JPH10215242A - Authentication method and device therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To execute the control of utilization sequence of enciphered contents in off-line. SOLUTION: In the case of using a first key, a corresponding key is retrieved from a key storage section 12 based on an ID imparted to contents. A value of a field denoting a remaining number of times corresponding to the key in the key storage section 12 and when the value is zero, a host 10 sends the contents and the key to a token 20. A decoding section 22 of the token 20 uses the key to decode the contents and sends the result to the host 10. The host 10 checks an ID of a key used next to the present key from the key storage section 12. When the ID of the next key is not zero, the host 10 retrieves the next key based on the ID and conducts key activation processing when the corresponding key is found out. When the ID of the next key is zero, since the next key is not in existence, no key activation processing is conducted. The host 10 utilizes the decoded contents.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication technique for performing a plurality of authentications in a predetermined order, and prevents the authentication from being performed correctly if the order is deviated. Further, the present invention provides a method for decrypting and using encrypted digital information by using proof information in the above order.
Regarding the method of generating the encryption key, by using the digital information a specified number of times according to a predetermined order,
The present invention relates to a technique for generating a predetermined encryption key.

[0002] The scope of use of the present invention is not limited to controlling the order of use by encrypting and distributing contents, and in general, encryption keys (keys for signatures, keys for verification, etc.) In the order of use of the key (general) in (1).

Therefore, for example, when tickets such as train tickets and movie tickets are issued electronically, the tickets can be used only in a predetermined order in order to prevent the ticket from being broken. It can also be used to control the order of use of tickets issued electronically, such as when selling a voucher such as watching one movie and seeing another movie cheaply, etc. is there.

[0004]

2. Description of the Related Art With the recent development of networks, various information has been digitized and distributed.
Digital information is easy to copy, and the copied information does not deteriorate. Therefore, digital contents (images, moving images, programs, etc.) having a monetary value are encrypted and distributed, and the environment of the user at the time of use is encrypted. A distribution form of decrypting and using the information has begun. NTT's miTaKaTTa (TM) and IBM's Info
market ™ is a typical service currently being implemented. In the case where content is distributed after being encrypted with a common key, once the key is exposed, there is a problem that the key is circulated and the content is used for free. Therefore, in these services, keys are temporarily distributed online only when using contents, and the keys are discarded when the use is completed.

[0005] However, in this configuration, the content can be used only on-line, and the user is burdened with the burden of communication costs.

On the other hand, Japanese Patent Publication No. 6-95302
Publication No. JP-A-2005-28509, WaveSystem
In a technology such as WaveChip (trademark) developed by Company m, contents are distributed by being encrypted with a predetermined encryption key, and a user can use an IC card or IC in which a common key for decrypting the content is enclosed. The chip is connected to its own PC, and when it is desired to use the chip, it is decrypted in the device and the content is used.
In a device such as an IC card, a history is taken every time the device is used, and a fee is collected later according to the history.

[0007] However, according to this method, it is impossible to limit available contents according to the user's qualifications and the like.

Therefore, the present applicant has proposed a new user authentication technique (Japanese Patent Application No. 9-418). According to this proposal, the content is encrypted with a common key, and the user has his / her own key, and introduces a ticket called an access ticket and a ticket for maintaining the user. Offline use is possible, and access issuance is controlled by controlling issuance of access tickets for each user.

[0009]

However, according to the proposal of Japanese Patent Application No. 9-418, an access ticket for using the content is provided by an agency such as a content distributor or a ticket issuing center which can issue the access ticket. (Hereinafter, these are collectively called centers for simplicity). That is, once the user has obtained the access ticket, the user can continue to use it offline, but when trying to use new content, the user must request the center online (or an alternative means). Must be done.

[0010] In content that is divided into several parts in advance and is intended to be used in an order, such as a novel or a story, a collection of problems intended to make it difficult step by step, These contents are divided into parts, each part is subjected to different encryption, and each of them is configured to require a different access ticket.

However, in order to limit the use order of the contents, the center cannot issue an access ticket to the user all at once, so that the user accesses every time he wants to use a new part. You will have to ask the center to get a ticket to get it.

There is also a providing method in which the use order is not linear, and another content can be used by using two different contents regardless of the order. In order to adopt such a sales form, in the conventional method, the user must also request the center to issue a ticket for using the third content.

[0013]

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and has as its object to control the order of use of encrypted content (or encryption key) by a user. Is to be implemented offline.

[0014]

First, an outline of the present invention will be described in accordance with a specific realization environment. In one realization environment of the present invention, in order to solve the above-mentioned problem, a user environment is configured by a content use environment and a token previously distributed to each user. The token is a tamper-resistant container having an arithmetic function such as an IC card. By repeatedly performing a specific operation on a certain key a plurality of times, a plurality of keys calculated so as to generate the next specified key are issued for the first time, and the token is determined in the user environment by the predetermined operation. The next key can be used by generating the next key based on the result of the above.

According to another aspect of the present invention, there is provided an access control method using an access ticket (Japanese Patent Application No. 9-418), wherein a series of plural tickets and usage constraint information corresponding to each ticket are used. Is issued based on a predetermined calculation method. The usage restriction information of the access ticket includes the use order of this ticket or a numerical value for identifying the next ticket to be used, ticket activation information for enabling the next ticket to be used, and the time until the next ticket becomes available. Includes fields for the number of times and the modulus of the next ticket. Then, only the issued plurality of tickets and the use restriction information corresponding to the ticket used first are distributed to the user.

The ticket activation information for enabling the use of the next ticket after a certain ticket is generated only by performing a predetermined number of communications with the token using the currently used ticket. You. By adding the ticket activation information thus generated to a specific field of the usage restriction information of the ticket to be used next, the next ticket can be used for the first time.

The next ticket may be for a different content, or may be for permitting the same content to be used under different usage conditions.

Further, the configuration of the present invention will be described in detail.

According to the present invention, in order to achieve the above object, in an authentication method for performing different authentications in a predetermined order, a step of using a corresponding first-order proof information for the first-order authentication, Generating a post-order credential for post-order authentication based on the use of the pre-order credential, and using the post-order credential for the post-order authentication. I want to run.

In this configuration, the proof information in the post-order becomes available only after the proof information in the pre-order is actually used, and the authentication can be forced to be performed in a predetermined order.

According to the present invention, in order to achieve the above-mentioned object, the above-mentioned proof information is generated by using a sequence of proof information generated in order and for certifying a specific right to a specific user. In the supplementary authentication method that performs the corresponding authentication, when using the certification information that is used first, the certification information activation information for activating the subsequent certification information is generated, and the subsequent certification information is generated. Is activated based on the generated proof information activation information, so that the series of proof information can be used only in a predetermined order.

In this configuration, since the preceding certification information is used and the later certification information is activated, it is possible to force the sequence of the certification information to be used only in a predetermined order.

In this configuration, by performing a specific operation based on a plurality of pieces of proof information activation information generated from a plurality of pieces of proof information, activation information for activating other pieces of proof information is obtained. Authentication may be performed using the generated proof information activated by the generated activation information.

Further, activation information generated by using the certification information is held, and when the same certification information is used next time, the activation information generated last time is further activated. By performing an operation and repeating this operation a predetermined number of times, proof information activation information capable of activating the following proof information for the first time is generated,
The authentication may be performed using the certification information activated by the generated activation information.

According to the present invention, there is provided a credential generation method for generating a sequence of proof information for certifying a specific right to a specific user in order to achieve the above object. Generate proof information activation information for activating subsequent credential information from proof information in the order to be performed first, and modify and generate subsequent credential information based on proof information activation information Thus, by using the preceding certification information, the certification information activation information for validating the later certification information can be obtained for the first time.

Also in this configuration, since the previous certification information is used and the later certification information is generated, it is possible to force the sequence of the certification information to be used only in a predetermined order.

Further, in this configuration, certifying information activation information for activating certifying information is generated from a plurality of certifying information, and based on a result obtained by performing a specific operation on the plurality of activating information. By modifying and generating another certification information, a plurality of certification information may be used to obtain certification information activation information for validating the modified certification information. .

Further, when generating subsequent credential information from credential information which is to be used first, a plurality of times of initial values of the credential activation information of the key having the first order are used. Based on the proof information activation information generated by performing the prescribed operation, the subsequent proof information is modified and generated by using the proof information subsequent to the proof information for the first time. May be obtained as proof information activation information for validating.

Further, according to the present invention, in order to achieve the above-mentioned object, it is authenticated that a user is a valid right holder by certification information for certifying that a particular user has a particular right. When the authentication device processes the authentication information and performs authentication, the authentication information activation information for enabling the authentication information to be used subsequent to the authentication information is used at the same time. Activation information calculation means for calculating the activation information of the subsequent certification information from the information, and certification information activation means for making the subsequent certification information usable by the activation information obtained thereby. ing.

Also in this configuration, since the preceding certification information is used and the later certification information is activated, it is possible to force the sequence of the certification information to be used only in a predetermined order.

According to the present invention, there is provided an encryption key order control method for controlling the use of a series of ordered encryption key sequences in order to achieve the above object. When using the encryption key activation information for generating the encryption key activation information for activating the subsequent encryption key and activating the subsequent key based on the generated encryption key activation information, Are made available only in a predetermined order.

In this configuration, by performing a specific operation based on a plurality of pieces of activation information generated from a plurality of keys, activation information for activating another encryption key is generated. It may be.

Further, activation information generated by using the encryption key is held, and when the same encryption key is used next time, the activation information generated last time is further activated. By performing the calculation and repeating this operation a predetermined number of times, the encryption key activation information for activating the subsequent encryption key may be generated for the first time.

According to the present invention, in order to achieve the above-mentioned object, in an encryption key generation method for generating a series of ordered encryption key sequences, a key which is to be used first is used first, By generating encryption key activation information for activating the subsequent encryption key, and modifying and generating the subsequent key based on the encryption key activation information, the first key can be used to generate the subsequent key. Encryption key activation information for validating the key is obtained.

In this configuration, encryption key activation information for activating an encryption key is generated from a plurality of keys, and based on a result obtained by performing a specific operation on the plurality of activation information, the key activation information is obtained. By modifying and generating another encryption key different from the above, by using a plurality of keys, encryption key activation information for validating the modified key may be obtained. When generating a subsequent encryption key from a key whose order is earlier, by performing a predetermined operation multiple times on the initial value of the encryption key activation information of the key whose order is earlier By modifying and generating the subsequent key based on the generated encryption key activation information, by using the previous key multiple times,
For the first time, encryption key activation information for validating a later key may be obtained.

According to the present invention, in order to achieve the above object, a decryption device for decrypting and using encrypted digital information uses a decryption key to decrypt the encrypted data. In addition, at the same time, the activation for calculating the activation information of the subsequent decryption key by inputting the information which is the basis of the decryption key activation information for enabling the decryption key to be used subsequent to the decryption key, An information calculation means and a decryption key activating means for enabling a subsequent decryption key to be used based on the activation information obtained thereby are provided.

In this configuration, it becomes possible to activate the succeeding decryption key by using the preceding decryption key, and it is possible to perform decryption in a predetermined order.

[0038]

Embodiments of the present invention will be described below.

[Embodiment 1] In this embodiment, a method of generating an encryption key for different contents by using one encryption key a specific number of times will be described.

This embodiment comprises a content provider for encrypting digital content and providing it together with a key, and a user environment for decrypting and using the provided content.

FIG. 1 shows a user environment. In this figure, the user environment is composed of a use environment (host) 10 and a token 20, and the use environment 10 is a content holding device for holding encrypted digital content. Part 11;
And a key holding unit 12 for holding a key corresponding thereto. The token 20 is a smart card or an IC card which is distributed to each user in advance, and has a calculation unit 21 for activating a key and a decryption unit 22 for decrypting content or information for decrypting the content. .

Next, the operation of the embodiment will be described with reference to FIGS.
Will be described with reference to FIG. FIG. 2 shows the overall processing of the embodiment. FIG. 3 shows details of the key activation process.

In this embodiment, the content provider issues a key so that four different contents are used in order. First, the content provider encrypts the content with the conventional encryption key K1. Further, other contents are encrypted with keys K2 to K4 in the order of use. Then, as described below, K2 'to K4'
Is calculated.

[0044]

## EQU1 ## K2 '= K2-F ^Ur2 (K1) K3' = K3-F ^Ur3 (K2) K4 '= K4-F ^Ur4 (K3) F ^Ur2 (K1) performs the operation of F twice for K1 by Ur. It means to repeat.

F is a one-way function (eg, a hash function such as MD5), and Ur is the number of times the current ticket must be used to make the next ticket usable. If the calculation method of F is kept secret and the calculation method is different for each user, the value calculated by another user will not be diverted. K1 and K2 ′ to K4 ′ and Ur2 to Ur4 are distributed to the user. The key distributed to the user is stored in the key storage unit 12. FIG. 4 shows the state of the key holding unit 12 when a series of keys is distributed.

In FIG. 2, when the first key is used, a corresponding key is retrieved from the key holding unit 12 based on the ID assigned to the content (S10). If there is no corresponding key, the process ends (S11). Next, the value of the field of the remaining number of times corresponding to the key of the key holding unit 12 is checked, and if the value is not 0, the key is not valid yet, so the process is also terminated (S12). The host 10 sends the content and the key to the token 20 (S13). The decryption unit 22 of the token 20 decrypts the content using the key and sends it to the host 10 (S14). The host 10 checks the ID of the key that can be used next to the current key from the key holding unit 12 (S15). If the ID of the next key is not 0, the next key is searched based on the ID, and if the corresponding key is found,
A key activation process is performed (S16 to S19). Next key ID
Is 0, since the next key does not exist, the host 10
Uses the decrypted content (S20).

Next, the key activation processing S19 will be described in detail with reference to FIG. In FIG. 3, in the key activation process, first, key activation information corresponding to a key is obtained from the key holding unit 12 (S21). If this value is 0, the current key value is written in the key activation information field (S22, S23). Next, the host 10 receives the token 20
To the key activation information α (S24). Token 2
0 calculates F (α) and returns the value to the host 10 (S2
5). The value of the number of remaining times Ur of the next key in the key holding unit 12 (FIG. 4) is reduced by 1 (S26). If the value of the remaining number Ur does not become 0 as a result of reducing by 1, the user environment is set to F
Replace the current key activation information with the value of (α) (S
27, S28). When the value becomes 0, the value of the next key is replaced with the value of the next key plus F (α) (S29). FIG. 5 shows the state of the key holding unit when the second key becomes usable in this way. with this,
The key activation process ends, and the host 10 uses the decrypted content.

As described above, the second key K2 can be calculated for the first time by using the first key K1 a specified number of times by associating a series of keys with the above-described method. This makes the second key K2 available.
By a similar process, a mechanism in which sequentially different keys are used only in a predetermined order and number of times can be realized.

[Embodiment 2] In this embodiment, a method will be described in which, in particular, one content is used a specified number of times to enable use under different usage conditions. For example, there is a method in which a certain content is used a specified number of times to enable use at a lower rate.

In this embodiment, the present invention is described in Japanese Patent Application No. 9-4 / 1993.
This is an example applied to the No. 18 user authentication technology.

First, an overview of processing using an access ticket (authentication auxiliary information) used in this embodiment will be described. FIG. 6 shows an overview of the processing. In FIG. 6, the process using the access ticket is performed by the ticket issuing center 30.
Is executed in a system including the content provider 40 and the user environment 50.

The ticket issuing center 30 includes a ticket public key database 31, a user database 32, a provider database 33, and an access ticket issuing device 3.
Have four. The content provider 40 holds unencrypted content and a conventional encryption key, and encrypts the content using a conventional encryption device.

The user environment 50 is connected to a use environment (host) 51 such as a personal computer or a workstation, which is an information processing device for using digital information, and a host 51 for authenticating a user. And the token 52 that is present. The host 51 is a user tool 53
And encapsulated content 54. Token 52
Is a tamper-resistant container such as an IC card or a smart card in which information unique to each user is securely enclosed, and has a calculation unit for performing user authentication based on the unique information. The token 52 is distributed to each user in advance.

First, the content provider 40
RSA (Rivest, Shamir, Adle) required to encrypt a conventional encryption key for encrypting content
(man) A request for issuing a public key is issued to the ticket issuing center 30 (). The ticket issuing center 30 sends the public key to the content provider 40 in response to the request (). The content provider 40 encrypts the content with a customary encryption key prepared by itself, and further encrypts the key with the issued public key and embeds the key in the content by a specific method. The content (encapsulated content) thus completed is distributed to the user (user environment) 50 by using a network or a CD-ROM.
Since the content is encrypted, it cannot be used as is. The user requests the center 30 to issue an access ticket corresponding to the content to be used and the user ID of the user (). The access ticket is digital information for making the content usable only when the specific content and the unique information of the user are available, and cannot be used for a combination of another user and the content. The center 30 issues an access ticket in response to the user's request and sends it to the user (). The user uses the content using the access ticket. The access ticket contains information for access control,
Information about usage conditions such as usage fee, payment method, and expiration date is given. When the user uses the content, the history is recorded in the token 52 according to the use. At this time, the usage conditions at the time of use are also recorded in the history. The user can use the center 3
Send the usage history to 0 (). The center 30 charges based on the collected usage history. The fee calculated based on the collected history is deducted from each user's account and distributed to the content provider 40 according to the usage amount of each content ().

Next, the processing in this embodiment will be described in detail.

First, the content provider 40
The center 30 issues an RSA public key pair E and D and a modulus n necessary for encrypting a conventional encryption key for encrypting the content. The contents provider 40 receives E and n, and the center 30 records the secret key D and the modulus n corresponding to the issued public key in the public key database 31 and securely manages them. Next, the content provider 30 encrypts this content using the customary encryption key K prepared by itself. Further, this K is encrypted with the public key E issued from the center, and K ^* = K ^E mod n is created. This K ^* is embedded in the content by a specific method. The content thus completed (hereinafter referred to as encapsulated content) is distributed to users using a network, a CD-ROM, or the like.

The user requests the center 30 to issue an access ticket in order to use the content. FIG. 7 shows the structure of the access ticket. The access ticket includes authentication information (hereinafter simply referred to as a ticket) t, use restriction information L, ticket modulus n, and public key E. The access ticket and the content uniquely correspond to each other, and the correspondence can be determined by the public key modulus n of the content.

Here, in order to enable use under different use conditions (for example, a discount rate) after a certain number of uses, the center 30 issues a plurality of tickets as follows when issuing an access ticket. And usage restriction information corresponding to it. In this embodiment, four types of access tickets having different use conditions and use restriction information corresponding to the access tickets are prepared.

[0059]

## EQU2 ## t1 = D + F (du, L1, n) t2 = D + F (du, L2, n) t3 = D + F (du, L3, n) t4 = D + F (du, L4, n) FIG. Shown in

In the above equation and FIG. 8, the equation "(α
1) ^{FUr2 (du, L1, n)} mod n ”is ^{obtained by changing} α1 to F (d
u, L1, n) to the power of Ur two times, and take the remainder for n. t is a ticket, D is a secret key corresponding to the public key of the content, F is a one-way function (for example, MD5
, Du is the user's secret key, n is the public key modulus of the content, Ir is a random number generated when the ticket is issued, and L is usage restriction information describing usage conditions and the like.

The use restriction information L describes information related to the use of the content by the corresponding ticket. The use limit information L indicates a use period indicating a period during which the access ticket can be used, and a one-time usage fee when the content is used by the ticket. Are described. When the content is used, billing is performed according to this information. further,
The use restriction information L includes the use order of this access ticket, ticket activation information α for making the next access ticket usable, and the number of times Ur until the next access ticket becomes usable. .

At the time of ticket generation, t is calculated by setting L as shown in FIG. That is, the values of Ur are all set to 0, and the actual value of Ur is used only for the calculation of α.
The values of n and D are stored in the public key database 31 in the center 30.
And the value of du can be obtained by referring to the user database 32.

A series of tickets from t1 to t4 and an access ticket including usage restriction information L1 to L4 are distributed to the user. However, at the time of distribution to users, L1 to L4
Is set to Ur1 to Ur4 as shown in FIG.
Further, the values of α2 to α4 of L2 to L4 are replaced with values obtained by setting the values to 0.

FIG. 10 shows the configuration of the user environment 50 (FIG. 6). The user environment 50 includes a use environment (host) 51 and a token 52, and the token 52 is a proof information operation unit 64.
And a user-specific information holding unit 65. The user-specific information holding unit 65 stores information unique to each user. The unique information is secret to the user, and the user ID and the corresponding unique information are securely managed by the ticket issuing center 30.

The use environment (host) 51 has an encapsulated content 54 and a user tool 53. The user tool 53 includes an access ticket holding unit (a plurality of tickets) 55, an access ticket search unit 56, and a certification information calculation unit 57. Also, the encapsulated content 54
Includes a random number generator 58, a ticket public key modulus storage 5
9, ticket public key holding unit 60, conventional encryption / decryption unit 61,
It has an encrypted common key storage unit 62 and an encrypted content storage unit 63.

Next, processing in the user environment 50 will be described. 11 and 12 show processing in the user environment 50. The following processing is performed in the user environment. [Step S31] The encapsulated content 54 generates a random number r. [Step S32] The encapsulated content 54 is r ^E
K ^E mod n is calculated, and this value and the public key modulus n of the content are sent to the user tool 53. The reason for using r is to prevent a conventional encryption key from being known on the communication path with the token. [Step S33] The user tool 53 searches the managed ticket holding unit 55 for all access tickets having n as a modulus. The ticket holding unit 55 holds a set of tickets corresponding to the modulus n. [Step S34] If no access ticket is found, the process ends. [Step S35] From the retrieved tickets, a ticket having the remaining usage count Ur of the usage restriction information of 0 and having the largest value of the use order is selected. [Step S36] Among the tickets having the same modulus n as the current ticket, a ticket having the next highest use order value after the current ticket is searched. [Steps S37, S38, S39] If a ticket is found, the value of the activation information of the ticket is checked. If the value is 0, the value of the current ticket activation information is written. Then, it sends r ^E K ^E mod n, modulus n, the use of current ticket restriction information L, and the value of activation information α of the next ticket token 52. Send activation information as if is not zero r ^E K ^E mod n, modulus n, the use of current ticket restriction information L, and the value of activation information α of the next ticket token 52. [Step S36, S40] If the ticket is not found, the value of α as a ^{0, r E K E mod n} , n,
The pair of L and α is sent to the token 52. [Step S41] The token 52 is

[0067]

Equation 3] ^{R1 = (r E K E)} F (du, L, n) R2 = (α) F (du, L, n) is calculated. [Step S42] The user tool 53 sets the token 5
While 2 is performing calculations, to calculate the value of (r ^E K ^{E) t.} [Step S43] The token 52 is calculated R1,
The value of R2 is sent to the user tool 53. [Steps S44 to S46] When there is a ticket of the next use order, the user tool 53 reduces the value of the remaining number Ur in the use restriction information of the next ticket by 1, and furthermore,
The value of the activation information field of the next ticket is replaced with the value of R2. [Step S47] R1 received from the token 52
From sending the encapsulated content 54 to calculate the ^{(r E K E) t ·} R1 -1 = rK mod n. [Step S48] The encapsulated content 54 is r
Find K from K. The value of r is the encapsulated content 49
, K can be calculated. [Step S49] The encapsulated content 54 is
Of the content encrypted by the conventional encryption / decryption unit 6
1 for decryption.

The usage restriction information at the time when the first ticket t1 is used once is as shown in FIG.

When the user uses the content, the usage conditions at the time of use are recorded in the token 52 as a history. Even if the contents are the same, the history under the use conditions at the time of use is recorded, so that the contents can be used according to the use conditions determined by the determined use order and number of times.

By calculating the pair of the ticket and the usage restriction information in this way, for example, the first ticket t1
By using a specific number of times, α2 in L2 used for calculating t2 can be calculated, and the second ticket can be used. By setting the usage conditions of the second ticket different from those of the first ticket, for example, it is possible to discount the usage fee. By a similar process, a mechanism for sequentially using tickets with different conditions in a predetermined order and number of times can be realized.

[Embodiment 3] In this embodiment, a method will be described in which one content is used a specific number of times to enable the use of different content in a predetermined order.

In the present embodiment, processing using an access ticket is performed as in the second embodiment.

The structure of the present embodiment is the same as that of the second embodiment, except that a field for entering the modulus corresponding to the next available content is added to the use restriction information of the access ticket instead of the use order. Is different.

The operation of the embodiment will be described.

In the same manner as in the second embodiment, the content provider 40 encapsulates and distributes the content using the public key issued from the center 30. The user similarly requests the center 30 to issue an access ticket.

Here, in order to make it possible to use a different content in a predetermined order only when a certain content is used a specified number of times, when issuing an access ticket, the center uses a plurality of tickets as follows. And usage restriction information corresponding to it. In this embodiment, 4
Different types of contents, access tickets corresponding to the respective contents, and corresponding usage restriction information (FIG. 14) are prepared.

The access ticket has the following formula.

[0078]

## EQU4 ## t1 = D1 + F (du, L1, n1) t2 = D2 + F (du, L2, n2) t3 = D3 + F (du, L3, n3) t4 = D4 + F (du, L4, n4) Usage restriction information is shown in FIG. It is as shown in.

In the above equation and FIG. 14, the equation "(α
1) ^{FUr2 (du, L1, n2)} mod n ”is ^{obtained by changing} α1 to F (d
u, L1, n2) represents the exponentiation of Ur2 times to take a remainder on n. t is a ticket, D is a secret key corresponding to the public key of the content, F is a one-way function (for example, MD
5, du is the user's secret key, n is the public key modulus of the content, Ir is a random number generated when the ticket is issued, and L is usage restriction information describing usage conditions and the like.

The use restriction information L describes information related to the use of the content by the corresponding ticket. The use limit information L indicates a use period indicating a period during which the access ticket can be used, and a one-time charge when the content is used by the ticket. Are described. When the content is used, billing is performed according to this information. further,
The usage restriction information L includes ticket activation information α for making the next access ticket usable, the number of times Ur until the next access ticket becomes usable, and the modulus of the next usable ticket. include.

At the time of ticket generation, t is calculated by setting L as shown in the above table. That is, the values of Ur are all set to 0, and the actual value of Ur is used only for the calculation of α.

A series of tickets from t1 to t4 and an access ticket including usage restriction information L1 to L4 are distributed to the user. However, at the time of distribution to users, L1 to L4
Are set to values Ur1 to Ur4 as shown in FIG. 15, and further replaced by values obtained by setting the values of α2 to α4 of L2 to L4 to 0.

Next, processing in a user environment will be described. The configuration of the user environment 50 is the same as that of the second embodiment. 16 and 17 show processing in the user environment 50. In the user environment 50, the following processing is performed. [Step S51] The encapsulated content 54 generates a random number r. [Step S52] The encapsulated content 54 is r ^E
K ^E mod n is calculated, and this value and the public key modulus n of the content are sent to the user tool 53. The reason for using r is to prevent a common encryption key from being known on the communication path with the token 52. [Step S53] The user tool 53 searches the managed ticket holding unit 55 for a ticket having n as a modulus. The ticket holding unit 55 holds a set of tickets corresponding to the modulus n. [Step S54] If no ticket is found, the process ends. [Step S55] If the remaining number of times of use Ur of the retrieved ticket is not 0, the ticket is not yet valid, and the process ends. [Step S56] The user tool 53 checks the modulus value of the next ticket in the usage constraint information L of the current ticket. [Steps S57 to S60] The value of the modulus is not 0,
If the next ticket corresponding to this modulus exists, the value of the activation information of the ticket is checked, and if the value is 0, the value of the activation information of the current ticket is written. Send [Step S61] Further r ^E K ^E mod n, modulus n, the use of current ticket restriction information L, and the value of activation information α of the next ticket token 52. [Step S62] Whether the modulus value of the next ticket is 0 or not
As the 0 values of ,, alpha if the ticket shown number of law does not exist, it sends ^{r E K E mod n, n} , L, a set of alpha token 52. [Step S63] The token 52

[0084]

Equation 5] ^{R1 = (r E K E)} F (du, L, n), to calculate R2 = a ^{(α) F (du, L} , n). [Step S64] The user tool 53 sets the token 52
There while performing the calculations, to calculate the value of (r ^E K ^{E) t.} [Step S65] Token 52 is calculated R1,
The value of R2 is sent to the user tool 53. [Steps S66 to S68] If there is a next ticket, the user tool 53 decreases the value of the remaining number Ur in the usage restriction information of the next ticket by one, and furthermore, the value of the activation information field of the next ticket Is replaced by the value of R2. [Step S69] R1 received from the token 52
From

[0085]

[6] Send to ^{(r E K E) t ·} R1 -1 = rK mod n The calculated encapsulated content 54. [Step S70] The encapsulated content 54 is r
Find K from K. The value of r is the encapsulated content 54
, K can be calculated. [Step S71] The encapsulated content 54 is
Of the content encrypted by the conventional encryption / decryption unit 6
1 for decryption.

The usage restriction information at the time when the first ticket t1 has been used once is as shown in FIG.

According to the same method as in the second embodiment, the use history is recorded in the token 52 in accordance with the use of the user, and this is collected by the center 30 so that the charge to the user and the charge to the content provider 40 are reduced. Distribution takes place.

As described above, by calculating and distributing a pair of the ticket and the use restriction information in advance, for example, starting from using the first ticket t1 a specified number of times, α2 in L2 used for the calculation of t2 is calculated. It can be calculated and a second ticket becomes available. Different content is associated with the second ticket, so that the next content can be used in a predetermined order. By a similar process, a mechanism for sequentially using different contents only in a predetermined order can be realized.

Further, as a modification of the present embodiment, it is possible to realize a mechanism in which another ticket can be used for the first time by using two access tickets once. For this purpose, the center prepares the following ticket and usage restriction information.

The access ticket is as follows.

[0091]

## EQU7 ## t1 = D1 + F (du, L1, n1) t2 = D2 + F (du, L2, n2) t3 = D3 + F (du, L3, n3) The usage restriction information is as shown in FIG.

In the above equation and FIG. 19, Ir1,
Ir2 is a random number generated when a ticket is issued, and N is the number of activation information necessary to activate this ticket. Further, f is a flag indicating the usage history, and once used, this value is rewritten to 1.

A series of tickets from t1 to t3 and an access ticket including usage restriction information L1 to L3 are distributed to the user. However, at the time of distribution to the user, as shown in FIG. 20, L3 is replaced by a value obtained by setting α3 to 0.

When t1 and t2 are used first, their use histories are rewritten to 1, and activation information for t3 is activated.

[0095]

Α1 ′ = α1F ^{(du, L1, n1)} α2 ′ = α2 ^{F (du, L2, n2)} is calculated and held in L3. When N3 pieces of necessary activation information are available when using t3,

[0096]

Α3 = α1 ′ + α2 ′ = α1 ^{F (du, L1, n1)} + α
Since ^{2F (du, L2, n2)} can be calculated, t3 can be used.

In this way, it is possible to realize a mechanism in which t3 is valid only when both tickets are used without specifying the order of use of t1 and t2.

[0098]

As described above, by using the present invention, even in an offline environment, no special mechanism is added to the user environment and the provided content itself.
In addition, the encrypted content (or encryption key) is transmitted without communication with the center every time the content is used.
The use order can be controlled.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of a first exemplary embodiment of the present invention.

FIG. 2 is a flowchart illustrating a process according to the first embodiment.

FIG. 3 is a flowchart illustrating a process according to the first embodiment.

FIG. 4 is a diagram illustrating a structure (initial value) of a key holding unit according to the first embodiment.

FIG. 5 illustrates the structure of the key holding unit according to the first embodiment (second key K2);
FIG. 7 is a diagram illustrating a state in which the device can be used.

FIG. 6 is a diagram illustrating a process using an access ticket used in a second embodiment of the present invention.

FIG. 7 is a diagram showing a configuration of an access ticket.

FIG. 8 is a diagram illustrating use restriction information according to the second embodiment.

FIG. 9 is a diagram illustrating use restriction information (sent initially to a user) according to the second embodiment.

FIG. 10 is a block diagram illustrating a configuration of a user environment according to a second embodiment.

FIG. 11 is a flowchart illustrating the operation of the second embodiment.

FIG. 12 is a flowchart illustrating the operation of the second embodiment.

FIG. 13 is a diagram illustrating use restriction information (after use of the first ticket once) according to the second embodiment.

FIG. 14 is a diagram illustrating use restriction information according to a third embodiment of the present invention.

FIG. 15 is a diagram illustrating use restriction information (sent initially to a user) according to the third embodiment.

FIG. 16 is a flowchart illustrating an operation of the third embodiment.

FIG. 17 is a flowchart illustrating an operation of the third embodiment.

FIG. 18 is a diagram for explaining use restriction information (after using the first ticket once) according to the third embodiment.

FIG. 19 is a diagram illustrating use restriction information according to a modification of the third embodiment.

FIG. 20 is a diagram illustrating use restriction information (sent initially to a user) according to the above modification.

[Explanation of symbols]

 Reference Signs List 10 Usage environment (host) 11 Encrypted content holding unit 12 Key holding unit 20 Token 21 Key activation information calculation unit 22 Conventional encryption / decryption unit 22

──────────────────────────────────────────────────の Continued on the front page (51) Int.Cl. ⁶ Identification symbol FI // G06F 12/14 320 H04L 9/00 601E 641

Claims (15)

[Claims] 1. An authentication method for performing different authentications in a predetermined order, comprising the steps of: using a corresponding first-order proof information for a first-order authentication; An authentication method, comprising: generating post-order proof information for order authentication; and using the post-order proof information for the post-order authentication. 2. An authentication method for performing authentication corresponding to proof information using a sequence of proof information for certifying a specific right to a specific user, which is generated in order, wherein an order to be used is When using the previous certification information, the certification information activation information for activating the subsequent certification information is generated, and the subsequent certification information is activated based on the generated certification information activation information. An authentication method characterized in that the series of proof information can be used only in a predetermined order. 3. A specific operation is performed based on a plurality of certification information activation information generated from a plurality of certification information,
3. The authentication method according to claim 2, wherein activation information for activating other certification information is generated, and authentication is performed using the certification information activated by the generated activation information. 4. Activation information generated by using certification information is held, and when the same certification information is next used, activation information generated last time is further activated. By performing an operation and repeating this operation a predetermined number of times, proof information activation information capable of activating the following proof information is generated for the first time, and the proof information activated by the generated activation information is The authentication method according to claim 2, wherein the authentication is performed by using the authentication method. 5. A credential generation method for generating an ordered sequence of proof information for certifying a specific right for a specific user, the credential information being used first in the order of credential information, By generating proof information activation information for activating information and modifying and generating the following proof information based on the proof information activation information, by using the previous proof information, A certifying information generation method, wherein certifying information activation information for validating certifying information is obtained. 6. A method of generating proof information activation information for activating proof information from a plurality of proof information, and determining the activating information based on a result of performing a specific operation on the plurality of activating information. 6. The certifying device according to claim 5, wherein the certifying information activation information for validating the modified certifying information is obtained by modifying and generating another certifying information to use a plurality of certifying information. Information generation method. 7. When generating subsequent certifying information from certifying information having a first order to be used, a plurality of times of initial values of certifying information activation information of a key having a first order are used. Based on the credential activation information generated by performing the prescribed operation, the subsequent credential is modified and generated by modifying the subsequent credential, and the subsequent credential is used for the first time by using the preceding credential multiple times. 6. The certifying information generation method according to claim 5, wherein certifying information activation information for validating the certifying information is obtained. 8. An apparatus for authenticating that a user is a valid right holder by certifying information for certifying that a specific user has a specific right, and performs authentication by processing the certifying information. At the same time, at the same time, the activation of calculating the activation information of the succeeding certification information from the information that is the basis of the authentication information activation information for enabling the certification information to be used subsequent to the certification information is enabled. Information calculation means,
A user authentication device comprising a certifying information activating means for making subsequent certifying information usable by the activating information obtained thereby. 9. An encryption key order control method for controlling use of a series of ordered encryption key sequences, wherein when a key to be used is used first, a subsequent encryption key is activated. By generating the encryption key activation information and activating the subsequent keys based on the generated encryption key activation information, the encryption key sequence can be used only in a predetermined order. Characteristic encryption key use order control method. 10. The activation information for activating another encryption key by performing a specific operation based on a plurality of activation information generated from a plurality of keys. Encryption key use order control method. 11. Activation information generated by using an encryption key is held, and when the same encryption key is next used, activation information generated last time is further added to activation information generated last time. 10. The encryption key use order control method according to claim 9, wherein an operation is performed, and this operation is repeated a predetermined number of times, so that encryption key activation information for activating the subsequent encryption key is generated for the first time. 12. An encryption key generation method for generating a series of ordered encryption key sequences, wherein encryption key activation information for activating a subsequent encryption key from a key whose order is to be used is first. By generating and modifying the subsequent key based on the encryption key activation information, the first key can be used to obtain the encryption key activation information for validating the second key for the first time. An encryption key generation method characterized by doing so. 13. A method for generating encryption key activation information for activating an encryption key from a plurality of keys, and separately generating the encryption key activation information based on a result of performing a specific operation on the plurality of activation information. The encryption key generation method according to claim 12, wherein the encryption key activation information for validating the modified key is obtained by using a plurality of keys by modifying and generating the encryption key. . 14. When a subsequent encryption key is generated from a key whose order to be used is earlier, a plurality of determinations are made for an initial value of encryption key activation information of the key whose order is earlier. Based on the encryption key activation information generated by performing the calculated operation, the subsequent key is modified and generated, and the subsequent key is validated for the first time by using the previous key multiple times. 13. The encryption key generation method according to claim 12, wherein encryption key activation information for obtaining the encryption key is obtained. 15. A decryption device for decrypting and using encrypted digital information, wherein the decryption device uses the decryption key when decrypting the encrypted data using the decryption key. Activation information calculation means for calculating the activation information of the subsequent decryption key, taking as input the information which is the basis of the decryption key activation information for enabling the exponential decryption key, and the activation information obtained thereby. A decryption key activating means for enabling a subsequent decryption key to be used.