1. Field of the Invention
The present invention relates to technology for encrypting and distributing data.
2. Related Art
In recent years, there has been an expansion in the use of broadcasting, communications, package media (e.g. digital versatile disk or “DVD”) and the like to distribute digital contents such as movies and music to specified apparatuses.
To protect copyright, contents are distributed to specified apparatuses in encrypted form. Only under conditions permissible to the copyright holder is a specified apparatus able to decrypt an encrypted content for playback or duplication using an apparatus key embedded in the apparatus.
The distribution of a voluminous content is generally carried out by employing a two-stage encryption method, involving the content being encrypted using a single group key, and the group key then being encrypted, so as to only be shareable with specified apparatuses. In the present description, this method involving the use of a unique apparatus key to share of a single group key is referred to as a “group key management method”.
In the simplest example of a group key management method, a contents supplier generates encrypted key information by encrypting the group key using the unique apparatus key held by each apparatus, and distributes the encrypted key information after corresponding the encrypted key information with the encrypted content. A specified apparatus obtains the group key from the encrypted key information using its apparatus key, and decrypts the encrypted content using the group key.
However, with this simple method, the data volume of the encrypted key information becomes substantial when the group includes many members. Finding ways of distributing the group key efficiently while at the same time reducing this data volume has been the subject of much research.
The IETF (The Internet Engineering Task Force), for example, which is involved in the standardization of new technology relating to the Internet, has conducted extensive research with great success into a tree key-management method involving each apparatus holding a plurality of apparatus keys and the share relationship being expressed by a tree structure.
According to this method, each joint in a tree structure is known as a “node”, and each apparatus is allotted to a “leaf” (i.e. most subordinate node in the tree structure) Each apparatus stores node keys corresponding to all nodes existing on a route from a leaf to a “root” (i.e. most superordinate node in the tree structure). A route connecting any two nodes is known as a “path”. A key manager reduces the volume of encrypted key information by encrypting the group key using a node key shared by a plurality of apparatuses.
Much research is being conducted into this key management method because it allows, for example, (i) for the group key to be circulated using encrypted key information having a low data volume, even when the key manager adds new apparatuses to the group or has to expel specified apparatuses from the group for some reason, and (ii) for addition or removal of whole systems by corresponding a sub-tree, in which one of the nodes has been set as a root, with an existing system.
A group key management method that uses a tree structure will now be described as an example of a representative tree division method. For a detailed description, please refer to Reference 1: Toshihisa Nakano, Motoji Omori and Makato Tatebayashi, “Key Management System for Digital Content Protection”, A5-5, The 2001 Symposium on Cryptography and Information Security (SCIS2001), Jan. 23-26, 2001, Oiso, Japan, The Institute of Electronics, Information and Communication Engineers (IEICE).
According to the tree division method disclosed in Reference 1, each apparatus is positioned at a leaf of the tree, and stores node keys corresponding to all of the nodes from the leaf to the root. As shown in FIG. 54, an apparatus 1 stores a key kd1 (unique to apparatus 1), a KeyD, a KeyB and a KeyA. KeyD is shared by apparatuses 1 and 2, KeyB is shared by apparatuses 1 to 4, and KeyA is shared by all of the apparatuses.
When operation of the system is commenced, the system manager generates encrypted key information by encrypting the group key using KeyA. If, for some reason, it becomes necessary to eliminate one of the apparatuses from the group, the system manager removes the key stored by the apparatus from the tree structure, and generates the encrypted key information by encrypting the group key using the key corresponding to the root of each of the plurality of smaller tree structures.
For example, if apparatus 1 is expelled from the group, the group key is encrypted using a KeyC, a KeyE, and a key kd2, respectively. Here, each piece of encrypted key information is referred to as a ciphertext. The encrypted key information is distributed by a contents supplier together with a content encrypted using the group key.
An apparatus (i.e. other than the expelled apparatus) that receives the encrypted content and the encrypted key information, derives the group key from the encrypted key information corresponding to the apparatus key stored by the apparatus, and decrypts the content.
Reference 2 discloses a tree pattern division method that allows for key information stored on a storage medium to be reduced in size, while at the same time suppressing any increase in the number of apparatus keys already held by an apparatus.
Reference 2: Toshihisa Nakano, Motoji Omori, Natsume Matsusaki and Makato Tatebayashi, “Key Management System for Digital Content Protection—Tree pattern Division Method”, The 2002 Symposium on Cryptography and Information Security (SCIS2002), Jan. 29-Feb. 1, 2002, Shirahama, Japan, The Institute of Electronics, Information and Communication Engineers (IEICE).
At present, however, contents supply systems that differ in terms of administrative bodies, distributed contents, communication routes and media (i.e. package media, broadcasting, Internet), services provided, and the like, are administered using independent key management methods.