1. Field of the Invention
The present invention relates to a security information packaging system, an LSI used to implement this system, a memory portion, and a security information packaging method.
2. Description of the Related Art
The key information necessary to decrypt encrypted information is embedded in storage devices such as a DVD (Digital Versatile Disk) or an SD card (Secure Digital memory card), which store contents whose copyright should be protected, in the system LSI of the terminal device that plays or demodulates the storage device, and so forth.
For the sake of copyright protection and the prevention of illegal use, the key information must be kept strictly confidential from the user as well as from the manufacturer of the terminal device. In other words, such key information is strictly managed in the development stage of the system LSI in which the key information is embedded, the fuse packaging stage as one of the steps of manufacturing the system LSI, and the set packaging stage in which the system LSI is combined with the memory, etc. to manufacture the terminal device.
The applicant of this application previously disclosed a key packaging system that improves the confidentiality and the concealability of the key by distributing the security information across the system in which the key is packaged and the LSIs used therein, that can easily package various security keys, and that can test the packaged value without an increase of the circuit scale (see JP-A-2003-101527, FIG. 14, for example).
FIG. 19 is a block diagram showing a schematic configuration to explain a key packaging system 7 disclosed in the above Literature. In the following description, the encrypting and decrypting processes are explained on the premise of a symmetric cryptosystem. The “symmetric cryptosystem” has such a characteristic that, as shown in FIG. 20, an output C is derived when an input A is encrypted by an encrypting circuit 50 while using an input B as a key, and then an output A is derived when an input C is decrypted by a decrypting circuit 51 while using the input B as the key. Also, the encrypted information obtained by encrypting X using a key Y is expressed as EX(Y).
As shown in FIG. 19, the key packaging system 7 includes a memory portion 6a and an LSI 70. The memory portion 6a stores therein a first encrypted key EDK(MK) obtained by encrypting a final key DK using an internal key MK, a second encrypted key EMK(CK) obtained by encrypting the internal key MK using a conversion key CK derived based on the conversion using the one-way function, and a third encrypted key EMKtst(CKtst) obtained by encrypting a testing internal key MKtst by using a testing conversion key CKtst as a key. The testing conversion key CKtst is converted by the one-way function that is equivalent to that used in generating the conversion key CK.
The LSI 70 has a first selector 64 that receives second and third inputs IN2, IN3 and then outputs selectively either input in response to a test signal TEST. A first decrypting circuit X 33 receives an output of this first selector 64 as an input. Also, a seed generating portion 71 consisting of a first constant storing portion 72, a second selector 73, a second constant storing circuit 74, and a second one-way function circuit B 75 is provided to the LSI 70.
The first constant storing portion 72 stores a first constant IDfuse serving as a source of a conversion seed IDfuse1, and a second constant IDtst serving as a source of a conversion seed for testing IDtst1. The first constant storing portion 72 is constructed such that any values can be packaged as the first constant IDfuse and the second constant IDtst by fuse cutting using laser trimming, or the like.
The second selector 73 outputs selectively one of the first constant IDfuse and the second constant IDtst in response to the test signal TEST. The second constant storing circuit 74 stores a third constant Const therein. The second one-way function circuit B 75 converts the third constant Const serving as the conversion seed by the one-way function while using the output of the second selector 73.
The LSI 70 has a first one-way function circuit A 32 for converting the output of the second one-way function circuit B 75 serving as the conversion seed by the one-way function using the first input IN1 to generate the conversion key CK or the testing conversion key CKtst, the first decrypting circuit X 33 for decrypting the output of the first selector 64 by using the output of the first one-way function circuit A 32 as a key, and a second decrypting circuit Y 34 for decrypting the first input IN1 by using the output of the first decrypting circuit X 33 as a key.
A verifying circuit 65 for verifying the output of the second selector 73 is provided to the LSI 70. The verifying circuit 65 has a constant storing circuit 66 in which a constant CRCfuse equivalent to the result of the redundancy calculation of the constant IDfuse is fuse-packaged, and a comparator circuit 67 for executing the redundancy calculation of the output of the second selector 73 and then comparing the result with the constant CRCfuse stored in the constant storing circuit 66.
First, an operation of the LSI 70 at the testing time will be explained hereunder. In this case, the test signal TEST is set to “1”. At this time, the first selector 64 receives “1” as the test signal TEST and then outputs selectively the input IN3, i.e., the third encrypted key EMKtst(CKtst). Also, the second selector 73 receives “1” as the test signal TEST and then outputs selectively the second constant IDtst stored in the first constant storing portion 72.
The second one-way function circuit B 75 converts the third constant Const stored in the second constant storing circuit 74 by the one-way function using the output of the second selector 73, i.e., the second constant IDtst. That is, the conversion seed for testing IDtst1 is output from the seed generating portion 71 as the conversion seed.
Then, the first one-way function circuit A 32 converts the conversion seed for testing IDtst1 output from the seed generating portion 71 by the one-way function that is equivalent to that used to generate the testing conversion key CKtst, while using the first input IN1, i.e., the first encrypted key EDK(MK). Accordingly, the testing conversion key CKtst is generated/output from the first one-way function circuit A 32.
The first decrypting circuit X 33 decrypts the output of the first selector 64, i.e., the third encrypted key EMKtst(CKtst) by using the output of the first one-way function circuit A 32, i.e., the testing conversion key CKtst as a key. Accordingly, the testing internal key MKtst is generated/output from the first decrypting circuit X 33. The second decrypting circuit Y 34 decrypts the first input IN1, i.e., the first encrypted key EDK(MK) by using the output of the first decrypting circuit X 33, i.e., the testing internal key MKtst as a key. Accordingly, the testing final key DKtst is generated from the second decrypting circuit Y 34.
Next, an operation of the LSI 70 at the normal time will be explained hereunder. In this case, the test signal TEST is set to “0”. At this time, the first selector 64 receives “0” as the test signal TEST and then outputs selectively the input IN2, i.e., the second encrypted key EMK(CK). Also, the second selector 73 receives “0” as the test signal TEST and then outputs selectively the first constant IDfuse stored in the first constant storing portion 72.
The second one-way function circuit B 75 converts the third constant Const stored in the second constant storing circuit 74 by the one-way function using the output of the second selector 73, i.e., the first constant IDfuse. Accordingly, the conversion seed IDfuse1 is output from the seed generating portion 71.
Then, the first one-way function circuit A 32 converts the conversion seed IDfuse1 output from the seed generating portion 71 by the one-way function that is equivalent to that used to generate the conversion key CK, while using the first encrypted key EDK(MK). Accordingly, the conversion key CK is generated/output from the first one-way function circuit A 32.
The first decrypting circuit X 33 decrypts the output of the first selector 64, i.e., the second encrypted key EMK(CK) by using the output of the first one-way function circuit A 32, i.e., the conversion key CK as a key. Accordingly, the internal key MK is generated/output from the first decrypting circuit X 33. The second decrypting circuit Y 34 decrypts the first input IN1, i.e., the first encrypted key EDK(MK) by using the output of the first decrypting circuit X 33, i.e., the internal key MK as a key. Accordingly, the final key DK is generated from the second decrypting circuit Y 34.
At this time, the output of the second selector 73 is also input into the comparator circuit 67 in the verifying circuit 65. The comparator circuit 67 checks whether or not the result of the redundancy calculation of the output of the second selector 73 coincides with the constant CRCfuse that is fuse-packaged in the constant storing circuit 66. Accordingly, it is possible to verify the validity of the first constant IDfuse stored in the seed generating portion 71.
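The derivation chain described above, modeled in software as an added example that is not part of the original disclosure. It assumes HMAC-SHA-256 for the one-way function circuits A and B, a toy XOR-keystream cipher for the encrypting and decrypting circuits, and CRC-32 for the redundancy calculation; all key and constant values are constructed.

```python
import hashlib
import hmac
import zlib

def one_way(seed: bytes, key: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for one-way function circuits A and B.
    return hmac.new(key, seed, hashlib.sha256).digest()[:16]

def crypt(data: bytes, key: bytes) -> bytes:
    # Assumption: toy XOR-keystream cipher; the same call encrypts and decrypts.
    stream = hashlib.sha256(b"stream" + key).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def provision(dk, mk, mk_tst, id_fuse, id_tst, const):
    # Memory-portion side: build the three values stored in memory portion 6a.
    in1 = crypt(dk, mk)                                   # EDK(MK)
    ck = one_way(one_way(const, id_fuse), in1)            # conversion key CK
    ck_tst = one_way(one_way(const, id_tst), in1)         # testing conversion key CKtst
    return in1, crypt(mk, ck), crypt(mk_tst, ck_tst)      # IN1, EMK(CK), EMKtst(CKtst)

class LSI70:
    def __init__(self, id_fuse, id_tst, const, crc_fuse):
        self.id_fuse, self.id_tst = id_fuse, id_tst       # first constant storing portion 72
        self.const, self.crc_fuse = const, crc_fuse       # circuits 74 and 66

    def derive(self, in1, in2, in3, test):
        selected_id = self.id_tst if test else self.id_fuse   # second selector 73
        seed = one_way(self.const, selected_id)               # one-way circuit B 75
        key = one_way(seed, in1)                              # one-way circuit A 32
        inner = crypt(in3 if test else in2, key)              # selector 64, decrypt X 33
        final = crypt(in1, inner)                             # decrypt Y 34
        # Verifying circuit 65; the text describes this check for normal operation only.
        fuse_ok = None if test else zlib.crc32(selected_id) == self.crc_fuse
        return final, fuse_ok

def demo():
    # All values below are constructed sample data.
    dk, mk, mk_tst = b"D" * 16, b"M" * 16, b"T" * 16
    id_fuse, id_tst, const = b"fuse-id-0001", b"test-id-0001", b"const-0001"
    in1, in2, in3 = provision(dk, mk, mk_tst, id_fuse, id_tst, const)
    good = LSI70(id_fuse, id_tst, const, zlib.crc32(id_fuse))
    bad = LSI70(b"fuse-id-0002", id_tst, const, zlib.crc32(id_fuse))  # mis-cut fuse
    return {"dk": dk, "expected_dk_tst": crypt(in1, mk_tst),
            "normal": good.derive(in1, in2, in3, test=False),
            "test": good.derive(in1, in2, in3, test=True),
            "bad_fuse": bad.derive(in1, in2, in3, test=False)}

if __name__ == "__main__":
    print(demo())
```

In this model a wrongly cut IDfuse both fails the CRCfuse comparison and yields a value other than DK, while the test path produces a predictable DKtst without ever exposing MK or DK.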
In the above key packaging system in the prior art, when a terminal device, a system LSI, or a memory portion is illegally leaked, it is not feasible to identify from the leaked item the maker who manufactured it. Also, in the case where particular security information is leaked, a great number of terminal devices or system LSIs that are able to operate normally can be manufactured by copying such particular security information. Thus, it is not feasible to protect the copyright completely.