1. Field of the Invention
The present invention relates to a system, device, method, and computer program for transferring content such as digital audio-visual data between devices and, in particular, to a system, device, method, and computer program for encrypting and transferring the content between the devices in a copy controlled manner for copyright protection and any other purposes.
The present invention relates particularly to a system, device, method, and computer program for performing a content transfer procedure for encrypted content between information devices meeting the digital transmission content protection (DTCP) specification and, more particularly, to a system, device, method, and computer program for moving content from a source device to a sink device using the DTCP move function.
2. Description of the Related Art
With information technology in widespread use, most audio-visual (AV) contents have become digital, and recording media such as compact disks (CDs) and digital versatile disks (DVDs) for recording and reproducing digital contents are widely used. Recently, various devices for digitally recording contents, such as a hard disk drive (HDD) recorder and an HDD mounted DVD recorder, have become commercially available for home use. Distribution and delivery services for contents such as video and music via networks have become active. Content delivery is performed between remote places via a network without actually transferring media such as CDs and DVDs.
Digital content data is subject to unauthorized manipulation; for example, it can be copied or tampered with relatively easily. Protection of the content from unauthorized use is necessary while permitting the content to be used personally or at home. In the Japanese domestic market, analog broadcast TV receivers are currently being rapidly replaced with digital broadcast TV receivers in view of the decommissioning of the terrestrial analog TV broadcasting service expected in 2011. It is thus vitally important to technically protect digital AV contents in home applications.
In Japan, digital broadcast technical standards have been formulated chiefly by the Association of Radio Industries and Businesses (ARIB). The ARIB has adopted the MPEG 2 system (ISO/IEC 13818-1 Generic Coding of Moving Pictures and Associated Audio: Systems Recommendation H.222.0) for digital satellite broadcast, digital terrestrial broadcast, and digital cable-television broadcast service. The ARIB has required that a “one-generation copy control function” (such as copy once) be introduced to protect contents and has formulated strict copyright protection clauses in standards (Operational Guide-lines for Terrestrial Digital Broadcasting System ARIB TR-B14, and Operation Guide-lines for BS (Broadcasting Satellite)/Broadband CS (Communications Satellite) Digital Broadcasting System ARIB TR-B15).
One world standard available for the protection of digital content is the digital transmission content protection (DTCP) specification standardized by the digital transmission licensing administrator (DTLA). That specification formulates a mechanism that allows content to be transmitted in a manner such that the copyright of the content is protected with copying controlled (DTCP Specification Volume 1 (Informational Version) Revision 1.4 (http://www.dtcp.com/)).
The DTCP specification defines an authentication protocol for content transmission between devices, and a transmission protocol for encrypted content. A device satisfying the DTCP specification prevents compressed content that is easy to handle, such as moving picture experts group (MPEG) content, from being output in a decrypted state, performs the key exchange required to decrypt the encrypted content in accordance with an authentication and key exchange (AKE) algorithm, and limits the range of devices performing key exchange in accordance with an AKE command.
A server (source device) as a content supplier and a client (sink device) as a content receiver share a key through an authentication procedure carried out by the transmission and reception of AKE commands, encrypt the transmission path using that key, and transmit the content. An unauthorized client cannot acquire an encryption key and thus cannot enjoy the content without successfully being authenticated by the server.
The DTCP defines the transmission of digital contents over a home network using an IEEE 1394 transmission path. Recently, the movement to distribute digital AV contents via an IP network in home applications, as represented by the digital living network alliance (DLNA), has gathered pace. DTCP-IP technology adapted to the IP network (DTCP mapping to IP) is being actively developed.
The DTCP-IP is a standard in which the DTCP is applied to the IP network. The DTCP-IP is different from the original DTCP defined based on IEEE 1394 standards in that the IP network is used in the transmission path, and that content transmission protocols used over the IP network, such as the hyper text transfer protocol (HTTP) or the real-time transfer protocol (RTP), are used to transmit encrypted contents. For example, when content is transmitted in accordance with HTTP, a source device becomes an HTTP server and a sink device becomes an HTTP client. A TCP/IP connection is established for HTTP, and the encrypted content is downloaded (for uploading, the source device becomes an HTTP client and the sink device becomes an HTTP server).
When a home network is connected to an external IP network such as the Internet via a router, data can be eavesdropped on, tampered with, or illegally copied. The data can easily be used in an unauthorized manner by setting up an unauthorized proxy, composed of a personal computer, on the transmission path between the source device and the sink device. For this reason, the DTCP-IP technology provides a further method for transmitting contents over the network while protecting them: for example, the range of use of contents may be limited to a given individual or a given home by setting a limit on the time to live (TTL) of AKE commands, namely, the number of hops of an IP router (DTCP Volume 1 Supplement E (V1SE) Mapping DTCP to IP (Informational Version) Revision 1.1 (http://www.dtcp.com/)).
To transmit contents in a copyright protected manner, content attributes related to content protection need to be specified. The DTCP-IP provides two mechanisms to allow copy control information incidental to the content to be transmitted, namely, extended encryption mode indicator (E-EMI) described in a header portion of a packet for content transmission (PCP) and embedded copy control information (CCI).
The embedded CCI is copy control information transmitted as part of the content stream to be encrypted (i.e., embedded in the payload of the packet). If the content stream is tampered with, erroneous decryption results. The integrity of the embedded CCI is thus assured. On the other hand, E-EMI is described in the header portion, which is in plain text, and provides copy control information related to the content stream. E-EMI permits easy access while maintaining security. E-EMI is composed of a 4-bit field describing the encrypt mode, and the value of E-EMI shows seven types of copy control information. The definitions of the bit values are listed in the following Table 1. The nine unused E-EMI values are reserved for future use.
TABLE 1
E-EMI value   Encrypt mode   Copy Control Information
1100          A0             Copy never (CN)
1010          B1             Copy-one-generation (COG) (recordable on cognizant device)
1000          B0             Copy-one-generation (COG) (recordable on non-cognizant device)
0110          C1             Move mode (audio visual)
0100          C0             No-more-copies (NMC)
0010          D0             Copy-free with EPN asserted (CF/EPN)
0000          N.A.           Copy-free (CF)
A device operating as a source device selects a correct encrypt mode in accordance with characteristics of a content stream, and sets up E-EMI based on the encrypt mode. A device operating as a sink device selects the correct encrypt mode specified by E-EMI in the header of the packet of the transmitted content. Furthermore, the device as the sink device encrypts the received content as specified by one of E-EMI and embedded CCI and temporarily stores the encrypted content. When the device as the sink device operates as a source device, the device controls secondary content transfer operation in accordance with the copy control information. The types of copy control are listed below:
Copy free: the copyright is reserved but copy control using DTCP is not performed;
Copy never: the content is never to be copied;
Copy one generation: copying is performed once (for one generation); and
No more copies: copying is no longer permitted.
The no more copies state results when content set to copy one generation is copied (in a first generation). The DTCP-IP provides a move function as a means for transferring encrypted content with the no more copies state set therein (DTCP Specification Volume 1 Supplement E (V1SE) Mapping DTCP to IP (Informational Version) Revision 1.1 (http://www.dtcp.com/), and Digital Transmission Protection License Agreement, Adopter Agreement—May 2005). The move function in network communication means movement of data between devices, and generally no original data is left at the source device. With the move function in DTCP-IP, a sink device handles received content by encrypting it with the no more copies state set therein, and a source device transmits the content to the sink device on condition that the original content is deleted or the use of the original content is inhibited subsequent to transmission thereof. For example, if content of copy one generation is encrypted and recorded as no more copies content in a source device such as a personal video recorder (PVR), the move function allows the content to be encrypted in the copy one generation mode and then transmitted to a single sink device with the above condition satisfied.
In accordance with the current standards, the move transmission may be permitted using one of the C1 mode and the B1 mode in E-EMI. The sink device decrypts the content in accordance with the AKE algorithm using one of these modes, and records the decrypted content. The source device needs to invalidate the data at the moment of the transmission.
With the move function, the number of entities of the content remains unchanged, just as when a physical object is physically moved. In other words, it must be guaranteed that an identical content is not present in both the source device and the sink device at the same time (or that an identical content is not usable in both the source device and the sink device at the same time). When content is transmitted from the source device to the sink device in accordance with a plurality of message transfer procedures, the requirement that the source device delete the content or inhibit the use of the content must be consistently satisfied throughout all the message transfer procedures. In the transmission of the content, an “incremental move” needs to be performed in which the source device successively makes the data unusable subsequent to transmission thereof while the sink device successively makes the received data usable.
For example, Japanese Unexamined Patent Application Publication No. 2003-101529 discloses a content management device. The device divides content into a plurality of segments, encrypts the segments with different title keys, extracts a time varying key for use in decrypting the content, and successively overwrites the original title key in a title key area with the extracted time varying key, thereby making the decrypting of the content impossible. The original content with the copy thereof moved is safely and efficiently deleted.
When the incremental move sequence is interrupted between the source device and the sink device due to a failure during content transmission, the content can be fragmented across the source device and the sink device. The right to the content is safely assigned between the source device and the sink device if the transmission of the entire content is successfully completed. If any failure takes place in the middle of the transmission process, the portion of data already transmitted is present at the sink device while the portion of untransmitted data remains at the source device. The content is thus fragmented. The failures that could happen in the incremental move transfer process include a connection error, a power failure in one device, removal of the medium having the content stored thereon (a failure in a storage), the storage storing the content at the sink device becoming full, etc. Content fragmentation is not a rare occurrence.
If the movement of one content is performed through a plurality of message transfer procedures, a portion of data is incrementally deleted each time the source device has transmitted that portion to the sink device. In the event of an interruption of content transmission, neither the source device nor the sink device can restore the content. The user would not need to worry about losing the content if the content were deleted, or its use inhibited, collectively after the end of the content transmission from the source device to the sink device. However, this arrangement fails to satisfy the requirement of DTCP-IP that the condition of the move function be consistently followed, and can expose the content to copyright violation.
Japanese Unexamined Patent Application Publication No. 2005-158056 discloses a content transfer system. In the disclosed content transfer system, a content move controller is arranged between a source device and a sink device, both performing content transfer via a general-purpose bus. The DTCP specification requires that the amount of reproducible content present in duplication in both the source device and the sink device during the move transfer process should not exceed a reproduction time of 1 minute. Upon detecting a failure in one of the source device and the sink device, the content move controller interrupts the move transfer process within one minute, and resumes the move transfer process on the portion remaining in a reproducible state at the source device. The disclosed content transfer system thus avoids loss of the content. In this case, however, the use of the content move controller leads to an increase in device costs. Any DTCP-IP device may operate as either the source device or the sink device over a wireless local-area network (LAN), and the move transfer process may be initiated in an ad hoc manner between the source device and the sink device. In such a case, the content move controller cannot be installed, or the content move controller, if installed, presents a bottleneck in the transfer sequence.
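The trade-off described above between incremental invalidation and deletion after the whole transfer can be made concrete with a simplified model; this is an added illustration, not part of the original document or of the DTCP-IP specification. The segment count, segment duration, function names and failure model are assumptions; only the one-minute duplication limit is taken from the text.

```python
# Added illustration: a simplified model, not DTCP-IP protocol code.
# Segment sizes, names and the failure model are assumptions.
DUPLICATION_LIMIT_S = 60  # one-minute limit cited in the text


def simulate_move(n_segments, seg_seconds, invalidate_every, fail_after=None):
    """Move n_segments from source to sink.

    invalidate_every: the source makes sent segments unusable in batches of
        this size (1 = incremental move, n_segments = delete after transfer).
    fail_after: segments delivered before the link drops (None = no failure).
    Returns (source, sink, max_dup_seconds): the usable segment sets on each
    side and the largest playback time usable on both sides at once.
    """
    source, sink, pending = set(range(n_segments)), set(), []
    max_dup = 0
    for i in range(n_segments):
        if fail_after is not None and i == fail_after:
            break  # interruption: nothing further is sent or invalidated
        sink.add(i)  # sink makes the received segment usable
        pending.append(i)
        max_dup = max(max_dup, len(source & sink) * seg_seconds)
        if len(pending) == invalidate_every or i == n_segments - 1:
            source.difference_update(pending)  # source invalidates the batch
            pending.clear()
    return source, sink, max_dup


def classify(source, sink, n_segments):
    """Name the state the two devices are left in."""
    full = set(range(n_segments))
    if source & sink:
        return "duplicated"
    if sink == full:
        return "moved"
    if source == full:
        return "intact at source"
    return "fragmented"


if __name__ == "__main__":
    N, SEG = 30, 10  # constructed sample: 30 segments of 10 s each
    for every in (1, N):
        for fail in (None, 12):
            src, snk, dup = simulate_move(N, SEG, every, fail)
            print(f"batch={every:2} fail={fail}: {classify(src, snk, N)}, "
                  f"max duplicated {dup}s, within limit: {dup <= DUPLICATION_LIMIT_S}")
```

With per-segment invalidation the duplicated playback time stays within the limit but an interruption leaves the content fragmented; with deletion after the transfer an interruption leaves the source intact but the duplicated time exceeds the limit.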
Japanese Unexamined Patent Application Publication No. 2005-293731 discloses a content recording system. In the disclosed content recording system, a source device deletes the original content corresponding to the content transmitted to a sink device with reference to content recording status information returned from the sink device that has completed the reception of the content. The content recording system thus prevents the content at the source device from being lost when the sink device fails to record the content normally. However, this system provides no sufficient measure against the fragmentation of the content that takes place between the source device and the sink device in response to an interruption of the content transfer.
Japanese Unexamined Patent Application Publication No. 2005-250567 discloses a content data handling device. The content data handling device encrypts copy data with the copy encrypt key thereof and stores the encrypted copy data when the copyright protected data is moved to another device. If the moved data is destroyed in the event of a failure in the data transfer, the content data handling device invalidates the moved data while restoring the original data from the copy data. Loss of the original data is thus prevented while the copyright is protected. The content data handling device deletes the original data after the data is recorded on the destination or in parallel with the recording of the moved data on the destination. However, the content data handling device pays little attention to the fragmentation of the content between the source device and the sink device in response to an interruption of the content transfer.