The present invention relates to cryptographic communication. In particular, the present invention relates to a method for managing and generating a device key in cryptographic communication.
Broadcast encryption is used as a method for allowing a broadcasted encrypted content to be decrypted only by a certain group of users. In the case of the broadcast encryption, a communication apparatus of each user stores a set of device keys that is different from those of the other users, and these device keys are managed so as not to be read from the outside. The key storing section of the managing apparatus stores the device keys of all the users. In a case where a content creator desires to deliver an encrypted content, the creator first encrypts the content with an arbitrary encryption key (referred to as a title key below), and then transmits the encrypted content and the title key to the managing apparatus, thereby making a request to the managing apparatus to deliver the encrypted content.
The managing apparatus encrypts the received title key with each of the device keys owned only by the users who are permitted to decrypt, and generates a set of encrypted title keys (called a media key block (MKB)). Then, the managing apparatus broadcasts the encrypted content to the users in association with the set of encrypted title keys. As such, the broadcast encryption has a feature that users permitted for decryption can be arbitrarily selected without limiting destinations for content delivery. Moreover, since the broadcast encryption is based on a common key cryptosystem, the broadcast encryption has advantages that encryption requires only a slight increase in data size, and that a processing load for encryption and decryption is small. In fact, this encryption method has already been put into practical use for content protection for prerecorded media (CPPM), content protection for recordable media (CPRM) and the like.
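The title-key and MKB flow described above can be sketched as follows. This is an added example, not code from the patent or from CPPM/CPRM; the function names, the one-device-key-per-user simplification, and the HMAC-SHA256 keystream standing in for a real common-key cipher are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def keystream(key, label, n):
    # Toy stand-in for a common-key cipher: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, nonce, data):
    # Encrypt, then append a MAC so a holder of the wrong key gets a clean failure.
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, b"enc" + nonce, len(data))))
    return ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, nonce, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, b"enc" + nonce, len(ct))))

def build_mkb(title_key, device_keys, permitted):
    # Managing apparatus: one encrypted title key per permitted device key.
    nonce = secrets.token_bytes(16)
    return nonce, [seal(device_keys[u], nonce, title_key) for u in sorted(permitted)]

def recover_title_key(device_key, mkb):
    # User apparatus: try each MKB entry; only an entry made with this key verifies.
    nonce, entries = mkb
    for entry in entries:
        title_key = unseal(device_key, nonce, entry)
        if title_key is not None:
            return title_key
    return None

def demo():
    # Constructed sample data: three users, one device key each (simplification).
    device_keys = {u: secrets.token_bytes(16) for u in ("alice", "bob", "carol")}
    title_key, content_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    broadcast = seal(title_key, content_nonce, b"constructed sample content")
    mkb = build_mkb(title_key, device_keys, {"alice", "carol"})
    result = {}
    for user, key in device_keys.items():
        tk = recover_title_key(key, mkb)
        result[user] = unseal(tk, content_nonce, broadcast) if tk else None
    return result

if __name__ == "__main__":
    print(demo())
```

Every user receives the same broadcast and the same MKB; the excluded user fails only because no MKB entry was produced with that user's device key.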
“Japanese Patent Application Laid-open Publication No. 2005-051727” and “Japanese Patent Translation Publication No. 2005-539423” are examples of a reference technique of the present invention. In the case of the technique described in “Japanese Patent Application Laid-open Publication No. 2005-051727” and “Japanese Patent Translation Publication No. 2005-539423”, when generating device keys corresponding to the respective nodes in a hierarchical structure, such as a tree structure, a device key corresponding to a node in a lower level is generated by using a device key corresponding to a node in a higher level. This realizes a function of enabling only certain users to decrypt an encrypted content by selecting an arbitrary subtree in a tree structure of data, and the equivalent function, while reducing the number of pre-prepared device keys.
In the case of the broadcast encryption, an encrypted content usually can be delivered only by a managing apparatus that manages device keys of all users. Accordingly, when a content creator desires to deliver a content, the creator has to make a request to the managing apparatus to execute encryption processing on the content by transmitting the content to the managing apparatus. Moreover, since a plurality of content creators may possibly exist, a processing load for encryption is likely to be centralized to the managing apparatus. In addition, when the managing apparatus is out of operation due to maintenance, the encryption is delayed until the managing apparatus restarts operation.
These problems may be solved by decentralizing the processing in a way that the managing apparatus provides replicas of device keys to other apparatuses. However, sharing of device key replicas by the plurality of apparatuses is likely to increase the risk of leakage of device keys, and also is likely to make it difficult to identify a leaking apparatus. For example, suppose a case where device keys stored in a managing apparatus of a parent company are replicated in an apparatus of a subsidiary company, and where the replicated device keys are further replicated in an apparatus of a sub-subsidiary company. In this case, when one device key is leaked, it is difficult to specify whether the device key is leaked from the subsidiary company or from the sub-subsidiary company. Moreover, stopping use of the leaked device keys may cause normal cryptographic communication to become impossible, since it is difficult to change the device keys stored in communication apparatuses of users.
The foregoing reference technique is used for generating a set of device keys managed in a tree structure, and this is applied to processing of generating device keys that should be stored in communication apparatus of users in the broadcast encryption. Accordingly, the reference technique cannot achieve reduction in a load centralized to a managing apparatus, or in the risk of key leakage.