Patent Document 1 (Japanese Laid-Open Patent Publication No. 2006-74421) describes a technique of verifying the authenticity of program data stored in an information storage medium. In this technique, the information storage medium stores content data and a content hash table. The content hash table is data including hash values (digest values) corresponding to respective pieces of data (subdivided content data) which are obtained by subdividing the content data. An information processing apparatus which reads the content data reads the subdivided content data and the digest value, and checks a hash value calculated from the subdivided content data against the read hash value. Thereby, the information processing apparatus can execute the hash value calculating process and the hash value checking process for each piece of subdivided content data. Therefore, the information processing apparatus, when reading a part of the content data, needs to perform the checking process only with respect to a part which is to be actually read out, whereby the authenticity of the content data can be efficiently verified.
Note that the information storage medium also stores a content certificate, which is obtained by applying a digital signature to (encrypting) content hash values calculated from the content hash table. By performing the checking process using the content certificate, the authenticity of the content data can be correctly verified even when both the content data and the corresponding hash values have been tampered with. Specifically, a content hash value obtained by decrypting the content certificate is checked against a content hash value calculated from the content hash table read from the information storage medium.
In Patent Document 1, when the information processing apparatus verifies the authenticity of data in the information storage medium using the content certificate, it calculates the content hash values from the content hash table, and so must read the whole content hash table into a memory. As the data size of the content hash table increases, the memory capacity that must be provided in the information processing apparatus increases accordingly. When it is difficult to provide a memory having a sufficiently large capacity (e.g., when the information processing apparatus is a mobile apparatus or the like), the memory capacity required for authentication may be insufficient. Note that it is contemplated that the content data may be subdivided into larger data units so as to reduce the number of hash values, thereby reducing the data size of the content hash table. In this method, however, the efficiency of the checking process when only a part of the content data is read is poor, since a larger unit must be hashed for every access.
Therefore, example embodiments provide a data authentication method capable of efficiently performing the checking process and reducing a memory capacity required for authentication.
Certain example embodiments may have the following features. Note that reference numerals, additional descriptions and the like inside parentheses in this section indicate correspondence to embodiments described below for the sake of easy understanding, and are not limiting.
A first aspect of certain example embodiments is directed to a method for use in an authentication apparatus (a game apparatus 10) for authenticating content data (1). The authentication apparatus can access a storage means storing the content data, a first digest table (2), a second digest table (3), and a digital signature (4). The first digest table includes primary digest values which are digest values corresponding to content data portions constituting the content data. The second digest table includes secondary digest values which are digest values corresponding to portions constituting the first digest table. The digital signature is generated from a secondary digest value included in the second digest table. The authentication method comprises a first reading step (S11) and a first authentication step (S12 to S14). The first reading step reads out the second digest table and the digital signature from the storage means into a memory (RAM 24) of the authentication apparatus. The first authentication step verifies the authenticity of the content data using the digital signature read out into the memory and a secondary digest value included in the second digest table read out into the memory.
Note that, in the first aspect, the content data includes a plurality of content data portions. A primary digest value is calculated for each content data portion. The first digest table may include primary digest values corresponding to all the content data portions. When the digital signature is generated, data included in the second digest table (e.g., all data included in the second digest table) is subjected to a predetermined operation (a hash function is applied, etc.), for example. For example, the digital signature may be data which is obtained by encrypting, using a predetermined private key, a digest value which has been obtained by applying a predetermined hash function to the data in the second digest table. In this case, in the first authentication step, it may be determined whether or not the data generated by performing the predetermined operation with respect to the data included in the second digest table, matches data obtained by decrypting the digital signature using a public key corresponding to the private key.
In a second aspect based on the first aspect, the secondary digest values are calculated for respective groups each including a plurality of primary digest values. The authentication method further comprises a designation step (S21), a first calculation step (S24), a second authentication step (S25), a second calculation step (S27), and a third authentication step (S28). The designation step designates a content data portion to be read out of the content data portions. The first calculation step calculates, from a group including a primary digest value corresponding to the designated content data portion, a secondary digest value corresponding to the group. The second authentication step verifies the authenticity of the content data by checking the secondary digest value calculated in the first calculation step against a secondary digest value corresponding to the group including the primary digest values corresponding to the designated content data portion. The second calculation step calculates, from the designated content data portion, a digest value of the content data portion, when authentication is successful in the second authentication step. The third authentication step verifies the authenticity of the content data by checking the digest value calculated in the second calculation step against the primary digest value corresponding to the designated content data portion.
Note that, in the second aspect, in the designation step, in response to determination of data to be read out of the data included in the content data (by a technique, such as random access or the like), the authentication apparatus may designate a content data portion including the data to be read out.
In a third aspect based on the second aspect, the first authentication step may be executed after the authentication apparatus and the storage means become accessible and before the second authentication step is executed.
In a fourth aspect based on the second aspect, the hash function for calculating a primary digest value from a content data portion may be the same as the hash function for calculating a secondary digest value from a first digest table portion.
In a fifth aspect based on the fourth aspect, the digital signature may be generated based on a digest value corresponding to a plurality of secondary digest values included in the second digest table. In this case, the hash function for calculating that digest value has a higher security level than the hash function for calculating a primary digest value from a content data portion.
Note that, in the fifth aspect, a hash function has a high security level in the following cases:
(a) the number of bits in a process of calculating a hash value in the hash function is relatively large;
(b) the number of bits of a hash value output as the calculation result of the hash function is relatively large; and
(c) the hash function includes encryption (as compared to the hash function without encryption).
In a sixth aspect based on the second aspect, the hash function for calculating a secondary digest value from a data portion of the first digest table may have a smaller processing amount for calculation of a digest value than the hash function for calculating a primary digest value from a data portion of the content data.
Note that, in the sixth aspect, the processing amount of calculation of a digest value is small in the following cases:
(a) the number of bits in a process of calculating a hash value in the hash function is relatively large;
(b) the number of bits of a hash value output as the calculation result of the hash function is relatively large; and
(c) the hash function includes encryption (as compared to the hash function without encryption).
In a seventh aspect based on the first aspect, the hash function used in the first authentication step may have a higher security level than both the hash function for calculating a secondary digest value from a first digest table portion and the hash function for calculating a primary digest value from a content data portion.
An eighth aspect of certain example embodiments is directed to an authentication apparatus (game apparatus 10) for authenticating content data. The authentication apparatus can access a storage means (memory card 17) storing the content data, a first digest table including primary digest values which are digest values corresponding to content data portions constituting the content data, a second digest table including secondary digest values which are digest values corresponding to first digest table portions constituting the first digest table, and a digital signature generated from a secondary digest value included in the second digest table. The authentication apparatus comprises a reading means (a CPU core 21 for executing step S11, etc.; only step numbers are described in similar cases in this paragraph) and an authentication means (S12 to S14). The reading means reads out the second digest table and the digital signature from the storage means into a memory (RAM 24) of the authentication apparatus. The authentication means verifies the authenticity of the content data using the digital signature read out into the memory and a secondary digest value included in the second digest table read out into the memory.
A ninth aspect of certain example embodiments is directed to a computer readable storage medium storing an authentication process program executed by a computer (CPU core 21, etc.) of an authentication apparatus (game apparatus 10) for authenticating content data. The authentication apparatus can access a storage means storing the content data, a first digest table including primary digest values which are digest values corresponding to content data portions constituting the content data, a second digest table including secondary digest values which are digest values corresponding to first digest table portions constituting the first digest table, and a digital signature generated from a secondary digest value included in the second digest table. The authentication process program causes the computer to execute a reading step (S11) and an authentication step (S12 to S14). The reading step reads out the second digest table and the digital signature from the storage means into a memory of the authentication apparatus. The authentication step verifies the authenticity of the content data using the digital signature read out into the memory and a secondary digest value included in the second digest table read out into the memory.
A tenth aspect of certain example embodiments is directed to a data processing method for generating data to be stored into a storage means. The data processing method comprises a first calculation step (S1), a second calculation step (S2), a digital signature generating step (S3), and a setting step (S4). The first calculation step calculates primary digest values which are digest values corresponding to content data portions constituting content data. The second calculation step calculates secondary digest values which are digest values corresponding to first digest table portions constituting a first digest table including the primary digest values calculated in the first calculation step. The digital signature generating step generates a digital signature from a second digest table including the secondary digest values calculated in the second calculation step. The setting step sets the content data, the first digest table, the second digest table, and the digital signature as data to be stored into the storage means.
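The data processing method of the tenth aspect (steps S1 to S4) together with the three-stage verification of the first and second aspects (steps S11 to S14 and S21 to S28), as an added Python example; this is not code from the patent. The portion size, group size, sample content and the HMAC-SHA-512 used as a stand-in for the asymmetric digital signature are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac

PORTION = 4  # bytes per content data portion (constructed; tiny for illustration)
GROUP = 2    # primary digest values per first-digest-table portion (constructed)
H = hashlib.sha256  # same hash for primary and secondary digests (fourth aspect)
# Assumption: a keyed MAC stands in for the private-key signature so the example
# needs no asymmetric-crypto library; a real medium would carry a public-key signature.
SIG_KEY = b"placeholder-signing-key"


def digest(data: bytes) -> bytes:
    return H(data).digest()


def sign(table2: bytes) -> bytes:
    # Signature hash (SHA-512) has a higher security level than H (fifth aspect).
    return hmac.new(SIG_KEY, table2, hashlib.sha512).digest()


def build(content: bytes):
    """Data processing method: returns (content, table1, table2, signature)."""
    dlen = H().digest_size
    table1 = b"".join(digest(content[i:i + PORTION])            # S1: primary digests
                      for i in range(0, len(content), PORTION))
    glen = GROUP * dlen
    table2 = b"".join(digest(table1[i:i + glen])                # S2: secondary digests
                      for i in range(0, len(table1), glen))
    return content, table1, table2, sign(table2)                # S3 signature, S4 set


def authenticate_medium(table2: bytes, signature: bytes) -> bool:
    """First authentication (S11-S14): only table2 and the signature are in memory."""
    return hmac.compare_digest(sign(table2), signature)


def read_portion(medium, index: int):
    """Designate portion `index` (S21), then run the second (S24-S25) and third
    (S27-S28) authentication steps. Returns the portion, or None on any mismatch."""
    content, table1, table2, _ = medium
    dlen = H().digest_size
    glen = GROUP * dlen
    g = index // GROUP
    group = table1[g * glen:(g + 1) * glen]          # only this group of table1 is read
    expected2 = table2[g * dlen:(g + 1) * dlen]
    if not hmac.compare_digest(digest(group), expected2):
        return None                                   # first digest table tampered
    portion = content[index * PORTION:(index + 1) * PORTION]
    k = index % GROUP
    if not hmac.compare_digest(digest(portion), group[k * dlen:(k + 1) * dlen]):
        return None                                   # content portion tampered
    return portion
```

Only the group of the first digest table that contains the designated primary digest is read for each access, which is the memory saving the aspects describe.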
An eleventh aspect of certain example embodiments is directed to a computer readable storage medium. The storage medium stores content data, a first digest table including primary digest values which are digest values corresponding to content data portions constituting the content data, a second digest table including secondary digest values which are digest values corresponding to first digest table portions constituting the first digest table, and a digital signature generated from the second digest table.
According to the first and eighth to eleventh aspects, authentication employing a digital signature is performed using the second digest table including digest values of the first digest table, but not the first digest table including digest values of content data. In other words, data to be read out in an authentication process using a digital signature is the second digest table which has a smaller data size than that of the first digest table. Therefore, a memory capacity required for authentication can be reduced as compared to the conventional art. Also, according to the tenth and eleventh aspects, the data structure used in the above-described aspects can be provided.
According to the second aspect, the authentication apparatus confirms not only whether the second digest table has been tampered with, but also whether the first digest table and the content data have been tampered with. Therefore, the authenticity of contents can be more reliably verified.
According to the third aspect, after the authenticity of the second digest table is authenticated in the first authentication step, the second and third authentication steps are executed. The second and third authentication steps are authentication processes which are performed based on the assumption that the second digest table is authentic. Therefore, by executing the second and third authentication steps after the first authentication step, authentication in the second and third authentication steps can be correctly performed.
According to the fourth aspect, by using the same hash function for calculating a primary digest value and for calculating a secondary digest value, the possibility that the hash function is broken, allowing content data to be tampered with freely, can be reduced as compared to the sixth aspect.
According to the fifth and seventh aspects, by increasing the security level of the hash function used for the digital signature, the possibility that the hash function is broken, allowing content data to be tampered with freely, can be reduced.
According to the sixth aspect, it is possible to reduce a processing amount of the second authentication step as compared to the fourth aspect.
These and other objects, features, aspects and advantages of certain example embodiments will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings.