(1) Field of the Invention
The present invention relates to an authentication communication technique for authenticating the legality of an opposite party before beginning communication.
(2) Related Art
The rapid spread of digital techniques in recent years has seen an increase in systems in which video content is digitized and provided to users, recorded on large capacity digital devices such as optical disks.
Because copies of digitized content do not exhibit deterioration in quality, protecting the copyright of the digital content requires preventing unauthorized copying by a party holding the content. For this purpose, a device that transmits the content and a device that receives and plays back the content first confirm each other as being a device that protects copyrights before distributing the content. This enables devices which use the content to be limited to legal devices, and consequently protects the copyright of the content.
In this way, it is essential for a digital content processing device that receives, records or plays back digital content to confirm that a device with which communication is being performed (hereinafter referred to as an “opposite party”) is a legal participant in the system. Such confirmation is called authentication. Authentication of the opposite party is called device authentication. Note that “certify” denotes a device showing that it is legal, in other words that the device is a legal participant in the system, and “validate” denotes confirming the legality of the opposite party. The concept of authentication includes both certification and validation.
An encryption technique is usually used in device authentication. Specifically, the certifying party has secret data showing that it is a legal participant in the system, and certifies its legality by showing the validating party that it (the certifying party) has the secret data. On the other hand, the validating party validates the legitimacy of the certifying party by confirming that the certifying party has the secret data. In a communication path, such as between a PC (personal computer) and peripheral devices, by which anyone can obtain communication data, it is imperative that secret data (authentication data) used in the above-described authentication is not leaked to a third party that is not associated with the authentication. This is because if the secret data is leaked to a third party, the device that has obtained the secret data can masquerade as the original device. For this reason, authentication data is transmitted in an encrypted state, only to the verifying party.
Types of encryption techniques include a common key encryption technique and a public key encryption technique. In the common key encryption technique the key for encryption and the key for decryption have the same value. On the other hand, in the public key encryption technique the key for encryption and the key for decryption have different values.
In authentication using the common key encryption technique, the validating party holds the same secret as the certifying party, which means that there is a danger that the verifying party may masquerade as the certifying party. The so-called password method is equivalent to this technique. On the other hand, in authentication using the public key encryption technique, the certifying party certifies using a secret key of the public key encryption technique, and the verifying party verifies using a public key that corresponds to the secret key. Since the secret key cannot be made from the public key, the verifying party is unable to masquerade as the certifying party after authentication has finished. Consequently, the public key encryption method is preferable for performing the above-described authentication.
Note that in authentication that uses the public key encryption method, “sign” denotes performing processing using the secret key, and “verify” denotes confirming legality of the signature using a public key that corresponds to the secret key.
When transferring a digital work from a first device to a second device, the first device authenticates the second device (alternatively, the first and second devices perform mutual authentication) before transferring the digital work, in order to prevent illegal acts such as an illegal third party obtaining digital data over the communication path.
One example of opposite party authentication processing using a public key encryption technique is as follows. The first device transmits random number data to the second device, and the second device then applies a signature to the received random number data using its (the second device's) own secret key, to generate a signature text, and transmits the signature text back to the first device. Finally, the first device verifies the received signature data using the second device's public key.
However, it is a prerequisite in authentication that uses this kind of public key encryption technique that the public key is valid.
For this reason, an organization or a company called a certificate authority (hereinafter referred to as a “CA”) usually issues a “public key certificate”, which is “approval” to have a public key and shows that the public key is a legal public key corresponding to the device. Furthermore, a certificate revocation list (hereinafter referred to as a “CRL”) is issued. The CRL is a list of information that specifies one or more revoked public key certificates. Its purpose is to notify devices of the public key certificates of devices that have been used illegally or whose secret key has been stolen, in order to revoke such public key certificates.
Consequently, a valuable digital work can be prevented from being given to an illegal communication party by, when authenticating an opposite party using the opposite party's public key, obtaining the public key certificate from the communication party and confirming that the obtained public key certificate is not registered in the CRL (is not revoked), before performing the above-described processing.
Note that public key certificates are described in detail in Document 2.
Document 2 discloses the following technique.
A method for protecting digital content from copying and/or other misuse as it is transferred between devices over insecure links, includes authenticating that both a content source and a content sink are compliant devices, establishing a secure control channel between the content source and the content sink, establishing a secure content channel, providing content keys, and transferring content. In a further aspect of the present invention, at least one certificate revocation list version identifier is exchanged between the content source and the content sink, and if the received certificate revocation list version identifier is more recent than the certificate revocation list version identifier stored in the receiving device, then the certificate revocation list of the receiving device is updated.
<Document 1>
W. Ford and M. Baum, Digitaru Shomei to Ango Gijutsu (Digital Signatures and Encryption Techniques), trans. S. Yamada, Pearson Education Japan, 2000.
<Document 2>
U.S. Pat. No. 5,949,877 (Sep. 7, 1999), Content protection for transmission systems.
However, when the number of revoked users or devices increases, the size of the data of the CRL also increases. A problem arises that although devices that treat digital content have to store the CRL, such devices have limited area for storing data.
Furthermore, when digital content such as a movie is distributed on a recording medium such as a DVD (digital versatile disk), a device such as a DVD driver obtains a legal CRL by reading a CRL stored on the DVD and uses the obtained CRL to authenticate the opposite device (computers and the like that work according to playback software for playback circuits in the device). However, this gives rise to a problem that the CRL stored on the DVD is not necessarily the newest CRL, and therefore the device may mistakenly authenticate a revoked opposite device as being a valid device.
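The authentication sequence described in the Related Art above (random number challenge, signature with the second device's secret key, public key certificate check, CRL lookup) and the stale-CRL problem just described, as an added Python example that is not part of the original document. The textbook-RSA keys built from fixed primes, all names, the serial numbers and the CRL versions are constructed assumptions; the toy signature only stands in for a real public key signature scheme and is not secure.

```python
import hashlib, secrets

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):  # textbook RSA from fixed primes: constructed toy key, NOT secure
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):  # "sign": processing with the secret key
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):  # "verify": check with the corresponding public key
    return pow(sig, E, n) == digest(msg, n)

CA = make_key(2**89 - 1, 2**107 - 1)      # certificate authority (hypothetical)
DEVICE = make_key(2**61 - 1, 2**127 - 1)  # second device (hypothetical)

def issue_cert(serial, n):
    return {"serial": serial, "n": n, "sig": sign(CA, f"cert:{serial}:{n}".encode())}

def crl_body(crl):
    return f"crl:{crl['version']}:{sorted(crl['revoked'])}".encode()

def issue_crl(version, revoked):
    crl = {"version": version, "revoked": set(revoked)}
    return dict(crl, sig=sign(CA, crl_body(crl)))

def newest_crl(stored, received):
    # Replace the stored list only with a CA-signed list that has a newer version.
    signed_ok = verify(CA["n"], crl_body(received), received["sig"])
    return received if signed_ok and received["version"] > stored["version"] else stored

def authenticate(cert, crl, respond):
    body = f"cert:{cert['serial']}:{cert['n']}".encode()
    if not verify(CA["n"], body, cert["sig"]):
        return "certificate not issued by CA"
    if cert["serial"] in crl["revoked"]:
        return "certificate revoked"
    nonce = secrets.token_bytes(16)  # fresh random number data for each attempt
    if not verify(cert["n"], nonce, respond(nonce)):
        return "signature check failed"
    return "authenticated"

CERT = issue_cert(1001, DEVICE["n"])   # constructed sample values
DISC_CRL = issue_crl(3, {17})          # older list, as read from the disc
STORED_CRL = issue_crl(5, {17, 1001})  # newer list already held by the drive
device_respond = lambda nonce: sign(DEVICE, nonce)
```

Checking certificate 1001 against DISC_CRL alone returns "authenticated" even though version 5 revokes it; checking against newest_crl(STORED_CRL, DISC_CRL) returns "certificate revoked".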