1. Field of the Invention
The present invention relates to utilization of digital contents. In particular, the present invention relates to a control data generating device or method for generating control data that controls utilization of electronic contents; a device information generating device or method for generating device information assigned to a utilizing device, and a content utilizing device or method in which utilization of contents is controlled according to the control data and the device information.
2. Description of the Related Art
In recent years, distribution of digital contents becomes more popular. Contents are distributed with being encrypted in order to protect a copyright of the contents. Only an authorized user who has a decryption key can reproduce and utilize contents. In general, the decryption key is strictly managed in an internal memory or the like in a utilizing device so as not to be identified by the user. However, the decryption key is sometimes known due to any accident or attack. In this case, it is desirable that the copyright owner inhibits the utilizing device from utilizing the contents (hereinafter, referred to as “revoke”). A concept of such revoke will be described below.
The utilizing device has its own specific information (device information) assigned in advance thereto, and the specific information is contained in the device. Device information is different depending on individual devices. Alternatively, a group of devices may have the same device information assigned thereto. For example, all the CD player devices manufactured by company “A” may have the same device information.
Now, it is assumed that illegal use of contents occurs for a reason such as insufficient security in a certain utilizing device, In this case, it is important to restrict/inhibit contents in the utilizing device with which such illegal use occurs, thereby prevent expansion of damage.
In distributing contents, control data is added to content data. The utilizing device reads the control data in advance, and determines whether or not the contents can be utilized based on the content data and the device information possessed by the utilizing device. In this manner, in a group of devices including at least the utilizing device with which illegal use occurs, utilization of contents is restricted/inhibited. For control data, for example, where contents are distributed through a broadcast or network, the contents are supplied to a user's terminal to be associated with content data. Where contents are distributed through package media such as CD-ROM or DVD-ROM, the contents are distributed after being recorded in package medium.
Utilization of contents in the utilizing device can be restricted/inhibited (revoked) by a series of processes in which:
1) control data as supplied to the utilizing device;
2) the utilizing device reads the control data; and
3) the utilizing device determines whether or not contents can be utilized based on the device information and control data. When the utilization of contents in the utilizing device is restricted/inhibited, the utilizing device is defined to have been revoked. The control data is distributed by an entity (in general, body corporate) that manages revoke. This is called a revoke entity.
In revoke, a utilizing device targeted for restriction/inhibition of utilizing contents is referred to as a device targeted for revoke. Revoke is carried out based on device information. If there exists a plurality of devices having the same device information, the targeted device cannot be discriminated from other devices having the same device information.
Moreover, as is evident in a media key block technique described later, even in a utilizing device having device information different from that of the targeted device, there may occur a phenomenon in which the utilization of contents is restricted/inhibited. This phenomenon is referred to as a revoke mistake. This is a side effect of revoke, and significantly degrades convenience of a consumer using the utilizing device. Avoiding an occurrence of such kind of side effect to the maximum is very important for a revoke technique.
As one of the revoke techniques which solve the above described security problems, a revoke list technique is designed. This revoke list comprises control data, and is generally supplied to the utilizing device in association with contents data. The revoke list comprises device information on devices that inhibit utilization of the contents. The utilizing device reads the revoke list prior to utilization of contents, and determines whether or not its own device information is contained in the revoke list. Where the device information is not contained in the revoke list, the utilizing device utilizes data. On the other hand, where the device information is contained in the revoke list, the utilizing device does not utilize contents. In order to prevent interpolation of the revoke list, the revoke list is often encrypted.
In the revoke list technique, the revoke entity can specify device information on the targeted device individually. In addition, no revoke mistake occurs. However, the revoke list technique has a problem that cannot be ignored in view of security. The device targeted for revoke cancels utilization of contents because the utilizing device has found out its own device information in the revoke list, and therefore, the utilization of contents is so called “refrained”. Information required for utilizing contents is obtained independent of determination of revoke. In essential, the device targeted for revoke is defined as an “unreliable” utilizing device in which modification or the like is applied. As long as the device targeted for revoke is modified so as not to “refrain” utilization of contents, revoke using the revoke list technique has no effect.
A media key block technique is one of the revoke techniques that solves the above described security problems which the revoke list technique has. In the media key block technique, first, a device key matrix KD is provided. The number of rows and the number of columns in the device key matrix KD are defined as “m” and “n”, respectively. In addition, a component of “i” rows and “j” columns in the device key matrix KD is expressed as kij (where 0≦i<n and 0≦j<n). Respective components of the device key matrix KD are obtained as random numbers generated by a random generator, for example. A master key is defined as K. The master key K is one of the items of information required for utilization of contents. For example, data is encrypted by a data key, and the data key encrypted by the master key K is supplied to the utilizing device together with data. The utilizing device having obtained the master key K can decrypt a data key using the master key K, and then, decrypt data by using the data key.
A device key is defined as a pair of (p, KDp), p is a mapping from (0, 1, . . . , n−1) to (0, 1, . . . , m−1) and a set of elements of the device key matrix KDp=kp(0),0, kp(1),1, . . . , kp(n−1),n−1. Control data is obtained as matrix M of “m” rows and “n” columns. M denotes a media key block. A component of “i” rows and “j” columns of the media key block M is expressed as Mij. The initial value of the media key block M (that is, a value when no revoke exists) is assigned by Mij=Enc(kij, K). “Enc” denotes an encrypting function using a proper encrypting algorithm. The result obtained when data “x” has been encrypted by a key “w” is expressed as Enc(w, x).
A utilizing device having device information (p, KDp) reads the media key block M, and carries out processing shown in FIG. 1. This processing is referred to as media key block processing. In the media key block processing, “Dec” is a decrypting function that corresponds to the encrypting function “Enc”. Dec(w, x) denotes a result obtained by decrypting the data “x” by the key “w”. As is evident from definition, Dec(w, Enc(w, x))=x is obtained.
In addition, “null” is a reserved special numeric value. “null” must not be equal to K, p and KDp are assumed to have been stored in matrix P and KDP, respectively. In FIG. 1, P[J]=pj, KDP[J]=kp(j),j.
“NNum” is a class of a multiple length integer. It is possible to easily read that a revoking process assigns “Result=K” to the initial value of the media key block M irrespective of the device information (p, KDp).
Now, it is assumed that a utilizing device D having device information (a, KDa) is revoked. At this time, the revoke entity supplies a next media key block M′ to the utilizing device.
M′a(j),j=Enc(Ka(j),j, null)
M′ij=Enc(kij, K) if i≠a(j)
Evidently, a result obtained by the utilizing device D processing the media key block M′ is “null”, and the master key K cannot be obtained. On the other hand, if a utilizing device D′ other than D processes the media key block M′, the master key K is obtained. Only the utilizing device D cannot obtain the master key K. As a result, the utilizing device D cannot proceed to processing such as data decrypting, and is defined to have been revoked.
In the media key block technique, a utilizing device executes media key block processing. However, unlike a case of the revoke list technique, determination of whether or nor to carry out a revoking process does not depend on the utilizing device. Where one utilizing device is revoked by a media key block, even how well device information assigned to the utilizing device is utilized, the master key K cannot be obtained. Therefore, the media key block technique solves the above described security problem that the revoke list has.
In the media key block technique, however, an essential defect exists. That is, where a plurality of utilizing devices are revoked, there is a possibility that a revoke mistake occurs. A description thereof will be given by using a small media key block for clarity. Assume that the size of a device key matrix is 4 rows and 4 columns, and components of the media key block M are assigned as follows.
M20=Enc(k20, null)
M21=Enc(k21, null)
M12=Enc(k12, null)
M33=Enc(k33, null)
Mij=Enc(kij, K) (other than the above components)
In the above media key block, a utilizing device D2 having device information (p, KDp) (only D2) is revoked, provided that p=2213.
Furthermore, assume that there occurs a need to revoke a utilizing device D3 specified by device information (p′, KDp′), provided that p′=1312. The media key block M is updated to obtain a media key block M′. Components of the media key block M′ are assigned as follows.
M′20=M20 
M′10=Enc(k10, null),
M′21=M21 
M′31=Enc(k31, null),
M′12=M12 
M′33=M33 
M′23=Enc(k23, null),
M′ij=Enc(kij, null) (other than the above components)
The utilizing devices D2 and D3 are reliably removed by the media key block M′. However, a utilizing device having device information (p″, KDp″), for example, may be revoked at the same time, provided that p″=2313. Apart from D2 and D3, a total of six utilizing devices may be accidentally revoked.
In the media key block technique, in general, where “s” utilizing devices (“s” items of device information) are revoked, a maximum of “sn-s” utilizing devices are revoked by a revoke mistake. Thus, a user of an “innocent” utilizing device as well will suffer from inconvenience in which the utilization of contents is restricted together with a user of a device targeted for revoke. In saome cases, it is undeniable that the above fact can lead to a serious economical loss or the like. Where a media key block is employed as a revoke technique, suppliers or a manufacturers of the utilizing devices will suffer from potential product faults such as complaint from users or request for damage.
In the media key block technique, the probability that one utilizing device is removed by a revoke mistake increases exponentially relevant to the number of devices targeted for revoke under a general assumption. This denotes that an only small amount of device information can actually be revoked in the entire device information. The suppliers or manufacturers of utilizing devices can perform troubleshooting procedures that individually correspond to complaint while a small number of mistakes occur.
Devices required for revoke using a media key block technique and a configuration and operation of these devices will be described below in more detail. This is because a different between a media key block technique and the present invention is clearly described. A configuration of a device information generating device 50 (which assigns device information to a utilizing device) in the media key block technique is shown in FIG. 2. A device key matrix KD is stored as a two-dimensional arrangement in a device key storage unit 509.
k00, k01, k02 
k10, k11, k12 
The device key arrangement is assumed to have been generated by a proper method such as a method of using a random number generator. A random number generator 504 having received an instruction for generating random numbers generates three random numbers whose values are obtained as 0 or 1. A key reading unit 508 receives random numbers, regards the random numbers as row numbers, and reads an element specified by the row numbers in turn from each column of the device key matrix.
A device information storage unit 506 stores the following two items of information.    Arrangement of column positions: R0, R1, R2    Arrangement of keys: kR0,0, kR1,1, kR2,2 
These items of information configure device information. An outputted information storage unit 507 has arrangement of column positions recorded therein in an additionally writing manner. Therefore, the outputted information storage unit 507 has all arrangements of the outputted column positions recorded therein.
Now, a configuration of a media key block generating device 60 is shown in FIG. 3. The device key matrix storage device 509 in the device information device 50 and a device key matrix storage device 612 in the media key block generating device 60 store the same device key matrix as follows.
k00, k01, k02 
k10, k11, k12 
A key reading unit 611 receives two arguments. These two arguments are obtained as numbers of rows and columns in device key matrix. The key reading unit 611 returns an element of a device key matrix specified by these numbers. A media key block is stored as a two-dimensional arrangement in a media key block storage unit 610.
M00, M01, M02 
M10, M11, M12 
During media key block update, the media key block generating device 60 needs to specify device information on a utilizing device to be revoked. This device information is specified by row numbers of each column in media key block. For example, assume that device information on a utilizing device to be removed is (100, KD100). In this case, the following data is specified by being inputted to a revoke information input unit 602 of the media key block generating device 60.
(10, 1b, 12)=(1, 0, 0)
A CPU 605 regards these data as row numbers in columns 0, 1, and 2. Then, the CPU 605 specifies the respective numbers as arrangement elements of the media key block, i.e., converts the respective ones into a pair of row number and column number, and inputs them sequentially to an update unit 609. The update unit 609 invalidates elements of the media key block which is inputted and specified by a pair of the row number and column number.
A configuration of a utilizing device 70 that conforms to a revoke scheme based on a media key block is shown in FIG. 4. A media key block input unit 701 of the utilizing device 70 reads the following media key block.
M00, M01, M02 
M10, M11, M12 
The read media key block is stored in a media key block storage unit 702. A device information storage unit 705 stores device information (1, KD1), for example. Components of KD1 are expressed as KD1=k0, k1, k2.
A CPU 703 reads data sequentially from the device information storage unit 705, and applies the read data to a media key block. That is, first, with a value of variable “j” being 1, 1j is read from the device information storage unit 705, and a pair of numerals (1j, j) is supplied to an arrangement element reading unit 707. The arrangement element reading unit 707 reads out an element M1j,j from the media key block storage unit 702, and then, returns it to the CPU 703. The CPU 703 supplies M1j,j to a decrypting unit 708.
Next, kj is read from device information, and is supplied to the decrypting unit 708. the decrypting unit 708 decrypts M1j,j by a key kj, and the result is returned to the CPU 703. The CPU 703 temporarily stores the decrypting result in variable “Result”. If a value of the variable “Result” is equal to null, the CPU 703 increases “j” by 1. If j<3, the CPU 703 repeats the above operation. Otherwise, the PUP 703 stops a media key block processing action.
Where the value of the variable “Result” is different from null relevant to any of j=0, 1, 2, the CPU supplies the value of “Result” as a master key K to a content utilization unit 709. Then, the CPU 703 reads data from a data input unit 706, and supplies the data to the content utilization unit 709. The content utilization unit 709 decrypts the data by using the master key K, for example, and utilizes the decrypting result. It is assumed that a proper algorithm for utilizing data is stored in advance in the utilization unit 709.