content key and usage conditions are double-encrypted at the time of transfer, but this may be single or triple or more.

  In addition, the names of commands, modules, and the like described in the above embodiments are merely examples, and are not limited to the above examples. For example, the usage pass in the above embodiment may be called license information or confidential information.

  In the above embodiment, the security management of the content data in the system including the recording / reproducing apparatus and the magnetic disk apparatus has been described. However, the present invention can be applied to the system according to another example and its constituent devices. That is, the present invention is not limited to a recording / reproducing apparatus and a magnetic disk apparatus as long as it has a characteristic processing function for handling control information for managing the decryption of content data. As long as it has this characteristic processing function, for example, the magnetic disk device may be a storage device including a semiconductor memory, and the recording / reproducing device may be a host computer to which the storage device is connected.

  In another modification, the protected storage area for storing the key data or the like of the above-described embodiment is not necessarily a memory that is physically tamper resistant as long as the tamper resistance is logically ensured. Is not required.

1 is a schematic configuration diagram showing a data protection system including a recording / reproducing apparatus to which an embodiment of the present invention is applied. 1 is a configuration diagram of a detachable magnetic disk device according to one embodiment. FIG. The table | surface which shows the data used in one Example, information, the symbolic method, etc. The block diagram of the data (Usage Pass) which put together the decryption conditions and the decryption key of the data used in one Example. FIG. 6 is a structural diagram of a UPID field of data (Usage Pass) shown in FIG. 4 used in an embodiment. The Usage Pass transfer module figure which implement | achieves BT mode in the magnetic disc apparatus by one Example. The block diagram of the function module only for a recording which implement | achieves Usage Pass transmission in BT mode in the recording / reproducing apparatus by one Example. The block diagram of the function module only for a decoding which implement | achieves Usage Pass reception in BT mode in the recording / reproducing apparatus by one Example. The block diagram of the functional module which implement | achieves a mutual authentication process between the magnetic disc apparatuses in BT mode in the recording / reproducing apparatus by one Example. In the recording / reproducing apparatus according to an embodiment, the secret information such as a certificate, a public key, a secret key, log information of mutual authentication processing, log information of Usage Pass transfer processing, etc. used in BT and UT modes is recorded. The figure which shows the static storage area which has property. In a magnetic disk device according to an embodiment, a static storage area having tamper-proof properties for recording secret information such as a certificate, a public key, a secret key, and log information for mutual authentication processing used in the BT mode is shown. Figure. FIG. 5 is a diagram showing a tamper-resistant static storage area for recording the Usage Pass shown in FIG. 4 and the like in the magnetic disk device according to an embodiment. The figure which shows the process sequence for the recognition and setting of the access mode in the Usage Pass transfer process by one Example. The figure which shows the mutual authentication process sequence performed between a recording / reproducing apparatus and a magnetic disc unit in BT mode in one Example. The figure which shows the Usage Pass transfer process sequence transmitted with respect to a magnetic disc unit from a recording / reproducing apparatus in BT mode in one Example. The figure which shows the Usage Pass transfer process sequence transmitted with respect to a recording / reproducing apparatus from a magnetic disc apparatus in BT mode in one Example. The figure which shows the simplified re-reciprocal authentication process sequence performed between a recording / reproducing apparatus and a magnetic disc unit in BT mode in one Example. The figure which shows the recovery processing sequence of the lost Usage Pass when the Usage Pass transmitted from the recording / reproducing device to the magnetic disk device in the BT mode is lost in one embodiment. The figure which shows the recovery processing sequence of the lost Usage Pass when the Usage Pass transmitted from the magnetic disk device to the recording / reproducing device in the BT mode disappears in one embodiment. The figure which shows the process sequence in which a memory | storage device responds to the host module with information of Usage Pass other than a content key in one Example. The figure which showed the relationship of encryption of content data and Usage Pass in one Example. The figure which showed the encryption method of content data in one Example. The figure which showed the relationship of encryption of content data and Usage Pass in one Example. The figure which showed the calculation method of the initial vector used when encrypting content data in one Example. The figure which showed the example in the case of dividing | segmenting the encrypted content data in one Example. The figure which showed the structural example of the CIC field in one Example.

Explanation of symbols

100: Network interface 101: Protection information area 102: Recording module 103: Playback module 105: User interface bridge 106, 107: External storage interface 108: Processor 110: Host module 111: Host security manager 112: Recording / playback device 150: Distribution Server 125, 126, 240: Magnetic disk device 221: User path transfer module 222: Restricted storage control unit 223: Restricted storage unit 231: Processor

Claims (12)

In a content data management system that handles control information for managing decryption of content data,
The content data is encrypted and output to a storage device, the recording / playback device for decrypting the encrypted content data output from the storage device, and the content data encrypted by the recording / playback device is stored A storage device,
The control information includes an initial vector generation key and a content key,
The content data has a plurality of content data of a first unit,
The recording / reproducing apparatus comprises:
For each content data of the first unit , an initial vector is generated based on an identification number identifying the content data of the first unit and the initial vector generation key, and based on the initial vector and the content key, Encrypt the first unit of content data, and output the encrypted first unit of content data to the storage device,
The storage device
After storing the encrypted content data, the content data is divided into the first half of the content data of the first unit assigned a predetermined identification number, and the first half of the content data When divided into divided content data and second divided content data that is the latter half of the content data, the predetermined identification number is stored as control information of the second divided content data Data management system. The content data management system according to claim 1,
The content data of the first unit has n pieces of content data of the second unit ,
The storage device
At the divided, if the is divided into m and (n-m) pieces of content data of the second unit, as the control information of the first divided content data, the content of the m-th second unit A content data management system characterized by storing an identification number for identifying data. The content data management system according to claim 1 or 2 ,
A logical area for storing control information is divided into a plurality of areas .
The storage device
The content data management system, wherein the content key, the initial vector generation key, and the predetermined identification number are stored in the same area . The content data management system according to any one of claims 1 to 3 ,
The storage device
After mutual authentication is performed with the recording / reproducing apparatus, the control information is output to the recording / reproducing apparatus. A storage device used in a content data management system that handles control information for managing decryption of content data,
Storing encrypted content data output from the recording / reproducing apparatus, and outputting the content data to the recording / reproducing apparatus;
The control information includes an initial vector generation key and a content key,
The content data has a plurality of content data of a first unit,
The recording / reproducing apparatus comprises:
For each content data of the first unit , an initial vector is generated based on an identification number identifying the content data of the first unit and the initial vector generation key, and based on the initial vector and the content key, Encrypt the first unit of content data, and output the encrypted first unit of content data to the storage device,
The storage device
After storing the encrypted content data, the content data is divided into the first half of the content data of the first unit assigned a predetermined identification number, and the first half of the content data When the divided content data and the second divided content data that is the latter half of the content data are divided, the predetermined identification number is stored as control information of the second divided content data. apparatus. The storage device according to claim 5,
The content data of the first unit has n pieces of content data of the second unit,
The storage device
At the divided, if the is divided into m and (n-m) pieces of content data of the second unit, as the control information of the first divided content data, the content of the m-th second unit A storage device characterized by storing an identification number for identifying data . The storage device according to claim 5 or 6 ,
A logical area for storing control information is divided into a plurality of areas .
The storage device
The storage device, wherein the content key, the initial vector generation key, and the predetermined identification number are stored in the same area . The storage device according to any one of claims 5 to 7 ,
The storage device
The storage device, wherein after performing mutual authentication with the recording / reproducing device, the control information is output to the recording / reproducing device. In a recording / reproducing apparatus for storing content data and control information for managing decoding of the content data in a storage device,
  Means for encrypting the content data;
  Means for outputting and storing the encrypted content data and the control information to the storage device;
  The control information includes an initial vector generation key and a content key for encrypting the content data,
  The content data comprises a plurality of first unit content data,
  The plurality of first unit content data is accompanied by an identification number for identifying the first unit content data,
  For each content data of the first unit, an initial vector is generated based on an identification number for identifying the content data of the first unit and the initial vector generation key, and based on the initial vector and the content key, Encrypting the first unit of content data, outputting the encrypted first unit of content data to the storage device,
  The content data is a first divided content data that is the first half of the content data and a second half of the content data by dividing the content data in the first unit to which a predetermined identification number is assigned. When divided into second divided content data, the predetermined identification number is output to the storage device and stored as control information of the second divided content data
  And a recording / reproducing apparatus. The recording / reproducing apparatus according to claim 9.
  The first unit of content data includes n second units of content data,
  The n second unit of content data is accompanied by an identification number for identifying the second unit of content data.
  In the division, when the content data of the second unit is divided into m pieces and (nm) pieces, the m-th second unit content is used as control information of the first divided content data. An identification number for identifying data is output and stored in the storage device
  And a recording / reproducing apparatus. In a content data management method for storing content data and control information for managing decryption of the content data in a storage device,
  Encrypting the content data;
  Storing the encrypted content data and the control information in the storage device,
  The control information includes an initial vector generation key and a content key for encrypting the content data,
  The content data comprises a plurality of first unit content data,
  The plurality of first unit content data is accompanied by an identification number for identifying the first unit content data,
  For each content data of the first unit, an initial vector is generated based on an identification number for identifying the content data of the first unit and the initial vector generation key, and based on the initial vector and the content key, Encrypting the first unit of content data, storing the encrypted first unit of content data in the storage device,
  The content data is a first divided content data that is the first half of the content data and a second half of the content data by dividing the content data in the first unit to which a predetermined identification number is assigned. When divided into second divided content data, the predetermined identification number is stored in the storage device as control information of the second divided content data
  Content data management method characterized by the above. The content data management method according to claim 11,
  The first unit of content data includes n second units of content data,
  The n second unit of content data is accompanied by an identification number for identifying the second unit of content data.
  In the division, when the content data of the second unit is divided into m pieces and (nm) pieces, the m-th second unit content is used as control information of the first divided content data. An identification number for identifying data is stored in the storage device
  Content data management method characterized by the above.

Images