Encrypted communication using public key encryption is one of several methods used to realize confidential communications between a transmission apparatus and a receiving apparatus. In the public key cryptosystem, the transmission apparatus encrypts the contents of the communications using a public key possessed by the receiving apparatus and transmits them to the receiving apparatus; the receiving apparatus then receives the encrypted contents and obtains the original contents by decrypting them with its own private key. This method is published in detail, for example, in Modern Cryptography. Mathematics in Information Science. Ser. Tatsuaki Okamoto, and Hirosuke Yamamoto, Sangyo Tosyo, 1997.
In a common encryption system using this method, plural transmission apparatuses and receiving apparatuses exist. The transmission apparatus first acquires the public key possessed by the destination receiving apparatus. The public key forms a pair with the private key possessed by the destination receiving apparatus and is released in the encryption system. Then, the transmission apparatus encrypts the data to be communicated using the public key obtained as above and transmits it, whereas the receiving apparatus receives the communication data encrypted by the transmission apparatus, decrypts the data using its own private key and obtains the original data.
Here, if the private key possessed by the destination receiving apparatus is disclosed, the encryption system is not secure any more because the contents of communications encrypted using the public key possessed by the destination receiving apparatus can be decrypted by an outsider who has the disclosed private key. Therefore, it is required that the private key possessed by the receiving apparatus be placed under strict control so that it is not leaked to outsiders.
However, there is a possibility that the private key could be disclosed by an accident of some sort. It is necessary, therefore, to stop the usage of the public key paired with the disclosed private key in the case in which the private key possessed by the receiving apparatus is disclosed or any such doubt arises.
As an example of such a method, it has been suggested to use a data structure called a Certificate Revocation List (CRL) to stop the usage of the public key paired with the disclosed private key when the private key possessed by the receiving apparatus is disclosed. This method is published, for example, in Digital Signature and Cryptographic Technology. Shinichiro Yamada. Trans. Pearson Education Inc., 1997: pp. 159-214.
As another example, a method to use SRM (System Renewability Messages) is suggested in DTCP (Digital Transmission Content Protection Messages) for protecting the digital contents transmitted on a serial bus complying with the IEEE (Institute of Electrical and Electronics Engineers) 1394 Standard. With the use of the SRM, it is possible to stop the usage of the public key possessed by the receiving apparatus when the private key possessed by the receiving apparatus is disclosed. This method is published, for example, in “Digital Transmission Content Protection Specification Revision 1.2 (Informational Version)”, Jul. 11, 2002.
The following describes these methods briefly.
The public key is associated with identification information that identifies the person or object possessing it, and is converted by a reliable third party into a format to which a serial number or the like is attached. Moreover, the digital signature of the third party is attached to the public key in order to prevent falsification by others. The public key with this digital signature attached is called a public key certificate. The CRL and the SRM issued by the third party describe the serial number of the public key certificate of each public key whose usage has to be stopped for a reason such as the disclosure of the private key. Therefore, it is possible to stop the usage of the public key paired with the disclosed private key by examining the serial numbers described in the CRL and the SRM.
Here, the application of this method to the encryption system for encrypted communications between the transmission apparatus and the receiving apparatus is considered. The transmission apparatus confirms the digital signature for the public key certificate of the destination receiving apparatus, obtains the public key and the serial number based on the public key certificate and also acquires the CRL and the SRM issued by the third party. The transmission apparatus then stops the usage of the public key when the serial number of the obtained public key certificate is contained in the CRL and the SRM. Thus, the usage of the public key paired with the disclosed private key is ceased when the private key possessed by the receiving apparatus is disclosed. Consequently, safe encrypted communications can be realized between the transmission apparatus and the receiving apparatus.
However, the method using the CRL and the SRM described above contains the following problems.
(1) Even if the private key possessed by the receiving apparatus is disclosed, the transmission apparatus cannot always stop the usage of the public key possessed by the receiving apparatus, because the updated CRL and SRM cannot always be obtained. Therefore, with the conventional art, there is a risk that the content of the encrypted communications transmitted by the transmission apparatus continues to be decrypted by a receiving apparatus operated by an outsider having the disclosed private key. Namely, there is a risk that the disadvantage on the sender's side cannot be prevented when the private key is disclosed in a case of transmitting digital works such as music.
(2) It is desirable to regularly renew the key in order to assure the security of the encrypted communications. However, with the conventional art, it is difficult to urge the user operating the receiving apparatus to update the key, since the receiving apparatus functions normally without the regular updating of the key.
(3) The CRL and the SRM issued by the reliable third party are required.
The following describes in detail the problems (1), (2) and (3), mentioned above.
Firstly, with the method using the CRL and the SRM, there is a case in which the usage of the public key possessed by the receiving apparatus cannot be stopped even if the private key possessed by the receiving apparatus is disclosed, since the transmission apparatus cannot obtain the updated CRL and SRM. For example, a system in which digitalized movie content data is recorded on a storage medium such as a DVD (Digital Versatile Disc) is considered here. The movie content data is encrypted with an encryption key possessed by each player, namely, a receiving apparatus, and is recorded onto a disk. The player, having a decryption key corresponding to the encryption key, decrypts the encrypted movie content data recorded on the disk and replays the movie. When a certain player is an unauthenticated apparatus, the CRL or the SRM in which that player's public key is described is recorded on a storage medium such as a DVD and then issued, with the aim of preventing replay by that player.
Assume that it is proved that the private key of the receiving apparatus is disclosed. From then on, the updated CRL and SRM, in which the serial number of the public key certificate of the receiving apparatus is additionally described, are recorded on the DVD and then issued. However, on DVDs distributed before that, only the old versions of the CRL and the SRM are recorded, and thereby the serial numbers of the latest revoked public key certificates are not recorded. Consequently, the transmission apparatus cannot necessarily stop the usage of the public key used by the unauthenticated receiving apparatus, since the transmission apparatus can obtain only the old versions of the CRL and the SRM as long as it uses a DVD with old information.
Also, in the DTCP standard using the SRM, an old version of the SRM possessed by an apparatus is updated to a newer version possessed by another apparatus when the apparatuses are connected via the IEEE 1394 serial bus. Namely, with this system, a new version of the SRM can be obtained not only from a storage medium such as a DVD but also from other apparatuses. This system, however, does not completely assure that the latest version of the SRM is obtained. Thus, the transmission apparatus cannot necessarily stop the usage of the public key possessed by the receiving apparatus. Therefore, the content of the encrypted communications transmitted by the transmission apparatus risks being decrypted continuously by the outsider having the disclosed private key. Namely, there is a risk that the disadvantage on the sender's side cannot be prevented when the private key is disclosed in a case of transmitting digital works such as music.
Secondly, with the method using the CRL and the SRM, it is hard to urge a person operating the receiving apparatus to update its own public key or private key. This is attributable to the fact that the receiving apparatus can continue to decrypt the encrypted communications completely until the transmission apparatus stops using the public key possessed by the receiving apparatus, using the CRL and the SRM.
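The sender-side check and the stale-list gap described above can be modelled as follows. This is an added example, not code from the cited specifications; the class and function names are hypothetical, and HMAC-SHA256 with a constructed key stands in for the third party's digital signature.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for the third party's key

def sign(payload: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the third party's digital signature.
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()

@dataclass(frozen=True)
class Certificate:
    serial: int
    public_key: bytes
    sig: bytes = b""
    def payload(self) -> bytes:
        return self.serial.to_bytes(8, "big") + self.public_key

@dataclass(frozen=True)
class RevocationList:
    version: int
    revoked: frozenset
    sig: bytes = b""
    def payload(self) -> bytes:
        return b"|".join(str(n).encode() for n in [self.version, *sorted(self.revoked)])

def issue(obj):
    # The third party attaches its signature to a certificate or a revocation list.
    return replace(obj, sig=sign(obj.payload()))

def authentic(obj) -> bool:
    return hmac.compare_digest(obj.sig, sign(obj.payload()))

class Sender:
    def __init__(self, initial_list):
        self.rl = initial_list  # e.g. the list recorded on the disc in hand

    def offer_list(self, candidate) -> bool:
        # SRM-style update: adopt only an authentic list with a higher version.
        if authentic(candidate) and candidate.version > self.rl.version:
            self.rl = candidate
            return True
        return False

    def may_encrypt_to(self, cert) -> bool:
        # Usable only if the certificate is authentic and its serial is not listed.
        return authentic(cert) and cert.serial not in self.rl.revoked
```

A sender holding only a list issued before the revocation returns `True` from `may_encrypt_to` for the revoked certificate; the answer changes only once a newer authentic list happens to reach it.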
With the conventional art, it has been required to obtain the latest versions of the CRL and the SRM from the third party and to check the serial numbers described in them in order to stop the usage of the public key paired with the disclosed private key. However, in general, there are many cases in which a person operating the transmission apparatus performs encrypted communications either without knowing that the CRL and the SRM should be checked, or ignoring the check since it is a hassle to obtain the latest versions of the CRL and the SRM from the server. This is because both the transmission apparatus and the receiving apparatus operate normally without regular updating of the key, and can perform encrypted communications without checking the CRL and the SRM once the transmission apparatus obtains the public key used by the receiving apparatus. When the transmission apparatus performs encrypted communications without checking the CRL and the SRM, the person operating the receiving apparatus will not update its own public key/private key, since the receiving apparatus operates normally without regularly updating the key. It is also conceivable to set an effective period for the public key certificate, so that the transmission apparatus stops the usage of a public key whose effective period has expired and does not perform encrypted communications towards the receiving apparatus as long as the receiving apparatus does not update the key. However, in this case too, there are many cases in which the person operating the transmission apparatus performs encrypted communications either without knowing that the effective period should be checked or ignoring the check, as is the case with the method using the CRL and the SRM. As a result, the person operating the receiving apparatus will not regularly update its own public key/private key, since the receiving apparatus operates normally without the regular updating of the key.
Lastly, with the method using the CRL and the SRM, it is presupposed that the CRL and the SRM are issued by the reliable third party. The problem is that the presence of such CRL and SRM has to be presumed.