With transfer rates of communication lines being increased and large capacity recording media such as DVDs being used, more and more digital contents including documents or image data are being communicated these days. The digital contents delivery service is a service for distributing contents among particular users. It is a matter of course that the service needs a system for preventing the contents from being leaked to entities other than the authorized users. For the contents delivery service using a large capacity medium, similar mechanisms for controlling access by users are also being developed. For such a mechanism, a system is provided for a situation where contents data is encrypted or scrambled to allow only authenticated users who have correct contents information or know a way for descrambling the contents to decrypt the contents data and to enjoy the authorized contents including a document and image data.
Such a contents delivery service has contents providers to deliver contents. The contents providers have to set different access control information for each of the contents and are expected to perform encryption with different key on each of the contents, each user and each action of the users (for example, viewing or copying the contents). The contents providers suffer significant loads in managing key information such as generating, holding or delivering keys. To solve this problem, key management methods that are more efficient without degrading the level of security have been studied. Some of the conventional management methods will be described below.
[Tree Structure Management Method]
The tree structure management method is suitable for rejecting a user and is used in offline contents replaying appliances such as a DVD player. In this method, key information used for encryption and the encrypted contents are concurrently delivered or stored in a medium so that only an authenticated user can decrypt the encrypted data. The key information has to be delivered in an appropriate combination to each user. A tremendous amount of user key information can be efficiently managed with the tree structure.
The three indicators below determine the efficiency of a method of the tree structure management methods:
1) a data size of key information to be delivered concurrently with the contents
2) a data size of previously delivered key information, which holds a user
3) a data size of key information required to be managed by a contents provider
In an online delivery service, 1) counts most as 1) determines the network traffic. From the view of contents providers, however, 3) counts most as 3) refers to its management cost. It should be noticed that the indicators' weights vary among situations.
A typical tree structure management method is a contents delivery model described in the document “Management methods for protecting digital contents” encryption and information security symposium SCIS2001, pp. 213-218 (hereinafter called Document 1). In this model, a tree structure for delivering keys as shown in FIG. 14 is used, with different keys being placed at respective nodes. A user key (in the above paper, a key held by a player such as a DVD is considered) is considered as the same as a terminal node (leaf node) and is assumed to hold key data for all the nodes from the root to the terminal node. In this model, the contents are assumed to be updated frequently and keys are thus placed so as to improve efficiency of key revocation.
[Hierarchical Key Management Method]
Key management considered in the hierarchical key management method is the same as that in the tree structure management method in that keys are placed at respective nodes but quite different in that a user is provided with not only a key placed at a terminal node but also keys placed at all the nodes including the root. Documents disclosing this technique include C. H. Lin. “Dynamic key management schemes for access control in a hierarchy” Computer Communications, 20:1381-1385, 1997 (hereinafter called Document 2) and J.-C. Birget, X. Zou, G. Noubir, B. Ramamurthy, “Hierarchy-Based Access Control in Distributed Environments” in the Proceedings of IEEE ICC, June 2001 (hereinafter called Document 3).
In this method, instead of a structure of n-ary trees as shown in FIG. 14, an access structure as shown in FIGS. 15 and 16 is used with some local places having a relationship such as shown in FIG. 17. In this case, the method must have a system for allowing a key for the node n3 to be generated from both a key placed at the node n1 and a key placed at the node n2. The abovementioned paper by Birget and others (Document 3) proposes two methods shown below as a method for providing such a system.
[(1) User Multiple Keying]
This is a method for making each node hold a plurality of keys with a parent node being adapted to hold all the keys for children nodes. FIG. 18 shows an example of this method, describing a set of key data to be delivered to each node. For example, the figure shows that key data k5 is included in the parent node of a node, to which {k5} is delivered. The figure also shows that it is the same in the other nodes that parent nodes include key data of their children nodes.
[(2) One-Way Function Based Keying Schemes]
This is a method in which what was proposed by Lin and the others (Document 2) is extended. This method uses a one-way hash function to reduce key information held by each node. When key data of a child node is generated from key data of a plurality of parent nodes as shown in FIG. 17, the operations shown below are required. The operations will be described with reference to FIG. 19.
In FIG. 19, in order to generate key data k3 from key data k1 or k2, computations below are performed:k3:=F(k1,n3)XOR r13k3:=F(k2,n3)XOR r23Here, XOR refers to an exclusive OR for each bit. F ( ) is a one-way hash function to be described later in detail. n3 is an identifier of a node, to which key data k3 is associated, and r13 and r23, both of which are public data, are random data which is associated with node n1 (key data k1) via node n3 and which is associated with node n2 (key data k2) via node n3, respectively.
The function f ( ) is configured by F (k_i, n_j)=g^{k_i+n_j} mod p (p is a prime and g is a generator). The abovementioned r12 and r13 are generated to satisfyF(k1,n3)XOR r13=F(k2,n3)XOR r23.[Delivery of Time Sequential Image Contents]
As an application of the abovementioned key generating method, an image encrypting/decrypting system for encrypting and sending contents data such as an image configured by a plurality of frame images in a series in chronological order at a contents creating side and decrypting and replaying the sent contents data at a user's side is considered (for example, Japanese Patent Laid-Open No. 2002-156905 (Document 4)).
FIG. 7 is a schematic diagram for illustrating a case where time sequential contents are encrypted for each unit. At a contents creating side, object contents 701 is encrypted into encrypted contents 702. The contents 701 are divided into parts from M1 to M4, which are encrypted by contents keys 703 (k1)-706 (k4) respectively resulting in the encrypted data c1-c4. At a user's side, all or a part of the contents keys from k1 to k4 are secretly received and the encrypted part of the contents keys is decrypted. The contents keys 703-706 may be delivered concurrently with the encrypted contents 702, or may be separately delivered in an asynchronous manner from a license server, which is a third party, different from the deliverer.
Here, the creator of the time sequential contents has to determine the minimum unit of the contents to be encrypted by the same key and generate a key for each of the atomic contents separated by the unit. The creator also has to determine the range to be disclosed to the receiver and deliver a key for the range. If the atomic contents are set for a kind of contents by mesh, both the key information to be managed and the key delivery cost will be tremendous.
It should be noticed that the key management method described in Document 4 encrypts each of the atomic contents with a different key not for the purpose of controlling delivery so that a different range will be shown for each user. In other words, whether the user has a correct key or not depends on whether the user wants to enjoy all the contents or not and the use of different keys does not control partial accessing.
As mentioned above, a creator of time sequential contents can control delivering the contents in further segmented units by determining the minimum unit of contents to be encrypted with the same key, generating a key for each of the atomic contents separated by the unit and encrypting the contents with the respective keys. If the atomic contents are set by segmented mesh, however, both key information to be managed and key delivery cost is tremendous.