JP4671657B2 - Content use information storage device and content use device - Google Patents

Description

  The present invention is an apparatus for receiving content output from a storage device having a function of restricting the use of content data based on content usage information or restriction information relating to the reproduction of content data and reproducing the content. In this case, if playback using the received content usage information or content data is not performed, or if playback is within the audition range and is not regarded as playback, the restriction information related to playback in the storage device is not output safely. It is related with the technique which restores to the state.

  As a copyright protection method for protecting content data, a method of encrypting content data and managing confidentiality of content usage information (hereinafter referred to as license data) including its decryption key (hereinafter referred to as content key) Is well known. As such a content data distribution system using a copyright protection method that increases the confidentiality of license data, for example, in Patent Document 1 below, as a device that handles license data in an unencrypted state, a server device, There are three devices: a memory card as a storage device and a decoder as a user device. Encrypted communication between the server device and storage device, and transmission and reception of license data between the storage device and user device. The recording device, the storage device, and the utilization device may be provided with a TRM (Tamper-Resistant-Module) that can handle encrypted license data. It is shown.

  In constructing an encrypted communication path, first, an apparatus that provides license data (hereinafter referred to as a license providing apparatus) receives a certificate including a public key from a side apparatus that receives license data (hereinafter referred to as a license receiving apparatus). ). Then, the license providing device verifies this certificate, and if the verification result indicates that the certificate transmitted from the license receiving device is a valid certificate and is not invalidated by the certificate revocation list. Using the public key included in this certificate, key exchange is performed between the devices. Then, the encrypted license data is transmitted from the license providing apparatus to the license receiving apparatus with the key sent from the license providing apparatus to the license receiving apparatus.

  The TRM is a circuit module in which confidentiality is physically protected, and is configured so that license data can be exchanged only via an encrypted communication path.

  When acquiring license data, the memory card is mounted on a terminal device that can communicate with the server device, and receives license data from the server device via the terminal device. Further, when the content is used, the memory card is attached to a terminal device having a built-in decoder, and the license data is transmitted to the decoder via the terminal device.

  In this system, the memory card itself can restrict the output of license data according to the restriction information in the license data. For example, the license data includes control information indicating the number of times content data can be reproduced using this license data. At the time of reproduction, the memory card confirms the reproduction number limit information in the license data and determines whether or not the license data can be output. At the time of output, this control information is updated, and after reproduction is repeated, the output of license data is finally prohibited.

  As described above, in content distribution services, copyright protection related to content is thoroughly implemented by encrypting content data and concealing license data. Furthermore, introduction of usage restrictions such as playback count control and copy count control enables adaptation to various service forms.

In this way, by thoroughly protecting the content copyright, the rights of the content right holder are protected and the content can be provided safely. As a result, the lineup of content targeted for the distribution service also increases, and the needs of users who receive content distribution can be satisfied more widely.
JP 2002-875550 A

  As described above, in the conventional content distribution system, the license data for limiting the number of playbacks is transmitted from the storage device to the playback device, but playback using the license data is not performed in the playback device. In this case, the user loses the right to play. Further, even when a part of the content is reproduced for the purpose of trial listening, the user similarly loses the right to reproduce once.

  In addition, license data for limiting the number of copies is transmitted to another storage device for the purpose of copying. If writing fails in another storage device, the user loses the right to copy.

  Further, when license data is transmitted to another storage device for the purpose of movement and writing fails in the other storage device, the user loses the license data.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide a storage device and a playback apparatus that can protect a user's rights while protecting the copyright of the content. More specifically, if consumption of license data transmitted from the storage device (playback by the playback device or storage to the storage device) has not been completed, the license data is safely and quickly stored in the source storage device. It is an object of the present invention to provide a storage device and a playback apparatus that have a function for restoring to a disk.

  In view of the above problems, the present invention has the following features.

The invention of claim 1 is a content usage information storage device that records content usage information including a content key for decrypting encrypted content data and provides the content usage information to the outside. and control the transfer of data interface, a storage unit for storing the content usage information, via the interface, the first symmetric key, the first encryption process to be shared between the content usage right information providing destination And a second symmetric key that is temporally generated for each output of the content usage information using the first symmetric key and the content usage information providing destination via the interface. And a third encryption processing unit that encrypts the content usage information with the second symmetric key and outputs the encrypted content usage information via the interface. A log storage unit for storing processing history information including the second symmetric key and first state information indicating a progress state relating to the output of the content usage information; and the content usage information providing destination after receiving the content usage information And receiving the data obtained by concatenating the provision destination state information including the second state information indicating the progress state of the process and the electronic signature for the provision destination state information via the interface, and the first encryption processing unit The validity is verified by the first symmetric key shared and the second symmetric key shared by the second encryption processing unit and stored in the log storage unit when the content usage information is output. If valid, the verification unit that determines whether or not the restoration of the content usage information that is the target of the provision destination state information stored in the storage unit is permitted, and the storage unit A control unit that controls the output of the content usage information, and when the content output information is output, the control unit includes control information related to the output of the content usage information included in the content usage information to be output. Interpretation and giving the license usage information for output or the license usage information to the third encryption processing unit, and changing the control information of the license usage information stored in the storage unit or prohibiting the output of the content usage information Receiving the provider status information from the content usage information provider, and the verification unit confirms that the content usage information is not consumed at the content usage information provider by the provider status information, If restoration of the target content usage information is permitted, this content usage information The control information is returned to the state before output, or the output of the content use information is permitted.

The invention of claim 2 is a content use apparatus for receiving or providing content use information including a content key for decrypting encrypted content data, and decrypting or reproducing the encrypted content data. An interface for controlling the exchange of data, a first cryptographic processing unit for sharing a first symmetric key with a content usage information provider via the interface, and the first encryption key via the interface. A second encryption processing unit that is temporally generated each time content usage information is received using the symmetric key and is shared with the content usage information provider and received via the interface A third encryption processing unit for decrypting the encrypted content usage information with the second symmetric key and extracting the content usage information; Processing history information including a storage unit for storing the content usage information extracted by the third cryptographic processing unit, the second symmetric key, and status information indicating the progress of processing after receiving the content usage information. When it is determined that the content usage information is not consumed in the log storage unit to be stored and the device, provision destination state information including the state information stored in the log storage unit is generated, and the provision destination state A first symmetric key shared by the first cryptographic processing unit for information and a second symmetric key shared by the second cryptographic processing unit upon receipt of the content usage information and stored in the log storage unit calculates the electronic signature data by the key, the signed providing destination status information linked to both outputs through the interface, the content usage right information providing source, the Characterized in that it comprises a signature unit which requests the restoration of content usage information.

The invention of claim 3 is a content use apparatus for receiving or providing content use information including a content key for decrypting encrypted content data, and decrypting or reproducing the encrypted content data. An interface for controlling the exchange of data, a first cryptographic processing unit for sharing a first symmetric key with a content usage information provider via the interface, and the first encryption key via the interface. A second symmetric key that is temporally generated every time content usage information is received using the symmetric key, and is received via the interface. Decrypting the encrypted content usage information with the second symmetric key and extracting the content usage information; and A content decrypting unit for decrypting the encrypted content data with a content key included in the content usage information extracted by the third encryption processing unit; and after receiving the second symmetric key and the content usage information A log storage unit that stores processing history information including state information indicating a progress state of processing, and the state information stored in the log storage unit when it is determined that the content usage information is not consumed in the device Providing state information including the first symmetric key shared by the first encryption processing unit for the provision destination state information and the second encryption processing unit upon receipt of the content usage information The electronic signature data by the second symmetric key shared and stored in the log storage unit is calculated, and the provision destination state information with the signature obtained by concatenating the two is obtained. Via an interface to output, to said content usage information provider, characterized in that it comprises a signature unit which requests the recovery of the content usage information.

  The features of the present invention and the technical significance thereof will become more apparent from the following description of embodiments. However, the following embodiment is only one embodiment of the present invention, and the meaning of the present invention or the terms of each constituent element is limited to those described in the following embodiment. is not.

  According to the present invention, in playback using license data with a limited number of playbacks, some playback for the purpose of cueing or auditioning is not regarded as playback that consumes a license. Can protect their rights.

  Embodiments of the present invention will be described below with reference to the drawings.

(First embodiment)
FIG. 1 shows an overall configuration of a data management system 10 according to the embodiment.

  The data management system 10 includes a distribution server 100 that transmits data, a terminal device 150 that records data transmitted from the distribution server 100 in the storage device 200, a playback device 300 that reproduces data recorded in the storage device 200, and data A storage device 200 for recording and holding is provided.

* Data management system The storage device 200 according to the present embodiment is not only a storage medium that holds data, but also a controller that controls input / output of data with a host device such as the terminal device 150 or the playback device 300. A drive-integrated storage device having a configuration. In the present embodiment, a hard disk drive will be described as an example of the storage device 200.

  The conventional hard disk drive is generally used by being fixedly connected to one host device, but the storage device 200 of the present embodiment is a host device such as the terminal device 150 and the playback device 300. On the other hand, it is configured to be freely detachable. That is, the storage device 200 of the present embodiment can be removed from the host device and carried in the same way as a CD or DVD, and in addition to the terminal device 150 and the playback device 300, a recording and playback device capable of recording and playback can be used. A storage device that can be shared among a plurality of host devices.

  As described above, the storage device 200 according to the present embodiment is assumed to be connected to a plurality of host devices. For example, the storage device 200 is connected to a host device of a third party other than the owner, and the recorded data is stored in the storage device 200. There is also a possibility of being read out.

  When it is assumed that contents to be protected by copyright such as music and video, confidential data such as corporate and personal information are recorded on the storage device 200, the confidential data leaks to the outside. In order to prevent this, it is preferable to provide the storage device 200 itself with a configuration for appropriately protecting data and to have a sufficient tamper resistance function.

  From such a viewpoint, the storage device 200 according to the present embodiment has a configuration for encrypting and exchanging confidential data when the confidential data is input and output with the host device. Further, in order to store confidential data, a confidential data storage area different from a normal storage area is provided, and the confidential data storage area is configured to be accessible only through a cryptographic engine provided in the storage device 200. . This cryptographic engine inputs / outputs secret data only to / from a host device verified as having a legitimate authority.

  Hereinafter, such a data protection function is also referred to as a “secure function”.

  With the above configuration and function, the confidential data recorded in the storage device 200 can be appropriately protected.

  In order to make the most of the characteristics of the storage device 200 as a removable medium, it is preferable that normal data can be input / output even by a host device that does not support the secure function. Therefore, the storage device 200 according to the present embodiment supports ATA (AT Attachment), which is a standard of ANSI (American National Standards Institute), in order to maintain compatibility with the conventional hard disk, and the secure function described above. Is realized as an ATA extension instruction.

  Hereinafter, a case where content data such as video is recorded and reproduced will be described as an example of confidential data input / output. Although the content data itself may be handled as confidential data, in the present embodiment, the content data is encrypted, and the encrypted content data itself is recorded as normal data in the storage device 200. Then, a key for decrypting the encrypted content (hereinafter referred to as a content key) and information regarding control of content reproduction control, license use (reproduction), move, and copy (hereinafter referred to as usage rules). Data (hereinafter referred to as license data) is input / output as confidential data using the above-described secure function. As a result, while maintaining sufficient tamper resistance, data input / output can be simplified, processing speed can be increased, and power consumption can be reduced.

  Here, the license data includes identification information LicID for specifying the license data in addition to the content key and the usage rule. Further, it is assumed that the license data intended for reproduction is included as control rules PC indicating the upper limit of the number of times of output. Here, it is assumed that the control information PC is a 1-byte unsigned integer, the value of which indicates the upper limit of the number of times the license data is output, and 1 is subtracted for each license output. PC = 255 indicates that, as an exception, there is no upper limit of the number of reproductions, and the value is not changed by the output of license data for reproduction. The control information PC setting method and operation method shown here are merely examples in the present embodiment, and are not particularly limited.

  In the following, among commands issued to the storage device 200 by a host device such as the distribution server 100 and the playback device 300, an extended command for a secure function is also referred to as a “secure command”, and other commands are “ Also called “normal command”.

* Distribution system FIG. 2 shows a configuration of a content distribution system according to the embodiment. The content distribution system according to the present embodiment includes a distribution server 100 that distributes content, a terminal device 150 that receives the content, and a storage device 200 in which the content provided to the terminal device 150 is recorded.

  The distribution server 100 and the terminal device 150 are connected by the Internet 20 as an example of a network via the communication devices 104 and 153, respectively.

  The distribution server 100 includes an encryption device 102, an encryption engine 103, a communication device 104, a content database 105, a license database 106, a user database 107, a controller 101 that controls them, and a data bus 110 that electrically connects them.

  The configuration of the distribution server 100 can be realized in hardware by a CPU, memory, or other LSI of an arbitrary computer, and is realized in software by a program having a recording control function loaded in the memory. Here, however, the functional blocks realized by the cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The encryptor 102 issues license data LIC including a content key for decrypting the encrypted content, and encrypts the content coded by the content encoder 105 using the content key. The encrypted content is transmitted to the terminal device 150 via the data bus 110 and the communication device 104 and recorded in the storage device 200.

  The cryptographic engine 103 controls cryptographic communication with the storage device 200 in order to record the license data LIC provided to the user in the storage device 200. The encryption communication path is directly connected to the storage medium 200 via the data bus 110 of the distribution server, the communication device 104, the Internet 20, the communication device 153 of the terminal device 150, the data bus 160, the controller 151, and the storage interface 152. Is called.

The communication device 104 exchanges data with other devices via the Internet 20. Here, the content database 105 that exchanges data with the terminal device 150 holds content to be provided to the user. The license database 106 holds license data including a content key used for encrypting content. The user database 107 holds information about a user who is a content providing destination. For example, the user's personal information, the user's terminal device 150 address, content purchase history, billing information, and the like may be held.

  The controller 101 of the distribution server 100 reads content data from the content database 105 and reads license data LIC from the license database 106 in response to a user request. The read content data and the content key in the license data LIC are transmitted to the encryption device 102, and the license data LIC is transmitted to the encryption engine 103. Then, the encryptor 102 encrypts the content data with the content key, and transmits the encrypted content data to the terminal device 150 via the communication device 104. Further, an encryption communication path is constructed by the encryption engine 103, and the license data LIC is transmitted to the terminal device 150 via the encryption communication path. The terminal device 150 records the received license data LIC in the storage device 200.

  When the encrypted content data and license data LIC are recorded in the storage device 200, the user database 107 is charged to charge the user for the terminal device 150 for the content provision. Update.

  The terminal device 150 includes a storage interface 152, a communication device 153, a controller 151 that controls them, and a data bus 160 that electrically connects them. The configuration of the terminal device 150 can be realized in terms of hardware by a CPU, memory, or other LSI of an arbitrary computer, and can be realized in terms of software by a program having a recording control function loaded in the memory. Here, however, the functional blocks realized by the cooperation are depicted. Accordingly, those skilled in the art will understand that these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof.

  The storage interface 152 controls data input / output with the storage device 200.

  The communication device 153 exchanges data with other devices via the Internet 20. Here, data exchange with the distribution server 100 is performed.

  The controller 151 of the terminal device 150 transmits a user request to the distribution server 100 via the communication device 153. As a response, the encrypted content data and license data provided from the distribution server 100 are received via the communication device 153 and stored in the storage device 200 via the storage interface 152.

* Reproducing Device FIG. 3 shows an internal configuration of the reproducing device 300 according to the embodiment. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof.

  The playback apparatus 300 mainly includes a controller 301, a storage interface 302, a cryptographic engine 303, a decoder 304, a content decoder 305, and a data bus 310 that electrically connects them.

  The storage interface 302 controls data input / output with the storage device 200.

  The cryptographic engine 303 controls cryptographic communication with the storage device 200 in order to receive the license data LIC including the content key from the storage device 200.

  The decryptor 304 decrypts the encrypted content read from the storage device 200 with the content key included in the license data LIC obtained from the storage device 200.

  The content decoder 305 decodes and outputs the content decoded by the decoder 304. For example, if the content is in MPEG format, the video signal and the audio signal are restored from the content, the video signal is output to a display device (not shown), and the audio signal is output to a speaker (not shown).

  The controller 301 comprehensively controls the components of the playback device 300.

* Storage Device FIG. 4 shows an internal configuration of the storage device 200 according to the embodiment. The storage device 200 mainly includes a controller 201, a storage interface 202, a cryptographic engine 203, a tamper resistant storage unit 204, a normal data storage storage unit 205, and a data bus 210 that electrically connects them.

  The storage interface 202 controls data input / output with the distribution server 100 and the playback device 300.

  The cryptographic engine 203 controls cryptographic communication for inputting / outputting secret data such as license data LIC including a content key between the distribution server 100 and the playback device 300.

  The normal data storage unit 205 is a normal storage area for recording encrypted content, normal data, and the like.

  The tamper resistant storage unit 204 is a confidential data storage area for recording confidential data such as license data LIC including a content key.

  The normal data storage unit 205 performs input / output of data by direct access from the outside, but the tamper resistant storage unit 204 is configured so that data cannot be input / output through the cryptographic engine 203.

  The controller 201 comprehensively controls the components of the storage device 200.

* Keys to be used Here, the keys used in this embodiment will be described. In the present embodiment, the key is expressed as a character string starting with a capital letter “K”.

  Further, when the second character “is any one of lowercase letters“ c ”,“ s ”, and r”, it indicates a symmetric key (common key). Specifically, “c” is a challenge key and indicates a temporal symmetric key generated at the transmission source of the license data. “s” is a session key and indicates a temporal symmetric key generated at the transmission destination of the license data. “r” is a recovery key and indicates a temporal symmetric key generated at the transmission destination of the license data.

  If the second character is capital “P”, it indicates the public key of the public key cryptosystem. This key always has a corresponding private key, and this private key is represented by excluding the second capital letter “P” from the public key.

  When the character string indicating the key includes a lower case “d”, it indicates that the key is given to each group of devices. When the character string indicating the key includes a lowercase letter “p”, it indicates that the key is given to each device. The public key KPdx given as a pair of a public key and a private key and given for each group is given as a public key certificate C [KPdx] with an electronic signature.

  The character described at the end of the character string indicating the key, for example, “2” of the public key KPd2 is a symbol for identifying the cryptographic engine to which the key is given. In the present embodiment, when the provider is clear, the numbers “1”, “2”, “3” are written, and the key is provided from other than the encryption engine and the provider is unknown. If not specified, it will be written in English characters such as "x" and "y".

  In the present embodiment, “1” is used as the identification symbol for the cryptographic engine 103 of the distribution server 100, “2” is used as the identification symbol for the cryptographic engine 203 of the storage medium 200, and the cryptographic engine 303 of the playback device 300 is identified. Use “3” as a symbol.

* Cryptographic Engine of Distribution Server FIG. 5 shows an internal configuration of the cryptographic engine 103 of the distribution server 100 shown in FIG. The cryptographic engine 103 includes a certificate verification unit 120, a first encryption unit 121, a random number generation unit 122, a first decryption unit 123, a second decryption unit 124, a second encryption unit 125, a third encryption unit 126, and a certificate output unit. 127, a control unit 128, a log storage unit 129, a log verification unit 130, and a local bus 140 that electrically connects at least some of these components.

  The certificate verification unit 120 verifies the certificate C [KPd2] acquired from the storage device 200. The certificate C [KPd2] includes plaintext information including the public key KPd2 (hereinafter referred to as “certificate body”) and an electronic signature attached to the certificate body. This electronic signature is a third-party organization that is obtained by performing an operation using a hash function on the certificate body (hereinafter, this operation processing is referred to as “hash operation”). The data is encrypted with the root key Ka of the certificate authority (not shown). The root key Ka is a private key that is strictly managed by the certificate authority and serves as a secret key of the certificate authority.

  The certificate verification unit 120 holds a verification key KPa that is paired with the root key Ka. This verification key KPa is a public key for verifying the validity of the certificate. The verification of the certificate is judged by the validity of the certificate and the validity of the certificate.

  The verification of the validity of the certificate is a process of comparing the calculation result of the hash function for the certificate body of the certificate to be verified with the result of decrypting the electronic signature with the verification key KPa. It is judged that.

  The certificate verification unit 120 maintains a certificate revocation list (CRL) that is a list of invalid certificates, and the CRL checks whether the certificate to be verified is valid. It is judged that it is effective when it is not described.

  The process of judging the validity and validity of a certificate and approving a valid certificate is called verification.

  If the verification is successful, the certificate verification unit 120 retrieves the public key KPd2 of the storage device 200, transmits it to the first encryption unit 121, and notifies the verification result. If verification fails, a verification error notification is output.

  The certificate output unit 127 outputs the certificate C [KPd1] of the distribution server 100. This certificate includes a certificate body including the public key KPd1 of the distribution server 100 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority, similarly to the certificate of the storage device 200.

  The random number generation unit 122 generates a challenge key Kc1 that is temporarily used to perform cryptographic communication with the storage device 200. By generating the challenge key Kc1 with a random number each time encrypted communication is performed, the possibility that the challenge key Kc1 is overlooked can be minimized. The generated challenge key Kc1 is transmitted to the first encryption unit 121 and the first decryption unit 123.

  In order to notify the storage device 200 of the challenge key Kc1, the first encryption unit 121 encrypts the challenge key Kc1 with the public key KPd2 of the storage device 200 extracted by the certificate verification unit 120, and encrypts the challenge key E (KPd2, Kc1) is generated. Then, the encrypted challenge key E (KPd2, Kc1) is combined with the certificate C “KPd1” output from the certificate output unit 127 to be challenge information E (KPd2, Kc1) // C “KPd1”. .

  Here, the symbol “//” indicates data concatenation, and E (KPd2, Kc1) // C [KPd1] combines the encryption challenge key E (KPd2, Kc1) and the certificate C [KPd1] side by side. Shows the data string. E indicates an encryption function, and E (KPd2, Kc1) indicates that the challenge key Kc1 is encrypted with the public key KPd2.

  The first decryption unit 123 decrypts the data encrypted with the challenge key Kc1. The session key Ks2 issued by the storage device 200 and the public key KPp2 held by the storage device 200 are supplied from the storage device 200 as session information E (Kc1, E (KPd1, Ks2) // KPp2). The 1 decryption unit 123 decrypts the session information using the challenge key Kc1 generated by the random number generation unit 122, and extracts the encrypted session key E (KPd1, Ks2) and the public key KPp2. The extracted public key KPp2 is transmitted to the second encryption unit 125, and the encrypted session key E (KPd1, Ks2) is transmitted to the second decryption unit 124.

  The second decryption unit 124 transmits the encrypted session key E (KPd1, Ks2) encrypted by its own public key KPd1 transmitted from the first decryption unit 123 with the secret key Kd1 paired with the public key KPd1. Decrypt and take out session key Ks2. The extracted session key Ks2 is transmitted to the third encryption unit 126.

  The second encryption unit 125 acquires the license data LIC including the content key issued when the encryptor 102 encrypts the content, and uses the license data LIC with the public key KPp2 of the storage device 200 to which the license data is provided. Encrypt and generate E (KPp2, LIC). The generated E (KPp2, LIC) is transmitted to the third encryption unit 126.

  The third encryption unit 126 further encrypts E (KPp2, LIC) transmitted from the second encryption unit 125 with the session key Ks2 issued by the storage device 200, and encrypts the license data E (Ks2, E ( KPp2, LIC)).

  The log storage unit 129 stores history information regarding the output of the license data LIC. The history information includes identification information LicID for identifying the license data LIC, information for identifying communication of the license data LIC, a session key used for transmission / reception of the license data LIC, and information ST1 indicating the progress of transmission of the license data. including.

  The information ST1 is one of two states: a state in which a session key is received (hereinafter referred to as “state SP”) and a state in which the license data LIC is output (hereinafter referred to as “state SL”). Contains information indicating.

  The log verification unit 130 receives from the license data transmission destination, here the storage device 200, using the challenge key Kc1 shared with the transmission destination of the license data and the history information stored in the log storage unit 234. The validity of the status information LicID // ST2 // H (Kc1 // Ks2 // LicID // ST2) is verified to determine whether the license data can be retransmitted.

  The control unit 128 mediates the input / output of data between the control of the internal components of the cryptographic engine 103 and the external configuration in accordance with instructions from the controller 101 of the distribution server 100.

  In FIG. 5, connection indicating control of each internal component by the control unit 128 is omitted.

  As shown in FIG. 5, in the present embodiment, the cryptographic engine 103 cannot exchange data with the outside without the control unit 128. Various forms of connecting each component are conceivable. In this embodiment, encryption such as a challenge key Kc1 generated by the random number generator 122, a session key Ks2 received from the storage device 200, and its own secret key Kd1 is used. Each key used in the engine 103 is configured not to directly flow out of the cryptographic engine 103. As a result, each key used in the cryptographic engine 103 is prevented from leaking to the outside via other components of the distribution server 100, and security is improved.

* Cryptographic Engine of Reproducing Device FIG. 6 shows an internal configuration of the cryptographic engine 303 of the reproducing device 300 shown in FIG. The cryptographic engine 303 includes a certificate output unit 320, a random number generation unit 321, a certificate verification unit 322, a first decryption unit 323, a first encryption unit 324, a second encryption unit 325, a second decryption unit 326, and a third decryption unit. 327, a content key output unit 328, an elapsed time measurement unit 329, a log storage unit 330, a log signature unit 331, a control unit 332, and a local bus 340 that electrically connects at least some of these components.

  The certificate output unit 320 outputs the certificate C [KPd3] of the playback device 300. The certificate may be held by the certificate output unit 320 or may be held in a certificate holding unit (not shown) and read out. The certificate is composed of a certificate body including the public key KPd3 of the playback apparatus 300 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority, similarly to the certificate of the storage device 200.

  The random number generator 321 generates a session key Ks3 that is temporarily used for performing cryptographic communication with the storage device 200. The generated session key Ks3 is transmitted to the first encryption unit 324, the second decryption unit 326, and the log storage unit 330.

  The certificate verification unit 322 verifies the certificate C [KPd2] of the storage device 200. Details of the verification are as described above.

  The first decryption unit 323 decrypts the data encrypted with the public key KPd3 with the secret key Kd3. At the time of playback, the challenge key Kc2 issued by the storage device 200 is encrypted by the public key KPd3 of the playback device 300 and supplied from the storage device 200. Therefore, the first decryption unit 321 uses this private key Kd3 to And the challenge key Kc2 is extracted. The extracted challenge key Kc2 is transmitted to the second encryption unit 325.

  The first encryption unit 324 encrypts data with the public key KPd2 extracted from the certificate C [KPd2] of the storage device 200. In order to notify the storage device 200 of the session key Ks3, the session key Ks3 generated by the random number generator 321 is encrypted to generate an encrypted session key E (KPd2, Ks3). The generated encrypted session key E (KPd2, Ks3) is transmitted to the second encryption unit 325.

  The second encryption unit 325 encrypts data using the challenge key Kc2 extracted by the first decryption unit 323. The encrypted session key E (KPd2, Ks3) transmitted from the first encryption unit 324 and its own public key KPp3 are concatenated and encrypted to obtain session information E (Kc2, E (KPd2, Ks3) // KPp3). Is generated.

  The second decryption unit 326 decrypts the data encrypted with the session key Ks3. Since the license data LIC is supplied from the storage device 200 as encrypted license data E (Ks3, E (KPp3, LIC)) that is double-encrypted with the public key KPp3 and the session key Ks3, the second decryption unit 325 is provided. Performs decryption using the session key Ks3 generated by the random number generation unit 321 and transmits the resulting encrypted license data E (KPp3, LIC) to the third decryption unit 327.

  The third decryption unit 327 decrypts the data encrypted with the public key KPp3. Using the private key Kp3 paired with the public key KPp3, the encrypted license data E (KPp3, LIC) as a result of the second decryption unit 326 is decrypted, and the license data LIC is extracted.

  The content key output unit 328 extracts and holds the content key from the license data LIC extracted by the third decryption unit 327. Further, the content key output unit 328 provides the held content key to the decryption unit 304, monitors the decryption process using the content key in the decryption unit 304, and notifies the elapsed time measurement unit 329 of the situation. introduce.

  The elapsed time measurement unit 329 measures the reproduction time of the encrypted content decrypted using the content key provided by the content key output unit 328, and reproduction by the content key is performed after a predetermined T seconds. Then, it is determined that the reproduction right defined by the license data has been consumed once. On the other hand, when the playback is stopped without T seconds elapses, it is determined that the playback using the content key has not been performed, that is, the playback right defined by the license data is not consumed. There are various configuration methods for the configuration of the elapsed time measurement unit 329. Here, a configuration example in which the elapsed time after reproduction is measured using a timer is shown. The elapsed time measuring unit 329 includes a timer. When the content key output unit 328 starts decrypting with the content key provided to the decryptor 304, the timer is reset. Then, when a predetermined T seconds have elapsed, it is determined that reproduction has started. Here, T is a boundary time for determining that playback is performed for each content type (music / video, etc.), that is, that the license is consumed, and is predetermined. According to this, for example, when the content key held by the content key output unit 328 is discarded before the elapse of T seconds and the decryption process in the decryption unit 304 is stopped, it is determined that the reproduction with the content key has not been performed. The Then, the determination result is reflected in information ST3 stored in the log storage unit 330 described later.

  The log storage unit 330 stores history information from receipt of the license data LIC to consumption. The history information is identification information LicID for specifying the license data LIC, information for specifying the communication of the license data LIC, and is consumed (reproduced) from the communication of the session key Ks3 and the license data generated by the communication of the license data LIC. Includes information ST3 indicating a state of reaching.

  The information ST3 includes a state in which a session key has been generated (hereinafter referred to as “state RP”), a state in which license data LIC has been received (hereinafter referred to as “state RL”), and reproduction started by the elapsed time measuring unit 329. It consists of information indicating any one of the three states of the determined state (hereinafter referred to as “state CL”).

  The log signature unit 331 uses the challenge key Kc2 extracted by the first decryption unit 323 and the history information stored in the log storage unit 330 to notify the status of reception and consumption of the license data LIC in the playback device 300. Status information LicID // ST3 // H (Kc2 // Ks3 // LicID // ST3) is generated. The validity of the status information can be verified by the cryptographic engine 203 sharing Kc2 and Ks3.

  The control unit 332 mediates data input / output between the control of the internal components of the cryptographic engine 303 and the external configuration in accordance with an instruction from the controller 301 of the playback device 300.

  In FIG. 6, connection indicating control of each internal component by the control unit 332 is omitted.

  In the cryptographic engine 303 shown in FIG. 6, various forms of connecting each component are conceivable, but in this embodiment, the cryptographic engine 303 cannot exchange data with the outside without the control unit 332. It has a configuration. Thus, the session key Ks3 generated by the random number generation unit 324, the secret keys Kd3 and Kp3 paired with the public key, the session key Ks2 received from the storage device 200, the challenge key Kc2, and the like are used in the encryption engine 303. Key is not leaked to the outside.

* Storage Media Cryptographic Engine FIG. 7 shows the internal configuration of the cryptographic engine 203 of the storage device 200 shown in FIG. These functional blocks can also be realized in various forms by hardware only, software only, or a combination thereof. The cryptographic engine 203 includes a control unit 220, a random number generation unit 221, a certificate output unit 222, a certificate verification unit 223, a first decryption unit 224, a first encryption unit 225, a second encryption unit 226, a second decryption unit 227, Third decryption unit 228, third encryption unit 229, fourth decryption unit 230, fifth decryption unit 231, fourth encryption unit 232, fifth encryption unit 233, log storage unit 234, sixth encryption unit 235, log verification unit 236 and a local bus 240 that electrically connects at least some of these components.

  The control unit 220 mediates data input / output between the control of the internal configuration of the cryptographic engine 203 and the external configuration in accordance with an instruction from the controller 201 of the storage device 200.

  The random number generation unit 221 generates a session key Ks2 and a challenge key Kc2 that are temporarily used for encrypted communication with the distribution server 100 or the playback device 300 by random number calculation. The use of each key will be described later.

  The certificate output unit 222 outputs the certificate C [KPd2] of the storage device 200. The certificate may be held by the certificate output unit 225, or may be held in a predetermined storage area of the storage device 200, for example, the tamper resistant storage unit 204, and read out. The certificate includes a certificate body including the public key KPd2 of the storage device 200 and an electronic signature attached to the certificate body. The electronic signature is encrypted with the root key Ka of the certificate authority.

  The certificate verification unit 223 verifies a certificate provided from the outside. Specifically, the certificate C [KPd1] acquired from the distribution server 100 and the certificate C [KPd3] acquired from the playback device 300 are verified with the verification key KPa. Details of the verification are as described above.

  The first decryption unit 224 decrypts the data encrypted with its own public key KPd2. Specifically, at the time of recording, the challenge key Kc1 issued by the distribution server 100 is encrypted with the public key KPd2 of the storage device 200 and supplied from the distribution server 100, so that it is decrypted with its own secret key Kd2. Then, the challenge key Kc1 is taken out. The extracted challenge key Kc1 is transmitted to the second encryption unit 226.

  The first encryption unit 225 encrypts data with the public key KPd1 of the distribution server 100. Specifically, the session key Ks2 generated by the random number generation unit 221 is encrypted with the public key KPd1, and an encrypted session key E (KPd1, Ks2) is generated. The public key KPd1 of the distribution server 100 used here is extracted from the certificate C [KPd1] of the storage device 200 by the control unit 220 and transmitted via the local bus 240.

  The second encryption unit 226 encrypts data with the challenge key Kc1 issued by the distribution server 100. Specifically, the encrypted session key E (KPd1, Ks2) received from the first encryption unit 225 is concatenated with its own public key KPp2, and this is encrypted with the challenge key Kc1, and the session information E (Kc1, E (KPd1, Ks2) // KPp2) is generated.

  The second decryption unit 227 decrypts the data encrypted with the session key Ks2 generated by the random number generation unit 211. Specifically, the license data LIC is received from the distribution server 100 as E (Ks2, E (KPp2, LIC)) double-encrypted with the public key KPp2 and the session key Ks2, and is received by the session key Ks2. Decode and transmit the result to the third decoding unit 228.

  The third decryption unit 228 decrypts the data encrypted with its own public key KPp2. The license data E (KPp2, LIC) transmitted from the second decryption unit 227 is decrypted with its own private key Kp2 paired with the public key KPp2, and the license data LIC is extracted.

  The extracted license data LIC is supplied to the data bus 210 via the local bus 240 and the control unit 220, and is stored in the tamper resistant storage unit 204 in accordance with an instruction from the controller 201.

  The third encryption unit 229 encrypts the data with the public key KPd3 of the playback device 300. Specifically, when the license data LIC is provided to the playback device 300, the challenge key Kc2 issued by the random number generator 221 with the public key KPd3 extracted from the certificate C [KPd3] received from the playback device 300. Is encrypted to generate an encryption challenge key E (KPd3, Kc2). The generated encryption challenge key E (KPd3, Kc2) is transmitted to the control unit 220 via the local bus 240. The control unit 220 combines this and its own certificate C [KPd2] output from the certificate output unit 222 to generate challenge information E (KPd3, Kc2) // C [KPd2].

  The fourth decryption unit 230 decrypts the data encrypted with the challenge key Kc2 issued by the random number generation unit 221. The session information E (Kc2, E (KPd2, Ks3) // KPp3) received from the playback device 300 is decrypted with the challenge key Kc2 generated by the random number generation unit 221, and the encrypted session key E (KPd2, Ks3) and playback are performed. The public key KPp3 of the device 300 is taken out. The extracted encrypted session key E (KPd2, Ks3) is transmitted to the fifth decryption unit 231, and the public key KPp3 is transmitted to the fourth encryption unit 232 log and the storage unit 234.

  The fifth decryption unit 231 decrypts the data encrypted with its own public key KPd2. Specifically, the encrypted session key E (KPd2, Ks3) transmitted from the fourth decryption unit 230 is decrypted with its own secret key Kd2, and the session key Ks3 is extracted. The extracted session key Ks3 is transmitted to the fifth encryption unit 233.

  The fourth encryption unit 232 encrypts data with the public key KPp3 of the playback device 300. When providing license data to the playback apparatus 300, the license data LIC is encrypted with the session key KPp3 received from the playback apparatus 300. The license data LIC is read from the tamper resistant storage unit 204 according to an instruction from the controller 201 and transmitted to the fourth encryption unit 232 via the data bus 202, the control unit 220, and the local bus 240. Here, the encrypted license data E (KPp3, LIC) is transmitted to the fifth encryption unit 233.

  The fifth encryption unit 233 encrypts the data with the session key Ks3 issued by the playback device 300. Specifically, the license data E (KPp3, LIC) encrypted in the fourth encryption unit 232 with the session key Ks3 is further encrypted, and the encrypted license data E (Ks3, E (KPp3, LIC)) is encrypted. Generate.

  The log storage unit 234 stores history information regarding the output and recording of the license data LIC. The history information is identification information LicID for specifying the license data LIC, information for specifying the communication of the license data LIC, and a session key shared with the license data provider or provider for input / output of the license data LIC. (Ks2 or Ks3) includes information ST2 indicating a state leading to output and recording of license data.

  Information ST2 includes a state in which a session key is generated when license data is recorded (hereinafter referred to as “state RP”), a state where license data LIC is received (hereinafter referred to as “state RL”), and recording of license data is completed. Any one of the three states (hereinafter referred to as “state CL”), the state in which the session key is received when the license data is output (hereinafter referred to as “state SP”), for playback It includes information indicating one of two states of the license data LIC output state (hereinafter referred to as “state SL”).

  The log signature unit 235 uses the challenge key Kc1 shared with the transmission source of the license data and the history information stored in the log storage unit 234 to receive the license data LIC from the storage device 200 to record it. Status information LicID // ST2 // H (Kc1 // Ks2 // LicID // ST2) is generated. The status information can be verified for validity in the cryptographic engine 103 sharing Kc1 and Ks2.

  The log verification unit 236 refers to the history information stored in the log storage unit 234 while referring to the status information LicID // ST3 // H (Kc2 // Ks3 // LicID // ST3) received from the playback device 300. The validity is verified, and it is determined whether or not the license data can be restored.

* Recording of License Data FIGS. 8 to 10 show a procedure until the distribution server 100 records the license data LIC in the storage device 200. FIG. In this recording process, an encryption communication path is established between the encryption engine 103 of the distribution server 100 and the encryption engine 203 of the storage device 200, and the license data LIC is transmitted from the distribution server 100 to the storage device 200 via the encryption communication path. The The figure shows processing divided into a distribution server 100 (cryptographic engine 103), a storage device 200 (cryptographic engine 203), and a terminal device 150 (controller 151) that mediates data exchange between the distribution server 100 and the storage device 200. Yes.

  First, the controller 151 of the terminal device 150 issues a certificate output command to the storage device 200 (S102). When the controller 201 normally receives the certificate output command (S104), the controller 201 instructs the cryptographic engine 203 to output the certificate, reads the certificate C [KPd2] from the cryptographic engine 203, and outputs it to the controller 151 of the terminal device 150. (S106).

  Upon acquiring the certificate C [KPd2] from the storage device 200, the controller 151 transmits it to the distribution server 100 (S108).

  When the controller 101 of the distribution server 100 receives the certificate C [KPd2] issued from the storage device 200 (S110), the controller 101 transmits the certificate C [KPd2] to the cryptographic engine 103, and the certificate verification unit 120 uses the authentication key KPa to generate a certificate. Is verified (S112). If the certificate is not approved (N in S112), the certificate verification unit 120 transmits an error to the controller 101. The controller 101 having received the error transmits a verification error notification to the terminal device 150 (S190). When receiving the error notification (S192), the controller 151 of the terminal device 150 abnormally ends the process.

  If the certificate is approved (Y in S112), the cryptographic engine 103 generates and holds the challenge key Kc1 in the random number generation unit 122 (S114). Then, the held challenge key Kc1 is transmitted to the first encryption unit 121, the first decryption unit 123, and the log verification unit 130.

  The first decryption unit 123 holds the challenge key Kc1 inside (S114). Further, the first encryption unit 121 encrypts this challenge key Kc1 with the public key KPd2 of the storage device 200 extracted from the certificate certificate C [KPd2], and generates an encrypted challenge key E (KPd2, Kc1). Then, the generated encrypted challenge key E (KPd2, Kc1) and its own certificate C [KPd1] output from the certificate output unit 127 are combined, and challenge information E (KPd2, Kc1) // C [KPd1 ] Is transmitted to the controller 101. The controller 101 transmits the generated challenge information E (KPd2, Kc1) // C [KPd1] to the terminal device 150 (S116).

  When receiving the challenge information E (KPd2, Kc1) // C [KPd1] from the distribution server 100 (S118), the controller 151 of the terminal device 150 issues a challenge information verification command to the storage device 200 (S120).

  In the storage device 200, when the controller 201 receives the challenge information verification command, it requests the terminal device 150 to input challenge information E (KPd2, Kc1) // C [KPd1] (S122).

  In response to this request, the controller 151 of the terminal device 150 outputs challenge information E (KPd2, Kc1) // C [KPd1] to the storage device 200 (S124).

  When the storage device 200 receives the challenge information E (KPd2, Kc1) // C [KPd1] (S126), in the cryptographic engine 203, the control unit 220 causes the challenge information E (KPd2, Kc1) // C [KPd1]. The certificate C [KPd1] is taken out from the certificate and transmitted to the certificate verification unit 223. The certificate verification unit 223 verifies the transmitted certificate C [KPd1] with the verification key KPa, and transmits the verification result to the control unit 220 (S128).

  When the certificate is not approved (N in S128), the certificate verification unit 223 notifies the control unit 220 of a verification error notification, and the control unit 220 that has received the verification error notification notifies the controller 201 of the notification.

  Then, the controller 201 transmits the received verification error notification to the controller 151 of the terminal device 150 via the storage interface 202 (S194).

  Upon receiving the verification error notification (S192), the controller 151 ends the process abnormally.

  When the certificate is approved (Y in S128), the control unit 220 extracts the public key KPd1 and the encrypted challenge key E (KPd2, Kc1) from the challenge information E (KPd2, Kc1) // C [KPd1]. Are transmitted to the first encryption unit 225 and the first decryption unit 224, respectively.

  The first encryption unit 225 holds the transmitted public key KPd1. The first decryption unit 224 decrypts the transmitted encrypted challenge key E (KPd2, Kc1) with its own secret key Kd2, and takes out the challenge key Kc1 (S130). The extracted challenge key Kc1 is transmitted to and held by the second encryption unit 226 (S132).

  On the other hand, when the processing of the challenge information verification command is completed in the storage device 200, the controller 151 of the terminal device 150 issues a session information generation command for license data to be recorded to the storage device 200 (S134).

  In the storage device 200, when the controller 201 receives a session information generation command (S136), the cryptographic engine 203 generates a session key Ks2 according to an instruction from the control unit 220, and the random number generation unit 221 generates the generated session key Ks2. The data is transmitted to the second decryption unit 227, the first encryption unit 225, and the log storage unit 234. The second decryption unit 227 holds the transmitted session key Ks2. In addition, the control unit 220 instructs the log storage unit 234 to record the session key Ks2 as history information. The log storage unit 234 stores the session key Ks2 as new history information. At this time, the log storage unit 234 also stores information indicating “state RP” as information ST2 (S138).

  The first encryption unit 225 generates the encrypted session key E (KPd1, ks2) by encrypting the transmitted session key Ks2 with the public key KPd1 held in S130, and transmits this to the second encryption unit 226. . The second encryption unit 226 concatenates the encrypted session key E (KPd1, ks2) and its own public key KPp2, encrypts it with the challenge key Kc1 held in S132, and stores session information E (Kc1, E (KPd1). , Ks2) // KPp2) (S140).

  When the processing of the session information generation command is completed in the storage device 200, the controller 151 of the terminal device 150 issues a session information output command (S142).

  In the storage device 200, when the session information output command is received (S144), the controller 201 reads the session information E (Kc1, E (KPd1, Ks2) // KPp2) from the cryptographic engine 203, and the controller 151 of the terminal device 150. (S146).

  When receiving the session information E (Kc1, E (KPd1, Ks2) // KPp2) from the storage device 200, the controller 151 of the terminal device 150 transmits it to the distribution server 100 (S148).

  When the controller 101 of the distribution server 100 receives the session information E (Kc1, E (KPd1, Ks2) // KPp2) (S150), it transmits this to the cryptographic engine 103.

  The first decryption unit 123 of the cryptographic engine 103 decrypts the transmitted session information E (Kc1, E (KPd1, Ks2) // KPp2) with the challenge key Kc1 held therein, and the encrypted session key E (KPd1) , Ks2) and the public key KPp2 of the storage device 200 are extracted. The extracted encrypted session key E (KPd1, Ks2) is transmitted to the second decryption unit 124, and the second decryption unit 124 decrypts it with its own secret key Kd1 to extract the session key Ks2, and the third encryption unit 126 and the log storage unit 129. When the log storage unit 129 receives the session key Ks2, the log storage unit 129 stores the received session key Ks2 as new history information. At this time, the log storage unit 129 also stores information indicating “state SP” as information ST1 (S152).

  Subsequently, the second encryption unit 125 of the encryption engine 103 encrypts the license data LIC issued by the encryptor 104 with the public key KPp2 of the storage device 200 to generate E (KPp2, LIC), which is the third encryption. Transmitted to the unit 126. The third encryption unit 126 further encrypts the transmitted E (KPp2, LIC) with the session key Ks2 issued by the storage device 200 to generate encrypted license data E (Ks2, E (KPp2, LIC)). This is transmitted to the controller 101. The controller 101 transmits the transmitted encrypted license data E (Ks2, E (KPp2, LIC)) to the terminal device 150. At this time, the log storage unit 129 changes the information ST1 from “state SP” to “state SL” (S154).

  When the controller 151 of the terminal device 150 receives the encrypted license data E (Ks2, E (KPp2, LIC)) transmitted from the distribution server 100 (S156), the controller 151 issues a license data write command to the storage device 200. Issue (S158). This license write command is accompanied by an address for designating a recording position on the tamper resistant storage unit 204. Here, the address indicates a logical address and does not directly specify the recording position in the tamper-resistant storage unit 204, but the data recorded by specifying the address can be read by specifying the same address. Managed by the controller 201. However, a physical address indicating a position in the tamper resistant storage unit 204 may be used.

  When the storage device 200 receives the license write command issued by the terminal device 150, the storage device 200 requests the encrypted license data from the controller 151 of the terminal device 150 (S160), and the controller 151 of the terminal device 150 responds to this request. The encryption license data E (Ks2, E (KPp2, LIC)) is output to the storage device 200 (S162).

  When the storage device 200 receives the encryption license data E (Ks2, E (KPp2, LIC)) (S164), it transmits this to the second decryption unit 227 in the encryption engine 203.

  The second decryption unit 227 decrypts the encrypted license data E (Ks2, E (KPp2, LIC)) with the session key Ks2 held therein, and the license data E (() encrypted with its own public key KPp2. KPp2, LIC) is taken out. The extracted encrypted license data E (KPp2, LIC) is transmitted to the third decryption unit 228.

  The third decryption unit 228 decrypts the transmitted encrypted license data E (KPp2, LIC) with the public key KPp2 and the private key Kp2 paired with the public key KPp2 to extract the license data LIC (S166). To the control unit 220. The control unit 220 extracts the identification information LicID from the license data LIC and transmits it to the log storage unit 129. Further, the license data LIC is output to the data bus 210.

  Upon receiving the identification information LicID, the log storage unit 129 adds the identification information LicID to the stored history information, and changes the state information ST1 in the history information from “state RP” to “state RL”. (S166).

  The controller 201 stores the license data output to the data bus 210 at the designated address of the tamper resistant storage unit 204 (S168).

  When the storage of the license data in the tamper resistant storage unit 204 ends normally (Y in S170), the log storage unit 234 changes the information ST2 to “state RC” (S172).

  When the recording of one license data is thus completed, the controller 151 of the terminal device 150 determines whether to record the license data subsequently (S174).

  Subsequently, when recording license data (Y in S174), the process proceeds to S134 and the process is repeated from the issue of the session information generation command. This is a procedure for reducing the processing by sharing the certificate verification processing when recording a plurality of license data. At this time, the challenge key Kc1 is shared by the cryptographic engine 103 of the distribution server 100 and the cryptographic engine 203 of the storage device 200. Although the license data is subsequently recorded here, the recording of the next license data is not necessarily performed immediately after the recording of one license data. A state where the cryptographic engine 103 of the distribution server 100 and the cryptographic engine 203 of the storage device 200 share the same challenge key Kc1, specifically, the first decryption unit 123 of the cryptographic engine 103 of the distribution server 100 and the storage device 200. Any timing may be used as long as the second encryption unit 226 of the encryption engine 203 holds the same challenge key Kc1.

  Even if the license data is subsequently recorded, there is no problem even if the processing is repeated from S102.

  Subsequently, when the license data is not recorded (N in S174), this process is normally terminated.

  When an error occurs in storing license data in the tamper resistant storage unit 204 (N in S170), the controller 201 transmits a write error notification to the controller 151 of the terminal device 150 via the storage interface 202 (S200). The error when storing the license data was received due to a data error during transmission / reception of the encrypted license data E (Ks2, E (KPp2, LIC)) in addition to the case where writing to the tamper resistant storage unit 204 is impossible. The case where the format of the license data LIC is incorrect may be included.

  When the controller 151 receives the write error notification (S202). A status information generation command is issued to the storage device 200 (S204).

  In the storage device 200, when the controller 201 receives the status information generation command (S206), the control unit 220 of the cryptographic engine 203 instructs the log signature unit 235.

  The log signature unit 235 extracts the session key Ks2, the identification information LicID, and the state information ST2 included in the history information stored in the log storage unit 234, and concatenates them with the challenge key Kc1 held in step S132, Data Kc1 // Ks2 // LicID // ST2 is generated. Then, a hash calculation is performed to calculate H (Kc1 // Ks2 // LicID // ST2), and the calculation result, identification information LicID, and state information ST2 are connected to obtain status information LicID // ST3 // H ( Kc1 // Ks2 // LicID // ST2) is generated (S208).

  When the processing of the status information generation command is completed in the storage device 200, the controller 151 of the terminal device 150 issues a status information output command (S210).

  In the storage device 200, when the status information output command is received (S212), the controller 201 reads the status information LicID // ST2 // H (Kc1 // Ks2 // LicID // ST2) from the cryptographic engine 203, and the terminal The data is output to the controller 151 of the device 150 (S214).

  Upon receiving the status information LicID // ST2 // H (Kc1 // Ks2 // LicID // ST2) from the storage device 200, the controller 151 of the terminal device 150 transmits this to the distribution server 100 (S216).

  Upon receiving the status information LicID // ST2 // H (Kc1 // Ks2 // LicID // ST2) (S218), the distribution server 100 transmits this to the internal cryptographic engine 103.

  The cryptographic engine 103 verifies the status information transmitted to the log verification unit 130 according to the instruction of the control unit 128, and recovers the license data by determining whether the status information is reliable, that is, the license data is not yet transmitted. It is determined whether or not (S220).

  In the verification of the status information in S220, the following two items are confirmed. 1) Whether the identification information LicID in the status information matches the identification information LicID stored in the log storage unit 129. 2) The identification information LicID in the status information, the status information ST3, the session key Ks1 stored as history information in the log storage unit 129, and the challenge key Kc2 held in step S132 are concatenated. Whether the result H (Kc1 // Ks2 // LicID // ST2) of the hash function calculation matches the hash value H (Kc1 // Ks2 // LicID // ST2) in the status information.

  In the confirmation of the above two items, if any one of them does not match, it is determined that the status information is unreliable information and is not subject to recovery (N in S220).

  On the other hand, if the two items match in the confirmation of the two items, the status information is approved as reliable data, and further, based on the information ST2 and the information ST1 stored in the log storage unit 129, It is determined whether the license data is license data to be restored. This is because, from the standpoint of protecting the rights of the content right holder, the license data to be recovered is in a state that is output from the distribution server 100 and is not stored in the storage device 200. is there. Specifically, this is when the state information ST1 stored in the log storage unit 129 is “state SL” and the state information ST2 in the status information is “state RP” or “state” RL. .

  In the above determination, if it is determined that the data is to be recovered (Y in S220), the license data is set to an untransmitted state, and the status information ST1 in the log storage unit is changed to “status SP” (S222). If the license data has not yet been transmitted, for example, if paid content distribution is in a charging state, it is canceled. Alternatively, the state shifts to a state of responding to re-output of license data.

  Subsequently, a recovery notification is transmitted to the terminal device 150 (S224).

  When the controller 151 of the terminal device 150 receives the recovery notification (S226), the controller 151 proceeds to step S174 and determines again whether to receive the license data (S174).

  In the above determination, if it is determined that it is not a target of recovery (N in S220), a recovery error notification is transmitted to the terminal device 150 (S228).

  When the controller 151 of the terminal device 150 receives the recovery notification (S230), the controller 151 proceeds to step S174 and determines whether to receive another license data (S174).

  Through the above procedure, the license data LIC necessary for decrypting and reproducing the encrypted content is recorded in the storage device 200. Since the encrypted content is normal data and is recorded by a normal command of the storage device 200, description thereof is omitted here.

  The recording order of the license data LIC and the encrypted content data may be any first. Further, the license data LIC may be recorded by dividing and issuing the secure command during the free time for recording the encrypted content data.

  The procedure until the terminal device 150 records the license data LIC transmitted from the distribution server 100 in the storage device 200 shown in FIGS.

* Use of License FIG. 11 to FIG. 14 show a procedure related to reproduction processing from when the reproducing apparatus 300 reads out the license data LIC from the storage device 200 and discards the read content key. In this reproduction process, an encryption communication path is established between the encryption engine 203 of the storage device 200 and the encryption engine 303 of the playback apparatus 300, and the license data LIC is transferred from the storage device 200 to the playback apparatus 300 via the encryption communication path. Sent. The figure shows the processing divided into the storage device 200 (cryptographic engine 203), the cryptographic engine 303 of the playback device 300, and the controller 301 of the playback device 300 that mediates the exchange of these data.

  First, the controller 301 of the playback device 300 makes a certificate output request to the cryptographic engine 303 (S302). When the cryptographic engine 303 receives this transmission request (S304), the certificate output unit 320 transmits the certificate C [KPd3] to the controller 301 (S306). When the certificate C [KPd3] is transmitted from the cryptographic engine 303 (S308), the controller 301 issues a certificate verification command to the storage device 200 (S310).

  In the storage device 200, when the certificate verification command is received (S312), the storage device 200 requests a certificate from the playback device 300. In response to this request, the controller 301 of the playback device 300 outputs the certificate C [KPd3] transmitted from the cryptographic engine 303 to the storage device 200 (S314).

  When the storage device 200 receives the certificate C [KPd3] (S316), the storage device 200 transmits the received certificate C [KPd3] to the internal cryptographic engine 203. In the cryptographic engine 203, the certificate verification unit 223 verifies the certificate C [KPd3] with the verification key KPa according to the instruction of the control unit 220 (S318).

  If the certificate is not approved in s318 (N in S318), the certificate verification unit 223 transmits a verification error notification to the controller 301 via the control unit 220, the controller 201, and the storage interface 202 (S490). . When the controller 301 receives the error notification (S492), the process is abnormally terminated.

  On the other hand, when the certificate C [KPd3] is approved in s318 (Y in S318), the control unit 220 of the cryptographic engine 203 extracts the public key KPd3 from the certificate C [KPd3], and uses this as the third cryptographic unit. 229. The third encryption unit 229 holds the transmitted public key KPd3 (S320).

  When the certificate C [KPd3] of the cryptographic engine 303 is approved in the storage device 200, the controller 301 of the playback device 300 issues a challenge information generation command to the storage device 200 (S322). When the storage device 200 receives the challenge information generation command issued by the playback device 300 (S324), in the cryptographic engine 202, the random number generation unit 221 generates and holds the challenge key Kc2 in accordance with the instruction of the control unit 220 ( S326). The held challenge key Kc2 is transmitted to the third encryption unit 229, the fourth decryption unit 230, and the log verification unit 236.

  The third encryption unit 229 encrypts the transmitted session key Kc2 with the public key KPd3 held in S320, and generates an encrypted challenge key E (KPd3, Kc2). Next, it obtains its own certificate C [KPd2] from the certificate output unit 222 and concatenates it with the encrypted challenge key E (KPd3, Kc2) that generated it to challenge information E (KPd3, Kc2) // C [KPd2] is generated (S328).

  In the playback device 300, when the processing of the challenge information generation command is completed in the storage device 200, the controller 301 issues a challenge information output command (S330).

  When the storage device 200 receives the challenge information output command issued by the playback device 300 (S332), the controller 201 extracts the challenge information E (KPd3, Kc2) // C [KPd2] from the cryptographic engine 203, and the playback device. The data is output to the controller 301 of S300 (S334).

  In the playback device 300, when the controller 301 receives the challenge information E (KPd3, Kc2) // C [KPd2], it transmits this to the cryptographic engine 303 (S336). When the cryptographic engine 303 receives the challenge information E (KPd3, Kc2) // C [KPd2] (S338), the certificate verification unit 322 in the cryptographic engine 303 receives the certificate transmitted with the verification key KPa. Verification is performed (S340).

  When the certificate is not approved (N in S340), the certificate verification unit 322 transmits a verification error notification to the controller 301 (S394). When the controller 301 receives the error notification (S492), the process is abnormally terminated.

  On the other hand, when the certificate is approved (Y in S340), the first decryption unit 323 of the cryptographic engine 303 decrypts the encrypted challenge key E (KPd3, Kc2) with its own private key Kd3 and obtains the challenge key Kc2. Take out (S342) and hold (S344). The held challenge key Kc2 is transmitted to the second encryption unit 325 and the log signature unit 331.

  On the other hand, the controller 301 issues a license read command to the storage device 200 (S346). This license read command is accompanied by an address that designates a read position in the tamper resistant storage unit 204.

  When the storage device 200 receives the license read command issued by the playback device 300 (S348), the storage device 200 reads the license data LIC stored at the specified address of the tamper resistant storage unit 204, and the read license data LIC is And stored in the fourth encryption unit 232 of the encryption engine 202 (S350).

  Subsequently, the controller 301 requests session information from the cryptographic engine 303 (S352). When the cryptographic engine 303 receives this request (S354), the random number generation unit 321 generates a session key Ks3 and transmits it to the first encryption unit 324, the second decryption unit 326, and the log recording unit 330. The second decryption unit 326 and the log storage unit 330 store the transmitted session key Ks3 as history information. At this time, the log storage unit 330 also stores information indicating “state RP” as information ST3 (S354). Then, the first encryption unit 324 encrypts the session key Ks2 with the public key KPd2 of the storage device 200 extracted from the certificate C [KPd2], and generates an encrypted session key E (KPd2, Ks3). The generated encrypted session key E (KPd2, Ks3) is transmitted to the second encryption unit 325. The second encryption unit 325 concatenates its public key KPp3 to the transmitted encrypted session key E (KPd2, Ks3), encrypts the public key KPp3 with the challenge key Kc2 held in S344, and session information E (Kc2, E (KPd2, Ks3) // KPp3) is generated and sent to the controller 301 (S356).

  When the controller 301 receives the session information E (Kc2, E (KPd2, Ks3) // KPp3) from the cryptographic engine 303 (S358), it issues a session information processing command to the storage device 200 (S360).

  When the storage device 200 receives the session information processing command issued from the playback device 300 (S362), the storage device 200 requests session information from the playback device 300, and in response to this request, the controller 301 of the playback device 300 encrypts the session information. The session information E (Kc2, E (KPd2, Ks3) // KPp3) received from the engine 303 is output to the storage device 200 (S364).

  When the storage device 200 receives the session information E (Kc2, E (KPd2, Ks3) // KPp3) (S366), the storage device 200 transmits it to the fourth decryption unit 230 of the cryptographic engine 203. The fourth decryption unit 230 decrypts the transmitted session information E (Kc2, E (KPd2, Ks3) // KPp3) with the challenge key Kc2 held in S326. Then, the encrypted session key E (KPd2, Ks3) and the public key KPp3 of the playback device 300 are extracted, the encrypted session key E (KPd2, Ks3) is transmitted to the fifth decryption unit 231, and the public key KPp3 is the fourth key. The data is transmitted to the encryption unit 232 and the log storage unit 234.

  Next, the fifth decryption unit 231 decrypts the transmitted encrypted session key E (KPd2, Ks3) with its own private key Kd2 paired with its own public key KPd2, and extracts the session key Ks3. The data is transmitted to the fifth encryption unit 233 and the log storage unit 234.

  The log storage unit 234 stores the transmitted session key Ks3 as new history information. At this time, information indicating "state SP" is also stored (S368).

  The fourth encryption unit 232 encrypts the license data LIC held in S350 with the public key KPp3 of the playback device 300 transmitted from the fourth decryption unit 230 to generate encrypted license data E (KPp3, LIC). This is transmitted to the fifth encryption unit 233. The fifth encryption unit 233 encrypts the encrypted license data E (KPp3, LIC) generated by the fourth encryption unit 232 with the session key Ks3 transmitted from the fifth decryption unit 231, and encrypts the license data E ( Ks3, E (KPp3, LIC)) is generated (S370).

  When the processing of the session information processing instruction is completed in the storage device 200, that is, the encrypted license data E (Ks3, E (KPp3, LIC)) is generated, the controller 301 of the playback device 300 An encrypted license output command is issued (S372). When the storage device 200 receives the encrypted license output command issued by the playback apparatus 300 (S374), the control unit 220 of the cryptographic engine 203 confirms the control information PC described in the license data LIC (S376). .

  When the control information PC is 0 (IV in S376), the control unit 220 determines that the license data has been limited in the number of reproductions and that the reproduction has been completed for a limited number of times. The notification is transmitted to the controller 301 of the playback device 300 via the controller 201 and the storage interface 202 (S390). When the controller 301 of the playback device 300 receives the error notification transmitted by the storage device 200 (S392), the process proceeds to step S396 and determines whether to transmit another license data (S396).

  In S376, when the control information PC is 1 to 254 (AL in S376), the control unit 220 changes the control information PC of the license data stored in the tamper resistant storage unit 204 to a value obtained by subtracting one. (S378).

  In S376, when the control information PC is 255 (NA in S376) and after S378, the control unit 220 sends the encrypted license data E (Ks3, E (KPp3, LIC)) to the controller 201, the storage interface. The information is output to the controller 301 of the playback device 300 via 202, and the log recording unit 234 holds the identification information LicID of the output license data LIC, and changes the information ST2 to “state SL” (S380).

  When receiving the encrypted license data E (Ks3, E (KPp3, LIC)) from the storage device 200, the controller 301 of the playback device 300 sends it to the cryptographic engine 303 (S382). When the cryptographic engine 303 receives the encrypted license data E (Ks3, E (KPp3, LIC)) (S384), the second decryption unit 326 uses the session key Ks3 held in S354 to encrypt the encrypted license data E (Ks3, E3). E (KPp3, LIC)) is decoded, and E (KPp3, LIC) as a decoding result is transmitted to the third decoding unit 327.

  The third decryption unit 327 decrypts the transmitted E (KPp3, LIC) with its own private key Kp3 paired with the public key KPp3, retrieves the license data LIC, and logs the identification information LicID of the retrieved license data LIC The content key is transmitted to the storage unit 330 and the content key is transmitted to the content key output unit 328.

  The log storage unit 330 holds the transmitted identification information LicID, changes the information ST3 to “state RL” (S386), and the content key output unit 328 provides the content key transmitted to the decoder 304 Is started (S388).

  When the content key can be provided to the decoder 304, the controller 301 confirms the end of playback, that is, the end of playback due to the completion of playback of the encrypted content data, or a playback stop instruction (end operation, It is confirmed whether or not the reproduction should be terminated by a reproduction stop instruction including a selection operation (S390).

  If the reproduction is not finished in S390 (N in S390), the encrypted content data recorded in the normal data storage unit 205 of the storage device 200 is read and supplied to the decryptor 304 (S392). At this time, the controller 301 intermittently supplies the necessary amount of encrypted content data to the decoder 304 so that the content decoder 305 can smoothly reproduce the content. Then, while the supply to the decoder 304 is suspended, the process returns to S390 again to determine the end.

  On the other hand, in the cryptographic engine 303, when the content key can be provided to the decryptor 304, a monitoring process for monitoring the decryption process of the decryption unit 304 by the content key output unit 328 is performed in parallel with the process in the controller 301. The process is started (S400). The content key output unit 328 confirms whether playback using the provided content key is started or whether playback ends without using the content key (S402).

  When it is confirmed that the reproduction is started in S402 (Y in S402), the timer of the elapsed time measuring unit 329 is reset, the measurement of the duration of the decoding process is started, and the elapse of T seconds is waited (S404). When T seconds elapse (Y in S404), information indicating that the license data LIC has been consumed is transmitted from the elapsed time measurement unit 329 to the log storage unit 330. Receiving this information, the log storage unit 330 changes the stored information ST3 to “state CL” (S406), and ends the monitoring process in the cryptographic engine 303.

  When the end of reproduction is confirmed in S402 or S404 (S in S402 or S in S404), the monitoring process in the cryptographic engine 302 is ended. In this case, the information ST3 stored in the log storage unit 330 remains “state RL”.

  In S390, when the controller 301 confirms the end of reproduction (Y in S390), it is confirmed whether the reproduction time exceeds T seconds (S394). In this confirmation, for example, confirmation may be performed using a timer provided in the controller 301, confirmation may be performed with reference to the elapsed time measuring unit 329 of the cryptographic engine 303, or the cryptographic engine The determination may be made according to the state of the information ST3 in the log storage unit 303.

  In S394, when T seconds have elapsed after the reproduction (Y in S394), the controller 301 considers that the license data has been consumed, and determines whether to reproduce the next content (S396). If the reproduction is not continued, that is, if no other license data is read (N in S396), this process ends normally.

  In S396, when the playback is performed subsequently, that is, when other license data is to be read (Y in S396), the controller 301 can proceed to S346 and repeat the processing from the issue of the license read command. This is a procedure for reducing the processing by sharing the certificate verification processing when reading a plurality of license data. Although the license data is subsequently read out, it is not always necessary to perform the next reading immediately after reading out one license data. A state in which the cryptographic engine 303 and the storage device 200 share the challenge key Kc2, specifically, the second cryptographic unit 325 of the cryptographic engine 303 of the playback device 300 and the fourth decrypting unit of the cryptographic engine 203 of the storage device 200 Any timing may be used as long as 230 holds the same challenge key Kc2. Even if the license data is continuously read out, there is no problem even if the procedure is started from step S302. Subsequently, when other license data is not read (N in S386), the controller 303 normally ends this process.

  Also, in S394, if the playback is less than T seconds or no playback is performed (N in S394), the controller 301 determines that the license data is not consumed, and the license recorded in the storage device 200. The restoration process of the data LIC is started.

  The controller 301 of the playback device 300 sends a status information transmission request to the cryptographic engine 303 (S410).

  Upon receiving the status information transmission request (S412), the control unit 332 of the cryptographic engine 303 instructs the log signature unit 331. The log signature unit 331 extracts the session key Ks3, the identification information LicID, and the information ST3 included in the history information stored in the log storage unit 330 and concatenates them with the challenge key Kc2 held in step S344, Kc2 // Ks3 // LicID // ST3 is generated. Then, a hash calculation is performed to calculate H (Kc2 // Ks3 // LicID // ST3), and the calculation result, identification information LicID, and state information ST3 are connected to obtain status information LicID // ST3 // H ( Kc2 // Ks3 // LicID // ST3) is generated and output to the controller 301 of the playback device 300 (S416).

  When receiving the status information LicID // ST3 // H (Kc2 // Ks3 // LicID // ST3) from the cryptographic engine 303 (S418), the controller 301 of the playback device 300 receives a status information processing command from the storage device 200. Is issued (S420).

  When the storage device 200 receives the status information processing command issued from the playback device 300 (S422), it requests status information from the playback device 300.

  In response to this request, the controller 301 of the playback device 300 outputs the status information LicID // ST3 // H (Kc2 // Ks3 // LicID // ST3) output from the cryptographic engine 303 to the storage device 200 ( S424).

  When the storage device 200 receives the status information LicID // ST3 // H (Kc2 // Ks3 // LicID // ST3) (S426), the storage device 200 transmits the status information to the internal cryptographic engine 203.

  In the cryptographic engine 203, the log verification unit 236 verifies the status information transmitted according to the instruction of the control unit 220, and recovers the license data by determining whether the status information is reliable, that is, the state before the license data is output. It is determined whether or not to return to (S428).

  In the verification of the status information in S428, the following two items are confirmed. 1) Whether the identification information LicID in the status information matches the identification information LicID stored in the log storage unit 234. 2) The identification information LicID in the status information, the status information ST3, the session key Ks3 held in the log storage unit 234, and the challenge key Kc2 held in step S414 are linked, and a hash function operation is performed on the linked data. Whether H (Kc2 // Ks3 // LicID // ST3) as a result of performing the search matches the hash value H (Kc2 // Ks3 // LicID // ST3) in the status information.

  In the confirmation of the above two items, if any one of them does not match, it is determined that the status information is unreliable information and is not subject to recovery (N in S428).

  On the other hand, if the two items match in the confirmation of the two items, the status information is approved as reliable data, and further, based on the information ST3 and the information ST2 stored in the log storage unit 234, It is determined whether the license data is license data to be restored. This is because, from the standpoint of protecting the rights of the content right holder, the license data to be recovered is limited to data that is output from the storage device 200 and is not consumed by the playback device 200. It is. Specifically, the information ST2 is “state SL” and the information ST3 is “state RP” or “state” RL.

  In the above determination, if it is determined that it is a recovery target (Y in S428), if the control information PC of the license data stored in the tamper resistant storage unit 204 is not 255, this control information PC is incremented by one. The value is changed (S430). Then, the control unit 220 transmits a recovery notification to the controller 301 of the playback device 300 via the controller 201 and the storage interface 202 (S432).

  When the controller 301 of the playback apparatus 300 receives the error notification output from the storage device 200 (S434), the controller 301 proceeds to S396 and continues this processing.

  On the other hand, if it is determined in S428 that the target is not a recovery target (N in S428), the control unit 220 transmits a recovery error notification to the controller 301 of the playback device 300 via the controller 201 and the storage interface 202 (S450). .

  When the controller 301 of the playback device 300 receives the error notification output from the storage device 200 (S452), the controller 301 proceeds to S396 and continues this processing.

  Note that the procedure of using the license data recorded on the storage device 200 by the playback apparatus 300 shown in FIGS. 11 to 14 is an example in the case where the process has changed normally.

  As for the measurement of the reproduction time in the determination of license data consumption, in this embodiment, the elapsed time until the decryption process in the decryption unit 304 is measured, but the decryption result from the decryption unit 304 to the content decoder 305 It is good also as what measures the elapsed time until provision of. In addition, the elapsed time until the decoding process in the content decoder 305 or the elapsed time until the reproduction signal output from the content decoder 305 is provided may be measured.

  In the present embodiment, the boundary time T for “not consumption” of license data is determined in advance for each content type, for example, music or video, but the license data LIC is used as a usage rule. These can also be included, and these can also be used together. For example, when the boundary time T is not set as a usage rule, a predetermined boundary time can be used.

  In the present embodiment, in the measurement of the elapsed time after the start of reproduction in the determination of license data consumption, the elapsed time measurement unit 329 includes a timer, measures the time using the timer, and elapses of the boundary time T seconds. However, it is also possible to determine the consumption of the license by deriving the elapsed time after the start of reproduction based on the processed data amount (decryption or reproduction). This is because the reproduction time can be predicted from the processing data amount of the content data based on the characteristics of the encoding method in which the content data is encoded. Further, when the content is video content, the elapsed time can be derived from the number of frames of the decoded or reproduced video data to determine the license consumption.

  Furthermore, the license data consumption is determined based on the playback time. However, the consumption may be determined by setting the boundary data amount of the content data to be “consumed” and measuring the amount of the reproduced data. .

  In the above description, the case where license data is stored in the storage device 200 and the case where license data is transmitted from the storage device 200 to the playback device 300 for the purpose of decrypting and playing back the encrypted content data have been described. However, similar processing can be realized when license data is transmitted from the storage device 200 for the purpose of recording in the storage device. The usage rule includes control related to copying or moving of license data that is only used (reproduced). When recording license data or content decrypted using license data in another storage device, the concept of copy or move is applied. In this case, instead of the process for the control information PC (steps S376, S378, S38), the control data such as the number of copies and the number of moves described in the license data as the usage rule of the license data and the post-processing thereof are used. Replaced.

  For example, when the control information is the number of copies (hereinafter referred to as CC), the output is not determined by the control information CP. After outputting the license data, it can be realized by subtracting CC as necessary as post processing. The process is the same as the control information PC described above, although the output information and the target control information are different. The recovery process is a process of adding and returning the value before the subtraction when the control information CC is subtracted.

  When the control information is the number of moves (referred to as MC), after determining whether or not output is possible based on the control information MC, if output is possible, the control information MC of the license data to be output is subtracted and output, and the license data is output. Thereafter, the license data stored in the storage device 200 is invalidated as post-processing, and the license data is in a state equivalent to being erased. Here, the recovery process is a process for returning the invalidated license data to a valid state.

  In addition, when license data is transmitted for the purpose of reproduction, copying, and moving, considering that the target to be restored by the recovery process is different, it is efficient to subdivide and operate the “state SL” for each purpose. For example, the state in which license data has been transmitted for reproduction purposes can be identified as “state SP”, the state in which license data has been transmitted for copy purposes can be identified as “state CP”, and the state in which license data has been transmitted for purposes of movement can be distinguished as “state MP”. .

  Further, when the license data is transmitted from the storage device 200 to another storage device having the same function for the purpose of recording, the other storage device that receives the license data is the storage device in the flowcharts shown in FIGS. It is clear that the same processing as 200 is performed.

  In the above description, the encryption license data E (Ksx, E (KPpx, LIC)) and session information E (Kcy, E (KPdy, Ksx) // KPpx) are used, but the encryption order of double encryption is limited. It is not a thing. That is, encrypted license data E (Kpx, E (Ksx, LIC)) and session information E (KPdy, E (KPcy, Ksx) // KPpx) may be used.

  Furthermore, in the above, in the session information, the target of double encryption is Ksx, but the target of double encryption is not limited, and may be Kppx or both Ksx and KPpx. In this case, the session information is E (KPdy, E (KPcy, KPpx) // KPsx) or E (KPdy, E (KPcy, Ksx // Ppx). In either case, similar security is provided. Here, the license data providing destination is expressed as “x”, and the license data providing source is expressed as “y”.

(Second Embodiment)
FIG. 15 shows a configuration of a content distribution system according to the second embodiment. As in the first embodiment, the content distribution system according to the present embodiment is a distribution server 100 that distributes content, a terminal device 150 that receives the content, and a storage in which the content provided to the terminal device 150 is recorded. The distribution server 100 and the terminal device 150 including the device 200 are connected by the Internet 20 as an example of a network via the communication devices 104 and 153, respectively.

  The difference from the first embodiment is that the encryption device 102 and the encryption engine 103 of the distribution server 100 are provided in the terminal device 150.

  In addition, in order to ensure the safety of data in communication between the distribution server 100 and the user terminal device 150, an original digital defined by the SLL or the distribution company is provided between the distribution server 100 and the user terminal device 150. Safely protected according to the content management system. Thereby, it functions similarly to the first embodiment.

  As mentioned above, although embodiment which concerns on this invention was described, this embodiment is an illustration, this invention is not limited to this embodiment, The combination of each of those component and each processing process is carried out. It will be appreciated by those skilled in the art that various modifications are possible and that such modifications are within the scope of the present invention.

  For example, in the above-described embodiment, the functional block for performing encryption and the functional block for performing decryption are separately provided in the cryptographic engine, but the circuit may be shared by these components. As a result, the circuit scale can be reduced, contributing to downsizing and low power consumption.

  In the above description, the storage device 200 is mounted on the terminal device 150 and receives license data from the distribution server 100. However, the storage device 200 is mounted on a recorder having a function of generating license data and records license data. It is also possible to configure. In this case, the recorder includes a cryptographic engine 103 and a storage device interface 152 in addition to a generation unit that generates license data.

  The embodiments of the present invention can be appropriately modified in various ways within the scope of the technical idea shown in the claims.

It is a figure which shows the structure of the data management system which concerns on 1st Embodiment. It is a figure which shows the structure of the delivery system which concerns on 1st Embodiment. It is a figure which shows the structure of the reproducing | regenerating apparatus concerning 1st Embodiment. It is a figure which shows the structure of the storage device which concerns on 1st Embodiment. It is a figure which shows the structure of the encryption engine shown in FIG. It is a figure which shows the structure of the encryption engine shown in FIG. It is a figure which shows the structure of the encryption engine shown in FIG. It is a figure explaining the recording process of license data. It is a figure explaining the recording process of license data. It is a figure explaining the recording process of license data. It is a figure explaining the utilization process of license data. It is a figure explaining the utilization process of license data. It is a figure explaining the utilization process of license data. It is a figure explaining the utilization process of license data It is a figure which shows the structure of the delivery system which concerns on 2nd Embodiment.

Explanation of symbols

100 distribution server 150 terminal device 200 storage device 300 playback device

Claims (3)

A content usage information storage device that records content usage information including a content key for decrypting encrypted content data and provides the content usage information to the outside,
And control Gosuru interface to exchange data with the outside,
A storage unit for storing the content usage information;
A first cryptographic processing unit that shares the first symmetric key with the content usage information provider via the interface;
A second encryption process in which a second symmetric key that is temporally generated every time content usage information is output using the first symmetric key is shared with the content usage information provider via the interface. And
A third cryptographic processing unit that encrypts the content usage information with the second symmetric key and outputs the encrypted content usage information via the interface;
A log storage unit for storing processing history information including the second symmetric key and first state information indicating a progress state related to the output of the content usage information;
Data obtained by concatenating provision destination state information including second state information indicating a progress state of processing at the content use information provision destination after receiving the content use information and an electronic signature for the provision destination state information is stored in the interface. And the first symmetric key shared by the first cryptographic processing unit, and shared by the second cryptographic processing unit when the content usage information is output, and stored in the log storage unit A verification unit that verifies the validity with the second symmetric key, and determines whether to permit the restoration of the content usage information that is the target of the provision destination state information stored in the storage unit, if it is valid. When,
A control unit that controls the output of the content usage information stored in the storage unit,
The controller is
When outputting the content usage information, the control information related to the output of the content usage information included in the content usage information to be output is interpreted, and the license usage information for output or the license usage information is provided to the third encryption processing unit. , Changing the control information of the license usage information stored in the storage unit or prohibiting the output of the content usage information,
The provision destination status information is received from a content usage information provision destination, and the verification unit confirms that the content usage information is not consumed at the content usage information provision destination by the provision destination state information, and the target When restoration of content usage information is permitted, the control information of this content usage information is returned to the state before output, or the output of this content usage information is permitted,
Content usage information storage device. A content utilization device that receives or provides content usage information including a content key for decrypting encrypted content data and decrypts or reproduces encrypted content data,
An interface for controlling the exchange of data with the outside;
A first cryptographic processing unit that shares the first symmetric key with the content usage information provider via the interface;
A second cryptographic processing unit that is temporally generated every time content usage information is received using the first symmetric key via the interface and shares the second symmetric key with the content usage information provider. When,
A third encryption processing unit for decrypting the encrypted content usage information received via the interface with the second symmetric key and extracting the content usage information;
A storage unit for storing the content usage information extracted by the third cryptographic processing unit;
A log storage unit for storing processing history information including the second symmetric key and state information indicating a progress state of processing after receiving the content usage information;
If it is determined that the content usage information is not consumed in the device, provision destination state information including the state information stored in the log storage unit is generated, and the first encryption for the provision destination state information is generated. When receiving the first symmetric key shared by the processing unit and the content usage information, the digital signature data is calculated by the second symmetric key shared by the second encryption processing unit and stored in the log storage unit And providing a destination information with a signature concatenating the two via the interface, and requesting the content usage information provider to restore the content usage information ,
A content utilization apparatus comprising: A content utilization device that receives or provides content usage information including a content key for decrypting encrypted content data and decrypts or reproduces encrypted content data,
An interface for controlling the exchange of data with the outside;
A first cryptographic processing unit that shares the first symmetric key with the content usage information provider via the interface;
A second cryptographic process in which a second symmetric key that is temporally generated every time content usage information is received using the first symmetric key via the interface is shared with the content usage information provider. And
A third encryption processing unit for decrypting the encrypted content usage information received via the interface with the second symmetric key and extracting the content usage information;
A content decryption unit for decrypting the encrypted content data with a content key included in the content usage information extracted by the third encryption processing unit;
A log storage unit for storing processing history information including the second symmetric key and state information indicating a progress state of processing after receiving the content usage information;
If it is determined that the content usage information is not consumed in the device, provision destination state information including the state information stored in the log storage unit is generated, and the first encryption for the provision destination state information is generated. When receiving the first symmetric key shared by the processing unit and the content usage information, the digital signature data is calculated by the second symmetric key shared by the second encryption processing unit and stored in the log storage unit And providing a destination information with a signature concatenating the two via the interface, and requesting the content usage information provider to restore the content usage information ,
A content utilization apparatus comprising:

Images