1. Field of the Invention
The present invention relates to a storage medium used to store digital contents, such as programs and digitized text, audio and video, and to a method for updating revocation information that is used to prevent unauthorized electronic appliances from recording and reproducing digital contents.
2. Description of the Related Art
The advancements in digital and microprocessor technologies in recent years have enabled the development of a great variety of electronic appliances. Examples of such are personal computers with multimedia capabilities, set-top boxes, reproduction devices and game consoles. In addition to reproducing image data, audio data and other types of digital contents from recording media, such appliances can also download digital contents from networks like the Internet.
Digital contents are generally copyrighted material that has been digitally encoded according to a technique such as MPEG 2 (Moving Pictures Experts Group 2) or MP3 (Moving Pictures Experts Groupxe2x80x94Audio Layer 3). Such contents can be copied and transmitted on networks with no loss in quality. This means there is a growing need for technologies to stop improper acts that violate the copyrights over such material.
Current electronic appliances such as personal computers, set-top boxes, and reproduction devices tend to use xe2x80x9creversiblexe2x80x9d recording media, which here refers to recording media that are not player-dependent. Such media operate according to specifications that are usually made public. This makes it possible for users to transfer or copy digital contents onto other media at will, so that there is no effective way of protecting a digital content recorded on a recording medium.
Memory cards, where a recording medium and a controller are integrated, have recently appeared on the market. Such cards can be provided with a protected region (hereinafter called a xe2x80x9cconcealed regionxe2x80x9d) that can be accessed by an access control function of the controller according to a special procedure, but otherwise cannot be accessed by users. It is believed that digital contents can be protected more securely by using a concealed region to store important information (such as copy control information and transfer control information) that relates to the way in which digital contents can be used.
The following describes one conceivable way to protect the copyright of a digital content. Whenever a digital content is transferred between any of the electronic devices mentioned above and a recording medium, both devices first perform mutual authentication. This means that each device checks that the other is an authentic device equipped with the same copyright (content) protection mechanism (i.e., a predetermined content protection function). When both devices are authentic, they then exchange keys according to a key generation algorithm provided in both devices. Both devices thus obtain an authentication key, and use this key to respectively encrypt and decrypt either a content key (a different key used to encrypt the digital content), or the digital content itself.
The above technique has the following problem. The content protection mechanism (such as the information and/or program used for mutual authentication) has to be set in the electronic appliance before it is shipped from the factory. After purchase, the electronic appliance (or more specifically the programs that run on an electronic appliance) may be subjected to tampering which renders the content protection mechanism inoperative. Such a modified electronic appliance cannot be detected and stopped by mutual authentication alone, so that improper use of the contents becomes possible.
Digital contents could conceivably be afforded better protection by pre-recording revocation information in a special region on a recording medium. Revocation information shows invalid electronic appliances that should be prohibited from accessing contents stored on a recording medium. Such revocation information can be in the form of a list of identification information for such invalid electronic appliances. When the recording medium is loaded into an electronic appliance registered in the revocation information, the electronic appliance is prohibited from accessing the recording medium. In other words, the contents on the recording medium are protected by invalidating the electronic appliance""s right to access the recording medium.
This method has a drawback in that it is still necessary to set such revocation information in a non-rewritable region before the recording medium is shipped from the factory. This means that if tampering with electronic appliances (or programs of such appliances) results in the appearance of new types of invalid electronic appliances after a recording medium has been produced, such appliances cannot be added to the revocation information on the medium. Illegal access by such appliances cannot be prevented.
The present invention was conceived in view of the above problem, and has an object of providing a storage medium that can refer to revocation information and prohibit access to a content by an unauthorized electronic appliance, even when the unauthorized electronic appliance appears after the storage medium has been manufactured. The invention also aims to provide a suitable revocation information updating apparatus and method for such medium.
The stated object can be achieved by a storage medium that is used having been loaded into an electronic appliance, the storage medium including: a content storage area for storing a digital content; a revocation information storage area for storing, as revocation information, information that corresponds to identification information of an electronic appliance that is prohibited from accessing the digital content stored in the content storage area; and a master revocation information storage area storing, as master revocation information, information that corresponds to identification information of an electronic appliance that is prohibited from updating the revocation information stored in the revocation information storage area.
With the stated construction, information corresponding to the identification information of unauthorized electronic appliances that should not be allowed to update the revocation information can be registered in advance in the master revocation information storage area of the storage medium. By referring to this information, the storage medium can know whether an electronic appliance that is trying to access the revocation information is an authorized appliance or an unauthorized appliance.
The revocation information is stored in a secure rewritable storage region, so that even when an unauthorized electronic appliance appears after the storage medium is manufactured, information corresponding to the identification information of the electronic appliance can be additionally registered in the revocation information storage region. In this way, the unauthorized electronic appliance can be prevented from accessing digital productions stored on the storage medium.
Here, the storage medium may further include: a content protecting unit for performing a first judgment as to whether an electronic appliance into which the storage medium has been loaded has identification information that corresponds to the revocation information stored in the revocation information storage region, and allowing the electronic appliance to access the digital content stored in the content storage region only if the first judgment is negative; and a revocation information updating unit for performing a second judgment as to whether the electronic appliance into which the storage medium has been loaded has identification information that corresponds to the master revocation information stored in the master revocation information storage region, and allowing the electronic appliance to update the revocation information stored in the revocation information storage region only if the second judgment is negative.
With the stated construction, only electronic appliances with identification information that does not correspond to the content of the master revocation information storage region are allowed to update the revocation information stored on the storage medium. This means that unauthorized electronic appliances can be prevented from tampering with the revocation information.
Here, the master revocation information storage region may be provided in a ROM (read only memory) in which the master revocation information is stored in advance.
This protects the storage medium from attacks that try to tamper with the master revocation information after the storage medium has been manufactured.
Here, the storage medium may further include: a mutual authentication unit for performing mutual authentication with the electronic appliance into which the storage medium has been loaded before the revocation information updating means performs the second judgment and, if the mutual authentication succeeds, for generating a secret key that can be shared with the electronic appliance, wherein the revocation information updating unit updates the revocation information using the secret key generated by .the mutual authentication unit
With the stated construction, the crucial identification information relating to which devices have authorization to update the revocation information is transferred between the storage medium and an electronic appliance in a secure manner. This increases the security with which the revocation information is protected.
Here, the revocation information updating unit may transmit a secret key, which the electronic appliance needs to update the revocation information, to the electronic appliance only if the second judgment is negative.
As a result, the result of the judgment as to whether an electronic appliance has authority to update the revocation information is kept secret. This thwarts third parties that try to intercept the communication between the storage medium and an electronic appliance.
Here, the revocation information may be sorted into a plurality of groups, the revocation information storage region may include a plurality of storage areas, and each group may be stored in a different storage area, and
as the second judgment, the revocation information updating means may judge (1) whether the electronic appliance into which the storage medium has been loaded has identification information that does not correspond to the master revocation information stored in the master revocation information storage region, and (2) whether the electronic appliance has identification information that does not correspond to the revocation information in a specified group of revocation information that the electronic appliance wishes to update, the second judgment being negative only when both (1) and (2) are affirmative, and the revocation information updating means allowing the electronic appliance to update only the revocation information in the specified group.
As a result, even when an unauthorized third party manages to tamper with the revocation information, the damage will be limited to one group of revocation information. Other groups of revocation information are unaffected.
The stated object can also be achieved by a method for updating revocation information on a storage medium, the method including: a detection step for detecting whether the storage medium has been loaded into an electronic appliance; a judgment step for performing a first judgment as to whether first identification information of the electronic appliance does not correspond to the master revocation information stored in the master revocation information storage region of the storage medium; and an updating step for updating the revocation information stored in the revocation information storage region only when the first judgment is affirmative.
The stated object can also be achieved by a revocation information updating apparatus for updating revocation information on a storage medium, the apparatus including: a first identification information storage unit for storing first identification information that does not correspond to the master restricted region stored in the master revocation information storage region of the storage medium; a permission obtaining unit for obtaining, using information corresponding to the first identification information stored in the first identification information storage means, permission from the storage medium to update the revocation information stored on the storage medium; and an updating unit for updating the revocation information stored on the storage medium in accordance with the permission obtained by the permission obtaining unit.