gi6_°J 1 161
advertisement
US 20050078825A1
(19) United States
(12) Patent Application Publication (10) Pub. N0.: US 2005/0078825 A1
(43) Pub. Date:
Ohmori ct al.
(54) ENCRYPTION APPARATUS, DECRYPTION
APPARATUS, SECRET KEY GENERATION
Apr. 14, 2005
Publication Classi?cation
APPARATUS, AND COPYRIGHT
(51)
Int. Cl.7 ................................................... .. H04N 7/167
PROTECTION SYSTEM
(52)
US. Cl. ............................................................ .. 380/255
(76) Inventors: Motoji Ohmori, Hirakata-shi (JP);
Makoto Tatebayashi, TakararaZuka-shi
(57)
(JP); Hideshi Ishihara, Katano-shi (JP);
Toshlhlsa Nakano’ Neyagawa_shl (JP)
ABSTRACT
An encryption apparatus 100a is comprised of the following:
Correspondence Address:
a CRL storage unit 111 that stores a CRL; a device key ring
WENDEROTH’ LIND & PONACK, L_L_P_
2033 K STREET N_ W_
storage unit 112 that stores a device key KD_A speci?c to
each copyright protection module 210a used by a decryption
SUITE 800
WASHINGTON’ DC 200064021 (Us)
apparatus 200a; a content key storage unit 113 that stores a
content key Kc that is a secret key for encrypting a content;
a hashing function processing unit 114 that calculates a hash
value of the CRL stored in the CRL storage unit 111
according to a hashing function; an EX-OR unit 115 that
obtains an exclusive OR value betWeen the hash value and
the device key KD_A; and an Enc unit 116 that encrypts the
(21) APPL NO;
10/958,551
(22)
()CL 6, 2004
Filed;
(30)
Foreign Application Priority Data
content key Kc using an output value from the EX-OR unit,
and stores the hash value, the encrypted content key and the
Oct. 10, 2003
(JP) .................................... .. 2003-352801
)1 00a 1110a
Encr
tion a
aratus
300
?r‘n%f?ge_‘
l""| W device
'
.I i
.
!
112 KD_A Hash
ice key
ring storage
unit
{ Content key
storage unit
/ __]
-_______gi6_°J
|—Terminal device
. (Content
l
i
manufacturer)
Content
storage unit
1 161
28
114,
i111 Hashing function ‘
,
processing unit
0
Decryption apparatus (HD-DVD player)
_1 f___‘_____‘___-____
. Copynght protection module
CRL I
un't
K111 )zooa
Terminal
‘ (Copyright protection
.licensor)
i
encrypted content in a DVDZa.
I
CRL
saRh'l'ehash
' 210a
. DVDdm/e l (Til£)___,________ T
I
J l
'
I
i
l
i Content key decryption unit
l Device key
1 storage
unit
i
I
'
Patent Application Publication Apr. 14, 2005 Sheet 2 0f 17
03cmoHz9uE>tCom
.2:Q&U02O
m:?zwmL2Eumwc
.56
US 2005/0078825 A1
32mto\wgmu:o cF>2 m> GBU5420 E2w8xm69ugz: Ec6oz2mu>oEg
E9<w3mcov5QE xD5Q0EO:X
E>rmz6ow5B=uRmo>
5:cozmuo0>SDXOmxOa.2w.
/\
Patent Application Publication Apr. 14, 2005 Sheet 3 0f 17
FIG. 3
US 2005/0078825 A1
Patent Application Publication Apr. 14, 2005 Sheet 4 0f 17
1
C)
_—_
f2
—___—
(\l
US 2005/0078825 A1
(U
3
O
°m\
>
m
D. Q
O
H
\
v
S2
u.
\\
a
\\
\j
a
$3
290
Patent Application Publication Apr. 14, 2005 Sheet 6 0f 17
FIG. 6
/233
Public key certi?cate for drive Cert_A
Drive ID
Public key for drive PK_A
Signature of the
CA for public key for drive PK_A
Expiring date
FIG. 7
/273
Public key certi?cate for program Cert_i
Program ID
Public key for program PK_i
Signature of the CA
for public key for program PK_i
Expiring date
US 2005/0078825 A1
Patent Application Publication Apr. 14, 2005 Sheet 7 0f 17
US 2005/0078825 A1
FIG. 8
DVD drive 290a
Application program 260
Generate y
y,Cert_|
|
Check/CRL
I|
Verify
Generate
Certii
x
PS1
PS3 \sz
Cert-A
\SG
\
|
Check CRL
{/57
F
Verify bert=A
[/88
[
Generlate y'
[/89
[
GeneraLte y'G
P310
[Generate S1:='Sig(Sk_i,y'G||x)|"’S1 1
I
|
Verify S1
I
|
Generate x'
Generate x'G
y'G, s1
-
r1313 \S12
["814
1815
[Generate S0:=Si§(SK=A, x‘G l x?zléso
\s17 F
|
?n’ so
F818
Generate IK':=y'(x'G)
r319
Generate K:=x'(y'G)
F820
[ Encrypted communication using session key K(=K') P321
|
Calculalte Hash
F822
Calculate exclllisive OR value “823
between KD__A and Hash
[Obtain encrypted content key P324
lEncrypt encrypted content key [V825
Encrypted content key
[Decrypt encrypted content key|~’$27
| Obtain conltent key Kc F528
|
DecryptI content
l
[#329
Apr. 14, 2005
US 2005/0078825 A1
ENCRYPTION APPARATUS, DECRYPTION
APPARATUS, SECRET KEY GENERATION
APPARATUS, AND COPYRIGHT PROTECTION
key certi?cate possessed by the user Who has illegally acted
SYSTEM
a proper CRL so as to check the validity of the public key
certi?cate issued for the person at the other end of the
communication. This is a defect in the authentication based
on the CRL and illegal conducts are enacted by taking
BACKGROUND OF THE INVENTION
[0001] (1) Field of the Invention
or the user Who has had his/her oWn secret key stolen.
[0009]
HoWever, not all the computers can alWays obtain
advantage of the defect.
[0002] The present invention relates to an encryption
apparatus, a decryption apparatus, a secret key generation
[0010]
apparatus and a copyright protection system for protecting
copyright for transmitting a digital Work via a recording
Which a digital Work such as a movie is recorded, obtains the
medium or a transmission medium. In particular, the present
invention relates to a protection technique against an attack
enacted by replacing a Certi?cate Revocation List for speci
fying revoked public key certi?cates.
[0003] (2) Description of the Related Art
[0004]
When a ?rst device transmits a digital Work to a
second device, the ?rst device authenticates the second
device (or the ?rst and second devices mutually authenti
cate). The authentication is performed before the transmis
sion so as to prevent a copyright infringement by unautho
riZed obtainment. In other Words, the authentication is a
means to make sure Whether the person on the other side of
For eXample, in the case Where a device, such as a
Digital Video/Versatile Disc (DVD) for replaying a DVD on
latest CRL via the DVD (i.e., reads out the latest CRL
recorded on the DVD) and employs the method of authen
tication With reference to the CRL for a partner device (e.g.,
a computer that activates an integrated replay processing
circuit or replay softWare), there is a possibility that the CRL
may be replaced With the old one in the process of reading
out the CRL. The problem therefore is that the digital Work
may be obtained illegally With a revoked key that is not yet
registered in the replaced and old CRL Whereas the public
key Would have been registered as a revoked public key
certi?cate in a proper (i.e., the latest) CRL.
[0011] In order to overcome such problem, the encryption
apparatus, the decryption apparatus, and the copyright pro
the communication is a person intended to be there for
tection system are invented for realiZing a prevention of the
replacement of the CRL and a safe transmission of a digital
communication.
Work (see reference to Japanese Patent Application No.
[0005] One of the examples in using a public key encryp
2002-259514).
tion is as folloWs: the ?rst device sends a random number to
[0012] On one hand, in the encryption apparatus according
to this conception, the folloWing operations are performed:
the second device, then, the second device encrypts the
random number using its oWn secret key (e.g., digital
signature) and returns the encrypted teXt to the ?rst device,
and ?nally, the ?rst device veri?es the returned encrypted
teXt (or the digital signature) using the public key held by the
second device. HoWever, in the authentication based on such
public key encryption, it is presupposed that the public key
is valid.
an attribute value calculation unit calculates an attribute
value Which depends on the information in the CRL that is
a list of information for specifying revoked public key
certi?cates; a modi?cation unit modi?es, using the attribute
value calculated by the attribute value calculation unit, a
second secret key associated With the decryption apparatus
that decrypts an encrypted digital Work; a ?rst encryption
unit encrypts a ?rst secret key used for the encryption of the
In recent years, an organiZation or a company
digital Work using the second secret key modi?ed by the
called “certi?cate authority” issues a “public key certi?cate”
indicating that a public key is authoriZed for each user (a
modi?cation unit; a second encryption unit encrypts the
digital Work using a ?rst secret key; and an output unit
outputs, to the storage medium or the transmission medium,
[0006]
“guarantee” for a public key). Among the issued public key
certi?cates, for those With eXpired validity or those pos
sessed by the user Who has illegally conducted or Who has
the CRL, the ?rst secret key encrypted by the ?rst encryption
unit and the digital Work encrypted by the second encryption
his/her secret key stolen, Certi?cate Revocation List (here
unit.
inafter to be referred to as “CRL”, “public key certi?cate
revocation list” or “revocation list”) indicating a list of
[0013] On the other hand, in the decryption apparatus
information for specifying revoked public key certi?cates is
issued in order to nullify such certi?cates (in order to inform
other users of the revoked public key certi?cates).
[0007]
It is possible to prevent an error of transmitting an
according to this conception, an obtainment unit obtains, via
a storage medium or a transmission medium, an encrypted
digital Work, an encrypted ?rst secret key generated by
encrypting the ?rst secret key used for the encryption of the
digital Work, and an CRL that is a list of information for
important digital Work to an unauthoriZed person by obtain
specifying revoked public key certi?cates; the attribute
ing a public key certi?cate from a person on the other side
of communication so as to authenticate the person using the
value calculation unit calculates, based on the obtained
CRL, an attribute value that depends on the contents of the
public key possessed by the person, and performing the
authentication as described above after con?rming that the
obtained public key certi?cate is not registered in the CRL
(i.e., nulli?ed).
[0008]
It should be noted that, in some cases, the veri?
cation of a public key is performed using only a public key
certi?cate (see reference to Japanese Patent Publication No.
3199119 (pp.2), hoWever, this does not Work for the public
CRL; the modi?cation unit modi?es, using the attribute
value calculated by the attribute value calculation unit, a
second secret key Which is speci?c to the decryption appa
ratus and is already held by said apparatus; a ?rst decryption
unit decrypts the obtained encrypted ?rst secret key using
the second secret key modi?ed by the modi?cation unit; and
a second decryption unit decrypts the encrypted digital Work
obtained by the obtainment unit using the ?rst secret key
decrypted by the ?rst decryption unit.
Apr. 14, 2005
US 2005/0078825 A1
[0014] Thus, the encryption apparatus outputs the
encrypted digital Work, the encrypted ?rst secret key gen
erated by encrypting the ?rst secret key used for the encryp
tion of the digital Work, and the CRL. However, the
encrypted ?rst secret key is the ?rst secret key encrypted by
the second secret key being a key Which is not only
associated With the decryption apparatus, but also in Which
the CRL is involved. In the case Where the CRL is replaced
With the old one, the information related to the CRL for the
pre-held second secret key is changed. Therefore, the
decryption apparatus Which has received the encrypted
digital Work, the encrypted ?rst secret key and the CRL
cannot decrypt the encrypted ?rst secret key into the original
?rst secret key With the use of the second secret key thus
transformed. Consequently, the decryption apparatus cannot
properly decrypt the encrypted digital Work, and it is pos
sible to safely transmit a digital Work alloWed by the
function to prevent the attack enacted by replacing the CRL.
SUMMARY OF THE INVENTION
[0015] Along With a ?erce competition in the market of
decryption apparatuses, an arrival of a decryption apparatus
With a higher cost performance is desired.
[0016] An object of the present invention therefore is to
provide the encryption apparatus, the decryption apparatus
and the copyright protection system Which realiZe a higher
cost performance and a safe transmission of a digital Work.
[0017] In order to achieve the above object, the inventors
case Where the decryption apparatus is realiZed With a DVD
drive and an application program for replaying a content in
a Personal Computer (PC), it is particularly required that the
SAC be formed betWeen the DVD drive and the application
program.
[0020] HoWever, in the case of realiZing the decryption
apparatus in a consumer DVD player, it is general that the
second secret key storage unit, the attribute value calculation
unit, the modi?cation unit, the ?rst decryption unit in the
content key decryption unit and the second decryption unit
in the descrambler are composed as hardWare. This facili
tates the incorporation of the second decryption unit of the
descrambler into the copyright protection module. The
incorporation does not necessitate the formation of the SAC
betWeen the content key decryption unit and the descrambler
as long as a copyright protection module is manufactured
under the control of a copyright holder. It is therefore
possible to omit an encryption communication apparatus so
that decryption apparatuses are produced With a loW cost.
The calculation of the attribute value (i.e., a hash value)
made by the attribute value calculation unit based on the
CRL Without the formation of SAC in the DVD player is
unreasonable and Wasteful Whereas an attribute value (a
hash value) is necessary for decrypting an encrypted content
key. The structure of the decryption apparatus Without the
attribute value calculation unit is developed by alloWing a
storage medium to bind the attribute value (a hash value)
calculated by the attribute value calculation unit in the
encryption apparatus or outputting the attribute value to a
have conducted a detailed analysis on the operation of the
transmission medium so as to use the attribute value
decryption apparatus according to the above conception.
obtained via the storage medium or the transmission
They found out that it takes so much time for the attribute
medium in the decryption apparatus. Thus, by using the
late, based on the CRL, an attribute value that depends on
the contents of the CRL, Which causes a loW performance,
and that the attribute value calculation unit is a cause of the
increase in cost. This resulted in the structures of the
attribute value instead of the CRL, a high performance is
achieved in the decryption of the secret key since the time
for calculating an attribute value is no longer required, and
the loW cost can be achieved for the decryption apparatus
because of the omission of the attribute value calculation
encryption apparatus, the decryption apparatus and the
copyright protection system Which realiZe the safe transmis
decryption of a content since the time taken for a mutual
value calculation unit in the decryption apparatus to calcu
sion of a digital Work, even Without calculating, based on the
CRL, the attribute value that depends on the contents of the
CRL.
[0018] The second secret key storage unit, the attribute
value calculation unit, the modi?cation unit, and the ?rst
decryption unit in the decryption apparatus are composed as
a content key decryption unit Within a copyright protection
module (e.g., an IC card or an IC chip) With tamper-resistant
nature, While the second decryption unit is composed as a
descrambler. The respective copyright protection module
and descrambler are respectively equipped With an encryp
tion apparatus that judges the validity of a partner device’s
public key With reference to the CRL and performs
encrypted communication With the partner device using the
public key in the case of judging that the partner device’s
public key is valid. In this Way, in the case Where the partner
device (i.e., the copyright protection module or the descram
bler) is unauthoriZed, Secure Authentication Channel (SAC)
may be formed betWeen the device per se and the partner
device so that the copyright protection module can send the
?rst secret key to the descrambler via encrypted communi
cation.
[0019] As it is conceivable that an illegal conduct may be
carried out using an application program or the like, in the
unit. The high performance is greatly achieved in the
authentication is no longer required, and the cost of the
decryption apparatus is greatly reduced because of the
omission of the encryption communication apparatus for
forming the SAC, by not using the CRL despite that it is no
longer possible to perform mutual authentication. That is to
say, the encryption apparatus, the decryption apparatus and
the copyright protection system that realiZe a higher cost
performance as Well as a safe transmission of a digital Work
is realiZed.
[0021] In other Words, the encryption apparatus according
to the present invention is an encryption apparatus that
encrypts a digital Work and outputs the encrypted digital
Work to a storage medium or a transmission medium, the
apparatus comprising: a digital Work storage unit operable to
store a digital Work; a ?rst secret key storage unit operable
to store a ?rst secret key to be used for encrypting a digital
Work; a second secret key storage unit operable to store a
second secret key associated With a decryption apparatus
that decrypts an encrypted digital Work; a certi?cate revo
cation list (CRL) storage unit operable to store a CRL that
is a list of information for specifying revoked public key
certi?cates; an attribute value calculation unit operable to
calculate an attribute value that depends on the information
in the CRL, based on the CRL stored in the CRL storage
unit; a modi?cation unit operable to modify the second
