Conventionally, there are known technologies of encrypting information to be kept secret when the information is stored in a non-volatile memory, such as a flash memory, and storing the encrypted information, thereby making malicious analysis of the information stored in the non-volatile memory difficult. As an example of such technologies, a management unit for AV (Audio Video) data, such as a moving image, protected by copyright is known; the management unit encrypts management information, such as a cipher key and the copyable number of times, and stores the encrypted management information in a non-volatile memory.
FIG. 10 is a diagram for explaining an conventional MPU that stores encrypted management information in a non-volatile memory. In an example illustrated in FIG. 10, the MPU in a management unit includes an encrypting unit and a decrypting unit. The encrypting unit encrypts information with a cipher key unique to the management unit. The decrypting unit decrypts the encrypted information. Incidentally, the encrypting unit and the decrypting unit are composed of a logic circuit or a program, and embedded in the MPU. The MPU is connected to a flash memory in which management information is stored.
When the MPU stores management information in the flash memory, the MPU causes the encrypting unit to encrypt the management information and stores the encrypted management information in the flash memory. Furthermore, the MPU causes the decrypting unit to decrypt management information stored in the flash memory. The MPU acquires a cipher key (a decryption key) from the decrypted management information, and decrypts separately-acquired encrypted AV data with this key. After that, the MPU transmits the decrypted AV data to a main body, such as a personal computer (PC) or a set-top box (STB), via a communication interface (I/F).    [Patent document 1] Japanese Laid-open Patent Publication No. 2000-341632    [Patent document 2] Japanese Laid-open Patent Publication No. 07-225551
However, in the above-described technology of storing encrypted management information in a non-volatile memory such as a flash memory, the encrypted management information is directly stored in the non-volatile memory. Therefore, if pre-encryption management information can be easily estimated, an attacker can acquire a cipher key by making an exhaustive attack using the pre- and post-encryption management information. As a result, there is a problem of not satisfying tamper resistance.
FIG. 11 is a diagram for explaining an example of management information of AV data. In the example illustrated in FIG. 11, the management information includes multiple storage areas; 2 bytes of management number, 4 bytes of management ID, 2 bytes of permission flag, 1 byte of the number of copyings, 3 bytes of expiration date, 36 bytes of name, and 16 bytes of cipher key are stored in the respective storage areas. A cipher key stored in management information here is a decryption (cipher) key for decrypting AV data to be managed.
For example, when data of a non-volatile memory is initialized, an MPU generates an initial value that “0” is stored in each storage area of management information. Then, the MPU encrypts the generated initial data, and directly stores the encrypted initial data in the non-volatile memory. Therefore, when an attacker, who is trying to analyze the management information stored in the non-volatile memory, has initialized and analyzed data of the non-volatile memory, the attacker can acquire an encrypted value of the initial value that “0” has been stored in all the storage areas.
Here, the attacker can easily estimate that management information that “0” has been stored in storage areas thereof is generated as an initial value at the time of initialization of data of the non-volatile memory. Therefore, using the estimated initial value and the encrypted value of the initial value, the attacker can make an exhaustive attack for analyzing a cipher key. Namely, when an encrypted value of easy-to-estimate management information, such as an initial value, has been stored in the non-volatile memory, the attacker can easily analyze a cipher key for encrypting the management information.
In this manner, when the MPU directly stores encrypted management information in the non-volatile memory, it is easy to analyze a cipher key for encrypting the management information, and therefore tamper resistance becomes worse. As a result, the cipher key for encrypting the management information is easily analyzed, and the tamper resistance is worsened.