JPH1131130A - Service providing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide the utilization of service only to a user who has a legal right, minimizing the burden on the user and a service provider. SOLUTION: When a plug-in 38 of an internet browser 31 is started, a verification program 15 in the plug-in 38 is started, communicates with a program 32 for certification and performs user authentication. A certification data generation program A36 of the program 32 cooperates with a certification data generation program B37 in a token 33, calculates based on a user inherent information 16 and an access ticket 13 and communicates with the program 15 in the plug-in 38 based on the calculation. As the result of the communication, the success of authentication by the program 15 is limited to only when the three of the user inherent information, the access ticket and enciphered contents correctly correspond with one another.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a service providing apparatus and a service providing method capable of selectively providing a service only to a user having a legitimate right.

[0002]

2. Description of the Related Art With the development of networks in recent years, an era has come where various types of information are digitized and distributed through networks. The information to be digitized includes text information, still images, moving images, audio, programs, etc., and we can receive various services combining these on a network. However, the easiness of copying, which is a great feature of these digital information, has been a factor that hinders the distribution of digital information on networks. This is because copying digital information can produce exactly the same thing as the original, so that once distributed, it is used without permission by the author without permission, and it is difficult to collect the legitimate value that the author should get. Due to the problem.

In order to solve this problem, recently, when digital information is encrypted and freely distributed and used, such as CD-SHOWCASE (trademark or product name) of IBM Japan, Ltd. There is a system that pays the price, receives the decryption key via a telephone line, and uses digital information. In addition, 6-953
No. 02, "Software Management System" discloses an example of a system for charging and collecting a fee according to the amount of software used. Japanese Patent Publication No. Hei 7-21276 discloses an "information use amount measuring device" which can accurately measure the use amount of information distributed by broadcasting, such as information use time, of all users. Has been stated. According to this, the information usage amount measuring device receives and stores the encrypted book information, records the time and amount in which the user has decrypted and displayed the book information as a usage history, and thereby collects a fee. It is shown.

[0004] As a method for realizing the above-mentioned system, various encryption techniques and program execution control techniques are known as prior art.

The program execution control technique embeds a routine for authenticating a user's access qualification in an application program, and the routine requires that the user who is trying to execute the application has a proper authentication key. In this technique, the program is continued only when the presence of the authentication key is confirmed, and otherwise, the execution of the program is stopped. By using this technology, only an authorized user who has an authentication key can execute an application. This technology has been put to practical use in the software distribution business, and products such as Rainbow Technologies, Inc.
Sentinel SuperPro (TM)
Aladdin Knowledge Systems
Ltd. HASP (trademark) of the company.

Hereinafter, the program execution control technique will be described in more detail. A user who executes software has an authentication key as user-specific information. The authentication key is a key for encryption, and is distributed to a user by a person who permits use of the software, for example, a software vendor. The authentication key is tightly enclosed in a memory in hardware to prevent duplication, and is delivered to the user using physical means such as mail. Attach the hardware with the built-in user authentication key to the owner's personal computer or workstation by the specified method. The hardware is mounted on a printer port, for example. When the user launches the application program and execution of the program extends to the access entitlement authentication routine, the program communicates with hardware containing the user's authentication key. The program identifies the authentication key based on the communication result, and moves to the next step when the existence of the correct authentication key is confirmed. If the communication fails and the existence of the authentication key is not confirmed, the program stops itself and prevents further execution.

The identification of the authentication key by the access qualification authentication routine is performed by, for example, the following protocol. The access qualification routine generates an appropriate number and sends it to the hardware with the key. The hardware with the built-in key encrypts the number sent using the built-in authentication key, and returns the same to the access qualification authentication routine. The authentication routine is based on the expected number of replies,
That is, it is determined whether the number transmitted to the hardware is a number obtained by encrypting the number with the correct authentication key. If the returned number matches the expected number, execution of the program is continued; otherwise, the program is stopped.

In this case, the communication between the application program and the hardware with the built-in authentication key must be different each time it is executed, even if it is exchanged with the same hardware at the same place in the same application program. Must. Otherwise, by recording the communication contents in the normal execution process once and returning the recorded communication contents to the application program each time the program is executed thereafter, even a user who does not have a correct authentication key can execute the program. It will be possible. Such an attack is called a replay attack.

In order to prevent a replay attack, the number sent to the hardware with a built-in key usually uses a random number newly generated for each communication.

[Problems of the prior art] The problem of the prior art is that when an application program is created, a program creator assumes a user's authentication key in advance and protects the program based on the authentication key. Derived from the property that processing must be performed.

That is, the creator of the program prepares a correct reply from the hardware with a built-in key when preparing the program and prepares the program so that the program can be normally executed only when the correct reply is received. There must be.

There are basically two types of utilization of the prior art having the above-mentioned features, but in each case, there are the following problems.

In the first method, a user authentication key is prepared so as to be different for each user. That is, a different authentication key is prepared for each user, such as an authentication key for user A and an authentication key for user B. In this case, the authentication routine in the program must be created so as to be able to authenticate the unique authentication key of the user who uses the program, and the program creator needs to create a different program by the number of users.

When there are a large number of users, the task of customizing (individualizing) a program for each user requires an unbearable effort for the program creator, and the list of user authentication keys that must be managed is enormous. Become.

In the second method, the creator of the program prepares a different authentication key for each application. That is, a different authentication key is prepared for each application such as an authentication keyer for the application A and an authentication key B for the application B, and each application program is created so as to identify a unique authentication key.

In this method, it is not necessary to individually create a program for each user as in the first method.
Conversely, the user has to hold the authentication keys for the number of applications to be used.

As described above, it is necessary to distribute the authentication key to the user in a state where the authentication key is strictly enclosed in hardware. Therefore, while the program itself can be easily distributed via a network, the distribution of hardware containing an authentication key has to rely on physical means such as mail.
Every time a program creator grants permission to use an application, the program creator must mail the hardware containing the authentication key corresponding to the application. It places a heavy burden on the creator.

Further, the user must be satisfied with the trouble that the hardware must be replaced every time the application to be used is changed.

Even if the user wants to use an application, the user must wait until the hardware in which the authentication key is enclosed is mailed and arrives, and there is also a problem that the hardware cannot be used immediately.

In order to alleviate these problems, a plurality of authentication keys are enclosed in advance in the hardware so that the authentication key in the hardware can be used every time the user is permitted to use a new application. Can be used to inform the user of the password, but the same problem occurs when the authentication key enclosed in advance is used up, and is not an essential solution.

In addition to the above-described effective control method, a simple method of simply encrypting an application and instructing a user of a decryption key in a secure manner is generally widely used. Once the application has been decrypted, the user can copy the application as desired and distribute it fraudulently, and thus may be regarded as having little protection.

Therefore, when digitalized information, for example, software, music, movies, etc. (hereinafter collectively referred to as contents) is to be distributed over a network to obtain a legitimate price, a conventional technique is required. In such a case, there has been a problem that the management of the content becomes complicated, and the management of the hardware for authentication puts a heavy burden on the user.

[0023]

SUMMARY OF THE INVENTION The present invention has been made in view of such a problem, and minimizes the burden on a user and a service provider while giving users who have legitimate rights to use the service. It is an object of the present invention to provide a system that can provide only a service or a system that can collect a legitimate price according to use of a service.

[0024]

According to a first aspect of the present invention, in order to achieve the above object, authentication data is provided to a service providing apparatus which provides services only to users having valid rights. An execution result obtained by executing a predetermined calculation on the first storage unit for storing, the second storage unit for storing the unique information of the user, the unique information of the user, and the characteristic information of the access qualification. A third storage unit that stores the auxiliary information for certification, authentication data held in the first storage unit, unique information of the user stored in the second storage unit, And proof data generation means for performing predetermined calculation on the proof auxiliary information stored in the storage means and generating proof data.

According to the second aspect of the present invention, a first storage means for storing authentication data in a service providing apparatus for providing a service only to a user having a legitimate right; A second storage unit for storing certification auxiliary information, which is an execution result of executing a predetermined calculation with respect to the unique information of the user and the characteristic information of the access qualification authentication; The authentication data held in the first storage means, the user unique information stored in the second storage means, and the third data.
A proof data generating means for performing a predetermined calculation on the proof auxiliary information stored in the storage means to generate proof data; and a proof data generated by the proof data generating means is characterized by the access qualification authentication. Proof data verification means for verifying that the information is generated based on the information is provided.

According to these configurations, by introducing auxiliary data for certification (access ticket), the characteristic information for access qualification authentication given on the protect side and the user unique information given on the user side are independent. The user possesses user-specific information in advance, and a protector such as a program creator creates an application program using the access qualification authentication characteristic information independently of the user-specific information possessed by the user, and thereafter, By creating and distributing an access ticket in accordance with the personal information of the user and the characteristic information of the access ticket qualification authentication used for creating the application program, etc., it is possible to authenticate the user access qualification such as execution control. It is possible to provide desired services only to users who have legitimate rights Kill. If a log is taken at the time of generating proof data, a legitimate price for the service can be collected.

[0027] In the above configuration, at least the second storage means and the proof data generation means include:
The internal data and the processing procedure may be held in a protection means that makes it difficult to observe from the outside.

Further, in the above configuration, at least the proof data verification means may be held in a protection means which makes it difficult to observe the internal data and the processing procedure from outside.

The feature information of the access qualification authentication is a decryption key in an encryption function, and the authentication data is obtained by encrypting appropriate data using an encryption key corresponding to the decryption key. The proof data verification means may verify that the proof data generated by the proof data generation means is a correctly decrypted version of the authentication data. Further, the characteristic information of the access qualification authentication is an encryption key in an encryption function, and the authentication data is obtained by decrypting appropriate data using a decryption key corresponding to the encryption key. The verification means may verify that the proof data generated by the proof data generation means is a correctly encrypted version of the authentication data. Further, the characteristic information of the access qualification authentication is a signature key in a digital signature function, and the proof data generated by the proof data generation means is a digital key that is correctly generated using the signature key with respect to the authentication data. The signature may be verified.

Also, the characteristic information of the access qualification authentication is a first decryption key in an encryption function, and the authentication data is a second decryption key for decrypting the encrypted information in the first decryption key. Encrypted using an encryption key corresponding to the key, the proof data generated by the proof data generation means is the second decryption key, and the crypt data is encrypted using the second decryption key. The received information may be decoded to provide a service corresponding to the information.
Further, the encryption function may be an asymmetric key encryption function, and the characteristic information of the access qualification authentication may be one of the keys.

Further, the encryption function may be a public key encryption function, and the characteristic information of the access qualification may be a secret key.

Further, the encryption function may be a symmetric key encryption function, and the characteristic information of the access qualification may be a common secret key.

Also, a proof data generation device comprising the first storage means, the second storage means, the third storage means, and the proof data generation means, and the proof data verification means In addition to the above, the fourth storing the authentication data
A service providing apparatus having an access qualification authenticating apparatus for authenticating an access qualification of a user by communicating with each other, and a proof data verifying apparatus having a fifth storing means for storing proof data. The verification device writes the authentication data stored in the fourth storage device to the first storage device of the proof data generation device, and the proof data generation device writes the authentication data to the first storage device by the proof data generation device. The certification data generated based on the authentication data is extracted to a fifth storage unit in the certification data verification device, and the certification data verification device uses the certification data written in the fifth storage unit to generate a user data. You can also authenticate your access credentials.

Further, the characteristic information for authentication of access qualification is a decryption key of the encryption function, and the proof data verification device has a random number generation means, a sixth storage means for storing the generated random number,
Seventh storage means for storing the elementary data for authentication, wherein the random number generation means writes the generated random number to the sixth storage means, and stores the random number in the elementary data for authentication stored in the seventh storage means. After performing a random number effect using the proof data generation device, the proof data verification unit writes the random number effect based on the random number stored in the sixth storage unit by the proof data generation device. The result of the removal from the certification data written in the fifth storage means is that the elementary data for authentication stored in the seventh storage means is decrypted with the decryption key which is the characteristic information of the access qualification authentication. Verification may be performed.

Further, the characteristic information for access qualification authentication is an encryption key of an encryption function, the proof data verification device includes random number generation means, and the random number generation means stores the generated random number as authentication data in a fourth memory. The proof data verification means may be configured to verify that the proof data written in the fifth storage means by the proof data generation device is obtained by decrypting the random number.

Further, the characteristic information for access qualification authentication is a signature key of a digital signature function, the proof data verification device includes random number generation means, and the random number generation means uses the generated random number as authentication data as fourth storage means. The proof data verification unit writes the proof data written in the fifth storage unit by the proof data generation device with a digital signature using a signature key, which is characteristic information of access qualification authentication, for the authentication data, which is the random number. You may verify that there is.

[0037]

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail. [Embodiment 1] First, a principle configuration of the present invention will be described with reference to Embodiment 1. FIG. 1 shows the overall configuration of a first embodiment of the present invention. In FIG. 1, the service providing system includes a proof data verification device 10 and a proof data generation device 11, and the proof data generation device 11 An access ticket (assistance data for certification) 13 is received from the access ticket generation device 12. The proof data verification device 10 performs a verification routine 15
Execute The proof data generation device 11 holds the user unique information 16 and the access ticket 13, and executes the proof data generation program 17. At least a part of the user unique information 16 and the proof data generation program 17 are protected by the tamper-resistant device 20.

The access ticket generating device 12 generates an access ticket 13 based on the characteristic information 14 of the access qualification authentication and the user's unique information 16, and the access ticket 13 is sent to the user through a network or a storage medium to authenticate the user. The data is stored in the data generation device 11.

The proof data verification device 10 outputs the authentication data 1
8 is transmitted to the proof data generation device 11. The proof data generation device 11 generates proof data 19 using the access ticket 13 and the user unique information 16 and returns this to the proof data verification device 10. Proof data verification device 10
Verifies the validity of the proof data based on the authentication data. That is, it verifies that the proof data is data generated based on the verification data and the characteristic information of the access qualification authentication.

If the validity of the proof data is verified, it is authenticated that the user has the right and the desired service is provided by the service providing apparatus.

Hereinafter, the present invention will be specifically described with reference to FIG. 2 taking an actual service as an example.

In the first embodiment of the present invention, an Internet browser (Netscape Navigator-a trademark of Netscape Communications, Inc. of the United States) is used.
The proof data verification routine 15 and the decryption program 35
An example in which are integrated and incorporated as a plug-in (Plug-In) module will be described. Here, a plug-in module refers to a software program that extends the function of the Internet browser,
It can support users to use new data types. When the information of the data type that the Internet browser does not support is received from the server, the Internet browser searches for the plug-in associated with the data type, loads it, and starts it. This enables seamless support of new data types without changing the user's existing system.

The new data type in the present embodiment refers to the encrypted content 34. When the Internet browser receives the encrypted content 34 from the server, the new data type of the encrypted content 34 is To find and load and activate the plug-in 38 associated with that data type. The activated plug-in activates the verification routine 15 and sends authentication data to the certification program 32,
Verification is performed using the returned proof data. If the verification is successful by the verification routine 15, the decryption program 3
5, the encrypted content 34 is decrypted and provided to the user. The decrypted content includes information such as a hyperdocument, an image, a moving image, and music, and a downloaded program.

The proof data generation device includes a proof program 32 and a token 33. The authentication program 32 is a software program including the access ticket 13 and the authentication data generation program A36, and operates on the user's personal computer (PC). The token 33 preferably includes hardware (hereinafter referred to as tamper-resistant hardware) that includes the authentication data generation program B37 and the user-specific information 16 and that has a defense against theft of the internal state by the probe. This is because the user-specific information is equivalent to a password in password authentication, and is the only important information that proves the user's identities. If the user-specific information 16 can be read, copied, and distributed, This would allow anyone who does not have the right to illegally use the content.

The user is provided with proof data generation programs A and B for executing a predetermined calculation procedure in addition to the user-specific information. This program is for communicating with the verification routine 15 in the plug-in 38. When the user unique information 16 and the access ticket 13 are given, the program performs a calculation on the authentication data 42 and proves the user's identity. Proof data 45 to be generated. The user-specific information 16 is used in the process of this calculation. However, there is a problem that the user-specific information 16 leaks to the outside for the above-described reason. Can be stored. As the tamper-resistant hardware, an IC card or an IC chip protected by a resin mold or the like is simple and easy to apply. However, if the added value of the service to be provided is very high, high security as shown in “encryption device, decryption device, confidential data processing device, and information processing device” of Japanese Patent Application No. 08-284475 is used. May be used.

Several examples of the operation of the proof data verification routine 15 will be described below.

1. During the proof data verification routine 15,
Data to be transmitted (authentication data 42) and expected return data (expected value) are embedded. The proof data verification routine 15 extracts the transmission data, transmits it to the user, and receives a reply from the user. Next, the reply data from the user is compared with the expected value, and if they match, the content 34 is decrypted by the decryption program 35 to provide the content in a usable state to the user.

2. During the proof data verification routine 15,
Data to be sent and expected return data (expected value)
Is embedded. The proof data verification routine 15 extracts the transmission data, transmits it to the user, and receives a reply from the user. Next, the value obtained by applying the one-way function to the reply data from the user is compared with the expected value, and when the two match, the content 34 encrypted by the decryption program 35 is decrypted and used by the user. Provide content where possible.

In the above operations 1 and 2, if the return data is a result of encryption of the transmission data according to a predetermined encryption algorithm, the characteristic information of the access qualification authentication is an encryption key. If the return data is a digital signature according to a predetermined signature algorithm of the transmission data, the characteristic information of the access qualification is a signature key.

3. During the proof data verification routine 15,
Data to be sent is embedded. The proof data verification routine 15 extracts the transmission data, transmits it to the user, and receives a reply from the user. Next, the encrypted content 34 is decrypted by the decryption program 35 using the return data as a decryption key, and the content is provided to the user in a usable state.

4. During the proof data verification routine 15,
Data to be sent is embedded. The proof data verification routine 15 takes out the transmission data, gives it a random number effect, transmits it to the user, and receives a reply from the user. Next, using the result obtained by removing the random number effect from the reply data as a decryption key, the content 34 encrypted by the decryption program 35 is decrypted, and the content is provided to the user in a usable state.

5. The proof data verification routine 15 receives transmission data corresponding to the encrypted content.
In this case, the transmission data may be embedded in the encrypted content. Proof data verification routine 15
Transmits the received transmission data to the user and receives a reply from the user. Next, the encrypted content 34 is decrypted by the decryption program 35 using the return data as a decryption key, and the content is provided to the user in a usable state.

6. The proof data verification routine 15 receives transmission data corresponding to the encrypted content.
In this case, the transmission data may be embedded in the encrypted content. Proof data verification routine 15
Sends a random number effect to the received transmission data, transmits it to the user, and receives a reply from the user. Then
Using the result obtained by removing the random number effect from the return data as a decryption key, the decryption unit decrypts the encrypted content by the decryption program 35 and provides the content to the user in a usable state.

In the above operations 3 to 6, only when the correct decryption key is obtained from the return data, the encrypted content 34 is correctly decrypted, and the user can use the content. In this case, the characteristic information of the access qualification authentication serves as a decryption key for decrypting the encrypted decryption key.

In the execution control technique described in the conventional example, the user-specific information (user authentication key) is the same as the characteristic information of the access qualification authentication. The conventional proof data generation routine inputs the characteristic information of access qualification authentication and the data transmitted from the proof data verification routine, and calculates return data.

On the other hand, a feature of the present invention is that the user unique information 16 and the access qualification authentication feature information 14 are independent of each other. Also in this configuration, the proof data generation programs A and B receive the access ticket 13 as input and return data (proof data) in addition to the user-specific information 16 and the data 42 transmitted from the proof data verification routine 15.
Calculate 45. This configuration has the following properties.

1. The access ticket 13 is data calculated based on the specific user specific information 16 and the characteristic information 14 of access qualification authentication. 2. Access ticket 1 without knowing user specific information 16
From 3, it is at least computationally impossible to calculate the access qualification authentication feature information 14. 3. The proof data generation programs A and B determine that the user unique information 16 and the access ticket 13 are a correct combination, that is, the user unique information 16 and the access ticket 1
Only when a correct combination with 3 is input, correct reply data is calculated.

As described above, the user possesses the user unique information 16 in advance, the content creator encrypts the content independently of the user unique information 16 possessed by the user, and authenticates the access ticket 13 with the user unique information 16 and the access qualification. Therefore, only the user having the right can enjoy the use of the encrypted content independently of the user unique information 16 by creating the content in accordance with the characteristic information.

Further, the user unique information 16 is composed of two pieces of unique information, and the unique information used when creating the access ticket 13 and the unique information used by the user in the communication program can be used separately. The most typical example is a method in which the user unique information 16 is used as a public key pair, the public key is used as public unique information for creating an access ticket, and the private key is enclosed in the token 33 as personal unique private information of the user. is there. In this case, the access ticket 13 can be calculated from the characteristic information 14 of the access qualification authentication and the public key of the public key pair, so that the access ticket 13 is calculated while keeping the user unique information 16 as a secret key secret. It is possible to do.

Next, a more specific configuration will be described with reference to an embodiment. 2, the Internet browser 31, the plug-in 38, and the certification program 32 can be realized as software programs on the computer 30 (PC or workstation) used by the user. The token 33 may be similarly implemented as a software program, but has a tamper-resistant property connected to the computer 30 in order to increase the security of the unique information (user unique information) for identifying the user. It is desirable to use a token 33 (IC card, PC card, board, etc.) together. At this time, if portable hardware such as an IC card is used, a
This is convenient when working on C or a workstation.

[0061] The encrypted contents 34 used by the Internet browser 31 are stored in a network or CD-R.
The data is supplied to the user using a storage medium such as an OM, a DVD, and a floppy disk.

When the user requests the use of the encrypted content from the Internet browser, the Internet browser looks at the data type of the encrypted content, searches for and loads the plug-in associated with the data type, to start.

When the plug-in starts, the verification program in the plug-in starts, communicates with the certifying program 32 to authenticate the user, and decrypts the content only when the communication is properly completed. .

In order for the user to use the encrypted content 34, it is necessary to obtain an access ticket (certification auxiliary information) issued to the user himself. The user registers the acquired access ticket in the certification program 32 installed on the PC or the workstation, and, for example, when the user-specific information is enclosed in the IC card, the IC card is transferred to the PC or the workstation. Attach to the station.

The proof data generation program A performs a calculation based on the user unique information 16 and the access ticket 13 in cooperation with the proof data generation program B, and communicates with the verification program 15 in the plug-in based on the calculation. I do.

As a result of the communication, the authentication by the verification program 15 succeeds only when the three pieces of user-specific information, the access ticket, and the encrypted content correctly correspond to each other. If either the user-specific information or the access ticket is missing, the authentication will not succeed.

An access ticket is issued to a specific user. That is, when generating an access ticket, user specific information of a specific user is used. If the user unique information used at the time of generating the access ticket does not match the user unique information used by the proof data generation program, the authentication does not succeed.

An access ticket is generated based on characteristic information of a specific access qualification, and the verification program 15 is configured to authenticate the characteristic information of the access qualification. Therefore, even if the characteristic information from which the access ticket is generated and the characteristic information to be authenticated by the verification program 15 do not correspond to each other, the authentication does not succeed.

Since the access ticket itself has sufficient security, it can be delivered via a network. The security of the access ticket has the following two properties.

1. The access ticket is a registered name, and only the user who issued the access ticket (more precisely, the holder of the user unique information used at the time of generating the access ticket) correctly operates the proof data generation device using the access ticket. Can be done. Therefore, even if a malicious third party eavesdrops on the network and illegally obtains another user's access ticket, this third party obtains legitimate user-specific information to which the access ticket is issued. Unless otherwise, this access ticket cannot be used.

2. The access ticket keeps stricter security. That is, even if a malicious third party collects an arbitrary number of access tickets and conducts any analysis, the malicious third party forges another access ticket based on the obtained information or operates the proof data generation device. It is impossible to configure a device that imitates authentication by imitating.

In the first embodiment, the access ticket t is data generated based on the following equation 1.

[0073]

## EQU00001 ## (1) t = D-e + .omega..phi. (N) The symbols in the above formula are all integers and represent the following. n is R
SA (Rivest-Shamir-Adelman)
Modulus, that is, the product of two sufficiently large prime numbers p and q (n
= Pq). φ (n) is the Euler number of n, that is, the product of p−1 and q−1 (φ (n) = (p−1) (q−
1)). e represents user-specific information, which is different for each user and used to identify the user. D represents an access ticket secret key, that is, feature information of access qualification authentication, is an RSA secret key under a modulus n, and satisfies Equation 2.

[0074]

(2) gcd (D, φ (n)) = 1 Here, gcd (x, y) represents the greatest common divisor of binary numbers x and y. The property expressed by equation (2) guarantees that a number E that satisfies equation 3 exists.

[0075]

(3) ED mod φ (n) = 1 E is called an access ticket public key.

Ω is a number determined depending on n and e. When either n or e is different, ω is determined so that the values do not easily match (do not collide). As an example of a method of determining ω, there is a method of determining ω as in Expression 4 using a one-way hash function h.

[0077]

(4) ω = h (n | e) where the symbol | represents a combination of bit strings.

The one-way hash function is defined as h (x) = h
It is a function having the property that it is extremely difficult to calculate different x and y that satisfy (y). As an example of a one-way hash function, RSA Data Securi
ty Inc. MD2, MD4, MD5, and the United States Federal Government standard SHS (Secure Has
h Standard) is known.

In the numbers that appear in the above description, t, E
And n are public and the remaining D, e, ω, p, q
And φ (n) must be secret to anyone other than those who have the right to create tickets.

FIG. 3 is a schematic diagram of a computer (PC or workstation) used by a user. In FIG. 3, a card reader 39 is provided in the computer 30 used by the user.
Is connected, and the user inserts the token 33 into the card reader 39 for use. Internet Browser 3
1. The plug-in and the certification program are implemented as software programs on the computer 30. Also,
The access ticket is also stored in the storage area of the computer 30. The content to be used is an image of a picture of a yacht. When a user having a valid token and a valid access ticket reads the encrypted content into the Internet browser 31, as shown in FIG. Internet browser 31 by plugin
Above, an image of a picture of a yacht is displayed.

Embodiment 1 will be further described in detail with reference to FIG. FIG. 4 specifically shows a configuration example of the first embodiment of the present invention. In comparison with FIG. 2, those corresponding to the verification routine 15 include an access ticket public key storage unit 51, an authentication data storage unit 52, a random number generation unit 53, a random number storage unit 54, a transmission data (challenge) calculation unit 55, and data separation. The decryption program 35 includes a unit 56, a proof data receiving unit 57, a random number effect removing unit 58, and a verification unit 59. The decryption program 35 corresponds to the decryption / display unit 61. In this example, the verification routine and the decryption program are configured separately, but the decryption program may be combined with the verification routine as needed. The certifying program 32 includes an authentication data receiving unit 71, an access ticket storage unit 72, a first
It comprises an operation unit 73 and a proof data generation unit 76,
The token 33 includes a user-specific information storage unit 74 and a second operation unit 75.

Next, the operation will be described. All variables in the following description are integers.

[Step 1]: When the user requests the use of the encrypted content from the Internet browser, the Internet browser looks at the data type of the encrypted content and checks the plug-in associated with the data type. Find, load and launch. When the corresponding plug-in starts, the verification routine 15 in the plug-in starts. The content in this case refers to a content that a user uses through an Internet browser, such as display information (image, video, hyperdocument, etc.) on a homepage, or Java.
It is a program like an applet.

[0084] [Step 2]: validation routine 15 of the plug-ins, the access ticket public key from the encrypted content in the data separator (E, n) and retrieves the authentication data K ^E, the access ticket respective public key storage unit 51 and the authentication data storage unit 52. here,
The access ticket public key and the authentication data have been described as being distributed along with the encrypted content. As described above, the access ticket public key and the authentication data may be attached to the encrypted content or may be obtained through a network. However, in consideration of security, the access ticket public key and the authentication data are attached to the encrypted content. Preferably, the authentication data is embedded so that the user cannot see it. For example, the authentication data may be encrypted and embedded in the content, taken out, and then decrypted with a decryption key provided to the plug-in.

[Step 3]: Next, the verification routine 15
Generates a random number r in the random number generation unit 53, stores the random number r in the random number storage unit 54, and transmits the transmission data (challenge) using the access ticket public key (E, n), the authentication data K ^E and the random number r.
C is calculated according to equation 5.

[0086]

Equation 5] ^{(5) C = r E K} E mod n challenge C and the access ticket public key method number (RSA method number) n is transmitted to the certification data generation side. Since the value of C includes a random number r, the value of C becomes different every time communication is performed, and has an effect of preventing a replay attack.

[Step 4]: In the certification program,
Challenge C and RSA modulus n sent from the verification routine
Are received by the authentication data receiving unit, and proof data (response) R is generated as follows. First, the first arithmetic unit reads the RSA modulus n from the access ticket storage unit 72.
To obtain the corresponding access ticket t using
Equation 6 is executed under the SA modulus n to obtain intermediate information R ′.

[0088]

(6) R ′ = C ^t mod n [Step 5]: The second arithmetic unit 75 acquires the user unique information e stored in the user unique information storage unit 74,
Equation 7 is executed to obtain difference information S.

[0089]

(7) S = C ^e mod n [Step 6]: Then, the proof data generation unit 76
Then, the intermediate information R ′ and the difference information S are obtained from the second operation units 73 and 75, and the calculation of Expression 8 is performed to obtain the proof data R.

[0090]

(8) R = R'S mod n The proof data R is transmitted to the verification routine.

[Step 7]: The random number effect removing unit 58 of the verification routine 15 obtains the proof data R received by the proof data receiving unit 57, and obtains Equation 9 by using the random number r stored in the random number storage unit 54. Is calculated to obtain K ′.

[0092]

(9) K ′ = Rr ⁻¹ mod n [Step 8]: In the verifying unit 59, the K ′ calculated by the random number effect removing unit 58 is generated based on D which is characteristic information of access qualification authentication. Verify that it is. If K ′ is correctly generated based on D which is the feature information of the access qualification authentication, K ′ = K should hold. Whether or not this formula holds can be determined by decrypting the data that has been encrypted using this K ′ and determining whether or not the data can be decrypted correctly, by adding redundancy to K, and specifying a specific value in that part. There is a method of determining whether K ′ has the specific value or not. For the latter method, a method such as the international standard ISO 9796 can be used. Here, description will be continued on the assumption that verification is performed using the latter method.

[Step 9]: If the verification by the verification unit 59 is determined to be correct, the verification routine executes the decryption / display unit 61.
To pass the decryption key K 'to

[Step 10]: The decryption / display unit 61
Upon receiving the decryption key K ′ from the verification unit 59, the data separation unit 5
The encrypted content separated in step 6 is decrypted and displayed. It is also possible to pass the decrypted content to the Internet browser and display it on the Internet browser.However, since the decrypted information may be copied by the Internet browser, the Internet browser is It is desirable that the plug-in directly displays in the specified area.

In this way, a user who has a legitimate right can use the encrypted content using the Internet browser. At this time, the decrypted content only temporarily exists in the memory and disappears when the user finishes using it, thereby preventing the decrypted content from being illegally used.

In this embodiment, the encrypted content is composed of the access ticket public key (E, n) and the authentication data K.
^E was described as being distributed along with it. FIG. 5 shows a configuration example of the encrypted content. As shown in FIG. 5, the encrypted content includes an access ticket public key (E, n), authentication data K ^E, and an encrypted content body. The data separation unit of the verification routine reads these and separates them into each part.

The content itself is encrypted with the key K, and when verification is correctly completed using the authentication data K ^E ,
The key K can be restored through the random number effect removing unit, and the content itself can be decrypted using the key K.

In order to further enhance the security, it is desirable that the authentication data K ^E is embedded so that it cannot be easily separated by the user. One way to achieve this is shown in FIG. In FIG. 6, similarly to FIG. 5, the encrypted content is composed of the access ticket public key (E, n) and the authentication data K.
^E and the encrypted content itself,
Not only the content itself, but also the authentication data ^KE is further encrypted. 6, the authentication data K ^E is shown as being encrypted by the key K _p.

[0099] Data separation unit of the validation routine (example using a common key encryption) decryption key holds K _p corresponding to the encryption Kagikagi K _P, from the whole inputted content, the access ticket public key ( E, n), the encrypted authentication data K ^E, and the encrypted content body,
The encrypted authentication data is decrypted using the held decryption key K _P to extract the authentication data K ^E. Thereafter, verification is performed using the authentication data K ^E , and when verification is correctly completed, the key K can be restored through the random number effect removing unit, and the content itself can be decrypted using the key K. .

[0100] Here, though to encrypt the content itself or authentication data, for an example of using the common key cryptosystem, the key K and the key K _P uses the same key as the encryption and decryption Example However, it is also possible to use a public key cryptosystem such as RSA for this part.

FIG. 7 shows an example of the simplest structure of the content. In this example, the content is composed of only the content main body, and the content main body is not subjected to processing such as encryption. However, the situation is that only specific plug-ins can provide services using this content. In the verification routine in the plug-in, the same processing as described above is performed, and the plug-in provides a service using the content only when the verification unit determines that the content is valid.

In the following, an example of the configuration of the processing in the verification unit of the verification routine described in the first embodiment will be described with reference to FIGS.
Some examples will be described using. 8 to 11 mainly show the configuration of the verification unit 59 in the verification routine. Here, in order to clarify the difference between the respective configuration examples, the verification unit 59
Is shown as a configuration in which the comparison unit 591 and the expected value storage unit 592 are included, but the present invention is not limited to this.
And the like may be configured outside the verification unit 59.

(1) FIG. 8 shows one example of the configuration of the verification section 59. In this configuration example, the verification unit 59 includes the expected value storage unit 59
2 and a comparison unit 591, and the expected value storage unit 592 stores an expected value A expected as proof data. The proof data received from the proof program, or the proof data obtained by removing the random number effect from the received proof data when a random number effect is given when the authentication data is generated, is input to the verification unit 59. The comparison unit 591 compares the input proof data A ′ with the expected value A stored in the expected value storage unit 592. As a result of the comparison, when it is determined that the data is valid, the validity is passed to the display unit (decoding / display unit 61), and the display unit displays the data.

In this configuration, it is difficult but not impossible for the expected value A stored in the expected value storage unit 592 to be stolen by program analysis or the like. If the expected value A is stolen, if the random number at the time of applying the random number effect can be predicted, it is possible to configure a device that imitates the operation of the proof program, and unauthorized access by impersonation becomes possible. To prevent this,
One-way function h () with the property that it is difficult to convert in the reverse direction
Is used as the expected value stored in the expected value storage unit 592, the data h obtained by applying the one-way function h () to A
(A) is stored, and the proof data A ′ input to the verification unit 591 is compared with the data h (A ′) obtained by applying the one-way function h (). I just need.
With this configuration, the expected value storage unit 592 should be used.
Even if the expected value h (A) stored in
Since it is extremely difficult to calculate A from h (A), the above-described spoofing can be prevented.

(2) FIG. 9 shows a second example of the configuration of the verification section 59. In this configuration example, the verification unit 59 includes the expected value storage unit 59
2, a comparison unit 591 and a decryption key storage unit 593, and the expected value storage unit 592 stores an expected value A expected as proof data. The proof data received from the proof program, or the proof data obtained by removing the random number effect from the received proof data when a random number effect is given when the authentication data is generated, is input to the verification unit 59.
The input proof data A ′ and the expected value storage unit 592
Is compared with the expected value A stored in the storage unit. As a result of the comparison, when it is determined to be valid, the decryption key K is passed from the decryption key storage unit 593 to the decryption / display unit 61 and the decryption / display unit 6
1 decrypts the encrypted data using the decryption key K and displays the data.

As in the configuration example 1, it is also possible to use the one-way function h ().

(3) FIG. 10 shows a third example of the configuration of the verification unit 59. In this configuration example, the verification unit 59 is similar to the configuration example 1.
Has an expected value storage unit 592 and a comparison unit 591. The expected value storage unit 592 stores the decryption key K as an expected value. As in the first configuration example, the comparing unit 591 compares the input proof data K ′ with the expected value K stored in the expected value storage unit 592. As a result of the comparison, when it is determined to be valid, the decryption key K 'is passed to the decryption / display unit 61, and the decryption / display unit 61 decrypts the encrypted data using the decryption key K and displays the data.

(4) FIG. 11 shows a fourth example of the configuration of the verification section 59. In this configuration example, the verification unit 59 includes the redundancy check unit 5
94. The proof data received from the proof program, or the proof data obtained by removing the random number effect from the received proof data when a random number effect is given when the authentication data is generated, is input to the verification unit 59. The input proof data K ′ is checked by the redundancy checker 594. In this method, as described above, K has redundancy in advance, and it is checked whether K 'has the redundancy. For example, the international standard ISO 9796
Such a method can be used. Redundancy check unit 594
, The redundancy check unit 594 passes the decryption key K ′ to the decryption / display unit 61, and the decryption / display unit 61
Decrypts the encrypted data using the decryption key K and displays the data.

Embodiment 2 Next, Embodiment 2 of the present invention will be described. In the first embodiment of the present invention, the proof data verification device 10 verifies that the proof data generated by the proof data generation device 11 is the data generated based on the verification data and the characteristic information of the access qualification authentication. Only when the validity of the proof data is verified by the routine 15, the proof data verification routine 15 and the decryption program 35 are integrated into the Internet browser of the service providing apparatus provided with the service, and plug-in is performed. -The example of assembling as a module was described. In the first embodiment, the result of removing the random number effect from the proof data received by the verification routine 15 is used as a decryption key for decryption by the decryption / display unit, and it is determined whether the decryption key is valid. Thus, only when the data is legitimate, the service is provided by decrypting the encrypted data using the decryption key.

However, in the case of using the result of removing the random number effect from the proof data as the decryption key as in the first embodiment, it is not always necessary to determine the validity of the decryption key. By decrypting the encrypted data using the result of removing the random number effect from the proof data as it is as the decryption key, if the decryption key is valid, the decryption can be successfully completed and the service can be provided. In other words, if the key is not a valid decryption key, the decryption is not successful, and the only result is that the service cannot be provided.

In the second embodiment, an example without such a verification unit will be described. Hereinafter, in the second embodiment, the term “verification routine” is used, but this verification routine does not include a verification unit. That is, there is no part that determines whether the verification is successful. The access ticket public key (E, n) and the authentication data ^KE are extracted from the encrypted content, authentication data is generated using the access key public key, the authentication data is transmitted to the certification program, and a random number is obtained from the certification data returned from the certification program. The processing of passing the result of removing the effect to the decryption / display unit as a decryption key is performed.

FIG. 12 shows a configuration example of the second embodiment. FIG. 12 shows a configuration in which the verification unit 59 is eliminated from FIG. 4, and the other configuration is the same as that in FIG.

The operation is almost the same as that described in the first embodiment. [Step 1] to [Step 7]
Performs the same processing. Hereinafter, [Step 8] and subsequent steps will be described.

[Step 8]: The processing of the verification routine ends in step 7, and the verification routine passes K ′ calculated by the random number effect removing section 58 to the decryption / display section 61 as a decryption key.

[Step 9]: The decryption / display unit 61 receives the decryption key K ′ from the random number effect removal unit 58 of the verification routine, decrypts the encrypted content separated by the data separation unit 56, and displays it. Only when a user having a valid token generates proof data using a valid access ticket in the proof program, the decryption key K ′ becomes a correct decryption key, and the encrypted content is correctly decrypted and displayed. . When the token or the access ticket is not valid, the decryption key K ′ cannot be a correct decryption key, and the encrypted content is not correctly decrypted, so that a correct display is not performed.

Third Embodiment Next, a third embodiment of the present invention will be described. FIG. 13 shows the configuration of the third embodiment of the present invention. The third embodiment is an example in which a protocol different from the above is used on the proof data verification side.
This is similar to the configuration in which the components of the verification unit shown in (b) are put out of the verification unit. Those corresponding to FIG. 4 are indicated by the same numbers. In FIG. 13, reference numeral 81 denotes a decryption key storage unit, and the verification routine holds a decryption key K for decrypting the content in advance.

The structure of the encrypted content is composed of the encrypted content body and the access ticket public key, and does not need to include the authentication data.

Next, the operation will be described. All variables in the following description are integers.

[Step 1]: When the user requests the use of the encrypted content from the Internet browser, the Internet browser looks at the data type of the encrypted content and checks the plug-in associated with the data type. Find, load and launch. When the corresponding plug-in starts, the verification routine 15 in the plug-in starts. The content in this case refers to a content that a user uses through an Internet browser, such as display information (image, video, hyperdocument, etc.) on a homepage, or Java.
It is a program like an applet.

[Step 2]: The plug-in verification routine 15 extracts the access ticket public key (E, n) from the content encrypted by the data separation unit,
It is stored in the access ticket public key storage unit 51.

[Step 3]: Next, the verification routine 15
Is generated by a random number generation unit 53 and stored in a random number storage unit 54, and the random number r is used as transmission data (challenge) C.
The challenge C and the access ticket public key modulus (RSA modulus) n are transmitted to the proof data generation side. in this case,
The proof data returned by the proof program should be obtained by encrypting the challenge C using the RSA encryption under the modulus n.

[Step 4]: In the certification program,
Challenge C and RSA modulus n sent from the verification routine
Are received by the authentication data receiving unit, and proof data (response) R is generated as follows. First, the first arithmetic unit reads the RSA modulus n from the access ticket storage unit 72.
To obtain the corresponding access ticket t using
Equation 6 is executed under the SA modulus n to obtain intermediate information R ′.

[Step 5]: The second computing section 75 acquires the user unique information e stored in the user unique information storage section 74 and executes equation 7 to obtain difference information S.

[Step 6]: The proof data generation unit 76 obtains the intermediate information R ′ and the difference information S from the first and second operation units 75, and calculates the equation 8 to obtain the proof data R
Get. The proof data R is transmitted to the verification side.

[Step 7]: The verification unit 59 of the verification routine 15 obtains the received proof data R, calculates the expression 10, and compares the random number r stored in the random number storage unit 54 with the calculation result r ′. Verification is performed by comparison.

[0126]

Verification Equation 10] ^{(10) r '= R E} mod n random number r and the calculation result r' and when the same is considered to be successful, the verification routine 15 passes the decryption key K to the decoding / display unit.

[Step 8]: The decryption / display unit 61 receives the decryption key K from the verification unit 59, decrypts the encrypted content separated by the data separation unit 56, and displays it.
It is also possible to pass the decrypted content to the Internet browser and display it on the Internet browser.However, since the decrypted information may be copied by the Internet browser, the Internet browser is It is desirable that the plug-in directly displays in the specified area.

As described above, the verification routine verifies only that the user has a valid right, and if the verification is successful, decrypts the encrypted content with the decryption key registered in advance. Good.

In the first to third embodiments, an example is shown in which the verification routine is configured by a software program. In this case, the decryption key K of the content must be kept secret. This is because if K is leaked, anyone can decrypt the encrypted content, thus permitting unauthorized use of the content. Therefore, the verification routine needs to protect the internal data in some way. As such a method, there is a method of obfuscating a program into machine language so that internal data and a program procedure are difficult to analyze. These techniques are described in Takanori Murakami et al. “On Obfuscation of Program Code”, IEICE Technical Report (I
EICE Technical Report), Information Security, ISEC95-25 (1995). In addition to the software method, a method in which the verification routine and the decryption program are configured by one piece of hardware may be used. In that case, it can be constituted by dedicated hardware, a PC card, an IC card, and the like. Further, all of the verification routine, the proof data generation unit, and the decryption / display unit can be configured by one piece of hardware.

Fourth Embodiment Next, a fourth embodiment of the present invention will be described. In the present embodiment, a configuration example using usage control information will be described. The usage control information is control information for controlling generation of proof data, and is control information describing conditions for providing a service, and is distributed together with an access ticket. The control information can describe, for example, a time limit for providing a service, a charge amount, the number of times, a time, and the like. When generating proof data, these conditions are checked. Provision of the service can be stopped without performing the generation. In addition, the control information describes user attributes such as job title, gender, age, and the like, and controls generation of proof data by comparing with user attributes held in the token. It is also possible.

In the following, a brief description will be given of a case where a use period is used as control information and a description of a case where a charge amount is used.

In this embodiment, the access ticket t is data generated based on the following equation (11).

[0133]

(11) t = DF (n, e, L) The three-variable function F (x, y, z) is a three-variable function whose function values are unlikely to collide with each other. Function h
And can be determined as in Expression 13.

[0134]

(12) F (x, y, z) = h (x | y | z) All symbols in the above formula are integers, and as in the first embodiment,
n represents RSA modulus, D represents an access ticket secret key, and e represents user-specific information. L is usage control information, and the function F
() Is a one-way function.

This embodiment will be described in further detail with reference to FIG. FIG. 14 specifically shows a configuration example of the fourth embodiment of the present invention. The left half of FIG. 14, that is, the plug-in and verification routine side is the same as FIG. 4 of the first embodiment.

The certification program 32 includes an authentication data receiving unit 71, an access ticket storage unit 72, and a first arithmetic unit 7.
3 and a proof data generation unit 76, and the token 33 includes a user unique information storage unit 74, a second calculation unit 75, and a use control information determination unit 77.

The access ticket storage unit 72 stores the usage control information L in addition to the RSA modulus n and the access ticket t.
Are stored as a set. Usage control information determination unit 77
Determines the condition of the usage control information L passed from the access ticket storage unit 72, and passes the usage control information L to the second calculation unit 75 only when it is determined that the result is correct. Second
Only when the usage control information L is passed from the usage control information determination unit 77, the calculation unit 75 calculates the difference information S based on Expression 13 and sends the difference information S to the proof data generation unit 76.

[0138]

(13) S = C ^{F (n, e, L)} mod n Hereinafter, a description will be given of a case in which a usage period is used as usage control information. When the usage control information has a usage term, the value of the usage control information L is, for example, 1997123.
A value like 12400. In this case, this value indicates that the usage period is until 24:00 on December 31, 1997. Instead of such numbers, they may be represented by relative seconds from a certain date and time.

The use control information determining unit 77 in the token
It has a clock and compares the usage control information L passed from the access ticket storage unit 72 with the current time. If the result of the comparison indicates that the value of the usage control information L is later than the current time, the usage control information L is determined to be correct, and the usage control information L is passed to the second arithmetic unit 75. Only when the use control information L is passed from the use control information determination unit 77,
The difference information S is calculated based on
Send to

Thereafter, as in the first embodiment, the proof data generation unit 76 calculates the proof data R using Expression 8, and the random number effect removal unit 58 of the verification routine 15 receives the proof data R received by the proof data reception unit 57. The data R is acquired and the random number storage unit 54
Is calculated by using the random number r stored in the equation (9) to obtain K ′.

Only when the calculation is performed using the correct access ticket t, the correct user unique information e, and the correct use control information L, K ′ = K holds, and it is determined that K ′ = K is correct by the verification unit of the verification routine 15. Is determined,
Service is provided. Someone tries to use an access ticket whose usage period of the usage control information L has expired.
Even if the usage control information L stored in the access ticket storage 72 is falsified, the access ticket t cannot be falsified.
Cannot be a correct value, and the service cannot be provided improperly.

When the usage control information L is a service usage amount, the value of the usage control information L is, for example, 10
The number 100 is given in the meaning of 0 yen.

The token has, for example, a prepaid balance storage unit for storing prepaid balance information, and the usage control information judging unit 77 in the token compares the usage control information L with the prepaid balance to determine whether the prepaid balance is higher. Is larger, the value corresponding to the usage control information L is reduced from the prepaid balance, and the usage control information L is passed to the second arithmetic unit 75. The following processing is the same.

Also, instead of the prepaid balance storage unit,
The usage control information determination unit 77 in the token records the value of the usage control information L in the usage history storage unit together with information such as time, and stores the usage control information L in the second arithmetic unit 75. May be passed to. In this case, the usage history stored in the usage history storage unit is sometimes collected,
Processing such as paying a corresponding amount is performed.

As described above, even in the example other than the example shown here, by using the use control information L by checking the use control information L by the use control information determining unit 77, the use control information L is passed to the second arithmetic unit 75. Various usage controls can be performed.

[Embodiment 5] Next, Embodiment 5 of the present invention will be described. The fifth embodiment is an example in which a service is provided by distributing encapsulated content using satellite broadcasting. Here, the encapsulation indicates that the content cannot be used as it is by performing encryption or the like. FIG. 15 is a schematic diagram of a service providing system using satellite broadcasting. The encapsulated content is distributed to each user using satellite broadcasting. The user receives a satellite radio wave with a satellite antenna and inputs the signal to the receiver 100. In the receiver, the service providing apparatus of the present invention is mounted, and the content can be used when the verification is successful.

[0147] The contents provided here may be of various types such as movies, music, television programs, software, photographs, documents, and news. Each content is used by the television / video 200, the audio device 300, the computer (PC) 400, and the like connected to the receiver 100. Here, an example in which the receiver 100 and the service using device are divided will be described.
The same can be said for a service using device in which 0 is built-in.

FIG. 1 shows the structure of the encapsulated content.
6 is shown. The encapsulated content is classified into a content header and encrypted data. The content header has a label for identifying the content, a public key (E, n), and an encrypted decryption key.
The encrypted data corresponds to the content body encrypted in the above embodiment.

FIG. 17 is a specific example of the configuration of the receiver 100 in FIG. Each circuit of the receiver 100 is controlled by a microcomputer. The satellite signal from the satellite antenna is first received by the receiver 100
Is input to the tuner 101. The tuner 101 extracts data of a channel selected by the user using a panel of the receiver 100 or a remote controller. The error correction circuit / descrambling circuit 102 restores the extracted data as content and inputs the data to the data control circuit 103. The data control circuit 103 identifies whether or not the content is encapsulated by a content label, and if the content is not encapsulated, passes the content as it is to the output side. If the content is encapsulated, the content is verified / decrypted by the circuit 104.
To enter. In the verification / decoding circuit 104, the validity can be verified by the verification routine shown in the previous embodiments. In the fifth embodiment, another method will be described. Details of this method will be described with reference to FIG. Note that the decoded data is sent to the video decoder 106 or the audio decoder 107 via the demultiplexing circuit 105 and supplied to a device to be used as a corresponding signal.

FIG. 18 shows a verification procedure (protocol) of the fifth embodiment. Portions having functions similar to those of the first embodiment are denoted by the same reference numerals.

The access ticket t in the fifth embodiment is data generated based on Expression 14.

[0152]

(14) t = DF (n, e) All symbols in the above formula are integers, and represent the following. (Refer to the equation of the first embodiment) n is an RSA modulus, that is, a product of two sufficiently large prime numbers p and q (n = pq). φ (n) is the Euler number of n, that is, the product of p−1 and q−1 (φ (n) = (p−1)
(Q-1)). e represents user-specific information, which is different for each user and used to identify the user. D represents an access ticket secret key, is an RSA secret key under a modulus n, and satisfies Equation 2. Where gcd (x, y)
Represents the greatest common divisor of binary numbers x and y.

The property expressed by equation (2) is expressed by equation 3
That there is a number E that satisfies E is called an access ticket public key.

The two-variable function F (x, y) is a two-variable function whose function values are unlikely to collide with each other, and can be determined as in Equation 15 using the above-described one-way hash function h.

[0155]

(15) F (x, y) = h (x | y) The fifth embodiment will be described below in detail with reference to the drawings. The verification / decoding circuit 104 in FIG. 17 is indicated by 38 in FIG. The verification / decoding circuit 38 includes the verification routine 15 and the decoding unit 6
1 and the ASIC (applications
peculiar integrated circuit
By realizing at t) and the like, high-speed decoding processing and security of the verification routine are guaranteed. Of course, verification / decryption circuit 3
8 can be realized by a software program. Further, in order to further enhance the safety, it may be configured by hardware having the above-described tamper-resistant characteristics. Verification /
In the decryption circuit, the encapsulated content received from the data control circuit is separated into a content header and encrypted data by the data separation unit 56, and the public key (E, n) is stored in the access ticket public key storage unit 51. To
The encrypted decryption key K ^E is stored in the authentication data storage unit 52, and the encrypted data is stored in the decryption unit 61. Then, the verification / decoding circuit generates a random number in the internal random number generation unit and stores the random number in the random number storage unit 54, while calculating the transmission data C in the transmission data calculation unit based on Equation 5 as in the first embodiment.

The transmission data C thus calculated is
It is sent to the certification program together with the modulus n.

The operations of the first operation unit 73 and the proof data generation unit 76 of the certification program are executed by the microcomputer, and the access ticket is stored in the EPROM (erasab).
leprogrammable read only
memory) or the like. For the authentication data, the corresponding access ticket t is selected from the access ticket storage unit 72 based on the received n, and the authentication data reception unit 71
Equation 16 is executed under the RSA modulus n received from, to obtain intermediate information R ′.

[0158]

(16) The R ′ = C ^t mod n token is realized by an IC card, has a user unique information storage unit 74 and a second arithmetic unit 75, receives authentication data from a microcomputer, and obtains the expression (17). Execute to obtain difference information S.

[0159]

(17) S = C ^{F (n, e)} mod n Then, the proof data generation unit 75 of the proof program
Then, the intermediate information R ′ and the difference information S are obtained from the second calculation units 73 and 75, and the calculation of Expression 18 is performed to obtain the proof data R.

[0160]

(18) R = R'S mod n The proof data R thus obtained is transmitted to the proof data reception unit 57 of the verification / decryption circuit.

The random number effect removing section 58 of the verification routine 15
Obtains the proof data R received by the data receiving unit 57, and obtains the proof data R by using the random number r stored in the random number storage unit 54.
The decryption key K is obtained by performing the calculation of Expression 19.

[0162]

(19) K = Rr ⁻¹ mod n At this time, by giving redundancy to K and giving a specific value to that portion, the verification unit 59 determines whether or not the decryption key K has been correctly decrypted. May be verified. The obtained decryption key K is input to the decryption unit 61, and the decryption unit 61 decrypts the encrypted data using the decryption key K and outputs it as content.

The output content is used as digital data by a PC or used as video information or audio information.

FIG. 19 shows an overview of the service providing apparatus of this embodiment. As shown in the figure, the service providing device is connected to a television. Although not shown in the figure, the service providing device is connected to a satellite antenna and receives satellite broadcasts, while being connected to a network through a modem and uses the encapsulated content received by satellite broadcasts. An access ticket can be obtained. As shown in FIG. 19A, if the content is encrypted and the token is not inserted into the service providing device, the user cannot watch the video. Therefore, when the user obtains a valid access ticket and inserts the token into the service providing apparatus, the user obtains the ticket shown in FIG.
An image can be viewed as shown in FIG.

As described above, according to the present invention, one content is
Despite being provided with one encryption key,
The service cannot be used unless both the access ticket customized for each user and the token storing the user-specific information are provided. Therefore, the content provider (provider) can encrypt and provide the content using mass media such as satellite broadcasting, and use the access ticket and the token to ensure reliable usage management for each user. It is possible to do.

[Embodiment 6] Next, Embodiment 6 of the present invention will be described. The above describes the case of encapsulation for each content.However, as another application example, there is a case where the same encryption is applied to the satellite broadcast channel and the use of the content is restricted by managing the viewing time. is there. Such a service is realized by expressing the access ticket by Expression 20.

[0167]

(20) t = DF (n, e, L) Here, L is use control information and represents a use period. The three-variable function F (x, y, z) is a three-variable function whose function values are unlikely to collide with each other, and can be determined as in Equation 21 using the above-described one-way hash function h.

[0168]

(21) F (x, y, z) = h (x | y | z) FIG. 20 shows a configuration example of the usage control information. As shown in the figure, the usage control information L includes a usage start time, a usage end time, and a usage fee. The usage fee is required only when the token has a prepaid function, and can be omitted when the prepaid function is not used. FIG. 21 shows a verification protocol when the usage control information L is used. Here, those having the same functions as those in FIG. 18 are indicated by the same numbers.

The sixth embodiment will be described below in detail with reference to the drawings. In the verification / decryption circuit, the encapsulated content received from the data control circuit is separated into a content header and encrypted data by the data separation unit 56, and the public key (E, n) is stored in the access ticket public key. In the unit 51, the encrypted decryption key K ^E is stored in the authentication data storage unit 52, and the encrypted data is stored in the decryption unit 61. Then, the verification / decoding circuit generates a random number in an internal random number generation unit and stores the generated random number in the random number storage unit 54, while calculating a transmission data C in the transmission data calculation unit based on Expression 15.

The transmission data C calculated as described above is
It is sent to the certification program together with the modulus n.

The operations of the first operation unit 73 and the proof data generation unit 76 of the certification program are executed by the microcomputer, and the access ticket is stored in the EPROM (erasab).
leprogrammable read only
memory) or the like. The authentication data selects the corresponding access ticket t and the usage control information L from the access ticket storage unit 72 based on the received n, and formula 16 is obtained based on the RSA modulus n received from the authentication data receiving unit 71. To obtain the intermediate information R '.

The token is stored in the user unique information storage unit 74,
It has a second arithmetic unit 75, and further has prepaid frequency and token time data. The token receives the authentication data and the usage control information L from the microcomputer, and verifies whether the expiration date in the usage control information is consistent with the token time. That is, when the use start time ≦ the token time ≦ the use end time, the verification is considered to be successful. If the expiration date has been successfully verified, it is confirmed that the number of tokens remaining in the usage control information L is equal to or greater than the usage frequency, and if it remains, the number of usages in the usage control information L is subtracted from the token frequency. If the validation of the expiration date fails or if the frequency is insufficient, an error is returned without performing the processing. If the above verification is successful, Equation 22
To obtain the difference information S.

[0173]

(22) S = C ^{F (n, e, L)} mod n Then, the proof data generating unit 75 of the proof program
Then, the intermediate information R ′ and the difference information S are obtained from the second calculation units 73 and 75, and the calculation of Expression 18 is performed to obtain the proof data R. The proof data R thus obtained is transmitted to the proof data receiving unit 57 of the verification / decryption circuit.

The random number effect removing section 58 of the verification routine 15
Obtains the proof data R received by the data receiving unit 57, and obtains the proof data R by using the random number r stored in the random number storage unit 54.
The decryption key K is obtained by performing the calculation of Expression 19. Here, if the usage control information L used in the token has been falsified, an accurate decryption key cannot be extracted. At this time, the verification unit 59 may verify whether the decryption key K has been correctly decrypted by giving redundancy to K and giving a specific value to that portion. Obtained decryption key K
Is input to the decryption unit 61, which decrypts the encrypted data using the decryption key K and outputs it as content.

The output content is used as digital data by a PC or used as video information or audio information.

In this embodiment, the time is given to the token. However, when an IC card is used, since there is no clock inside, it is necessary to guarantee the validity of the token time.

By doing so, the user cannot use the access ticket until the expiration date in the usage control information, and even if the content of one channel is encrypted with the same encryption key, Use rights can be set, and functions such as pay-per-view can be realized.

The present invention is not limited to the above embodiments. For example, contents can be used via various recording media, communication media, and broadcast media. The present invention can be applied to the case where various communication media and broadcast media are used in addition to the Internet and satellite broadcasting. For example, the present invention can be applied to the provision of a communication karaoke service through a normal telephone network, a data communication network, or a TCP / IP connection.

[0179]

As described above, according to the present invention,
By introducing proof auxiliary data (access ticket), the characteristic information of access qualification authentication and the user-specific information can be made independent.
The user only needs to prepare one piece of unique information. The access ticket is data calculated based on specific user specific information and characteristic information of access qualification authentication,
Also, it is impossible to calculate the characteristic information of the access qualification authentication from the access ticket without knowing the user unique information, at least in an appropriate amount. Only when the user-specific information and the access ticket are correctly combined, the service is provided (the content is decrypted). Therefore, the user has the user-specific information in advance, and the service provider has the user-specific information and the user-specific information. Can independently prepare access credential feature information. Therefore, for example, even when the content is encrypted with one encryption key, it is possible to set the access right only to the desired user,
There is no need to prepare encrypted content for each user.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an example of the basic configuration of the present invention.

FIG. 2 is a block diagram illustrating an outline of a configuration example according to a first embodiment;

FIG. 3 is a schematic diagram of a computer used by a user according to the first embodiment.

FIG. 4 is a detailed block diagram of a configuration example according to the first embodiment;

FIG. 5 is a configuration example 1 of the encrypted content according to the first embodiment.

FIG. 6 is a configuration example 2 of the encrypted content according to the first embodiment.

FIG. 7 is a configuration example 3 of the encrypted content according to the first embodiment.

FIG. 8 is a configuration example of a process in a verification unit according to the first embodiment.

FIG. 9 is a configuration example of a process in a verification unit according to the first embodiment.

FIG. 10 is a configuration example of a process in a verification unit according to the first embodiment.

FIG. 11 is a configuration example of a process in a verification unit according to the first embodiment.

FIG. 12 is a detailed block diagram of a configuration example according to a second embodiment.

FIG. 13 is a detailed block diagram of a configuration example according to a third embodiment.

FIG. 14 is a detailed block diagram of a configuration example according to a fourth embodiment;

FIG. 15 is a schematic view of a fifth embodiment.

FIG. 16 is a configuration diagram of encapsulated content according to the fifth embodiment.

FIG. 17 is a detailed block diagram of a configuration example according to a fifth embodiment;

FIG. 18 is a detailed block diagram of a configuration example according to a fifth embodiment.

FIG. 19 is a diagram illustrating a configuration example of a fifth embodiment;

FIG. 20 is a configuration diagram of usage control information according to the sixth embodiment.

FIG. 21 is a detailed block diagram of a configuration example according to a sixth embodiment;

[Explanation of symbols]

 Reference Signs List 10 proof data verification device 11 proof data generation device 12 access ticket generation device 13 access ticket (auxiliary data for proof) 14 characteristic information of access qualification authentication 15 verification routine 16 user unique information 17 proof data generation program 18 authentication data 19 proof data Reference Signs List 20 tamper-resistant device 30 computer 31 internet browser 32 certification program 33 token 34 content 35 decryption program 38 plug-in (plug-in module)

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] October 29, 1997

[Procedure amendment 1]

[Document name to be amended] Drawing

[Correction target item name] All figures

[Correction method] Change

[Correction contents]

FIG.

FIG.

FIG. 2

FIG. 3

FIG. 5

FIG. 6

FIG. 7

FIG.

FIG. 4

FIG. 8

FIG. 9

FIG. 16

FIG. 10

FIG. 11

FIG.

FIG. 13

FIG. 14

FIG.

FIG.

FIG.

FIG. 21

Claims (21)

[Claims] 1. A service providing apparatus for providing a service only to a user having a valid right, a first storage unit for storing authentication data, a second storage unit for storing user-specific information, A third storage unit for storing proof auxiliary information, which is an execution result of performing a predetermined calculation on the unique information of the user and the characteristic information of the access qualification authentication; and a third storage unit that is stored in the first storage unit. Authentication data,
Proof data generation for generating proof data by performing a predetermined calculation on the user unique information stored in the second storage means and the proof auxiliary information stored in the third storage means Means for providing a service using the proof data generated by the proof data generation means. 2. A service providing apparatus for providing a service only to a user having a legitimate right, wherein: a first storage unit for storing authentication data; a second storage unit for storing user-specific information; A third storage unit for storing proof auxiliary information, which is an execution result of performing a predetermined calculation on the unique information of the user and the characteristic information of the access qualification authentication; and a third storage unit that is stored in the first storage unit. Authentication data,
Proof data generation for generating proof data by performing a predetermined calculation on the user unique information stored in the second storage means and the proof auxiliary information stored in the third storage means Means, and proof data verification means for verifying that the proof data generated by the proof data generation means is generated based on the characteristic information of the access qualification authentication. A service providing apparatus for providing a service only when the service is successful. 3. An input means for inputting information whose use is restricted, wherein only when the verification by the proof data verification means succeeds, the restriction on use of the information is released and the information can be used. The service providing apparatus according to claim 2, wherein: 4. The characteristic information of the access qualification authentication is a decryption key in an encryption function, and the authentication data is obtained by encrypting appropriate data using an encryption key corresponding to the decryption key. 4. The proof data verification unit according to claim 2, wherein the proof data generation unit determines that the verification is successful when the proof data generated by the proof data generation unit is a correctly decrypted version of the authentication data. Service providing equipment. 5. The characteristic information of the access qualification authentication is an encryption key in an encryption function, and the proof data verification unit correctly encrypts the authentication data in the proof data generated by the proof data generation unit. The service providing apparatus according to claim 2, wherein when it is determined that the verification is successful, the verification is determined to be successful. 6. The characteristic information of the access qualification authentication is a signature key in a digital signature function, and the proof data verification unit determines that the proof data generated by the proof data generation unit is 4. The service providing apparatus according to claim 2, wherein when the digital signature is verified to be correctly generated using the signature key, the verification is determined to be successful. 5. 7. The information whose use is restricted is at least partially encrypted information, and decrypts the encrypted information only when the verification by the proof data verification unit succeeds. 7. The service providing apparatus according to claim 2, wherein information can be used. 8. An input means for inputting encrypted information, wherein the characteristic information of the access qualification authentication is a first decryption key in an encryption function, and the authentication data is the encrypted data. A second decryption key for decrypting information is encrypted by using an encryption key corresponding to the first decryption key, and the proof data generated by the proof data generation unit is the second decryption key. And decrypting the encrypted information using the second decryption key to provide a service corresponding to the information.
A service providing device according to claim 1. 9. The service providing apparatus according to claim 4, wherein the encryption function is an asymmetric key encryption function, and the access credential information is one of keys. 10. The service providing apparatus according to claim 4, wherein the encryption function is a public key encryption function, and the characteristic information of the access qualification is a secret key. 11. The service providing apparatus according to claim 4, wherein the encryption function is a symmetric key encryption function, and the characteristic information of the access qualification is a common secret key. 12. A service providing apparatus comprising a proof data generation device and a proof data verification device, wherein the proof data generation device and the proof data verification device communicate and authenticate an access qualification of a user. In the above, the proof data generation device may include: first storage means for storing authentication data; second storage means for storing user's unique information; user's unique information; A third storage unit for storing auxiliary information for certification as an execution result of executing a predetermined calculation, the authentication data held in the first storage unit, and the second storage unit. A predetermined calculation is performed on the unique information of the user held in the means and the auxiliary information for proof held in the third storage means to generate proof information. Proof data generation means, wherein the proof data verification device is generated by the fourth storage means for storing authentication data, the fifth storage means for storing proof data, and the proof data generation means. Proof data verification means for verifying that the proof data is generated based on the characteristic information for access qualification authentication, wherein the proof data verification device is stored in the fourth storage means. The certification data is written to the first storage unit of the certification data generation device, and the certification data generation device also stores the certification data written to the first storage unit by the certification data generation unit. And writing the generated proof data to the fifth storage unit of the proof data verification device, and the proof data verification device writes the proof data to the fifth storage unit. Service providing device, wherein authenticating the access right of the user by using the proof data written. 13. The characteristic information for access qualification authentication is a decryption key of an encryption function. The proof data verification device includes a random number generation unit, a sixth storage unit that stores the generated random number, and an authentication element. A seventh storage unit for storing data, wherein the random number generation unit writes the generated random number to the sixth storage unit, and stores the generated random number in the elementary data for authentication stored in the seventh storage unit. After applying a random number effect using a random number, the data is written to the fourth storage unit as the authentication data, and the proof data verification unit performs the random number effect based on the random number stored in the sixth storage unit. The result of removal from the proof data written in the fifth storage means by the proof data generation device is stored in the seventh storage means as a decryption key which is characteristic information of the access qualification authentication. 13. The service providing apparatus according to claim 12, wherein it is verified that the authentication elementary data is decrypted. 14. The characteristic information for access qualification authentication is an encryption key of an encryption function, the proof data verification device includes a random number generation unit, and the random number generation unit uses the generated random number as the authentication data. The proof data verification unit writes the fourth proof data, and the proof data verification unit verifies that the proof data written to the fifth storage unit by the proof data generation device is obtained by decrypting the random number. The service providing apparatus according to claim 12, wherein: 15. The characteristic information for access qualification authentication is a signature key of a digital signature function. The proof data verification device includes random number generation means, and the random number generation means uses the generated random number as authentication data as the authentication data. 4, the proof data verification means is characterized in that the proof data written in the fifth storage means by the proof data generation device is a feature of the access qualification authentication for authentication data which is the random number. The service providing apparatus according to claim 12, wherein the service providing apparatus verifies that the information is a digital signature using a signature key that is information. 16. At least the second storage means,
16. The proof data generation means is stored in a protection means which makes it difficult to externally observe internal data and processing procedures.
A service providing device according to claim 1. 17. At least the second storage means,
16. The service providing apparatus according to claim 1, wherein the proof data generating unit is configured as a portable small-sized arithmetic device such as an IC card. 18. The method according to claim 1, wherein at least the proof data verification means is stored in a protection means that makes it difficult to observe internal data and processing procedures from outside. Service providing device. 19. The service providing apparatus according to claim 1, wherein at least the proof data verification unit is configured as a portable small arithmetic device such as an IC card. 20. The information input from the input means,
20. The service according to claim 1, wherein the multimedia information such as an image, a moving image, a sound, and music or the multimedia is encrypted, and the service reproduces the input information. Providing device. 21. An apparatus according to claim 21, further comprising: an eighth storage unit configured to store usage control information for controlling generation of the proof data, wherein the proof auxiliary information held in the third storage unit is provided by An execution result obtained by performing a predetermined calculation on the unique information, the characteristic information of the access qualification authentication, and the use control information, wherein the proof data generation unit is held in the first storage unit. Authentication data, the user's unique information stored in the second storage means, the certification auxiliary information stored in the third storage means, and stored in the eighth storage means. 21. The service providing apparatus according to claim 1, wherein a predetermined calculation is performed on the usage control information to generate certification data.