1) Field of the Invention
The embodiments discussed herein relate to techniques for protecting data from illegal accessing when data of music, videos or the like is transferred between a data recording apparatus for recording data to store it and an access apparatus which accesses the data recording apparatus. The data recording apparatus is, for example, a digital recording and playback apparatus for recording data of music, videos or the like, and the access apparatus is, for example, a personal computer, or a host unit (CPU) in a data recording apparatus.
In recent years, thanks to the improvement in performance of personal computers and the advent of the MPEG2-ISI, it has become easy to handle data of videos and music. Further, it has become possible to acquire a disk of a large capacity of several tens of GB (gigabytes) at a moderate price, and new digital recording and playback apparatus based on a hard disk drive (HDD) or an optical disk drive have also appeared.
The key to widely popularizing such less expensive, high-performance data recording apparatus as described above is the protection of the copyright of the various data (contents) recorded by the data recording apparatus. That is, it is necessary to prevent illegal copying with high certainty in order to guard the rights of the provider of the contents.
Embodiments herein provide techniques by which, when data is transferred between a host unit (access apparatus) and a drive (data recording apparatus), the data can be protected from illegal accessing, thereby protecting the copyright with high certainty and without imposing a burden of processing on the drive recording side.
2) Description of the Related Art
An HDD recorder, a storage-type set top box (STB), or the like, is presently available as a digital recording and playback apparatus. For the purpose of copyright protection, an HDD built into the apparatus is in most cases fixed mechanically so that it cannot be removed from the apparatus. In contrast, from the standpoint of a user, there is strong demand to replace the HDD with a new HDD for a PC (Personal Computer), because HDD capacity has been increasing progressively in recent years. The rest of the apparatus (the part other than the HDD) may be left as it is.
This raises the issue of protecting the copyright upon transfer of data between the host unit and the disk drive (in other words, protection of data from illegal accessing). As copyright protection methods (data protection methods) which make use of a standard interface for a PC, e.g. ATA/ATAPI (Advanced Technology Attachment/ATA Packet Interface), the CPPM (Content Protection for Prerecorded Media) and the CPRM (Content Protection for Recordable Media) are conventionally known.
In the CPRM, an ID (identification information; for example, a media ID of a medium) unique to a drive is set in the drive, and a writing process of writing content data from the host unit onto the disk is performed in accordance with the following procedure [steps (a1) to (a8)].
(a1) A request for transfer of session keys (a plurality of media key blocks, a plurality of secret keys) and a first drive ID (static ID) stored in a ROM area in the drive is issued from the host unit to the drive.
(a2) The session keys and the first drive ID are transferred from the drive to the host unit in accordance with the request in step (a1).
(a3) The session keys and the first drive ID from the drive are stored into a RAM area of the host unit.
(a4) A random number generated on the host unit side is transmitted to the drive, and a request for transfer of a raw second drive ID (dynamic ID) and an encrypted second drive ID is issued from the host unit to the drive.
(a5) The second drive ID is encrypted using the random number from the host unit and a drive key (secret key) written in advance in a hidden area, in accordance with the request in step (a4), and the raw second drive ID and the encrypted second drive ID are transferred from the drive to the host unit.
(a6) A drive key (equivalent) is generated from the session keys and first drive ID which have been stored in step (a3) by the host unit, and the raw second drive ID from the drive is encrypted using the drive key and the random number generated in step (a4). Thereafter, the second drive ID encrypted on the host unit side and the encrypted second drive ID from the drive are compared with each other to discriminate whether or not they are coincident.
(a7) If it is discriminated in step (a6) that the second drive ID encrypted on the host unit side and the encrypted second drive ID from the drive are coincident, then it is discriminated that the drive authentication results in success, and contents data to be written into the drive is encrypted using the contents key and the contents key is encrypted using the session keys and the drive key (equivalent) generated from the first drive ID. Thereafter, the encrypted contents data and the encrypted contents key are transferred from the host unit to the drive and written onto the disk.
(a8) If it is discriminated in step (a6) that the second drive ID encrypted on the host unit side and the encrypted second drive ID from the drive are not coincident, then it is discriminated that the drive authentication results in failure, and the processing is interrupted without transferring the contents data to the drive.
On the other hand, in the case of CPRM, when the contents data written on the disk as described above is read out from the disk to the host unit, after authentication of the drive is performed in accordance with a procedure [steps (a1) to (a6)] similar to the procedure described above, the contents data is read out in accordance with such a procedure [steps (b1) and (b2)] as described below.
(b1) If it is discriminated in step (a6) that the second drive ID encrypted on the host unit side and the encrypted second drive ID from the drive are coincident with each other, then it is discriminated that the drive authentication results in success, and the host unit reads out the encrypted contents key and the encrypted contents data from the drive (disk). Thereafter, the encrypted contents key is decrypted using the drive key (equivalent) generated from the session keys and the first drive ID, and then, the encrypted contents data is decrypted using the decrypted contents key.
(b2) If it is discriminated in step (a6) that the second drive ID encrypted on the host unit side and the encrypted second drive ID from the drive are not coincident, then it is discriminated that the drive authentication results in failure, and the processing is interrupted without reading out the contents data from the disk.
It is to be noted that the CPPM is a copyright protection system only for readout, and in the CPPM, the steps (a1) to (a6), (b1) and (b2) described above are executed.
The drive authentication procedure [steps (a1) to (a6)] described above is called a challenge/response method, and in the CPRM or the CPPM, authentication is executed only on the host unit side. In other words, unidirectional drive authentication is executed, and as a result, a burden of processing on the drive side is reduced.
Further, a contents key and contents data are recorded on a disk based on an ID unique to the drive. Consequently, even if data recorded on the disk of the drive is illegally copied (volume copy) onto another medium, since the ID is not coincident upon data readout, readout of the illegally copied data is impossible. Accordingly, the CPRM and the CPPM are effective for prevention of illegal copying.
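The drive authentication of steps (a1) to (a8) can be sketched as follows. This is an added example and not code from the patent or from the CPRM specification; HMAC-SHA256 stands in for the unnamed cipher, the derivation in `derive_drive_key` is an assumption, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function (HMAC-SHA256), a stand-in: the page names no cipher."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Drive:
    """Drive side: the ROM area is readable, the hidden-area key never leaves the drive."""

    def __init__(self, session_key: bytes, static_id: bytes,
                 dynamic_id: bytes, hidden_key: bytes):
        self.session_key = session_key   # ROM area
        self.static_id = static_id       # first drive ID (static), ROM area
        self.dynamic_id = dynamic_id     # second drive ID (dynamic)
        self._hidden_key = hidden_key    # drive key written in the hidden area

    def read_rom(self) -> Tuple[bytes, bytes]:                # steps (a1)-(a2)
        return self.session_key, self.static_id

    def respond(self, nonce: bytes) -> Tuple[bytes, bytes]:   # steps (a4)-(a5)
        return self.dynamic_id, prf(self._hidden_key, nonce, self.dynamic_id)


class ReplayingDrive(Drive):
    """Holds no drive key; returns one (ID, response) pair recorded earlier."""

    def __init__(self, session_key: bytes, static_id: bytes,
                 recorded: Tuple[bytes, bytes]):
        super().__init__(session_key, static_id, recorded[0], b"")
        self._recorded = recorded

    def respond(self, nonce: bytes) -> Tuple[bytes, bytes]:
        return self._recorded


def derive_drive_key(session_key: bytes, static_id: bytes) -> bytes:
    """Assumed derivation of the drive key (equivalent) from the ROM values."""
    return prf(session_key, static_id)


def authenticate_drive(drive: Drive, nonce: Optional[bytes] = None) -> Optional[bytes]:
    """Host side of (a1)-(a8): return the drive key on success, None on failure."""
    session_key, static_id = drive.read_rom()                 # (a1)-(a3)
    nonce = nonce or secrets.token_bytes(16)                  # (a4) fresh per attempt
    dynamic_id, response = drive.respond(nonce)               # (a5)
    drive_key = derive_drive_key(session_key, static_id)      # (a6)
    expected = prf(drive_key, nonce, dynamic_id)
    if hmac.compare_digest(expected, response):
        return drive_key    # (a7): go on to encrypt and transfer the contents
    return None             # (a8): interrupt, nothing is transferred
```

A drive whose hidden area does not hold the matching key fails the comparison in (a6), and a recorded response is rejected because the host draws a new random number for every attempt.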
As a representative copyright protection method other than the CPRM and the CPPM, the DTCP (Digital Transmission Content Protection) which utilizes the IEEE1394-IF is available. The DTCP assumes data transfer between different apparatuses and is based on mutual authentication. With the DTCP, two methods are available: a full authentication method; and a restrict authentication method. In the full authentication method, an electronic signature algorithm of a public-key/secret-key cipher technique and a DH (Diffie-Hellman) key exchanging algorithm are adopted, and the two algorithms are based on an elliptic curve cipher.
Following is a description of a mutual authentication procedure [steps (c1) to (c9)] where the DTCP of the full authentication method is used upon data transfer between the host unit and the disk drive.
(c1) A request for the host authentication is issued from the host unit to the drive. At the same time, the host unit transmits to the drive a random number and an ID unique to the host unit. The ID unique to the host unit is proof-information produced for every apparatus by the license organization of the DTCP (DTLA, a company of the United States), and includes a public-key and an electronic signature.
(c2) The drive receives the random number and the ID unique to the host unit from the host unit and confirms whether or not the ID unique to the host unit is information produced by the DTLA in accordance with a verification process of an electronic signature, and checks whether or not the ID unique to the host unit is reported on an illegal apparatus list stored on the drive side.
(c3) If it is confirmed in step (c2) that there is no problem, then a request for drive authentication is issued from the drive to the host unit. At the same time, the drive transmits the random number and an ID unique to the drive. Also the ID unique to the drive is, similarly to the ID unique to the host unit, proof information produced for every apparatus by the DTLA.
(c4) The host unit receives the random number and the ID unique to the drive from the drive and confirms, similarly as in step (c2), whether or not the ID unique to the drive is information produced by the DTLA in accordance with a verification process of an electronic signature, and confirms whether or not the ID unique to the drive is reported on an illegal apparatus list stored on the host unit side.
(c5) If it is confirmed in step (c4) that there is no problem, then each of the units (host unit/drive) calculates DH information of the unit itself in order to share an encryption key in accordance with a DH key exchanging method (delivery/sharing method).
(c6) The DH information of the host unit is transmitted from the host unit to the drive.
(c7) The drive confirms whether or not the DH information received from the host unit is data transmitted from the host unit correctly, in accordance with the verification of an electronic signature.
(c8) Conversely, the DH information of the drive is transmitted from the drive to the host unit.
(c9) The host unit confirms whether or not the DH information received from the drive is data transmitted from the drive correctly, in accordance with the verification of an electronic signature.
As described above, in the mutual authentication methods represented by the DTCP, since the host unit and the drive both have a facility (mutual authentication facility) which checks whether or not the drive and the host unit are correct opposite parties for performing data transmission, respectively, not only illegal copying on the drive side is prevented with certainty, but also an illegal action (impersonation or the like) on the host unit side can be prevented with certainty.
It is to be noted that, while the DTCP of the restrict authentication method performs authentication using a common secret key and a hash function, also in the DTCP of the restrict authentication method, basically the host unit and the drive have an equal relationship to each other, similar to the DTCP of the full authentication method described above, and execute similar authentication processes. Therefore, description of the same is omitted herein to avoid redundancy.
In the CPRM and the CPPM described above, however, because the drive authentication is executed only on the host unit side, although illegal copying on the drive side can be prevented with certainty, the authentication of the host unit cannot be executed on the drive side. Accordingly, if the authentication of the drive results in success, then it is possible for a plurality of irregular apparatus (host units) without rights to access the drive and play back the contents data recorded on the disk. Therefore, there is a problem in that the data of the drive cannot be protected from illegal accessing by an irregular host unit and an illegal action (impersonation or the like) on the host unit side cannot be prevented.
Thus, if the DTCP described above is adopted, then since not only the drive authentication on the host unit side but also the host authentication on the drive side are executed, both illegal copying on the drive side and illegal action on the host unit side can be prevented. However, the authentication process of the DTCP is very complicated and the host unit and the drive have an equal relationship as described above. Therefore, the drive side in particular is obliged to execute a complicated authentication process. Consequently, the processing load on the drive side is increased unfavorably.
Meanwhile, in recent years, a business of renting a set top box (STB) at a moderate price has begun to develop. As the development of the business just described proceeds, an illegal user has appeared who not only illegally copies data recorded on the hard disk drive in the STB but also removes the hard disk drive itself and illegally diverts it as a drive of a personal computer.
As a countermeasure against such an illegal user as just described, there is demand to adopt a mutual authentication method such as the DTCP described above.
However, in the DTCP, the authentication process is very complicated and the load of the processing on the drive side is heavy as described above. Therefore, there is demand to prevent such illegal diversion as described above with certainty by simpler and easier processing without increasing the load on the drive side.
It is an aspect of embodiment(s) described herein to provide a technique which can protect data from illegal accessing without increasing the load of processing on the drive side, to prevent not only illegal copying on the data recording apparatus (drive) side but also to prevent an illegal action on the access apparatus (host unit) side, thereby protecting the copyright and further preventing illegal diversion of the data recording apparatus.
In order to attain the aspect described above, according to an aspect of embodiment(s) described herein, there is provided a data protection method for protecting, when data transfer is performed between a data recording apparatus for recording and storing data and an access apparatus which accesses the data recording apparatus, data of the data recording apparatus from illegal accessing, comprising a step by the access apparatus of executing authentication of the data recording apparatus, a step of encrypting, when the data recording apparatus is authenticated, a contents key with access apparatus identification information registered in advance in a storage area of the access apparatus and a session key and first identification information read out from a storage area of the data recording apparatus, a step of transferring the encrypted contents key from the access apparatus to the data recording apparatus in order to write the encrypted contents key into the data recording apparatus, a step by the access apparatus of encrypting contents data to be recorded and stored into the data recording apparatus with the contents key, and a step of transferring the encrypted contents data from the access apparatus to the data recording apparatus in order to write the encrypted contents data into the data recording apparatus.
According to another aspect of embodiment(s) described herein, there is provided a data protection method for protecting, when data transfer is performed between a data recording apparatus for recording and storing data and an access apparatus which accesses the data recording apparatus, data of the data recording apparatus from illegal accessing, comprising a step of writing contents data encrypted with a contents key into the data recording apparatus and writing the contents key, which is encrypted with predetermined access apparatus identification information and a session key and first identification information registered in advance in a storage area of the data recording apparatus, into the data recording apparatus, a step by the access apparatus of executing authentication of the data recording apparatus, a step of reading out, when the data recording apparatus is authenticated, the encrypted contents data and the encrypted contents key from the data recording apparatus and transferring the encrypted contents data and the encrypted contents key to the access apparatus, a step by the access apparatus of decrypting the encrypted contents key with the access apparatus identification information registered in advance in a storage area of the access apparatus and the session key and first identification information read out from the storage area of the data recording apparatus, and a step of decrypting the encrypted contents data with the decrypted contents key.
According to a further aspect of embodiment(s) described herein, there is provided a data protection method for protecting, when data transfer is performed between a data recording apparatus for recording and storing data and an access apparatus which accesses the data recording apparatus, data of the data recording apparatus from illegal accessing, comprising a step of transferring access apparatus identification information, which is registered in advance in a storage area of the access apparatus connected first to the data recording apparatus when the data recording apparatus is in an initial state, from the access apparatus to the data recording apparatus and writing the access apparatus identification information into a writable-once storage area, a step by the data recording apparatus of performing, every time the access apparatus thereafter accesses the data recording apparatus, authentication of the access apparatus based on the access apparatus identification information written in the writable-once storage area, a step by the access apparatus of performing authentication of the data recording apparatus when the access apparatus is authenticated, a step of encrypting, when the data recording apparatus is authenticated and contents data is to be recorded and stored into the data recording apparatus, a contents key with a session key and first identification information read out from the storage area of the data recording apparatus, a step of transferring the encrypted contents key from the access apparatus to the data recording apparatus in order to write the encrypted contents key into the data recording apparatus, a step by the access apparatus of encrypting the contents data to be recorded and stored into the data recording apparatus with the contents key, and a step of transferring the encrypted contents data from the access apparatus to the data recording apparatus in order to write the encrypted contents data into the recording apparatus.
The data protection method may further comprise a step of reading out and transferring, when both of the access apparatus and the data recording apparatus are authenticated and contents data is to be read out from the data recording apparatus, the encrypted contents data and the encrypted contents key from the data recording apparatus to the access apparatus, a step by the access apparatus of decrypting the encrypted contents key with the session key and first identification information read out from the storage area of the data recording apparatus, and a step of decrypting the encrypted contents data with the decrypted contents key.
Further, the step of performing authentication of the access apparatus may include a step by the data recording apparatus of generating a random number, a step of transferring the random number from the data recording apparatus to the access apparatus, a step by the data recording apparatus of encrypting the access apparatus identification information with the random number, a step by the access apparatus of encrypting the access apparatus identification information with the random number from the data recording apparatus, a step of transferring the encrypted access apparatus identification information from the access apparatus to the data recording apparatus, and a step of comparing the encrypted access apparatus identification information from the access apparatus and the access apparatus identification information encrypted by the data recording apparatus with each other to discriminate whether or not the encrypted access apparatus identification information and the access apparatus identification information encrypted by the data recording apparatus coincide with each other, the access apparatus being authenticated when it is discriminated that the encrypted access apparatus identification information and the access apparatus identification information encrypted by the data recording apparatus coincide with each other.
According to embodiment(s) described herein, when the access apparatus (host unit) writes contents data and a contents key into the data recording apparatus, since the contents key is encrypted with not only the identification information of the data recording apparatus but also a factor of the access apparatus identification information (host ID) added thereto, only the original access apparatus which has written the contents data and the contents key into the data recording apparatus can read out the contents data. In particular, even if an access apparatus other than the original access apparatus reads out the contents data from the data recording apparatus, since the identification information of this access apparatus is different from that of the original access apparatus, the contents key cannot be decrypted correctly. Consequently, the contents data cannot be decrypted correctly and cannot be read out. Accordingly, the data of the data recording apparatus can be protected from illegal accessing without increasing the load of processing on the data recording apparatus side by adopting the unidirectional authentication of the CPPM, the CPRM or the like. Consequently, not only illegal copying on the data recording apparatus side but also illegal readout or illegal copying of data by impersonation or the like on the access apparatus side can be prevented with certainty, and reliable protection of the copyright can be anticipated.
Further, identification information (a host ID) of the access apparatus (host unit) connected first to the data recording apparatus (drive) when the data recording apparatus is in an initial state is written into the writable-once storage area in the data recording apparatus. Thereafter, it is authenticated whether or not the access apparatus, which has accessed the data recording apparatus, is the access apparatus (original host) connected first to the data recording apparatus, based on the identification information written in the storage area. Accessing (data writing/readout) to the data recording apparatus is authorized only if it is authenticated that the access apparatus is the original access apparatus.
Consequently, if a very simple authentication process is executed on the data recording apparatus side, then an access apparatus other than the original access apparatus cannot access the data recording apparatus. Accordingly, the data of the data recording apparatus can be protected from illegal accessing without increasing the load of processing on the data recording apparatus side, and not only illegal copying on the data recording apparatus side but also illegal readout and illegal copying of data by impersonation or the like on the access apparatus side can be prevented with certainty, and reliable protection of the copyright can be anticipated.
Further, since only the original access apparatus connected first to the data recording apparatus can access the data recording apparatus, such illegal diversion of the data recording apparatus that, for example, a hard disk drive (data recording apparatus) is dismounted from a set top box (STB) and is diverted in a system other than the STB can be prevented with certainty.
It is to be noted that, by combining the technique, wherein identification information of an access apparatus connected first is written into a write-once storage area of a data recording apparatus and the identification information is used to perform authentication of the access apparatus, with the technique, wherein a contents key to be written into the data recording apparatus is encrypted using the identification information of the data recording apparatus and the identification information of the access apparatus, even if some measures are taken to illegally pass the authentication of the access apparatus, any access apparatus other than the original access apparatus cannot decrypt the contents key read out from the data recording apparatus nor can read out the contents data. Accordingly, illegal readout and illegal copying of data by impersonation or the like on the access apparatus side can be prevented with more certainty.
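The combination just described (host ID in a writable-once area, host authentication by random number, and a contents key bound to both the drive and the host) can be sketched as follows. This is an added example and not code from the patent; HMAC-SHA256 and the toy stream cipher stand in for the unnamed ciphers, all names are hypothetical, and the host's authentication of the drive is left out to keep the focus on the host-ID steps.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function (HMAC-SHA256), a stand-in: the page names no cipher."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Drive:
    def __init__(self, session_key: bytes, drive_id: bytes):
        self.session_key, self.drive_id = session_key, drive_id  # readable storage area
        self._host_id: Optional[bytes] = None    # writable-once storage area
        self._nonce: Optional[bytes] = None
        self.wrapped_key = self.enc_data = b""   # what ends up on the disk

    def register_host(self, host_id: bytes) -> bool:
        """Accept a host ID only while the drive is in its initial state."""
        if self._host_id is not None:
            return False
        self._host_id = host_id
        return True

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_host(self, response: bytes) -> bool:
        if self._host_id is None or self._nonce is None:
            return False
        expected = prf(self._host_id, self._nonce)
        self._nonce = None                        # one challenge, one attempt
        return hmac.compare_digest(expected, response)


class Host:
    def __init__(self, host_id: bytes):
        self.host_id = host_id

    def _kek(self, drive: Drive) -> bytes:
        # Key-encrypting key from session key, drive ID and host ID.
        return prf(drive.session_key, drive.drive_id, self.host_id)

    def login(self, drive: Drive) -> bool:
        drive.register_host(self.host_id)         # only takes effect on first connect
        return drive.verify_host(prf(self.host_id, drive.challenge()))

    def write(self, drive: Drive, content: bytes) -> bool:
        if not self.login(drive):
            return False
        contents_key = secrets.token_bytes(32)
        drive.wrapped_key = xor_stream(self._kek(drive), contents_key)
        drive.enc_data = xor_stream(contents_key, content)
        return True

    def read(self, drive: Drive) -> Optional[bytes]:
        if not self.login(drive):
            return None
        return self.decrypt_raw(drive)

    def decrypt_raw(self, drive: Drive) -> bytes:
        """Decrypt the stored blobs directly, as if host authentication were bypassed."""
        contents_key = xor_stream(self._kek(drive), drive.wrapped_key)
        return xor_stream(contents_key, drive.enc_data)
```

The drive's share of the work is one keyed hash and one comparison per access; a second host is refused by `verify_host`, and `decrypt_raw` on that host recovers a wrong contents key because its key-encrypting key differs.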
The above and other aspects, features and advantages will become apparent from the following description and the appended claims, taken in conjunction with the accompanying drawings in which like parts or elements are denoted by like reference characters.