Currency serves to supply people with rewards fairly, in accordance with the properties of the currency as a material. The object called currency is not merely a common oral concept but a physical object, the essential conditions of which are portability and difficulty of forgery by anyone other than the source. Its physical nature and portability make it possible for users to confirm the value of the currency among themselves, while the difficulty of forgery permits the source to control the fair chance of confirmation. With the recent development of industry and technology, however, the days are numbered before the difficulty of forging currency collapses. A new object for confirming value, other than currency, is required. Such an object is also required to be physical, portable and difficult to forge. Further, it is required to be accessible to and controllable by the source.
In addition to the security requirement described above, demand is rising for the realization of “massive distribution” due to the multiplication of distribution and the increased capacity and speed of information. An environment that realizes “massive distribution” satisfies the following conditions:
(1) The information users can acquire digital information substantially free of charge.
(2) The information suppliers can define the conditions for permitting the usage of the information (charge, change in conditions for usage, etc.) and forcibly execute the conditions agreed to by the users.
(3) The additional operation required for the information users to use the service is at most “to confirm the access conditions”.
A system that can execute the access control of massive distribution accurately and safely is expected to contribute to correcting the unfair collection of royalties such as license fees. In the current system, the supplier cannot gain a profit unless a copyrighted object sells in a considerable amount. A system is therefore required that permits the copyright holders to gain their profit accurately. It is also necessary that the consideration be fairly distributed in an amount according to the service fees offered by all the persons involved, including the professional artists and designers creating parts.
Conventionally, in controlling the access to content such as copyrighted objects in a distribution system environment, and especially on an open network, it has been the practice to store the content in a server accessible by the users of the content, and to control the usage of the content by controlling the access to the server. The content are defined herein as digital content having a structure as a mass of bit strings recordable in a storage medium and include documents and texts, images, animation, program software, etc.
FIG. 17 is a diagram showing an example of the conventional model of access control. As shown in FIG. 17, content 204 can be operated from a user 205 only through an access control function 203. Further, a copyright holder 200 simply registers the content 204, for example, in a server protected by the access control function 203, so that the access to the access control function 203 is controlled by a person other than the copyright holder 200 such as a manager of the server.
Specifically, as shown in FIG. 18, a server system 212 for holding the content is managed by a server operator system 211 and further managed and operated by the manager 201. The server operator system 211 registers the copyright holder and the users in the server system 212, and for this purpose, produces a directory and gives the copyright holder permission to control the access. A copyright holder system 210 causes the content of the copyrighted objects of the copyright holder to be stored in the server system 212 and sets the access control conditions (ACL) in the server system 212. In this case, the copyright holder is required to be granted permission to control the access to the server system 212. The user system 213, on the other hand, when using the content, requests the server system 212 to send the content, and in the case where the ACL is satisfied, acquires the content stored in the server system 212.
When the content user is entirely authorized, however, a change of the user due to the relocation or copying (duplication) makes the authorization of the copyright holder fail to cover the content relocated or copied, as the case may be. Further, no forcible execution of the license for access to the objects has been defined between the server manager storing the content of the objects of the copyright and the copyright holder. For example, it has been considered a matter of course for the server manager to change the accessibility without permission of the copyright holder.
On the other hand, a distribution system environment has been promoted by price reduction of storage media, etc. to such an extent that the network traffic is not concentrated but content can be distributed to a plurality of servers in cache, thus making possible fast access to content objects. As a result, the access control model as shown in FIG. 17 requires the construction of a firm access control function only at the entrance to the operation of the content by the user 205, while an omnidirectional access control or security is required in the distributed system environment described above.
In view of this, an access control model as shown in FIG. 19 has been conceived. This access control model is divided into a copyright holder protection area where the copyright holder 200 can be protected by the conventional security technique, an open area where all external attacks are accepted, and a confidential protection area where the hardware and software are protected against alteration and duplication of digital data. The confidential protection area is protected by an omnidirectional access control function 221 in which the content 222 are stored.
The copyright holder 200 can register the content 222 and control the access to the access control function 221. The user 205 can acquire the content 222 through the access control function 221 from the open area. An inter-area protection interface 220 is for protecting the zone between the copyright holder protection area and the open area.
A specific example of the access control model in the distributed system environment shown in FIG. 19 is described in U.S. Pat. No. 5,339,403. Japanese Unexamined Patent Publication No. 9-134311 and U.S. Pat. Nos. 5,392,351, 5,555,304 and 5,796,824 disclose a technique for preventing the illegal use of content by checking the equipment of the users. The conventional content usage control system will be described below with reference to these patent publications.
FIG. 20 is a diagram showing a content distribution model of the conventional content usage control system. A decode protection area and a reproduction protection area of FIG. 20 correspond to the confidential protection area shown in FIG. 18. The decode protection area is where the hardware and software are protected against alteration and the output data against duplication, and the reproduction protection area is where the digital decoded data are protected against duplication. Usage environment specifying physical elements (PCSUE) 235-1 to 235-N are physical elements for specifying the usage environment of the content, and specifically include a CPU, peripheral equipment, a removable storage medium, an IC card and the like.
In the decode protection area, the content 234 are decoded; the content 234 are a copy, existing in the server of the open area, of the content 233 encrypted by the copyright holder 200 based on the certificates 236-1 to 236-N of the physical element IDs corresponding to the PCSUE 235-1 to 235-N. The resulting decoded content are used by the users through the reproduction protection area. Thus, the content are encrypted (content 233) with a key corresponding to a physical element ID. To decode the content 234 corresponding to the content 233, each physical element ID or a corresponding confidential key is required.
The content distribution model includes a license simultaneous model, in which the license used for decoding the encrypted content and the encrypted content are distributed at the same time, and a content cacheable model, in which the encrypted content are stored in the cache of the server and acquired at a time separate from the license. FIG. 21 is a diagram showing the content cacheable model.
As shown in FIG. 21, first, the copyright holder 200 produces and encrypts the content in the copyright holder protection area, after which the content are duplicated and cached in the server of the open area. The certificates 241-1 to 241-N encrypted from the physical element IDs of the PCSUE 235-1 to 235-N, on the other hand, are output to the copyright holder protection area in encrypted form. A confidential key Kp is retrieved from a user physical object class corresponding to the PCSUE 235-1 to 235-N. Based on the confidential key Kp and the certificates 241-1 to 241-N, the physical element IDs 243-1 to 243-N are decoded and used for encrypting the content decode key Kc, which is output to the confidential protection area.
In the confidential protection area, the encrypted content decode key Kc is decoded with the physical element IDs 242-1 to 242-N thereby to obtain a content decode key Kc. The encrypted content 234 that can be acquired from the open area are decoded using the content decode key Kc, and offered as content 244 for use by the user 205.
FIG. 22 is a block diagram showing a general configuration of a content usage control system corresponding to the content cacheable model shown in FIG. 21. As shown in FIG. 22, a copyright holder system 250 exists in the copyright holder protection area, a content server 251 exists in the open area, and a license server 252 and a user system 253 exist in the confidential protection area. The copyright holder system 250 encrypts the content thus produced, and the confidential content thus encrypted are stored in the content server 251.
Further, the content decode key Kc is sent to the license server 252, thus delegating the access control right to the license server 252. Further, an access control list (ACL) is set. The user system 253 sends a request to use the content to the license server 252. A group of the certificates of the physical element IDs, if not attached, are acquired upon designation by the license server 252 of the conditions for the physical elements. The certificates thus acquired are sent out to the license server 252.
The license server 252, as shown in FIG. 21, acquires the confidential key Kp of the physical object class of the user, and decodes the group of the certificates of the physical element IDs. The content decode key Kc encrypted by the decoded physical element ID is sent to the user system 253 as a license L. As a result, as long as the physical element ID of the user system 253 coincides, the content decode key Kc is decoded, and the confidential content can be decoded by use of the content decode key Kc thus decoded.
In view of the fact that the confidential content are stored in the content server 251, the user system 253 is required to receive the distribution of the confidential content from the content server 251 by separately requesting the distribution thereof from the content server 251.
On the other hand, FIG. 23 is a block diagram showing a general configuration of a content usage control system for realizing a content simultaneous distribution model. In FIG. 23, the content server 251 does not exist, so that the confidential content are sent to the user system 253 simultaneously with the license. As shown in FIG. 22, the confidential content are transported to a server temporally in the vicinity of the user system 253, and therefore, for acquiring the confidential content through the content server 251, the user system 253 only requests the usage of the content whenever required.
Further, as compared with the content simultaneous distribution model, the proper selection of the distribution route of the content is made possible, and therefore the response time can be shortened for the user intending to acquire the content. Further, the content cacheable model has many advantages. For example, the content can be distributed in advance, separate from the license, by use of the base of the ROM medium, the broadcast or the caches in the proxy server.
In the conventional content usage control system described above, a device coincident with the physical element ID unique to the user system can basically decode the confidential content and use the content. In view of the fact that the license (conditions for permission of usage) is produced based only on the physical element ID, however, it is impossible to add the conditions for limiting the frequency of reading the content as determined by the intention of the copyright holder, to set a time limit, or to define the charging conditions. Thus, the versatile control of the content usage has been impossible.
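The key flow of the content cacheable model (FIG. 21 and FIG. 22) and the limitation just described can be traced in code. The following is an added example, not part of the original text: the SHA-256 counter-mode cipher with an HMAC tag stands in for the unspecified cipher, and `id_key`, the sample element IDs and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode: stand-in for the cipher the text leaves unspecified
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def id_key(element_ids):
    # Assumption: one wrapping key derived from all physical element IDs, in order
    return hashlib.sha256(b"\x00".join(element_ids)).digest()

def issue_license(kp, certificates, kc):
    # License server: decode the ID certificates with Kp, then wrap Kc under the IDs
    return seal(id_key([unseal(kp, c) for c in certificates]), kc)

def use_content(license_l, own_ids, cached_content):
    # User system: Kc only unwraps when the local physical element IDs coincide
    return unseal(unseal(id_key(own_ids), license_l), cached_content)

def demo():
    kp, kc = os.urandom(32), os.urandom(32)       # constructed keys Kp and Kc
    ids = [b"CPU-0001", b"ICCARD-0002"]           # constructed physical element IDs
    content = b"constructed sample content"
    cached = seal(kc, content)                    # copy held by the content server
    lic = issue_license(kp, [seal(kp, i) for i in ids], kc)
    # The license L is only Kc wrapped under the IDs, so it replays without limit
    replays = [use_content(lic, ids, cached) for _ in range(3)]
    try:
        use_content(lic, [b"CPU-9999", b"ICCARD-0002"], cached)
        other_device = "decoded"
    except ValueError:
        other_device = "refused"
    return content, replays, other_device

if __name__ == "__main__":
    print(demo())
```

The license binds the content to the device but carries no field in which a read count, time limit or charging condition could be expressed, which is why the same license decodes the content on every replay.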
Further, the usage environment specifying physical element is not always simple in configuration. With a device having a complicated configuration, a specified section or part of such a device may be illegitimate. Then, even in the case where the license is produced from the usage environment specifying physical element constituting simply a large-sized device, the illegitimacy may be overlooked, resulting in deteriorated security.