JP4663435B2 - Content usage information transmitting method, content usage information providing device and content usage information receiving device capable of using the method - Google Patents

Description

  The present invention relates to a data input / output technology, and more particularly to a technology for encrypting and inputting data that should be kept secret between a storage device and a host device.

  For example, in Patent Document 1, a device that handles license data in an unencrypted state is used as a server device, a memory card (storage device), and a decoder (use device) as a content data distribution system that increases the confidentiality of license data. It is classified into three devices, and license data transmission / reception between devices (server device and storage device or storage device and using device) is done by building an encrypted communication path between the two devices that send and receive license data. The server device, the storage device, and the utilization device are provided with a TRM (Tamper Resistant Module) that can handle unencrypted license data.

  In constructing an encrypted communication path, a device that receives license data (referred to as a license receiving device) first transmits a certificate including a public key to a device that provides license data (referred to as a license providing device). Then, the license providing apparatus verifies the certificate of the license receiving apparatus, and only when the certificate is determined to be valid according to the verification result, the license receiving apparatus uses the public key of the license receiving apparatus included in the certificate, Key exchange is performed between two devices. Then, the license data is encrypted with the two keys sent from the license receiving apparatus, and the encrypted license data is transmitted from the license providing apparatus to the license receiving apparatus. The two keys are a temporally symmetric key generated for each communication by the license receiving apparatus and a public key individually held by the license receiving apparatus.

  The TRM is a circuit module in which confidentiality is physically protected, and is configured so that it cannot be accessed from outside except through an encrypted communication path.

  When acquiring license data, the memory card is mounted on a terminal device that can communicate with the server device, and receives license data from the server device via the terminal device. Further, when using the content, the memory card is attached to a terminal device incorporating a decoder, and transmits license data to the decoder via the terminal device.

As described above, in content distribution services, copyright protection relating to content is thoroughly implemented by encrypting content data and concealing license data. In this way, by thoroughly protecting the content copyright, the rights of the content right holder are protected and the content can be provided safely. As a result, the lineup of content targeted for the distribution service also increases, and the needs of users who receive content distribution can be satisfied more widely.
JP 2004-133654 A

  Video content compatible with high-definition television is emerging. Here, high-definition TV image quality video content is called HD content, and conventional TV image quality video content is called SD content.

  HD content has a larger amount of data per unit time than SD content. For example, in the MPEG2 system used in digital broadcasting, the data amount per unit time of HD content is about three times the data amount per unit time of SD content. Therefore, further high-speed access is required for storage devices that record HD content.

  On the other hand, it is considered to use the copyright protection function of the conventional system for such HD contents. In a conventional system, public key cryptography is used for transmission / reception of license data. Since the computation time of the public key cryptography requires more time than the computation time of the common key cryptography, the time required for transmitting or receiving one license requires the computation time of the public key cryptography.

  When license data is recorded in units of programs and played back in units of programs, the access frequency of the license data is low and the access time is not so much of a problem, but special playback (skip playback, multiple programs partially) In the case of providing continuous program reproduction or the like, the access frequency of the license data is increased, and the license data is required to be accessed at a higher speed.

  The present invention has been made in view of such a situation, and an object of the present invention is to reduce the access time when data to be kept secret is encrypted and input / output between the storage device and the host device. It is.

  In view of the above problems, the present invention has the following features.

  One embodiment of the present invention relates to a content usage information transmission method. This content usage information transmission method is a method for transmitting and receiving content usage information including a content key for decrypting encrypted content data, and first step of establishing an encrypted communication path for transmitting and receiving the content usage information And a second step of transmitting and receiving the content usage information using the encrypted communication path, wherein the first step is a step in which a transmission source of the content usage information authenticates a transmission destination of the content usage information; And, when the transmission destination is approved, sharing a first symmetric key between the transmission source and the transmission destination using a public key cryptosystem, and the second step includes the content Sharing a second symmetric key between the transmission source and the transmission destination when it is time to transmit usage information; and But it characterized in that it comprises the steps of: transmitting the content usage information and encrypted with the first symmetric key and said second symmetric key to the destination.

  According to such an aspect, when data to be concealed such as content usage information is transmitted / received, once the encryption communication path is established, only the common key encryption algorithm is used without using the public key encryption algorithm. Data can be encrypted and sent / received. Since the common key encryption algorithm has a smaller calculation amount than the public key encryption algorithm and can be easily implemented in hardware, the processing efficiency and the processing speed can be improved by using only the common key encryption algorithm. Further, since the content usage information is double-encrypted with the first symmetric key and the second symmetric key and transmitted / received, the encrypted data can be efficiently transmitted / received without losing security.

  The step of sharing the second symmetric key may be performed using a common key cryptosystem. The first step may further include a step of sharing a third symmetric key used for sharing the second symmetric key between the transmission source and the transmission destination, wherein the second symmetric key is used. The step of sharing the key may share the second symmetric key by encrypting the second symmetric key with the third symmetric key and transmitting / receiving it. Thus, the step of sharing the second symmetric key is also performed using the common key cryptosystem, so that the processing efficiency and the processing speed can be improved. The third symmetric key may be shared using public key cryptography. If the third symmetric key is shared in the first step, the processing speed of the second step is not affected even if a public key cryptosystem with a large amount of computation is used. Therefore, safety can be further improved without affecting the processing speed of the second step.

  The first symmetric key may be issued by either the transmission source or the transmission destination, and the second symmetric key may be issued by the other. As a result, even when one of the devices is an unauthorized device, it is possible to prevent leakage of the content usage information, thereby improving safety.

  The first symmetric key may be held at the transmission source and the transmission destination after the second step is finished, and used when the content usage information is transmitted next time. When the timing for transmitting the content usage information has arrived, the first step may be omitted if the first symmetric key is already shared between the transmission source and the transmission destination. . As a result, when content usage information is repeatedly transmitted and received, it is possible to quickly encrypt and transmit and receive using only the common key encryption algorithm without sacrificing safety. Further, when the content usage information is continuously transmitted and received, the processing can be speeded up without sacrificing safety by omitting the authentication processing. The first symmetric key may be destroyed when the encrypted communication path is disconnected. For example, when the connection between devices is canceled or one of the power supplies is turned off and the established encrypted communication path cannot be maintained, the first symmetric key is discarded and the encryption The communication path may be disconnected. Thereby, the safety | security of encryption communication is securable.

  The second symmetric key may be newly issued when the next content usage information is transmitted after the end of the second step, and may be shared between the transmission source and the transmission destination. Since the content usage information is encrypted with the newly issued second symmetric key every time the content usage information is transmitted, leakage of the content usage information can be prevented, and safety can be improved.

  The first step may further include the step of the destination authenticating the source, wherein the step of exchanging the first symmetric key is performed when the destination and the source are mutually approved. May be. The content use information receiving device provides a function of rejecting recording of license data from a license use information providing device or a fake content use information providing device whose safety has been impaired, thereby further enhancing the safety of the device. And can protect the rights of authors and the like appropriately.

  The step of sharing the first symmetric key may share the first symmetric key using an Elliptic Curve Diffie-Hellman encryption algorithm. Thereby, a shared key can be safely shared using a public key cryptosystem using an operation on an elliptic curve. In addition, by continuously holding the shared key once shared and using it for encryption and decryption of the license data, it is possible to reduce the amount of calculation when sending and receiving the license data, and to speed up the processing. In addition, the circuit scale can be reduced.

  Another aspect of the present invention relates to a content use information providing apparatus. This content usage information providing device is a content usage information providing device that provides content usage information including a content key for decrypting encrypted content data to a content usage information receiving device, and holds the content usage information Means for obtaining authentication information from the content use information receiving device and verifying the validity of the authentication information; and when the verification means approves the content use information receiving device, the content use information A first symmetric key sharing unit that shares a first symmetric key with a receiving device using a public key cryptosystem, and the content usage information receiving device when the timing for transmitting the content usage information has arrived And a second symmetric key sharing means for sharing a second symmetric key between the content usage information and the content usage information An encryption unit that reads from the stage and encrypts the content using the first symmetric key and the second symmetric key, and a content usage information transmitting unit that transmits the content usage information receiving device encrypted by the encryption unit And.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content usage information receiving device is a content usage information receiving device that receives content usage information including a content key for decrypting encrypted content data from the content usage information providing device. A first symmetric key using a public key cryptosystem between the authentication information transmitting means for transmitting the authentication information and the content usage information providing device when the content usage information providing device approves the authentication information. A second symmetric key sharing unit that shares a second symmetric key between the first symmetric key sharing unit that shares the content use information and the content use information providing device when the timing for receiving the content use information arrives. Means and the content usage information encrypted with the first symmetric key and the second symmetric key. Content usage information receiving means for receiving from the information providing device, and decryption means for decrypting the encrypted content usage information with the first symmetric key and the second symmetric key. .

  Still another aspect of the present invention relates to a content use information providing apparatus. The content usage information providing device is a content usage information providing device that provides content usage information including a content key for decrypting encrypted content data to the content usage information receiving device, and the content usage information receiving device. Are set in the interface for controlling the exchange of data between them, the symmetric key generating unit that temporally generates the first symmetric key and the second symmetric key when providing the content usage information, and the content usage information receiving device A first encryption unit that encrypts data using the first public key, a second encryption unit that encrypts data using the second public key set in the content use information receiving device, The data encrypted in the second encryption unit by the third symmetric key generated by the content use information receiving device. Is encrypted by a third encryption unit that further encrypts the data, a fourth symmetric key that is encrypted by the fourth symmetric key generated by the content use information receiving device, and the second symmetric key. Are further encrypted, a decryption unit for decrypting the data using the first symmetric key or the second symmetric key, and a control unit, wherein the control unit includes the first symmetric key. The symmetric key generation unit is instructed to generate, the first public key is received via the interface, is given to the first encryption unit, and the first encrypted by the first public key is encrypted. One symmetric key is received from the first encryption unit and output via the interface, and the third symmetric key and the second public key encrypted by the first symmetric key are transmitted to the interface. Received via The second symmetric key is generated, the second symmetric key is generated, the symmetric key generation unit is instructed to give the second symmetric key to the second encryption unit, and the second public key or the The second symmetric key encrypted with the third symmetric key is received from the second or third encryption unit and output through the interface, and the first symmetric key or the second symmetric key is output. The fourth symmetric key encrypted by the above is received from the content use information receiving apparatus via the interface and given to the decrypting unit, and encrypted by the fourth symmetric key and the second symmetric key. The content use information thus received is received from the fourth encryption unit or the fifth encryption unit and output via the interface.

  In the process of continuously providing the content usage information to the same content usage information receiving device, the control unit is encrypted with the first symmetric key or the second symmetric key. A fourth symmetric key is received via the interface and given to the decryption unit, and content usage information encrypted with the new fourth symmetric key and the second symmetric key is sent via the interface. May be output.

  The content usage information includes a content key for encrypting content data and decrypting the encrypted content data, and the content usage information providing device includes a content usage information generation unit for generating the content usage information, and the content A sixth encryption unit that encrypts data with the content key and outputs the encrypted content data may be further included.

  The content usage information providing apparatus further includes a storage unit, and the storage unit includes a first storage unit that stores the encrypted content data, and a second storage unit that stores the content usage information, The second storage unit may be configured by a tamper resistant structure.

  Still another embodiment of the present invention relates to a content use information receiving apparatus. The content usage information receiving device is a content usage information receiving device that receives from a content usage information providing device that records content usage information including a content key for decrypting and reproducing encrypted content data, the content usage information receiving device. An interface that controls the exchange of data with the providing device, a first public key holding unit that holds a first public key set in the content information receiving device, and the first public key A first secret key holding unit for holding a first secret key for decrypting the received data, a second public key holding unit for holding a second public key set in the content use information receiving device, A second secret key holding unit for holding a second secret key for decrypting data encrypted with the second public key; and the content usage information A symmetric key generating unit that temporally generates a first symmetric key and a second symmetric key, and a third symmetric key generated by the content usage information providing device when receiving content usage information from the providing device; An encryption unit for encrypting data, a first decryption unit for decrypting data encrypted with the first public key with the first secret key, and an encryption with the first symmetric key A second decryption unit for decrypting data; a third decryption unit for decrypting data encrypted with the second public key with a second secret key; and encrypted with the second symmetric key. A fourth decryption unit that decrypts data; a fifth decryption unit that decrypts data using the fourth symmetric key generated by the content use information providing device; and a control unit, wherein the control unit includes: The first public key The third symmetric key that is output via the interface and encrypted with the first public key is received via the interface, and the first symmetric key is generated and provided to the encryption unit. To the symmetric key generation unit, the first symmetric key encrypted by the third symmetric key decrypted by the first decryption unit and the second public key from the encryption unit Receiving and outputting via the interface, receiving via the interface a second symmetric key encrypted with the second public key or the first symmetric key, and receiving the second symmetric key The symmetric key generation unit is instructed to be generated and given to the encryption unit, and encrypted by the fourth symmetric key or the third symmetric key decrypted by the second decryption unit or the third decryption unit. Said 2 symmetric keys are received from the encryption unit and output via the interface, and content usage information encrypted by the second symmetric key and the fourth symmetric key is received via the interface. It is characterized by.

  The control unit generates the new second symmetric key in a process of continuously receiving the content usage information from the same content usage information providing apparatus, and generates the symmetric key so as to be given to the encryption unit. A second symmetric key that is encrypted by the encryption unit using the first symmetric key or the fourth symmetric key, and outputs the second symmetric key. The content usage information encrypted with the fourth symmetric key may be received via the interface.

  The content usage information receiving apparatus further includes a content playback circuit that decrypts the encrypted content data with a content key included in the content usage information and plays back the content data, and the content playback circuit includes the encrypted content data May be included with the content use information key, and a playback unit for playing back the content data decrypted with the fourth decryption unit.

  The content usage information receiving device further includes a storage unit that stores the encrypted content data and the content usage information, and the storage unit includes a first storage unit that stores the encrypted content data, and the content usage A second storage unit that stores information, and the second storage unit may be configured by a tamper resistant structure.

  The features of the present invention and the technical significance thereof will become more apparent from the following description of embodiments. However, the following embodiment is only one embodiment of the present invention, and the meaning of the present invention or the terms of each constituent element is limited to those described in the following embodiment. is not.

  According to the present invention, it is possible to improve processing efficiency when data to be concealed is encrypted and input / output between the storage device and the host device.

Embodiments of the present invention will be described below with reference to the drawings.
(First embodiment)
FIG. 1 shows an overall configuration of a data management system 10 according to the first embodiment. The data management system 10 includes a recording device 100 that controls recording of data in the storage device 200, a playback device 300 that controls playback of data recorded in the storage device 200, and a storage device 200 that records and holds data.

  The storage device 200 according to the present embodiment includes not only a storage medium that holds data but also a controller that controls input / output of data between a host device such as the recording apparatus 100 or the playback apparatus 300 and the storage medium. Is a drive-integrated storage device. In the present embodiment, a hard disk drive will be described as an example of the storage device 200.

  The conventional hard disk drive is generally used by being fixedly connected to one host device, but the storage device 200 of the present embodiment is a host device such as the recording device 100 and the playback device 300. It is comprised so that attachment or detachment is possible. That is, the storage device 200 according to the present embodiment can be removed from the host device and carried in the same manner as a CD or DVD. A storage device that can be shared between host devices.

  As described above, the storage device 200 according to the present embodiment is assumed to be connected to a plurality of host devices. For example, the storage device 200 is connected to a host device of a third party other than the owner and recorded therein. Data may be read out.

  When it is assumed that contents to be protected by copyright such as music and video, confidential data such as corporate and personal information are recorded on the storage device 200, the confidential data leaks to the outside. In order to prevent this, it is preferable to provide the storage device 200 itself with a configuration for appropriately protecting data and to have a sufficient tamper resistance function.

  From such a viewpoint, the storage device 200 according to the present embodiment has a configuration for encrypting and exchanging confidential data when the confidential data is input and output with the host device. Further, in order to store confidential data, a confidential data storage area different from a normal storage area is provided, and the confidential data storage area is configured to be accessible only through a cryptographic engine provided in the storage device 200. . This cryptographic engine inputs / outputs secret data only to / from a host device verified as having a legitimate authority. Hereinafter, such a data protection function is also referred to as a “secure function”. With the above configuration and function, the confidential data recorded in the storage device 200 can be appropriately protected.

  In order to make the most of the characteristics of the storage device 200 as a removable medium, it is preferable that normal data can be input / output even by a host device that does not support the secure function. Therefore, the storage device 200 according to the present embodiment supports ATA (AT Attachment), which is a standard of ANSI (American National Standards Institute), in order to maintain compatibility with the conventional hard disk, and the secure function described above. Is realized as an ATA extension instruction.

  Hereinafter, a case where content data such as video is recorded and reproduced will be described as an example of confidential data input / output. Although the content data itself may be handled as confidential data, in the present embodiment, the content data is encrypted, and the encrypted content data itself is recorded as normal data in the storage device 200. Then, data (license data and data) including a key for decrypting the encrypted content (referred to as a content key) and information (referred to as a usage rule) related to content reproduction control, license use, transfer, and copy control. Is input / output as secret data using the secure function described above. As a result, while maintaining sufficient tamper resistance, data input / output can be simplified, processing speed can be increased, and power consumption can be reduced. Here, the license data includes a license ID for specifying the license data in addition to the content key and the usage rule.

  Hereinafter, of the commands issued by the host device such as the recording device 100 and the playback device 300 to the storage device 200, the extended command for the secure function is also referred to as “secure command”, and the other commands are also referred to as “normal command”. Call.

  FIG. 2 shows an internal configuration of the recording apparatus 100 according to the embodiment. This configuration can be realized in hardware by a CPU, memory, or other LSI of an arbitrary computer, and in software, it is realized by a program having a recording control function loaded in the memory. So, functional blocks that are realized by their cooperation are drawn. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The recording apparatus 100 mainly includes a controller 101, a storage interface 102, a cryptographic engine 103, an encryptor 104, a content encoder 105, and a data bus 110 that electrically connects them.

  The content encoder 105 codes the content acquired online or offline into a predetermined format. Here, video data acquired from a broadcast wave or the like is coded in the MPEG format.

  The encryptor 104 issues license data LIC including a content key for decrypting the encrypted content, and encrypts the content coded by the content encoder 105 using this content key. The encrypted content is recorded in the storage device 200 via the data bus 110 and the storage interface 102. The issued license data LIC is notified to the encryption engine 103 and recorded in the storage device 200 via the encryption engine 103.

  The cryptographic engine 103 controls cryptographic communication with the storage device 200 in order to input the license data LIC to the storage device 200. The storage interface 102 controls data input / output with the storage device 200. The controller 101 comprehensively controls the components of the recording apparatus 100.

  FIG. 3 shows an internal configuration of the playback apparatus 300 according to the embodiment. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof.

  The playback apparatus 300 mainly includes a controller 301, a storage interface 302, a cryptographic engine 303, a decoder 304, a content decoder 305, and a data bus 310 that electrically connects them.

  The storage interface 302 controls data input / output with the storage device 200. The cryptographic engine 303 controls cryptographic communication with the storage device 200 in order to receive the license data LIC including the content key from the storage device 200.

  The decryptor 304 decrypts the encrypted content read from the storage device 200 with the content key included in the license data LIC obtained from the storage device 200.

  The content decoder 305 decodes and outputs the content decoded by the decoder 304. For example, if the content is in MPEG format, the video signal and the audio signal are restored from the content, the video signal is output to a display device (not shown), and the audio signal is output to a speaker (not shown). The controller 301 comprehensively controls the components of the playback device 300.

  FIG. 4 shows an internal configuration of the storage device 200 according to the embodiment. The storage device 200 mainly includes a controller 201, a storage interface 202, a cryptographic engine 203, a tamper resistant storage unit 204, a normal data storage unit 205, and a data bus 210 that electrically connects them.

  The storage interface 202 controls data input / output with the recording device 100 and the playback device 300. The cryptographic engine 203 controls cryptographic communication for inputting / outputting secret data such as license data LIC including a content key between the recording device 100 and the playback device 300. The normal data storage unit 205 is a normal storage area for recording encrypted content, normal data, and the like. The tamper resistant storage unit 204 is a confidential data storage area for recording confidential data such as license data LIC including a content key. The normal data storage unit 205 is directly accessed (data input / output) from the outside, but the tamper-resistant storage unit 204 is configured so that it cannot be accessed (data input / output) through the cryptographic engine 203. The controller 201 comprehensively controls the components of the storage device 200.

  Here, the key used in this embodiment will be described. In the present embodiment, the key is expressed as a character string starting with a capital letter “K”. The character described at the end of the character string indicating the key is a symbol for identifying the cryptographic engine to which the key is given. In the present embodiment, when the provision destination is clear, the numbers “1”, “2”, and “3” are written, and the key is provided from other than the encryption engine and the provision destination is unknown. When not specified, it is expressed by English characters such as “x” and “y”.

  The challenge key, which is a symmetric key (common key) that is temporally generated at the data transmission source, is distinguished into two according to the generation timing, and the first challenge key is generated Kfcy, the second time. The challenge key is written as Kscy. In addition, the session key, which is a symmetric key generated temporally at the data transmission destination, is also classified into two depending on the generation timing, the session key generated first time is Kfsx, and the session key generated second time is It is written as Kssx.

  Further, the data transmission destination holds two key pairs by the public key cryptosystem. The first set is a public key KPdx and a secret key Kdx. This key pair is a key given to each group of apparatuses, and the public key KPdx is held in the form of a public key certificate C [KPdx] (hereinafter simply referred to as a certificate). The second set is a public key KPpx and a secret key Kpx. This set is a key pair given to each device. In addition, there is a verification key KPa for verifying the validity of the certificate C [KPdx]. The usage method will be described later.

  In this embodiment, “1” is used as the identification symbol for the cryptographic engine 103 of the recording device 100, “2” is used as the identification symbol for the cryptographic engine 203 of the storage device 200, and the cryptographic engine 303 of the playback device 300 is used. Uses “3” as an identification symbol.

  FIG. 5 shows an internal configuration of the cryptographic engine 103 of the recording apparatus 100 shown in FIG. The cryptographic engine 103 includes a certificate verification unit 120, a random number generation unit 121, a first encryption unit 122, a first decryption unit 123, a second encryption unit 124, a third encryption unit 125, a second decryption unit 126, and a fourth encryption unit. 127, a fifth encryption unit 128, and a local bus 130 that electrically connects at least some of these components.

  The certificate verification unit 120 verifies the certificate C [KPd2] acquired from the storage device 200. The certificate C [KPd2] includes plaintext information (referred to as “certificate body”) including the public key KPd2 and an electronic signature attached to the certificate body. This electronic signature is obtained by applying a calculation result of a hash function to the certificate body (this calculation process is referred to as “hash calculation”), and a root key Ka of a certificate authority (not shown) as a third party. Data encrypted by. The root key Ka is a private key that is strictly managed by the certificate authority and serves as a secret key of the certificate authority.

  The certificate verification unit 120 holds a verification key KPa that is paired with the root key Ka. This verification key KPa is a public key for verifying the validity of the certificate. The verification of the certificate is judged by the validity of the certificate and the validity of the certificate. The verification of the validity of the certificate is a process of comparing the calculation result of the hash function for the certificate body of the certificate to be verified with the result of decrypting the electronic signature with the verification key KPa. It is judged that. The certificate verification unit 120 maintains a certificate revocation list (CRL) that is a list of invalid certificates, and the CRL checks whether the certificate to be verified is valid. It is judged that it is effective when it is not described. The process of judging the validity and validity of a certificate and approving a valid certificate is called verification.

  If the verification is successful, the certificate verification unit 120 retrieves the public key KPd2 of the storage device 200, transmits it to the first encryption unit 122, and notifies the verification result. If verification fails, a verification error notification is output.

  The random number generation unit 121 generates challenge keys Kfc1 and Ksc1 that are temporarily used to perform cryptographic communication with the storage device 200. By generating the challenge keys Kfc1 and Ksc1 with random numbers each time encrypted communication is performed, the possibility that the challenge key can be detected is minimized. The generated challenge key Kfc1 is transmitted to the first encryption unit 122, the first decryption unit 123, and the second decryption unit 126, and the challenge key Ksc1 is transmitted to the second encryption unit 124 and the fifth encryption unit 128.

  In order to notify the storage device 200 of the challenge key Kfc1, the first encryption unit 122 encrypts the challenge key Kfc1 with the public key KPd2 of the storage device 200 extracted by the certificate verification unit 120, and first challenge information E (KPd2, Kfc1) is generated.

  The first decryption unit 123 decrypts the data encrypted with the challenge key Kfc1. Since the session key Kfs2 issued by the storage device 200 and the public key KPp2 held by the storage device 200 are supplied from the storage device 200 as the first session information E (Kfc1, Kfs2 // KPp2), the first decryption unit 123 decrypts the first session information using the challenge key Kfc1 generated by the random number generator 121, and extracts the session key Kfs2 and the public key KPp2. The extracted public key KPp2 is transmitted to the second encryption unit 124, and the session key Kfs2 is transmitted to the third encryption unit 125. Here, the symbol “//” indicates data concatenation, and Kfs2 // KPp2 indicates a data string obtained by combining the session key Kfs2 and the public key KPp2 side by side. E indicates an encryption function, and E (Kfc1, Kfs2 // KPp2) indicates that the data Kfs2 // KPp2 is encrypted with the challenge key Kfc1.

  In order to notify the storage device 200 of the challenge key Ksc1, the second encryption unit 124 encrypts the challenge key Ksc1 with the public key KPp2 of the storage device 200 extracted by the first decryption unit 123, and encrypts the challenge key E (KPp2, Ksc1) is generated. Then, the encryption challenge key E (KPp2, Ksc1) is transmitted to the third encryption unit 125.

  The third encryption unit 125 further encrypts E (KPp2, Ksc1) transmitted from the second encryption unit 124 with the session key Kfs2 issued by the storage device 200, and second challenge information E (Kfs2, E ( KPp2, Ksc1)) is generated.

  The second decryption unit 126 decrypts the data encrypted with the challenge key Kfc1. Since the session key Kss2 issued by the storage device 200 is supplied from the storage device 200 as the second session information E (Kfc1, Kss2), the second decryption unit 126 uses the challenge key Kfc1 generated by the random number generation unit 121. Is used to decrypt the second session information and retrieve the session key Kss2. The extracted session key Kss2 is transmitted to the fourth encryption unit 127.

  The fourth encryption unit 127 acquires the license data LIC including the content key issued when the encryptor 104 encrypts the content, and the license data LIC is issued by the storage device 200 that is the license data providing destination. Encryption with the key Kss2 generates E (Kss2, LIC). Then, E (Kss2, LIC) is transmitted to the fifth encryption unit 128.

  The fifth encryption unit 128 further encrypts E (Kss2, LIC) transmitted from the fourth encryption unit 127 with the challenge key Ksc1 issued by the recording device 100, and encrypts license data E (Ksc1, E ( Kss2, LIC)).

  In FIG. 5, among the components of the cryptographic engine 103, the certificate verification unit 120, the first encryption unit 122, the first decryption unit 123, the third encryption unit 125, and the fifth encryption unit 128 are electrically connected by the local bus 130. Are connected to the data bus 110 of the recording apparatus 100 via the local bus 130. Various modifications can be considered in the form of connecting each component, but in this embodiment, the challenge keys Kfc1 and Ksc1 generated by the random number generator 121 and the session keys Kfs2 and Kss2 received from the storage device 200 are Consideration is given not to flow directly to the data bus 110. Thereby, it is possible to prevent each key used in the cryptographic engine 103 from leaking to the outside through other components of the recording apparatus 100 and improve the security.

  FIG. 6 shows the internal configuration of the cryptographic engine 303 of the playback apparatus 300 shown in FIG. The cryptographic engine 303 includes a certificate output unit 320, a random number generation unit 321, a first decryption unit 322, a first encryption unit 323, a second decryption unit 324, a third decryption unit 325, a second encryption unit 326, and a fourth decryption unit. 327, a fifth decoding unit 328, and a local bus 330 that electrically connects at least some of these components.

  The certificate output unit 320 outputs the certificate C [KPd3] of the playback device 300. The certificate may be held by the certificate output unit 320 or may be held in a certificate holding unit (not shown) and read out. The certificate is composed of a certificate body including the public key KPd3 of the playback apparatus 300 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the verification authority, like the certificate of the storage device 200.

  The random number generation unit 321 generates session keys Kfs3 and Kss3 that are temporarily used to perform encrypted communication with the storage device 200. The generated session key Kfs3 is transmitted to the first encryption unit 323 and the second decryption unit 324, and the generated session key Kss3 is transmitted to the second encryption unit 326 and the fifth decryption unit 328, respectively.

  The first decryption unit 322 decrypts the data encrypted with the public key KPd3 with the secret key Kd3. At the time of playback, the challenge key Kfc2 issued by the storage device 200 is encrypted by the public key KPd3 of the playback device 300 and supplied from the storage device 200, so the first decryption unit 322 decrypts with the private key Kd3 of itself. Then, the challenge key Kfc2 is taken out. The extracted challenge key Kfc2 is transmitted to the first encryption unit 323 and the second encryption unit 326.

  The first encryption unit 323 encrypts data with the challenge key Kfc2 extracted by the first decryption unit 322. In order to notify the storage device 200 of the session key Kfs3 and its own public key KPp3, the session key Kfs3 generated by the random number generator 321 and its own public key KPp3 are concatenated and encrypted to obtain the first session information. E (Kfc2, Kfs3 // KPp3) is generated.

  The second decryption unit 324 decrypts the data encrypted with the session key Kfs3. The challenge key Ksc2 issued by the storage device 200 is supplied from the storage device 200 as the second challenge information E (Kfs3, E (KPp3, Ksc2)) double-encrypted with the public key KPp3 and the session key Kfs3. The second decryption unit 324 decrypts the session key Kfs3 generated by the random number generation unit 321 and transmits the result to the third decryption unit 325.

  The third decryption unit 325 decrypts the data encrypted with the public key KPp3. The result of the second decryption unit 324 is decrypted with the secret key Kp3 paired with the public key KPp3, and the challenge key Ksc2 is extracted. The extracted challenge key Ksc2 is transmitted to the fourth decryption unit 327.

  The second encryption unit 326 encrypts data with the challenge key Kfc2 extracted by the first decryption unit 322. In order to notify the storage device 200 of the session key Kss3, the session key Kss3 generated by the random number generation unit 321 is encrypted to generate second session information E (Kfc2, Kss3). The session key Kss3 is regenerated by the random number generator 321 every time one piece of license data is transmitted.

  The fourth decryption unit 327 decrypts the data encrypted with the challenge key Ksc2. Since the license data LIC is supplied from the storage device 200 as encrypted license data E (Ksc2, E (Kss3, LIC)) double-encrypted with the challenge keys Ksc2 and Kss3, the fourth decryption unit 327 Decryption is performed using the challenge key Ksc2 issued by the storage device 200, and the result is transmitted to the fifth decryption unit 328.

  The fifth decryption unit 328 decrypts the data encrypted with the session key Kss3. The result of the fourth decryption unit 327 is decrypted, and the license data LIC is extracted. The extracted license data LIC is transmitted to the decryptor 304, and the decryptor 304 decrypts the encrypted content using the content key included in the license data LIC.

  In the cryptographic engine 303 shown in FIG. 6, various modifications can be considered in the form of connecting each component. In the present embodiment, the session keys Kfs3, Kss3, the public key generated by the random number generator 321 are possible. And the secret keys Kd3 and Kp3 paired with the storage device 200 and the challenge keys Kfc2 and Ksc2 received from the storage device 200 are configured not to flow on the data bus 310 via the local bus 330. Prevents the decryption key used inside the computer from leaking outside.

  FIG. 7 shows an internal configuration of the cryptographic engine 203 of the storage device 200 shown in FIG. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof. The cryptographic engine 203 includes a control unit 220, a random number generation unit 221, a certificate output unit 222, a certificate verification unit 223, a first decryption unit 224, a first encryption unit 225, a second decryption unit 226, a third decryption unit 227, Second encryption unit 228, fourth decryption unit 229, fifth decryption unit 230, third encryption unit 231, sixth decryption unit 232, fourth encryption unit 233, fifth encryption unit 234, seventh decryption unit 235, sixth The encryption unit 236, the seventh encryption unit 237, and a local bus 240 that electrically connects at least some of these components.

  The control unit 220 mediates data input / output between the control of the internal configuration of the cryptographic engine 203 and the external configuration in accordance with an instruction from the controller 201 of the storage device 200.

  The random number generation unit 221 generates session keys Kfs2, Ks2 and challenge keys Kfc2, Ksc2 that are temporarily used for encrypted communication with the recording device 100 or the playback device 300 by random number calculation. Specifically, when the storage device 200 provides license data, two challenge keys Kfc2 and Ksc2 are generated, and when the storage device 200 records license data, two session keys Kfs2 and Kss2 are generated.

  The certificate output unit 222 outputs the certificate C [KPd2] of the storage device 200. The certificate may be held by the certificate output unit 222, or may be held in a predetermined storage area of the storage device 200, for example, the tamper resistant storage unit 204, and read out. The certificate includes a certificate body including the public key KPd2 of the storage device 200 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the verification authority.

  The certificate verification unit 223 verifies a certificate provided from the outside. Specifically, the certificate C [KPd3] acquired from the playback device 300 is verified with the verification key KPa. Since the detailed processing of the verification has been described above, the description thereof is omitted here.

  The first decryption unit 224 decrypts the data encrypted with its own public key KPd2. Specifically, at the time of recording, the challenge key Kfc1 issued by the recording device 100 is supplied from the recording device 100 as first challenge information E (KPd2, Kfc1) encrypted with the public key KPd2 of the storage device 200. Therefore, this is decrypted with its own secret key Kd2, and the challenge key Kfc1 is extracted. The extracted challenge key Kfc1 is transmitted to the first encryption unit 225 and the second encryption unit 228.

  The first encryption unit 225 encrypts data with the challenge key Kfc1 issued by the recording apparatus 100. Specifically, the session key Kfs2 generated by the random number generation unit 221 and its own public key KPp2 are concatenated and encrypted with the challenge key Kfc1, thereby generating first session information E (Kfc1, Kfs2 // KPp2).

  The second decryption unit 226 decrypts the data encrypted with the session key Kfs2 generated by the random number generation unit 221. Specifically, since the challenge key Ksc1 is received from the recording device 100 as the second challenge information E (Kfs2, E (KPp2, Ksc1)) double-encrypted with the public key KPp2 and the session key Kfs2, this is received. Decryption is performed using the session key Kfs2, and the result is transmitted to the third decryption unit 227.

  The third decryption unit 227 decrypts the data encrypted with its own public key KPp2. The challenge key E (KPp2, Ksc1) encrypted with the public key KPp2 transmitted from the second decryption unit 226 is decrypted with its own private key Kp2 paired with the public key KPp2, and the challenge key Ksc1 is extracted. The extracted challenge key Ksc1 is transmitted to the fourth decryption unit 229.

  The second encryption unit 228 encrypts data with the challenge key Kfc1 issued by the recording apparatus 100. Specifically, the session key Kss2 generated by the random number generator 221 is encrypted with the challenge key Kfc1 to generate second session information E (Kfc1, Kss2).

  The fourth decryption unit 229 decrypts the data encrypted with the challenge key Ksc1 issued by the recording device 100. Specifically, since the license data LIC is supplied from the recording device 100 as encrypted license data E (Ksc1, E (Kss2, LIC)) that is doubly encrypted by the challenge key Ksc1 and the session key Kss2, This is decrypted with the challenge key Ksc1, and the result is transmitted to the fifth decryption unit 230.

  The fifth decryption unit 230 decrypts the data encrypted with the session key Kss 2 generated by the random number generation unit 221. The license data E (Kss2, LIC) encrypted with the session key Kss2 transmitted from the fourth decryption unit 229 is decrypted, and the license data LIC is extracted.

  The extracted license data LIC is supplied to the data bus 210 via the local bus 240 and the control unit 220, and is stored in the tamper resistant storage unit 204 in accordance with an instruction from the controller 201.

  The third encryption unit 231 encrypts data with the public key KPd3 of the playback device 300. Specifically, when the license data is provided to the playback device 300, the challenge key Kfc2 generated by the random number generation unit 221 with the public key KPd3 extracted from the certificate C [KPd3] received from the playback device 300. Is encrypted, and first challenge information E (KPd3, Kfc2) is generated.

  The sixth decryption unit 232 decrypts the data encrypted with the challenge key Kfc2 generated by the random number generation unit 221. The first session information E (Kfc2, Kfs3 // KPp3) received from the playback device 300 is decrypted with the challenge key Kfc2 generated by the random number generator 221 and the session key Kfs3 and the public key KPp3 of the playback device 300 are extracted. The extracted session key Kfs3 and public key KPp3 are transmitted to the fifth encryption unit 234 and the fourth encryption unit 233, respectively.

  The fourth encryption unit 233 encrypts the data with the public key KPp3 of the playback device 300. When providing license data to the playback device 300, the challenge key Ksc2 generated by the random number generator 221 is encrypted with the public key KPp3 received from the playback device 300.

  The fifth encryption unit 234 encrypts data with the session key Kfs3 issued by the playback device 300. Specifically, with the session key Kfs3, the challenge key E (KPp3, Ksc2) encrypted with the public key KPp3 of the playback device 300 in the fourth encryption unit 233 is further encrypted, and the first session information E (Kfs3, Kfs3) is encrypted. E (KPp3, Ksc2)) is generated.

  The seventh decryption unit 235 decrypts the data encrypted with the challenge key Kfc2 issued by the random number generation unit 221. The second session information E (Kfc2, Kss3) received from the playback device 300 is decrypted with the challenge key Kfc2 issued by the random number generator 221 and the session key Kss3 is extracted. The extracted session key Kss3 is transmitted to the sixth encryption unit 236. The session key Kss3 is reissued by the playback device 300 every time one piece of license data is output.

  The sixth encryption unit 236 encrypts the data with the session key Kss3 issued by the playback device 300. When providing license data to the playback apparatus 300, the license data LIC is encrypted with the latest session key Kss3 received from the playback apparatus 300. The license data LIC is read from the tamper-resistant storage unit 204 in accordance with an instruction from the controller 201 and supplied in advance to the sixth encryption unit 236 via the data bus 210, the control unit 220, and the local bus 240.

  The seventh encryption unit 237 encrypts the data with the challenge key Ksc2 generated by the random number generation unit 221. Specifically, the license data encrypted with the session key Kss3 issued by the playback device 300 in the sixth encryption unit 236 with the challenge key Ksc2 is further encrypted, and the encrypted license data E (Ksc2, E (Kss3, LIC)).

  8, 9, and 10 show a procedure until the recording apparatus 100 records the license data LIC in the storage device 200.

  First, the controller 101 of the recording apparatus 100 issues a certificate output command to the storage device 200 (S102). When the controller 201 of the storage device 200 normally accepts the certificate output command (S104), the controller 201 instructs the cryptographic engine 203 to output the certificate, reads the certificate C [KPd2] from the cryptographic engine 203, and sends it to the recording device 100. Output (S106).

  When the controller 101 of the recording apparatus 100 acquires the certificate C [KPd2] from the storage device 200, it sends it to the cryptographic engine 103 of the recording apparatus 100 (S108). When the cryptographic engine 103 receives the certificate C [KPd2] of the storage device 200 (S110), the certificate verification unit 120 verifies the certificate with the verification key KPa (S112). When the certificate is not approved (N in S112), the certificate verification unit 120 transmits a verification error notification to the controller 101 (S290). When the controller 101 receives the error notification (S292), the process ends abnormally.

  When the certificate is approved (Y in S112), the cryptographic engine 103 generates a challenge key Kfc1 by the random number generation unit 121, and transmits the generated challenge key Kfc1 to the first encryption unit 122 and the first decryption unit 123. . The first decryption unit 123 holds the challenge key Kfc1 inside (S114). The first encryption unit 122 encrypts the challenge key Kfc1 with the public key KPd2 of the storage device 200, and generates first challenge information E (KPd2, Kfc1). Then, this is sent to the controller 101 (S116).

  Upon receiving the first challenge information E (KPd2, Kfc1) (S118), the controller 101 issues a first challenge information processing command to the storage device 200 (S120). In the storage device 200, when the controller 201 receives the first challenge information processing command, the controller 201 requests input of the first challenge information E (KPd2, Kfc1) (S122). In response to this request, the controller 101 of the recording device 100 outputs the first challenge information E (KPd2, Kfc1) to the storage device 200 (S124).

  When the storage device 200 receives the first challenge information E (KPd2, Kfc1) (S126), in the cryptographic engine 203, the control unit 220 transmits the first challenge information E (KPd2, Kfc1) to the first decryption unit 224. To do. The first decryption unit 224 decrypts this with its own secret key Kd2 and takes out the challenge key Kfc1 (S128). Then, the extracted challenge key Kfc1 is transmitted to the first encryption unit 225 and the second encryption unit 228. The first encryption unit 225 and the second encryption unit 228 hold this (S130).

  On the other hand, when the processing of the first challenge information processing command is completed in the storage device 200, the controller 101 of the recording device 100 issues a first session information generation command to the storage device 200 (S132). In the storage device 200, when the controller 201 receives the first session information generation command (S134), in the cryptographic engine 203, the random number generation unit 221 generates the session key Kfs2 according to the instruction of the control unit 220, and the generated session key Kfs2 Is transmitted to the second decryption unit 226 and the first encryption unit 225. Then, the second decryption unit 226 holds this session key Kfs2 (S136).

  The first encryption unit 225 concatenates the session key Kfs2 and its own public key KPp2, encrypts them with the challenge key Kfc1 held in step S130, and first session information E (Kfc1, Kfs2 // KPp2) Is generated (S138).

  On the other hand, when the processing of the first session information generation command is completed in the storage device 200, the controller 101 issues a first session information output command (S140). In the storage device 200, when the first session information output command is received (S142), the controller 201 reads the first session information E (Kfc1, Kfs2 // KPp2) from the cryptographic engine 203 and sends it to the controller 101 of the recording apparatus 100. It outputs (S144).

  When the controller 101 of the recording apparatus 100 receives the first session information E (Kfc1, Kfs2 // KPp2) from the storage device 200, it sends it to the cryptographic engine 103 (S146). When the cryptographic engine 103 receives the first session information E (Kfc1, Kfs2 // KPp2) from the controller 101 (S148), the first decryption unit 123 uses the challenge key Kfc1 held therein to store the session information E (Kfc1, Kfs2). // KPp2) is decrypted to extract the session key Kfs2 and the public key KPp2 of the storage device 200. (S150). The extracted session key Kfs2 and public key KPp2 are transmitted to and held in the third encryption unit 125 and the second encryption unit 124, respectively (S152).

  Subsequently, the random number generation unit 121 generates a challenge key Ksc1, and transmits the generated challenge key Ksc1 to the second encryption unit 124 and the fifth encryption unit 128. The fifth encryption unit 128 holds this challenge key Ksc1 so that it can be used repeatedly (S154). The second encryption unit 124 encrypts the challenge key Ksc1 with the public key KPp2 of the storage device 200 and transmits it to the third encryption unit 125. The third encryption unit 125 further encrypts the result given from the second encryption unit 124 with the session key Kfs2 to generate second challenge information E (Kfs2, E (KPp2, Ksc1)). Then, this is sent to the controller 101 (S156).

  Upon receiving the second challenge information E (Kfs2, E (KPp2, Ksc1)) (S158), the controller 101 issues a second challenge information processing command to the storage device 200 (S160). In the storage device 200, when the controller 201 receives the second challenge information processing command, the controller 201 requests input of the second challenge information E (Kfs2, E (KPp2, Ksc1)) (S162). In response to this request, the controller 101 of the recording apparatus 100 outputs the second challenge information E (Kfs2, E (KPp2, Ksc1)) to the storage device 200 (S164).

  When the storage device 200 receives the second challenge information E (Kfs2, E (KPp2, Ksc1)) (S166), the control unit 220 of the cryptographic engine 203 uses the second challenge information E (Kfs2, E (KPp2, Ksc1)). ) Is transmitted to the second decoding unit 226. The second decryption unit 226 decrypts the second challenge information E (Kfs2, E (KPp2, Ksc1)) using the session key Kfs2, and extracts the encrypted challenge key E (KPp2, Ksc1). Then, the extracted encryption challenge key E (KPp2, Ksc1) is transmitted to the third decryption unit 227. The third decryption unit 227 decrypts the encrypted challenge key E (KPp2, Ksc1) with the public key KPp2 and the paired secret key Kp2, and extracts the challenge key Ksc1 (S168). The extracted challenge key Ksc1 is given to the fourth decryption unit 229 and held here so that it can be used repeatedly (S170).

  On the other hand, when the processing of the second challenge information processing command is completed in the storage device 200, the controller 101 of the recording device 100 issues a second session information generation command to the storage device 200 (S172). In the storage device 200, when the controller 201 receives the second session information generation command (S174), in the cryptographic engine 203, the random number generation unit 221 generates the session key Kss2 according to the instruction of the control unit 220, and the generated session key Kss2 is transmitted to the fifth decryption unit 230 and the second encryption unit 228. Then, the fifth decryption unit 230 holds the session key Kss2 (S176). The second encryption unit 228 encrypts the session key Kss2 with the challenge key Kfc1 held in the previous step S130, and generates an encrypted session key E (Kfc1, Kss2) (S178).

  On the other hand, when the processing of the second session information generation command is completed in the storage device 200, the controller 101 of the recording apparatus 100 issues a second session information output command (S180). In the storage device 200, when the second session information output command is received (S182), the controller 201 reads the second session information E (Kfc1, Kss2) from the cryptographic engine 203 and outputs it to the controller 101 of the recording apparatus 100 ( S184).

  Upon receiving the second session information E (Kfc1, Kss2) from the storage device 200, the controller 101 of the recording apparatus 100 sends it to the cryptographic engine 103 (S186). When the cryptographic engine 103 receives the second session information E (Kfc1, Kss2) from the controller 101 (S188), the second decryption unit 126 uses the challenge key Kfc1 held therein to store the second session information E (Kfc1, Kss2). And the session key Kss2 is extracted (S190).

  Subsequently, the cryptographic engine 103 uses the fourth encryption unit 127 to encrypt the license data LIC issued by the encryptor 104 with the session key Kss2 issued by the storage device 200. Then, the license data LIC encrypted by the fourth encryption unit 127 is further encrypted by the fifth encryption unit 128 using the challenge key Ksc1 generated in step S154, and the encrypted license data E (Ksc1, E (Kss2, LIC) )) Is generated and sent to the controller 101 (S192).

  Upon receiving the encrypted license data E (Ksc1, E (Kss2, LIC)) (S194), the controller 101 issues a license data write command to the storage device 200 (S196). The license writing command is accompanied by an address that designates a recording position in the tamper resistant storage unit 204. Here, the address indicates a logical address and does not directly specify the recording position in the tamper-resistant storage unit 204. However, the controller records the data recorded by specifying the address so that it can be read by specifying the same address. 201. However, the physical address directly indicating the position in the tamper resistant storage unit 204 may be used.

  When the storage device 200 accepts the license write command, the storage device 200 requests input of encryption license data (S198), and the controller 101 of the recording apparatus 100 responds to the request with the encryption license data E (Ksc1, E (Kss2). , LIC)) to the storage device 200 (S200). When the storage device 200 receives the encrypted license data E (Ksc1, E (Kss2, LIC)) (S202), it transmits the encrypted license data E to the fourth decryption unit 229 in the cryptographic engine 203.

  The fourth decryption unit 229 decrypts the encrypted license data E (Ksc1, E (Kss2, LIC)) with the challenge key Ksc1 held therein, and the license data E (Kss2, Kss2, encrypted with the session key Kss2) LIC). The extracted encrypted license data E (Kss2, LIC) is transmitted to the fifth decryption unit 230. The fifth decryption unit 230 decrypts this using the session key Kss2 generated and held in step S176, extracts the license data LIC (S204), and supplies this to the data bus 210 via the local bus 240 and the control unit 220. . The controller 201 performs a storage process of recording the license data LIC supplied to the data bus 210 at a specified address in the tamper resistant storage unit 204 (S206).

  On the other hand, after the processing of the license data write command is completed in the storage device 200, the controller 101 determines whether to continue recording license data (S208).

  When license data is continuously recorded (Y in S208), the process proceeds to step S172, and the procedure is started from the issue of the session information generation command. This is a procedure for reducing the processing by sharing the certificate verification processing when recording a plurality of license data. Here, it is assumed that the license data is continuously recorded, but it is not always necessary to record the next license data immediately after recording one license data. A state in which the cryptographic engine 103 and the storage device 200 share the two challenge keys Kfc1 and Ksc1, specifically, the second decryption unit 126 of the cryptographic engine 103 of the recording apparatus 100 and the cryptographic engine 203 of the storage device 200. The second encryption unit 228 holds the same challenge key Kfc1, and the fifth encryption unit 128 of the encryption engine 103 of the recording device 100 and the fourth decryption unit 229 of the encryption engine 203 of the storage device 200 have the same challenge. Any timing may be used as long as the key Ksc1 is held.

  Even if the license data is continuously recorded, there is no problem even if the procedure is started from step S102. If the license data is not recorded subsequently (N in S208), the process ends normally.

  With the above procedure, the license data necessary for decrypting and playing back the encrypted content is recorded in the storage device 200. The encrypted content is normal data and is directly stored in the normal data storage unit 205 of the storage device 200 by a normal command. The description of the normal data storage process is omitted.

  Note that the recording order of the license data and the encrypted content data may be any first. Further, the license data may be recorded by dividing and issuing the secure command during the free time when recording the encrypted content data. The procedure until the recording apparatus 100 shown in FIGS. 8, 9, and 10 records the license data in the storage device 200 is an example in the case where the process has been changed normally.

  11, 12, and 13 show a procedure until the playback apparatus 300 reads license data from the storage device 200. First, the controller 301 of the playback device 300 makes a certificate output request to the cryptographic engine 303 (S302). When the cryptographic engine 303 receives this transmission request (S304), the certificate output unit 320 sends the certificate C [KPd3] to the controller 301 (S306). Upon receiving the certificate C [KPd3] from the cryptographic engine 303 (S308), the controller 301 issues a certificate verification command to the storage device 200 (S310).

  When the storage device 200 accepts the certificate verification command, the storage device 200 requests input of the certificate (S312), and the controller 301 of the playback device 300 responds to the request by the certificate C [KPd3] received from the cryptographic engine 303. Is output to the storage device 200 (S314). When the storage device 200 receives the certificate C [KPd3] (S316), the storage device 200 gives the certificate C [KPd3] to the internal encryption engine 203. In the cryptographic engine 203, the certificate verification unit 223 verifies the certificate C [KPd3] with the verification key KPa according to the instruction of the control unit 220 (S318). If the certificate is not approved (N in S318), the certificate verification unit 223 transmits a verification error notification to the controller 301 via the control unit 220, the controller 201, and the storage interface 202 (S490). Upon receiving the error notification (S492), the controller 301 ends the process abnormally. On the other hand, when the certificate C [KPd3] is approved (Y in S318), the control unit 220 of the cryptographic engine 203 extracts the public key KPd3 from the certificate C [KPd3] and transmits it to the third cryptographic unit 231. . The third encryption unit 231 holds the public key KPd3 (S320).

  On the other hand, when the storage device 200 approves the certificate C [KPd3] of the cryptographic engine 303 in the storage device 200, the controller 301 issues a first challenge information generation command to the storage device 200 (S322). Then, the storage device 200 accepts the first challenge information generation command (S324). In the cryptographic engine 203, the random number generation unit 221 generates a challenge key Kfc 2 in accordance with an instruction from the control unit 220, and transmits the generated challenge key Kfc 2 to the third encryption unit 231 and the sixth decryption unit 232. Then, the sixth decryption unit 232 holds the challenge key Kfc2 inside (S326). Then, the third encryption unit 231 generates first challenge information E (KPd3, Kfc2) obtained by encrypting the session key Kfs2 with the public key KPd3 held in step S320 (S328).

  On the other hand, when the processing of the first challenge information generation command is completed in the storage device 200, the controller 301 of the playback device 300 issues a first challenge information output command (S330). Then, when the storage device 200 receives the first challenge information output command (S332), the controller 201 extracts the first challenge information E (KPd3, Kfc2) from the cryptographic engine 203 and outputs it to the controller 301 of the playback device 300. (S334).

  Upon receiving the first challenge information E (KPd3, Kfc2), the controller 301 of the playback device 300 sends it to the cryptographic engine 303 (S336). When the cryptographic engine 303 receives the first challenge information E (KPd3, Kfc2) (S338), the first decryption unit 322 decrypts the first challenge information E (KPd3, Kfc2) with its own secret key Kd3. The challenge key Kfc2 is extracted (S340). Subsequently, the extracted challenge key Kfc2 is held in the first encryption unit 323 and the second encryption unit 326 (S342).

  Next, the controller 301 makes a transmission request for the first session information to the cryptographic engine 303 (S344). When the cryptographic engine 303 receives this transmission request (S346), in the cryptographic engine 303, the random number generation unit 321 generates a session key Kfs3 and transmits it to the first encryption unit 323 and the second decryption unit 324. The second decryption unit 324 holds the session key Kfs3 inside (S348). Then, the first encryption unit 323 encrypts data obtained by concatenating the session key Kfs3 and its public key KPp3 with the challenge key Kfc2, and generates first session information E (Kfc2, Kfs3 // KPp3), The data is sent to the controller 301 (S350). When the controller 301 receives the first session information E (Kfc2, Kfs3 // KPp3) from the cryptographic engine 303 (S352), it issues a first session information processing command to the storage device 200 (S354).

  When the storage device 200 receives the first session information processing command (S356), the storage device 200 requests input of the first session information, and the controller 301 of the playback device 300 receives the first session received from the cryptographic engine 303 in response to this request. Session information E (Kfc2, Kfs3 // KPp3) is output to the storage device 200 (S358). When the storage device 200 receives the first session information E (Kfc2, Kfs3 // KPp3) (S360), it transmits this to the sixth decryption unit 232 of the cryptographic engine 203.

  The sixth decryption unit 232 decrypts the transmitted first session information E (Kfc2, Kfs3 // KPp3) with the challenge key Kfc2 held in step S326. Then, the session key Kfs3 and the public key KPp3 of the playback device 300 are extracted (S362). The extracted session key Kfs3 and public key KPp3 are transmitted to the fifth encryption unit 234 and the fourth encryption unit 233, respectively (S364).

  On the other hand, when the processing of the first session information processing command is completed in the storage device 200, the controller 301 of the playback device 300 issues a second challenge information generation command to the storage device 200 (S366). Then, the storage device 200 receives the second challenge information generation command (S368). In the cryptographic engine 203, the random number generation unit 221 generates a challenge key Ksc2 in accordance with an instruction from the control unit 220, and transmits the generated challenge key Ksc2 to the fourth encryption unit 233 and the seventh encryption unit 237. The seventh encryption unit 237 holds the challenge key Ksc2 so that it can be used repeatedly (S370). Then, the fourth encryption unit 233 encrypts the challenge key Ksc2 with the public key KPp3 of the playback device 300 acquired previously, and transmits this to the fifth encryption unit 234. The fifth encryption unit 234 further encrypts the challenge key E (KPp3, Ksc2) encrypted by the fourth encryption unit 233 with the session key Kfs3 to obtain second challenge information E (Kfs3, E (KPp3, Ksc2) ) Is generated (S372).

  On the other hand, when the processing of the second challenge information generation command is completed in the storage device 200, the controller 301 of the playback device 300 issues a second challenge information output command (S374). Then, when the storage device 200 receives the second challenge information output command (S376), the controller 201 retrieves the second challenge information E (Kfs3, E (KPp3, Ksc2)) from the cryptographic engine 203, and the playback device 300 To the controller 301 (S378).

  When receiving the second challenge information E (Kfs3, E (KPp3, Ksc2)), the controller 301 of the playback device 300 sends it to the cryptographic engine 303 (S380). When the cryptographic engine 303 receives the second challenge information E (Kfs3, E (KPp3, Ksc2)) (S382), the second decryption unit 324 receives the second challenge information E (Kfs3, E (KPp3, Ksc2)). ) Is decrypted with the held session key Kfs3, and the decryption result E (KPp3, Ksc2) is transmitted to the third decryption unit 325. The third decryption unit 325 decrypts this with its own secret key Kp3 and takes out the challenge key Ksc2 (S384). The extracted challenge key Ksc2 is transmitted to the fourth decryption unit 327 and held here (S386).

  This is the process common to repeated license data access. The subsequent processing is repeated every time the license data is accessed.

  Next, the controller 301 of the playback device 300 issues a license read command to the storage device 200 (S388). The license read command is accompanied by an address that designates a read position in the tamper resistant storage unit 204. Upon receiving the license read command (S390), the storage device 200 reads the license data LIC stored at the specified address of the tamper resistant storage unit 204, and the read license data LIC is the sixth of the cryptographic engine 203. It is held by the encryption unit 236 (S392).

  On the other hand, the controller 301 makes a transmission request for the second session information to the cryptographic engine 303 (S394). When the cryptographic engine 303 receives this transmission request (S396), in the cryptographic engine 303, the random number generation unit 321 generates a session key Kss3 and transmits this to the second encryption unit 326 and the fifth decryption unit 328. . The fifth decryption unit 328 holds the session key Kss3 inside (S398). Then, the second encryption unit 326 encrypts the session key Kss3 generated by the random number generation unit 321 with the challenge key Kfc2 held in step S342, generates the second session information E (Kfc2, Kss3), and sends it to the controller 301. Send (S400). When the controller 301 receives the second session information E (Kfc2, Kss3) from the cryptographic engine 303 (S402), it issues a second session information processing command to the storage device 200 (S404).

  When the storage device 200 receives the second session information processing command, the storage device 200 requests input of session information (S406), and the controller 301 of the playback device 300 receives the second session information received from the cryptographic engine 303 in response to this request. E (Kfc2, Kss3) is output to the storage device 200 (S408).

  When the storage device 200 receives the second session information E (Kfc2, Kss3) (S410), it transmits it to the seventh decryption unit 235 of the cryptographic engine 203. The seventh decryption unit 235 decrypts the transmitted second session information E (Kfc2, Kss3) with the challenge key Kfc2 held in step S326. Then, the session key Kss3 issued by the playback device 300 is extracted and transmitted to the sixth encryption unit 236 (S412). The sixth encryption unit 236 encrypts the license data LIC held in step S392 with the session key Kss3 issued by the playback device 300, generates E (Kss3, LIC), and transmits it to the seventh encryption unit 237. The seventh encryption unit 237 further encrypts the transmitted E (Kss3, LIC) with the challenge key Ksc2 held in step S370, and generates encrypted license data E (Ksc2, E (Kss3, LIC)). (S414).

  On the other hand, when the processing of the session information processing command is completed in the storage device 200, that is, the encrypted license data is generated, the controller 301 of the playback device 300 issues an encrypted license output command (S416). In the storage device 200, when the encrypted license output command is received (S418), the controller 201 retrieves the encrypted license data E (Ksc2, E (Kss3, LIC)) from the cryptographic engine 203, and the controller 301 of the playback device 300. (S420).

  When receiving the encrypted license data E (Ksc2, E (Kss3, LIC)) from the storage device 200, the controller 301 of the playback device 300 sends it to the encryption engine 303 (S422). When the cryptographic engine 303 receives the encrypted license data (S424), the fourth decryption unit 327 decrypts the encrypted license data E (Ksc2, E (Kss3, LIC)) with the challenge key Ksc2 held in step S386, The decoding result E (Kss3, LIC) is sent to the fifth decoding unit 328. The fifth decryption unit 328 decrypts this with the session key Kss3 held in step S398 and extracts the license data LIC (S426). The license data is sent to the decryptor 304 (S428), and is used when the decryptor 304 decrypts the encrypted content data.

  With the above procedure, license data for decrypting the encrypted content is read from the storage device 200 by the playback device 300.

  On the other hand, after reading the license data in the storage device 200, if the controller 301 wants to read other license data (Y in S430), the controller 301 proceeds to step S388 and starts the procedure from issuing the license read command. be able to. This is a procedure for reducing the processing by sharing the certificate verification processing when reading a plurality of license data. Here, it is assumed that the license data is continuously read out. However, it is not always necessary to perform the next reading immediately after reading out one license data. A state in which the cryptographic engine 303 and the storage device 200 share the two challenge keys Kfc2 and Ksc2, specifically, the second cryptographic unit 326 of the cryptographic engine 303 of the playback device 300 and the cryptographic engine 203 of the storage device 200. The seventh decryption unit 235 holds the same challenge key Kfc2, and the fourth decryption unit 327 of the encryption engine 303 of the playback device 300 and the seventh encryption unit 237 of the encryption engine 203 of the storage device 200 have the same challenge. Any timing may be used as long as the key Ksc2 is held. Even if the license data is continuously read out, there is no problem even if the procedure is started from step S302. Subsequently, when other license data is not read (N in S430), the controller 301 ends the process normally.

  The procedure until the playback device 300 shown in FIGS. 11, 12, and 13 reads the license data from the storage device 200 is an example in the case where the processing has been normally performed.

  By the above procedure, the license data recorded in the storage device 200 is copied (license data recorded in the storage device 200 can be used) or moved to another storage device (license data recorded in the storage device 200). Can be deleted or invalidated). If another storage device that newly records license data has the same function, the license may be transferred between the storage devices in the same procedure, and the license may be recorded from the storage device 200 to the other storage device. Obviously we can do it. In this case, the transfer of the license from the storage device 200 to the other storage device is the use of the license from the storage device 200 to the playback device 300, and the transfer of the license from the other storage device to the storage device 200 is the above. It functions in the same manner as license recording from the recording apparatus 100 to the storage device 200.

  According to the above-described embodiment, when repeatedly accessing (recording or reading) data to be concealed such as license data, the concealed data can be protected by using only the common key encryption algorithm without losing security. become able to. The common key encryption algorithm has a smaller amount of computation than the public key encryption algorithm, and is easy to implement in hardware. Therefore, it becomes possible to quickly access the license data.

  In this way, when repeated access (recording or reading) to license data is performed repeatedly, the data to be kept secret is encrypted between the storage device and the host device without sacrificing safety. The processing efficiency when inputting / outputting can be improved.

  In this embodiment, the license data transmission destination (storage device 200 during recording, playback device 300 during reading) is x, and the license data transmission source (recording device 100 during recording, storage device 200 during reading). ) Is y, the encrypted license data E (Kscy, E (Kssx, LIC)) is used, but the same applies to E (Kssx, E (Kscy, LIC)) in which the order of encryption is reversed. The effect can be obtained.

  That is, the license data LIC only needs to be double-encrypted with a disposable key that is temporally generated at the transmission source of the license data and a disposable key that is temporally generated at the transmission destination of the license data. Of the two disposable keys, one is a disposable key generated every time the license data LIC is transmitted, and the other is desirably a disposable key generated every time the certificate is verified.

  In the present embodiment, the second session information E (Kfcy, Kssx) is used. However, instead of the challenge key Kfcy, another challenge provided from the license data transmission source to the license data transmission destination most recently is used. There is no problem even if E (Kscy, Kssx) is used using the key Kscy.

  In the present embodiment, only the license data transmission destination transmits the license data transmission destination public key certificate C [KPdx] to the license data transmission source, and verifies the validity. Further, the license data transmission source sends the license data transmission source public key certificate C [KPdy] to the license data transmission destination, and the license data transmission destination is the validity of the license data transmission source. You may make it perform verification of. For example, 1) The transmission source of the license data transmits the public key certificate C [KPdy] held by itself together with the first challenge information E (KPdx, Kfcy), and 2) the public key certificate The destination of the received license data verifies this, and 3) at least one of the session key Kfsx and the public key KPpx for transmitting the second session information from the destination of the license data is from the public key certificate C [KPdy]. The format is changed to a double-encrypted format using the extracted public key KPdy and challenge key Kfcy.

  In order to perform the above processing, specifically, the cryptographic engine 103 stores the certificate output unit that holds and outputs the public key certificate C [KPd1], and the data encrypted by the public key KPd1 as the private key. The encryption engine 303 includes a certificate verification unit that verifies the certificate C [KPd2] provided from the outside, and a cryptographic unit that encrypts data using the public key KPd2 included in the certificate. Is provided.

  In this way, the license data transmission destination can provide a higher level of safety by providing a function of rejecting the recording of license data from a license data transmission source or a fake license data transmission source whose security has been compromised. The rights of authors and the like can be protected appropriately.

  In the above-described procedure, cryptographic algorithms such as RSA and EC-DH (Elliptic Curve Diffie-Hellman) can be used as public key cryptosystems. When adopting EC-DH, it is shared between the transmission source of the license data and the transmission destination of the license data by the EC-DH encryption method instead of the challenge key Ksc1 as a symmetric key used when encrypting the license data LIC. Shared key may be used.

  EC-DH encrypts data with a symmetric key (called a shared key) shared by both parties by multiplication on an elliptic curve over a finite field (this operation algorithm is called elliptic curve cryptography). The encrypted data has a format in which the result of encrypting the data and data for sharing the shared key (referred to as parameters) are concatenated.

  For example, transmission of encrypted data using the public key KPpx and the secret key Kpx will be described. In EC-DH, the relationship between the two is KPpx = Kpx * B. Here, the base point on the elliptic curve is indicated by “B”, and the multiplication on the elliptic curve is indicated by “*”. Also, a shared key shared between the license data transmission source and the license data transmission destination is KPpxECDHy. In the following description, “x” indicates a side that receives encrypted data (referred to as a receiving side), and “y” indicates a side that provides encrypted data (referred to as a transmitting side).

  The receiving side transmits the public key KPpx to the transmitting side. Upon receiving the public key KPpx, the transmission side first generates a random number rdy in order to create encrypted data. Then, the public key KPpx and the random number rdy are multiplied on the elliptic curve, the coordinate KPpx * rdy on the curve is obtained by calculation, the coordinate is substituted into the key generation function F (), and the shared key KPpxECDHy = F (KPpx * Rdy) is obtained by calculation. At the same time, the parameter B * rdy is calculated in order to share the shared key KPpxECDHy with the receiving side. The base point B and the key generation function F () are shared in advance together with the elliptic curve equation.

  The target shared data (denoted as Data) is encrypted with the generated shared key KPpxECDHy to generate encrypted data Es (KPpxECDHy, Data). Then, the parameter B * rdy and B * rdy // Es (KPpxECDHy, Data) concatenated with the result are sent as Ep (KPpx, Data) to the receiving side.

  Here, Es indicates an encryption function based on the common key encryption method, and Es (KPpxECDHy, Data) indicates that the target data Data is encrypted with the symmetric key KPpxECDHy. Ep indicates an encryption function using a public key cryptosystem, and indicates that the target data Data is encrypted with the public key KPpx. Thus, in EC-DH, Ep (KPpx, Data) = B * rdy // Es (KPpxECDHy, Data).

  On the receiving side, when Ep (KPpx, Data) is received, the stored secret key Kpx and the parameter B * rdy are multiplied on the elliptic curve to obtain the coordinates Kpx * B * rdy = KPpx * rdy on the curve. Further, the shared key KPpxECDHy is obtained. The encrypted data Es (KPpxECDHy, Data) is decrypted with the obtained shared key KPpxECDHy. The same applies to the set of the public key KPdx and the secret key Kdx. In this way, symmetric key sharing and encrypted data transmission / reception are performed simultaneously.

  In the procedure described above, when the license data LIC is encrypted, the shared key shared by the EC-DH algorithm in this way may be used as the challenge key. For example, when encrypted with the public key KPpx and transmitted, the shared key based on the EC-DH encryption method described above may be used as the challenge key Ksc1 or Ksc2. This is because the shared key KPpxECDHy is derived from the public key KPpx of the license data transmission destination, but is determined by the random number rpy generated at the license data transmission source. Can be treated as a symmetric key. In this case, the license data LIC is encrypted with the shared key as the challenge key and the session key generated most recently, and transmitted from the license data transmission source to the license data transmission destination. In this case, the encrypted license data is E (KPpxECDHy, E (Kssx, LIC)) or E (Kssx, E (KPpxECDHy, LIC)).

(Second Embodiment)
FIG. 14 shows a configuration of a recording / reproducing apparatus 400 according to the second embodiment. In the present embodiment, the recording apparatus 100 and the reproducing apparatus 300 in the first embodiment are realized as one recording / reproducing apparatus 400.

  The recording / reproducing apparatus 400 of this embodiment includes a controller 401, a storage interface 402, a recording unit 403, a reproducing unit 404, and a data bus 410 that electrically connects at least some of these components.

  The recording unit 403 includes the configuration of the recording device 100 according to the first embodiment illustrated in FIG. 2, and the reproducing unit 404 includes the configuration of the reproducing device 300 according to the first embodiment illustrated in FIG. In the figure, the same reference numerals are assigned to the same components as those in the first embodiment.

  The first cryptographic engine 103 corresponds to the cryptographic engine 103 of the recording device 100 in the first embodiment, and the second cryptographic engine 303 corresponds to the cryptographic engine 303 of the playback device 300 in the first embodiment. The internal configuration of the first cryptographic engine 103 is the same as the cryptographic engine 103 of the first embodiment shown in FIG. 5, and the internal configuration of the second cryptographic engine 303 is the same as that of the first embodiment shown in FIG. This is the same as the internal configuration of the encryption engine 303 of the embodiment.

  The controller 401 has the functions of both the controller 101 of the recording apparatus 100 and the controller 301 of the playback apparatus 300 in the first embodiment. The storage interface 402 controls data input / output with the storage device 200, and the data bus 410 electrically connects the configuration of the recording / playback apparatus 400.

  The operation of the recording / reproducing apparatus 400 in the present embodiment is the same as that in the first embodiment. In the operation described in the first embodiment, the recording apparatus 100 and the reproducing apparatus 300 are connected to the recording / reproducing apparatus 400. Further, the controller 101 and 301 are replaced with the controller 401, the storage interface 102 and 302 are replaced with the storage interface 402, and the data buses 110 and 310 are replaced with the data bus 410, respectively.

  In the present embodiment, the recording unit 403 and the playback unit 404 include the first cryptographic engine 103 and the second cryptographic engine 303, respectively. However, the same functional blocks in these cryptographic engines may be shared. In this case, the configuration is the same as the cryptographic engine 203 in the storage device 200 shown in FIG. 7 in the first embodiment.

(Third embodiment)
FIG. 15 shows a configuration of a content distribution system according to the third embodiment. In the present embodiment, the recording device 100 in the first embodiment is realized as a distribution server 500 that distributes content and a terminal device 520 that receives the content. In the figure, the same components as those of the recording apparatus 100 according to the first embodiment are denoted by the same reference numerals.

  The distribution server 500 includes a cryptographic engine 103, a communication device 502, a content database 503, a license database 504, a user database 505, a controller 501 that controls them, and a data bus 510 that electrically connects them. The terminal device 520 includes a controller 101, a storage interface 102, a communication device 521, and a data bus 522 that electrically connects them. The distribution server 500 and the terminal device 520 are connected by the Internet 20 as an example of a network via the communication devices 502 and 521, respectively.

  The cryptographic engine 103 of the distribution server 500 has the same function as the cryptographic engine 103 of the first embodiment. The controller 101 and the storage interface 102 of the terminal device 520 are the same as the controller 101 of the first embodiment. It has the same function as the storage interface 102.

  The content database 503 holds content provided to the user. The license database 504 holds license data including a content key used for encrypting content. In this embodiment, the content is already encrypted with the content key and stored in the content database 503. However, the content before encryption is stored in the content database 503, and the distribution server 500 stores the first content. The content encoder 105 and the encryptor 104 included in the recording apparatus 100 according to the embodiment may be further provided, and the content may be read from the content database 503, encoded, and encrypted.

  The user database 505 holds information on a user who is a content providing destination. For example, the user's personal information, the user's terminal device 520 address, content purchase history, billing information, and the like may be held. The controller 501 reads encrypted content from the content database 503 in response to a user request and provides it to the user. Then, when the license data for decrypting the content is provided to the user by the encryption engine 103, the user database 505 is updated to charge for the content provision.

  In this embodiment, if the data bus 510, the communication device 502, the Internet 20, the communication device 521, and the data bus 522 are the data bus 110 in the first embodiment having the electrically connected configuration, The configuration is the same as that of the first embodiment. The procedure of the cryptographic input / output process of this embodiment is the same as that of the first embodiment.

  In the present embodiment, communication between the cryptographic engine 103 and the controller 101 is performed via the Internet 20, but as described with reference to FIGS. 8 to 10, data is always transmitted between the cryptographic engine 103 and the controller 101. Therefore, high tamper resistance can be realized.

  Content playback can be performed by attaching the storage device 200 to the playback device 300 in the first embodiment or the recording / playback device 400 in the second embodiment. Further, the terminal device 520 may be configured to include the playback unit 404 of the recording / playback device 400 in the second embodiment, and playback may be performed.

  As mentioned above, although embodiment which concerns on this invention was described, this embodiment is an illustration, this invention is not limited to this embodiment, The combination of each of those component and each processing process is carried out. It will be appreciated by those skilled in the art that various modifications are possible and that such modifications are within the scope of the present invention.

  For example, in the above-described embodiment, the functional block for performing encryption and the functional block for performing decryption are separately provided in the cryptographic engine, but the circuit may be shared by these components. As a result, the circuit scale can be reduced, contributing to downsizing and low power consumption.

  The embodiments of the present invention can be appropriately modified in various ways within the scope of the technical idea shown in the claims.

It is a figure which shows the whole structure of the data management system which concerns on 1st Embodiment. 1 is a diagram illustrating an internal configuration of a recording apparatus according to a first embodiment. It is a figure which shows the internal structure of the reproducing | regenerating apparatus concerning 1st Embodiment. It is a figure which shows the internal structure of the storage device which concerns on 1st Embodiment. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the internal structure of the encryption engine shown in FIG. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a recording device records license data on a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the procedure until a reproducing | regenerating apparatus reads license data from a storage device. It is a figure which shows the internal structure of the recording / reproducing apparatus which concerns on 2nd Embodiment. It is a figure which shows the internal structure of the content delivery system which concerns on 3rd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Recording apparatus 200 Storage device 300 Playback apparatus 400 Recording / playback apparatus 500 Distribution server 520 Terminal apparatus

Claims (26)

A method for transmitting and receiving content usage information including a content key for decrypting encrypted content data,
A first step of establishing an encrypted communication path for transmitting and receiving the content usage information;
A second step of transmitting and receiving the content usage information using the encrypted communication path,
The first step includes
The content usage information transmission source device authenticating the content usage information transmission destination device ;
Sharing a first symmetric key between the source device and the destination device using a public key cryptosystem when the destination device is approved,
The second step includes
Sharing a second symmetric key between the source device and the destination device when the timing to transmit the content usage information arrives;
A method of transmitting content usage information, comprising: the transmission source device encrypting the content usage information with the first symmetric key and the second symmetric key and transmitting the encrypted content usage information to the transmission destination device . . The first step further includes a step of sharing a third symmetric key used for sharing the second symmetric key between the transmission source device and the transmission destination device ;
The step of sharing the second symmetric key claim 1, characterized in that sharing the second symmetric key by transmitting and receiving said second symmetric key encrypted with the third symmetric key The content usage information transmission method described in 1. Said first symmetric key, said transmission issued by either the source device and the destination device, the second is the symmetric key, according to claim 1 or 2, characterized in that the other issues Content usage information transmission method. The second symmetric key is newly issued when the next content usage information is transmitted after the end of the second step, and is shared between the transmission source device and the transmission destination device. The content usage information transmission method according to any one of claims 1 to 3 . The first step further includes the step of the destination device authenticating the source device ;
When the destination device and the source device is authorized to each other, the content use information according to any one of claims 1 to 4, wherein the step of replacing the first symmetric key is performed Transmission method. 6. The content usage information transmission method according to claim 1, wherein one of the transmission source device and the transmission destination device is a storage device. A content use information providing device that provides content use information including a content key for decrypting encrypted content data to a content use information receiving device,
Verification means for acquiring authentication information from the content use information receiving device and verifying the validity of the authentication information;
A first symmetric key sharing unit that shares a first symmetric key with the content usage information receiving device using a public key cryptosystem when the verification unit approves the content usage information receiving device;
A second symmetric key sharing means for sharing a second symmetric key with the content usage information receiving device when the timing for transmitting the content usage information arrives;
Encryption means for encrypting the content usage information with the first symmetric key and the second symmetric key;
Content usage information transmitting means for transmitting to the content usage information receiving device encrypted by the encryption means;
A content use information providing apparatus comprising: Further comprising third symmetric key sharing means for sharing a third symmetric key used for exchanging the second symmetric key with the content use information receiving device,
The second symmetric key sharing means transmits the second symmetric key encrypted with the third symmetric key to the content usage information receiving device or receives the content usage information receiving device from the content usage information receiving device. 8. The content usage information providing apparatus according to claim 7 , wherein a second symmetric key is shared with the content usage information receiving apparatus. The first symmetric key is issued by one of the content usage information providing device and the content usage information receiving device, and the second symmetric key is issued by the other. The content use information providing apparatus according to claim 7 or 8 , characterized in that The second symmetric key is newly issued when transmitting the next content usage information after transmitting the content usage information to the content usage information receiving device, and is shared with the content usage information receiving device. The content use information providing apparatus according to claim 7 , wherein the content use information providing apparatus is provided. The content usage information receiving device further includes an authentication information transmitting unit that transmits its own authentication information,
The first symmetric key sharing unit, when the verification unit approves the content use information receiving device and the content use information receiving device approves the authentication information of the content use information receiving device. The content usage information providing apparatus according to claim 7 , wherein the first symmetric key is shared with the content usage information providing apparatus. A content use information providing device that provides content use information including a content key for decrypting encrypted content data to a content use information receiving device,
An interface for controlling the exchange of data with the content use information receiving device;
A symmetric key generation unit that temporally generates a first symmetric key and a second symmetric key when providing the content usage information;
A first encryption unit that encrypts data using a first public key set in the content use information receiving device;
A second encryption unit for encrypting data with a second public key set in the content use information receiving device;
A third encryption unit for further encrypting data encrypted in the second encryption unit with a third symmetric key generated by the content use information receiving device;
A fourth encryption unit for encrypting data with a fourth symmetric key generated by the content use information receiving device;
A fifth encryption unit for further encrypting the data with the second symmetric key;
A decryption unit for decrypting the data with the first symmetric key or the second symmetric key;
A control unit,
The controller is
Instructing the symmetric key generation unit to generate the first symmetric key;
Receiving the first public key via the interface and providing the first public key to the first encryption unit;
Receiving the first symmetric key encrypted with the first public key from the first encryption unit and outputting it via the interface;
Receiving the third symmetric key and the second public key encrypted by the first symmetric key via the interface and providing them to the decryption unit;
Instructing the symmetric key generation unit to generate the second symmetric key and give the second symmetric key to the second encryption unit;
Receiving the second symmetric key encrypted by the second public key or the third symmetric key from the second or third encryption unit and outputting it via the interface;
Receiving the fourth symmetric key encrypted by the first symmetric key or the second symmetric key from the content use information receiving device via the interface and providing the decryption unit;
Receiving the content usage information encrypted by the fourth symmetric key and the second symmetric key from the fourth encryption unit or the fifth encryption unit and outputting the information via the interface;
A content use information providing apparatus characterized by the above. The controller is
In the process of continuously providing the content usage information to the same content usage information receiving device,
The new fourth symmetric key encrypted with the first symmetric key or the second symmetric key is received via the interface and given to the decryption unit,
The content usage information providing apparatus according to claim 12 , wherein the content usage information encrypted with the new fourth symmetric key and the second symmetric key is output via the interface. The content usage information providing device includes:
A content usage information generating unit for generating the content usage information;
A content data encryption unit that encrypts the content data with the content key and outputs the encrypted content data;
The content usage information providing apparatus according to claim 7 , further comprising: The content usage information providing device includes:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
15. The content use information providing apparatus according to claim 7 , wherein the second storage unit is configured by a tamper resistant structure. 16. The content use information providing apparatus according to claim 7, wherein the content use information providing apparatus is a storage device. A content use information receiving device for receiving content use information including a content key for decrypting encrypted content data from a content use information providing device,
Authentication information transmitting means for transmitting the authentication information to the content usage information providing device;
A first symmetric key sharing means for sharing a first symmetric key with the content usage information providing apparatus using a public key cryptosystem when the content usage information providing apparatus approves the authentication information;
A second symmetric key sharing means for sharing a second symmetric key with the content usage information providing device when the timing for receiving the content usage information arrives;
Content usage information receiving means for receiving, from the content usage information providing device, the content usage information encrypted with the first symmetric key and the second symmetric key;
Decryption means for decrypting the encrypted content usage information with the first symmetric key and the second symmetric key;
A content use information receiving device comprising: Further comprising third symmetric key sharing means for sharing a third symmetric key used for exchanging the second symmetric key with the content use information providing apparatus,
The second symmetric key sharing means transmits the second symmetric key encrypted with the third symmetric key to the content usage information providing device or receives the content from the content usage information providing device, The content usage information receiving device according to claim 17 , wherein the second symmetric key is shared with the content usage information providing device. The first symmetric key is issued by one of the content usage information providing device and the content usage information receiving device, and the second symmetric key is issued by the other. The content use information receiving device according to claim 17 or 18 , characterized in that The second symmetric key is newly issued when the next content usage information is received after receiving the content usage information from the content usage information providing device, and is shared with the content usage information providing device. The content use information receiving device according to any one of claims 17 to 19 , wherein It further comprises verification means for acquiring authentication information from the content usage information providing device and verifying the validity of the authentication information,
The first symmetric key sharing unit includes the content usage information providing device when the verification unit approves the content usage information providing device and the content usage information providing device approves its own authentication information. 21. The content use information receiving apparatus according to claim 17 , wherein the first symmetric key is shared between the two. A content usage information receiving device for receiving from a content usage information providing device that records content usage information including a content key for decrypting and reproducing encrypted content data,
An interface for controlling the exchange of data with the content usage information providing device;
A first public key holding unit for holding a first public key set in the content use information receiving device;
A first secret key holding unit that holds a first secret key for decrypting data encrypted by the first public key;
A second public key holding unit that holds a second public key set in the content use information receiving device;
A second secret key holding unit for holding a second secret key for decrypting data encrypted with the second public key;
A symmetric key generating unit that temporally generates a first symmetric key and a second symmetric key when receiving content usage information from the content usage information providing device;
An encryption unit for encrypting data with a third symmetric key generated by the content use information providing device;
A first decryption unit for decrypting data encrypted with the first public key with the first secret key;
A second decryption unit for decrypting data encrypted by the first symmetric key;
A third decryption unit for decrypting data encrypted with the second public key with a second secret key;
A fourth decryption unit for decrypting data encrypted by the second symmetric key;
A fifth decryption unit for decrypting data with the fourth symmetric key generated by the content use information providing device;
A control unit,
The controller is
Outputting the first public key via the interface;
Receiving the third symmetric key encrypted with the first public key via the interface;
Instructing the symmetric key generation unit to generate the first symmetric key and give it to the encryption unit;
Receiving the first symmetric key and the second public key encrypted by the third symmetric key decrypted by the first decryption unit from the encryption unit, and outputting them via the interface; ,
Receiving, via the interface, a fourth symmetric key encrypted with the second public key or the first symmetric key;
Instructing the symmetric key generation unit to generate the second symmetric key and give it to the encryption unit;
Receiving the fourth symmetric key decrypted by the second decryption unit or the third decryption unit or the second symmetric key encrypted by the third symmetric key from the cipher unit; Output through
The content usage information receiving apparatus, wherein the content usage information encrypted by the second symmetric key and the fourth symmetric key is received via the interface. The controller is
In the process of continuously receiving the content usage information from the same content usage information providing device,
Instruct the symmetric key generation unit to generate a new second symmetric key and give it to the encryption unit;
Outputting the new second symmetric key encrypted by the first symmetric key or the fourth symmetric key in the encryption unit via the interface;
The content usage information receiving apparatus according to claim 22 , wherein the content usage information encrypted by the second symmetric key and the fourth symmetric key is received via the interface. The content use information receiving device is:
A content data decrypting unit for decrypting the encrypted content data with the content key;
The content use information receiving apparatus according to any one of claims 17 to 23 , further comprising: a reproduction unit that reproduces the content data decrypted by the content data decryption unit. The content use information receiving device is:
A first storage unit for storing the encrypted content data;
A second storage unit for storing the content usage information,
The content use information receiving device according to any one of claims 17 to 24 , wherein the second storage unit is configured by a tamper-resistant structure. 26. The content use information receiving apparatus according to claim 17, wherein the content use information receiving apparatus is a storage device.

Images