1. Field of the Invention
The present invention relates to a data protection system that encrypts data and distributes the encrypted data to a plurality of terminals, and in particular, to a technique for determining keys for use in encryption and decryption of data.
2. Description of the Background Art
Against a background in recent years of developments in multimedia-related technology, the emergence of large-capacity recording mediums, and so on, systems have been developed that generate digital content of moving images, audio, and the like, store the digital content on large-capacity recording mediums such as optical disks, and distribute the recording mediums.
Digital content recorded on a distributed optical disk or the like is read by a terminal such as computer or a reproduction device, and becomes a target for reproduction, copying, etc.
In such a system, encryption techniques are typically used to protect the so-called copyright of the digital content, in other words, to prevent the illegal use of the digital content such as illegal copying.
Specifically, the system encrypts the digital content by using a particular encryption key, records the encrypted digital content on an optical disk or the like, and distributes the optical disk. Only a terminal that holds a decryption key that corresponds to the encryption key can obtain the original digital content by using the decryption key to decrypt data read from the optical disk, and perform reproduction and the like of the digital content.
Note that methods for encrypting digital content and recording the encrypted digital content on a recording medium include a method such as encrypting the digital content itself with an encryption key that corresponds to the decryption key held by the terminal. In another method, after digital content is encrypted with a particular key and recorded on a recording medium, and a decryption key that corresponds to the encryption key is encrypted with an encryption key that corresponds to the decryption key held by the terminal.
As one example of such a system, National Technical Report Vol. 43, No. 3, pp. 118-122, Engineering Administration Center, Matsushita Electric Industrial Company, Jun. 18, 1997 discloses a DVD (Digital Versatile Disk) right protection system. In this DVD right protection system, each DVD reproduction terminal for reproducing digital content recorded on a distributed DVD pre-stores a master key. The master key is determined by the manufacturer of the particular reproduction terminal. The reproduction terminal, which uses this master key in the decryption process, has a function of ultimately decrypting and reproducing the digital content recorded on the DVD. Note that a key group that has been encrypted with each manufacturer's master key and that is necessary for decrypting the digital content is recorded on the DVD.
Usually, the decryption key held by the terminal is kept secret. However, it is possible that analysis of the terminal by a dishonest party will lead to the decryption key being recognized and exposed.
There is a danger that once a decryption key held by a particular terminal is exposed, the dishonest party may create a terminal, software, or the like for decrypting digital content by using the exposed key, and make illegal copies of the digital content. Consequently, to protect the copyright of digital content, it will no longer be possible to encrypt and distribute digital content using an encryption key that corresponds to the exposed decryption key.
For example, taking into consideration a DVD reproduction terminal in the above-described DVD right protection system, it will no longer be possible to distribute digital content that has been encrypted by using a particular master key once that master key has been exposed.
As a result, after the master key is exposed, DVD manufacturers must use a different master key to encrypt digital content for distribution. However, a problem arises that since the DVD reproduction terminal that has been analyzed and numerous other DVD reproduction terminals made by the same manufacturer all hold the same master key, these DVD reproduction terminals are unable to reproduce digital content that is newly generated, recorded, and distributed on DVD after the exposure of the master key. In other words, if one DVD reproduction terminal is analyzed by a dishonest party, there will be numerous DVD reproduction terminals that in the future will not be able to use newly generated DVDs.
One method for solving this problem is to provide a separate decryption key for each DVD reproduction terminal, encrypt digital content or the key needed for decrypting the digital content with encryption keys that correspond to the decryption key held by all the DVD reproduction terminals, and record all the encrypted data obtained as a result on the DVD. According to this method, since it is possible to record, on the DVD, all encrypted data that is obtained by encrypting digital content by using each encryption key that corresponds to each unexposed decryption key that is held in the group of DVD reproduction terminals, even if the decryption keys of some DVD reproduction terminals are exposed, all DVD reproduction terminals except those whose keys have been exposed will still be able to use DVDs that are newly generated in the future.
However, there is a problem with this method in that when an enormous amount of DVD reproduction terminals are expected to be a target for the distribution of a DVD, an enormous amount of data must be recorded on the DVD.