This application is based on Japanese Patent Application No. 10-169042, filed Jun. 16, 1998, the contents of which are incorporated herein by reference.
The present invention relates to a data processing apparatus such as a personal computer or the like, and an authentication method applied to the apparatus and, more particularly, to a data processing apparatus which exchanges digital contents via an interface for an external bus such as an IEEE1394 serial bus, and an authentication method for exchanging digital contents.
In recent years, along with advance of the computer technology, various kinds of multimedia compatible electronic devices such as digital video players, set-top boxes, TVs, personal computers, and the like have been developed.
Such electronic device can play back digital contents such as a movie stored in a DVD (Digital Versatile Disk), a TV program transmitted by a digital satellite broadcast, and the like.
Digital contents are normally encoded by moving image high-efficiency coding called MPEG2, and are then sent to homes via recording media or transmission media. MPEG2 coding is based on the principle of variable rate coding to assure both high image quality and a short recording time in relation to the capacity. The volume of data encoded by variable rate coding depends on the image quality of a source image, and increases as the scene includes faster motions. Hence, digital contents can provide a video with image quality as high as an original video.
Recently, in view of protection of the copyrights of such digital contents, the need for copy protection techniques for preventing their illicit copies has been advocated, but no effective schemes have been configured yet.
For this reason, a new copy protection scheme designed for an IEEE1394 serial bus as the next-generation bus interface suitable for multimedia data transmission must be examined.
The IEEE1394 serial bus is the next-generation bus interface, which connects a digital video player, set-top box, TV, personal computer, and the like, and supports two different transfer modes, i.e., an asynchronous subaction and isochronous subaction. The former mode is used upon transferring normal data that does not require real-time processing. The latter mode guarantees a broad transfer band, and is used upon transferring digital contents represented by video data and audio data in real time.
As an IEEE1394 copy protection technique, digital contents which are exchanged among devices such as a digital video player, set-top box, TV, personal computer, and the like via the IEEE1394 serial buses may be enciphered or encrypted using known enciphering techniques such as a public key system, common key system, and the like so as to prevent their illicit copies.
However, since a personal computer is by nature an open system, satisfactory protection against illicit copies cannot be expected by merely enciphering data that flow on the IEEE1394 serial bus.
More specifically, if an enciphering/deciphering function is provided to a 1394 bridge in a personal computer, the open architecture of a PCI bus can be maintained, but deciphered data (plain contents) flow on the PCI bus and can be easily copied.
In a personal computer which has an enciphering/deciphering function in the 1394 bridge, limitations of the types of contents (copy once, copy never, and copy freely) that function modules can deal with can hardly be controlled in units of function modules. For example, an MPEG2 decoder must deal with all the types of contents (copy once, copy never, and copy freely), while the types of contents that a storage device such as a DVD-RAM, HDD, or the like can deal with must be limited to copy once and copy freely contents. However, once plain contents flow on the PCI bus, it is difficult to limit the types of contents that function modules can deal with in units of function modules. This is because such limitation of contents is normally imposed by authentication among devices. More specifically, when an enciphering/deciphering function is provided to the 1394 bridge, the personal computer is also considered as one of devices on the IEEE1394 serial bus. For this reason, it is possible to limit the types of contents that the personal computer can deal with by authentication between the personal computer and another device on the IEEE1394 serial bus, but is impossible to limit the types of contents in units of individual modules in the personal computer.
In general, devices on the IEEE1394 serial bus are identified by node IDs assigned to them. For this reason, the devices communicate with each other via the IEEE1394 serial bus by specifying each other""s devices using the node IDs.
The personal computer itself is one device on the IEEE1394 serial bus. Hence, in a system that specifies a communication partner by only the node ID, a device such as a digital video camera (DVC), set-top box (STB), or the like can specify the personal computer itself as a communication partner using the node ID of the personal computer, but cannot specify individual modules in the personal computer as a communication partner. For this reason, authentication between the personal computer and other devices on the IEEE1394 serial bus can be done, but cannot be done in units of individual modules of the personal computer.
It is an object of the present invention to provide a data processing apparatus which can authenticate in units of function modules that construct a data processing apparatus such as a personal computer, and can efficiently copy-protect digital contents, and an authentication method applied to the apparatus.
In order to achieve the above object, according to the present invention, a data processing apparatus having an interface for an external bus which is capable of connecting an external device having an authentication function for exchanging data to be copy-protected, comprises an internal bus, a plurality of function modules which are coupled to the internal bus and transmit or receive data to be copy-protected via the internal bus, each of the function modules holding authentication data required for proving authenticity of that function module with respect to the function module or the external device with which the function module wants to exchange the data to be copy-protected, and authentication means for performing authentication in which two out of the plurality of function modules or one function module and the external device authenticate each other to confirm if they are authentic devices that can deal with the data to be copy-protected, by exchanging the authentication data corresponding to the devices therebetween.
In this data processing apparatus, authentication data required for authentication is held in units of a plurality of function modules that deal with data to be copy-protected such as digital contents or the like, and authentication can be done using the authentication data in units of function modules, e.g., between two function modules or between a given function module and external device. In this way, since authentication is done in units of function modules, whether or not a function module of interest is an authentic device having a copy protection function can be confirmed in units of function modules, and the types (copy once, copy never, and copy freely) of digital contents that the function module can deal with can be determined.
Also, the authentication data held in each of the function modules contains device identification data for specifying the function module, and the authentication means uses each other""s device identification data as addresses for specifying devices that are to authenticate each other, so as to exchange the authentication data corresponding to the devices with a destination function module or the external device. In this manner, each module in the data processing apparatus can be specified as a device which authenticates an external device and which is authenticated by the external device.
In this case, when a protocol that uses the node IDs assigned to the data processing apparatus and external device as destination addresses is used in a communication between the data processing apparatus and external device, the device identification data is preferably used as a sub-address for specifying a function module in the data processing apparatus as a device which authenticates the external device and which is authenticated by the external device by embedding the device identification data in a given field of a data area.
Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out hereinafter.