(1) Field of the Invention
The present invention relates to group subordinate terminals, group managing terminals, servers, key updating systems, and key updating methods therefor. More particularly, the present invention relates to a group subordinate terminal, a group managing terminal, a server, a key updating system, and a key updating method therefor for enabling an update of a group key shared by two or more terminals.
(2) Description of the Related Art
Digital content such as digitalized audio, video, and novels can be easily copied or distributed.
This holds true not only for the case where the content is legitimately copied or distributed by copyright holders of the content, but also true for the case where the content is copied or distributed by an unauthorized person with no copyright. Therefore, such unauthorized copying and distribution need to be prevented in order to protect the rights and benefits of the copyright holders. Especially, it is important in protection of copyrights to prevent the unauthorized copying and distribution of digital content performed based on copyrighted content that has been digitalized and legitimately distributed by the copyright holders.
There have been known copyright protection technologies for preventing unauthorized copying and distribution of content using ciphers and the like. To be more specific, a different key (apparatus-unique key) is embedded in advance in each apparatus to which content is distributed. Then, the content is distributed after being encrypted using the apparatus-unique key held by a legitimate content purchaser's apparatus. For example, an apparatus-unique key 1 is embedded in advance in an apparatus 1, an apparatus-unique key 2 in an apparatus 2, ..., and an apparatus-unique key N in an apparatus N, and when a user 1 having the apparatus 1 purchases content X, the content X is distributed to the user 1 by first encrypting the content X using the apparatus-unique key 1 and then transmitting the encrypted content X to the apparatus 1. With such a distribution method, even when the user 2 having the apparatus 2 obtains the content X encrypted using the apparatus-unique key 1, the user 2 cannot decrypt the content X because the user 2 only has the apparatus-unique key 2. This way, the copyright of the content X is protected.
However, if an unauthorized analyzer is able to analyze the apparatus-unique key 1 of the apparatus 1, he becomes able to decrypt the content X that has been encrypted using the apparatus-unique key 1. This enables the unauthorized analyzer to copy and distribute the decrypted content X in plain text without authorization. Therefore, the apparatus-unique keys held by respective apparatuses need to be implemented in such a manner that they cannot be analyzed without authorization.
In addition, when the unauthorized analyzer tampers with and modifies the decryption process, for which the apparatus-unique key 1 is used, so that the content in plain text can be written to a hard disk drive (HDD) or the like, unauthorized copying and distribution become possible using the written content. Therefore, the decryption processing performed by the apparatuses needs to be implemented in such a manner that it cannot be tampered with without authorization.
As described above, the processing using the apparatus-unique keys needs to be implemented in such a manner that it cannot be analyzed or tampered with without authorization. Tamper-resistant technologies have been developed to address this need.
Incidentally, there are various methods for unauthorized analysis. Therefore, when manufacturing apparatuses, tamper resistance needs to be provided for protection against attacks using the various unauthorized analysis methods. However, in some cases, a new method for unauthorized analysis is found after the tamper-resistant apparatuses are manufactured and released on the market. Presently, there is no tamper-resistant technology available that can fully prevent unauthorized analysis and tampering, and thus further finding of new unauthorized analysis methods is expected. Thus, it is desirable that the tamper resistance can be updated when a new unauthorized analysis method is found, even after the apparatuses are released on the market.
When a new method for unauthorized analysis is found, what happens in most cases is that the newly found method is first confirmed theoretically to be an effective attack, and after some period of time, unauthorized analysis is put into practice using that method. Therefore, an update of the tamper resistance is desirable at an early stage, when the found unauthorized analysis method has only just been confirmed to be effective. Furthermore, even when the tamper resistance is found to be vulnerable because unauthorized analysis has actually been performed, the update of the tamper resistance is desirable before the unauthorized analysis spreads to numerous apparatuses.
The ability to disable the tamper resistance favors unauthorized analyzers, and thus from their viewpoint it is desirable that the tamper resistance not be updated. Further, vulnerable apparatuses with unupdated tamper resistance are sometimes purchased at a high price by unauthorized analyzers. Thus, not updating the tamper resistance sometimes yields a profit even for general users who are unlikely to perform unauthorized analysis, which suggests that such users may be less motivated to update the tamper resistance.
In order to address such situations, a method has been proposed which encourages the update of the tamper resistance by not allowing apparatuses whose tamper resistance needs to be updated but has not been updated to receive new content. More specifically, a method has been proposed which encourages apparatus users wishing to receive new content to update the apparatus-unique key at an early stage, by not encrypting content for distribution using an unupdated apparatus-unique key.
Incidentally, although each apparatus is given a different apparatus-unique key, it is sometimes problematic that the content held by each apparatus cannot be used by other apparatuses. Such a problematic case exists when, for example, there is more than one apparatus in a single household. To be more specific, the problem exists when there is more than one apparatus in a single household but content purchased through a particular one of the apparatuses cannot be used by other apparatuses in the same household.
In view of the foregoing, there is a mechanism proposed which sets a group of two or more apparatuses in a household, thereby enabling mutual use of content between the apparatuses in the group. To achieve this mechanism, a group key unique to the group is used in addition to the apparatus-unique keys. More specifically, the apparatuses in the same household are provided with the same group key in addition to their respective apparatus-unique keys. For example, when one wishes to use content of an apparatus A with another apparatus in the same household (apparatus B), the content encrypted using the apparatus-unique key of the apparatus A is once decrypted using the same apparatus-unique key, and then again encrypted using a group key to be transmitted to the apparatus B. Having received the re-encrypted content, the apparatus B decrypts it with the group key before use. Such a configuration enables the apparatus B to use the content purchased through the apparatus A. For example, Patent Reference 1, Japanese Unexamined Patent Application Publication No. 2000-101566, discloses a system that uses group keys.
The tamper resistance is necessary, as described above, also for group keys and the encryption and decryption processing for which group keys are used (that is, processing of encryption and decryption using group keys, hereinafter also referred to as group key processing). Further, not only is it desirable to update the tamper resistance when found to be vulnerable, but it is also desirable to encourage the apparatus users to update the group key too.
With the processing using the apparatus-unique keys, however, the content distributor can choose not to distribute content to terminal apparatuses having an unupdated apparatus-unique key, because it is the content distributor who distributes the content encrypted with an apparatus-unique key. In contrast, content encrypted with a group key is distributed by a group terminal apparatus that is already in the possession of the user. For this reason, there is no way to prevent such content from being distributed to a terminal apparatus having an unupdated group key.
In view of the foregoing, Patent Reference 2, Japanese Unexamined Patent Application Publication No. 2003-273857, discloses a method for distributing, when a group key is uncovered, a new group key to group terminal apparatuses excluding the group terminal having the uncovered group key. In Patent Reference 2, a terminal apparatus list of terminal apparatuses making up a group is held by the server on the updating service provider side. When one of the terminal apparatuses on the user side is found to be vulnerable, the server side obtains the terminal apparatus list including the vulnerable terminal apparatus, and transmits a new group key to each of the terminal apparatuses on the list except for the vulnerable one.
However, with the method disclosed in Patent Reference 2, the updating service provider side needs to have the list of terminal apparatuses making up the group. Thus, the use of such a method requires complex processing when the service provider or the server that manages and updates what is to be updated is different from the service provider or the server that manages the group.
Furthermore, in Patent Reference 2, the terminal apparatuses receiving the new group key are terminal apparatuses which belong to the same group as the vulnerable terminal apparatus and which are already in the possession of the user. Consequently, if these terminal apparatuses do not receive the new group key, the group key is not updated and the old group key continues to be used.