(1) Field of the Invention
The present invention relates to an information input/output system in which a user device inputs and outputs information to and from external sources.
(2) Description of the Related Art
Significant advancements in the area of multimedia-related technologies have been made in recent years, enabling the advent of large-capacity recording media, etc. With this as a background, systems have emerged for generating digital content composed of video, audio, and the like, and recording the digital content (hereafter, “content”) on large-capacity recording media such as optical discs. In such systems, cryptographic technologies are employed to protect digital works, i.e., content. Also, one technique called “media bind”, i.e., a technique for binding content to certain media, has been developed to prevent unauthorized copying of content.
As one specific example of this, a technique relating to a digital data protection system, a user approving device and a user device, is disclosed in the Japanese Patent No. 3073590. According to the disclosed technique, a digital data decryption key “A” is encrypted by using a media unique key “A” generated from unique information “A” recorded in a read-only area of a recording medium “A”, and the encrypted digital data decryption key “A” is written to the recording medium “A” as approval information “A”.
When the user intends to play back content on a device such as a personal computer (PC), the device first reads the unique information “A” of the recording medium “A”, generates the media unique key “A” from the read unique information “A”, decrypts the approval information “A” by using the generated media unique key “A”, and then decrypts the encrypted content by using the digital data decryption key “A”.
According to this technique, even if data recorded on the recording medium “A” is copied to another recording medium “B” using a PC or the like, unique information “B” recorded in a read-only area of the recording medium “B” cannot be rewritten to the unique information “A”. Therefore, even if a media unique key “B” is generated from the unique information “B”, the media unique key “B” fails to decrypt the approval information that has been generated by encryption using the media unique key “A”, thereby failing to decrypt the encrypted content recorded on the recording medium “B”.
According to the media bind technique, content to be recorded onto recording media can be bound to a certain medium in this way, and unauthorized copying of the content can be prevented.
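The binding described above can be sketched as follows. This is an added example, not code from the patent: the SHA-256 key derivation, the HMAC-based stand-in cipher, and the names `record`, `play` and `copy_to` are assumptions chosen so that it runs with the standard library only.

```python
import hashlib
import hmac
import os

def media_unique_key(unique_info: bytes) -> bytes:
    # Assumed derivation; the page only says the key is generated from the unique information.
    return hashlib.sha256(b"media-unique-key|" + unique_info).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Stand-in authenticated cipher (HMAC-SHA256 keystream plus tag), not a production cipher.
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or modified data
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def record(unique_info: bytes, content: bytes) -> dict:
    content_key = os.urandom(32)  # the "digital data decryption key"
    return {"unique_info": unique_info,  # read-only area of the medium
            "approval_info": seal(media_unique_key(unique_info), content_key),
            "encrypted_content": seal(content_key, content)}

def play(medium: dict):
    content_key = unseal(media_unique_key(medium["unique_info"]), medium["approval_info"])
    return None if content_key is None else unseal(content_key, medium["encrypted_content"])

def copy_to(medium: dict, other_unique_info: bytes) -> dict:
    # Writable data is copied; the destination's read-only unique information stays its own.
    return {**medium, "unique_info": other_unique_info}

MEDIUM_A = record(b"UNIQUE-INFO-A", b"constructed sample content")  # constructed sample
MEDIUM_B = copy_to(MEDIUM_A, b"UNIQUE-INFO-B")
print(play(MEDIUM_A), play(MEDIUM_B))
```

Playback succeeds on medium “A” and returns nothing on the copy, because the approval information only unseals under the key derived from unique information “A”.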
Here, the following further describes the media bind technique by assuming the above device such as a PC to be made up of a drive (a read/write device) and a host (an encryption/decryption device).
According to the media bind technique, the host needs to be a licensed device as it encrypts and decrypts content, whereas the drive does not need to be a licensed device as it does not directly handle content.
The host and the drive are usually connected via a general-purpose bus whose specification is made public. The host and the drive are therefore susceptible to the following attack of “information replacement” by an unauthorized user.
As described above, the unique information “A”, the encrypted content key “A” that has been encrypted by using the unique information “A”, and the encrypted content “A” that has been encrypted by using the content key “A” are stored in the read-only area of the recording medium “A”. As stated above, the encrypted content key “A” cannot be rewritten here. To decrypt the encrypted content “A”, the content key “A” needs to be used. The content key “A” can be obtained only by decrypting the encrypted content key “A” by using the unique information “A”.
Here, the unauthorized user may use his or her device (unauthorized device) to read the unique information “A”, the encrypted content key “A”, and the encrypted content “A” from the recording medium “A”. The unauthorized device first stores the unique information “A” and the encrypted content key “A” internally, and writes the encrypted content “A” to the other recording medium “B”. The unique information “B” and the encrypted content key “B” encrypted by using the unique information “B” have been stored in the read-only area of this recording medium “B”. The content key “B” can be obtained by decrypting the encrypted content key “B”, but the content key “B” cannot be used to decrypt the encrypted content “A”. At this point, the encrypted content “A” cannot be decrypted, and therefore cannot be played back.
Then, the unauthorized user connects the unauthorized device between the drive and the host. The unauthorized device receives the unique information “B”, the encrypted content key “B”, and the encrypted content “A” that the drive reads from the recording medium “B”. Then, the unauthorized device replaces the received unique information “B” and the received encrypted content key “B” with the unique information “A” and the encrypted content key “A” that have been stored in the unauthorized device. Finally, the unauthorized device transmits the unique information “A” and the encrypted content key “A”, together with the encrypted content “A” read from the recording medium “B”, to the host. The host, which has received the unique information “A”, the encrypted content key “A”, and the encrypted content “A”, can decrypt and play back the encrypted content “A” without any problems. This means that the unauthorized user has virtually succeeded in copying the content.
To prevent the above-described attack of information replacement, the host is required to verify the validity of a device transferring information thereto, by using a public key encryption method and the like. The essential condition for such verification using a public key is that the public key is a valid one.
To this end, it is common that an agency called a “certification authority” issues, for each device belonging to the system, a “public key certificate” asserting that a public key corresponding to the device is valid.
If a device for which a public key certificate has been issued engages in unauthorized conduct, or if a secret key corresponding to the device is stolen, the certification authority revokes the corresponding public key certificate. To inform other devices belonging to the same system about devices whose certificates have been revoked, the certification authority issues a public key certificate revocation list (hereafter, a “CRL”) with its digital signature attached. The CRL lists pieces of information specifying public key certificates that have been revoked. Based on the CRL, the host can judge whether or not a device transferring information thereto is valid. As one example, document (1), “Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption”, translated into Japanese by Shinichiro Yamada and published by PEARSON EDUCATION, discloses the construction of a CRL defined by the X.509 standard determined by the ISO/IEC/ITU.
A problem, however, lies in the drive-host construction, where the drive receives the CRL before the host receives it. This means that even if the drive has been made invalid, the drive may transfer to the host an old CRL issued before the drive was made invalid, instead of the correct CRL to be used by the host to judge the validity of the drive. If this happens, the host may fail to correctly judge the validity of the drive.
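The stale-CRL problem can be illustrated from the host's side as follows. This is an added example, not the patent's method: the CRL layout with a `version` counter, the textbook-RSA stand-in for the certification authority's signature, the device identifiers, and the `Host` class are all assumptions.

```python
import hashlib

# Toy CA key pair: textbook RSA over two Mersenne primes (illustration only, not secure).
_P, _Q, CA_E = 2**61 - 1, 2**89 - 1, 65537
CA_N = _P * _Q
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))

def _digest(version: int, revoked: list) -> int:
    body = f"{version}|{','.join(sorted(revoked))}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % CA_N

def ca_issue(version: int, revoked: list) -> dict:
    # The CA signs the version counter together with the revoked identifiers.
    return {"version": version, "revoked": sorted(revoked),
            "sig": pow(_digest(version, revoked), _CA_D, CA_N)}

def signature_ok(crl: dict) -> bool:
    return pow(crl["sig"], CA_E, CA_N) == _digest(crl["version"], crl["revoked"])

class Host:
    def __init__(self):
        self.newest_seen = 0  # assumption: host remembers the highest CRL version it has verified

    def accepts_signature_only(self, drive_id: str, crl: dict) -> bool:
        # A stale CRL still carries a valid CA signature, so this check passes.
        return signature_ok(crl) and drive_id not in crl["revoked"]

    def accepts_with_freshness(self, drive_id: str, crl: dict) -> bool:
        # Additionally refuse any CRL older than one the host has already verified.
        if not signature_ok(crl) or crl["version"] < self.newest_seen:
            return False
        self.newest_seen = crl["version"]
        return drive_id not in crl["revoked"]

# Constructed sample CRLs: drive-0042 is revoked only in the newer list.
OLD_CRL = ca_issue(1, ["drive-0007"])
NEW_CRL = ca_issue(2, ["drive-0007", "drive-0042"])

if __name__ == "__main__":
    host = Host()
    print(host.accepts_signature_only("drive-0042", OLD_CRL))   # stale list goes unnoticed
    host.accepts_with_freshness("drive-0007", NEW_CRL)          # host learns version 2
    print(host.accepts_with_freshness("drive-0042", OLD_CRL))   # stale list is refused
```

The version check only helps once the host has obtained a newer CRL through some other path; a host that has never seen one still cannot tell that the list forwarded by the drive is out of date.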