The invention relates to a method of generating a key for controlling the access to information on an information carrier, which key comprises an M-bit master key originating from a read and/or write apparatus which cooperates with the information carrier and an information carrier key originating from the information carrier.
The invention further relates to a read and/or write apparatus including means for cooperating with an information carrier, further including means adapted to generate an M-bit master key for generating a key for controlling the access to information on an information carrier.
The invention further relates to an information carrier having an information carrier key for controlling the access to information on the information carrier.
The method in accordance with the invention can be used in a copy-protection system aimed at preventing illegal copying of information by storing this information on an information carrier in encrypted form.
A method of the type defined in the opening paragraph is known from, inter alia, European Patent Application EP-A 0 644 474. Said document describes a method of preventing illegal copying of information from one information carrier to another. This method can be used in systems where, for example for reasons of confidentiality, the information to be transmitted is encrypted and can subsequently be decrypted with the aid of the key to be generated. Said method can also be utilized in so-called access systems, where the presence of the correct key is required in order to gain access to given information systems, such as for example databases.
To this end, a key comprising an M-bit master key originating from a device and an information carrier key originating from the information carrier is generated in order to control the access to the information on the information carrier. This M-bit master key forms part of the so-called shared secret, which must remain a secret in order to assure that access to the information on the information carrier is restricted to users who copy information from the one information carrier to the other in a legal manner.
When the information is copied from the one information carrier which carries the key to another information carrier, this information carrier key is not passed on. As a result of this, it is not possible to generate a correct key by means of the last-mentioned information carrier. Consequently, this information carrier cannot be played back on a device requiring this key.
If a recording of information is to be read from an illegally copied information carrier, the key required to allow this cannot be generated because the relevant information carrier key will not be found on the information carrier. This is in contradistinction to the so-called identifiers R associated with the relevant information recordings, which can usually be found on the illegally copied information carrier.
On account of statutory restrictions or limitations imposed on the computing time, a comparatively small M-bit master key is used. A comparatively small M-bit master key has the drawback that in general it is readily compromised. Compromising is to be understood to mean the disclosure of the content of the key in that a given information carrier is hacked. As a result of this hacking, the M-bit master key becomes known. With the knowledge of this M-bit master key it is then possible to make illegal copies if the information carrier key has also been compromised.
In the case that the M-bit master key, which is part of the shared secret, is no longer a secret, it could be necessary to replace the compromised key, which may entail substantial cost and inconvenience for the user of the information. In existing cryptographic systems for secure communication the key material is replaced regularly. In such systems (for example broadcast systems) the key material is replaced at the instant that the key material used until then has been or is likely to be compromised. When the invention is applied to copy protection of stored information the replacement of the key material poses a problem because material encrypted with the old key material is to be played back. This is in contradistinction to, for example, broadcast systems in which the data broadcast in the past need no longer be protected against illegal decryption.
It is another object of the invention to preclude illegal copying of information from the one information carrier to the other using a comparatively small M-bit master key and to achieve that if the key material of a protected information carrier is compromised the copy protection system remains intact with an acceptable probability.
To this end, the method in accordance with the invention is characterized in that the M-bit master key is selected from an N-bit string by determining a number p, in dependence upon an identifier R, the identifier R being associated with a recording of information on the information carrier, and by reading the N-bit string from a position defined by the number p, N being substantially greater than M.
By selecting the M-bit master key from a comparatively large shared secret, the N-bit string, in dependence on an identifier R, which is associated with a recording of information on an information carrier, a large number of unique M-bit master keys can be generated.
This has the advantage that compromising of one or a small number of the selected M-bit master keys will not result in immediate loss of the copy protection. If one or a small number of the selected M-bit master keys is/are compromised it is possible that previous recordings made with those keys and future recordings which will be made are copied illegally by means of these M-bit master keys.
It is not possible to determine in advance whether the next recording can be copied because it is not possible to predict whether a compromised M-bit master key or a non-compromised M-bit master key will be used. This is not possible because the number p is derived from the identifier R via cryptographic techniques such as hash functions. As a result of this, compromising of one or a large number of the selected M-bit master keys will be even less harmful for the copy protection.
The present invention enables the use of a large shared secret and enables this large shared secret to be used for the generation of keys of limited key length. The computing time required for generating the key and subsequently encrypting or decrypting the information can thus be limited. As a result of the size of the shared secret it will take a longer time before it can be compromised completely. Compromising of a single M-bit master key will then only result in a gradual degradation of the copy protection in the copy protection system rather than in an abrupt loss of the copy protection.
The invention is inter alia based on the recognition of the fact that use can be made of a large shared secret, namely the N-bit string from which the M-bit master key is selected for each recording of information to be protected against illegal copying. Thus, it is possible to have a large shared secret and yet to comply with restraints imposed on the permissible size of the M-bit master key.
Another variant is characterized in that, in addition, said number p is dependent upon the information carrier key.
Since the number p depends both upon the identifier R and on the information carrier key it is possible to generate a large number of unique M-bit master keys.
Another variant is characterized in that said identifier R is associated with a recording sequence number.
By associating the identifier R with a recording sequence number it is possible to generate another M-bit master key for each recording of information. As a rule, only the information of one recording can be copied illegally in the case that one M-bit master key is compromised, without enabling recordings made shortly before or shortly after this to be copied illegally.
Possible examples of relationships between the identifier R and the recording sequence number are: R is a pseudo-random number, R is a date/time field, R is related to other information associated with the recording.
A further variant is characterized in that said identifier R is present on the information carrier.
By storing the identifiers R on the information carrier it is possible to copy also the respective identifiers R when the information carrier is wholly or partly copied. In this case the information carrier usually stores a large number of identifiers each related to an information recording. For example in the case of a CD-R or CD-RW information carrier, an identifier R can be related to a recording sequence number. In that case it is possible to generate another M-bit master key for each information recording. Alternatively, for example in the case of a prerecorded CD-ROM or CD-Audio information carrier, an identifier R can be related to a part of the information on the information carrier.
A further variant is characterized in that said identifier R is present in the read and/or write apparatus which cooperates with the information carrier.
If the identifier R is present in the read and/or write apparatus which cooperates with the information carrier the apparatus can be related to the information carrier. The relevant information carriers can then be read and inscribed only in this apparatus.
A further variant is characterized in that the number p is derived unambiguously by applying said identifier R to a hash function.
The number p can be obtained by performing a so-called hash function, which preferably forms part of the shared secret, upon an identifier R associated with a recording sequence number and present on the information carrier. The use of a hash function makes it impossible to relate the M-bit key to the visible identifier R. As long as the operation of the one-way hash function remains a secret it is impossible to relate the input of a hash function to the output.
A further variant is characterized in that i numbers p are determined, namely a first number p1 through an ith number pi, in that i substrings are determined, namely an M1-bit substring, determined by reading out the N-bit string from a position q1 defined by the first number p1, through an Mi-bit substring, determined by reading out the N-bit string from a position qi defined by the ith number pi, after which the M-bit master key is formed by combining the i substrings.
When the M-bit master key is determined by combining the substrings read from the N-bit string the number of different M-bit master keys that are possible is increased. Owing to this, compromising of one or a small number of the selected M-bit master keys will hardly result in the abrupt loss of the copy protection. This combination can be effected by concatenating the i substrings. Besides, it is also possible to XOR (exclusive-OR) the i substrings in order to generate the M-bit master key.
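The selection described above (a number p derived from the identifier R by a hash function, optionally also from the information carrier key, and i substrings combined by concatenation or XOR) can be sketched as follows. This is an added example, not code from the patent text. Assumptions: HMAC-SHA-256 with a secret key stands in for the unspecified hash function that forms part of the shared secret, bits are read most significant bit first without wrap-around, and the sizes N = 4096 and M = 56 as well as all names are illustrative.

```python
import hashlib
import hmac

def position(R: bytes, j: int, span: int, carrier_key: bytes = b"",
             hash_secret: bytes = b"") -> int:
    """Number p_j in [0, span): keyed hash of the identifier R, the substring
    index j and, for the variant that uses it, the information carrier key."""
    msg = j.to_bytes(4, "big") + len(R).to_bytes(4, "big") + R + carrier_key
    digest = hmac.new(hash_secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % span

def read_bits(secret: bytes, pos: int, length: int) -> int:
    """Read `length` bits of the N-bit string from bit offset `pos`, MSB first."""
    total = len(secret) * 8
    if length <= 0 or pos < 0 or pos + length > total:
        raise ValueError("substring falls outside the N-bit string")
    return (int.from_bytes(secret, "big") >> (total - pos - length)) & ((1 << length) - 1)

def master_key(secret: bytes, R: bytes, m_bits: int, parts: int = 1,
               combine: str = "concat", carrier_key: bytes = b"",
               hash_secret: bytes = b"") -> int:
    """Select the M-bit master key for the recording identified by R."""
    if combine not in ("concat", "xor") or parts < 1:
        raise ValueError("unsupported combination")
    if combine == "concat" and m_bits % parts:
        raise ValueError("M must divide evenly into the substrings")
    sub_len = m_bits // parts if combine == "concat" else m_bits
    span = len(secret) * 8 - sub_len + 1      # assumption: no wrap-around
    if span < 1:
        raise ValueError("N must be at least the substring length")
    key = 0
    for j in range(parts):
        sub = read_bits(secret, position(R, j, span, carrier_key, hash_secret), sub_len)
        key = (key << sub_len) | sub if combine == "concat" else key ^ sub
    return key

# Constructed demo values, not real key material: N = 4096 bits, M = 56 bits.
SHARED = hashlib.shake_256(b"constructed N-bit string").digest(512)
HASH_SECRET = b"constructed hash secret"

if __name__ == "__main__":
    for seq in range(3):                      # R taken as a recording sequence number
        R = seq.to_bytes(4, "big")
        k = master_key(SHARED, R, 56, parts=2, combine="xor", hash_secret=HASH_SECRET)
        print(f"R={seq} master key={k:014x}")
```
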
The read and/or write apparatus in accordance with the invention is characterized in that the apparatus further includes means for selecting the M-bit master key from an N-bit string, the M-bit master key being selected in dependence upon an identifier R, which is associated with a recording of information on the information carrier, by determining a number p depending on the identifier R and by reading the N-bit string from a position defined by the number p, N being substantially greater than M.
Another variant of the read and/or write apparatus is characterized in that, in addition, said number p is dependent on the information carrier key.
The information carrier in accordance with the invention is characterized in that the information carrier carries an identifier R associated with a recording of information on the information carrier.