US 20050078825A1 (19) United States (12) Patent Application Publication (10) Pub. N0.: US 2005/0078825 A1 (43) Pub. Date: Ohmori ct al. (54) ENCRYPTION APPARATUS, DECRYPTION APPARATUS, SECRET KEY GENERATION Apr. 14, 2005 Publication Classi?cation APPARATUS, AND COPYRIGHT (51) Int. Cl.7 ................................................... .. H04N 7/167 PROTECTION SYSTEM (52) US. Cl. ............................................................ .. 380/255 (76) Inventors: Motoji Ohmori, Hirakata-shi (JP); Makoto Tatebayashi, TakararaZuka-shi (57) (JP); Hideshi Ishihara, Katano-shi (JP); Toshlhlsa Nakano’ Neyagawa_shl (JP) ABSTRACT An encryption apparatus 100a is comprised of the following: Correspondence Address: a CRL storage unit 111 that stores a CRL; a device key ring WENDEROTH’ LIND & PONACK, L_L_P_ 2033 K STREET N_ W_ storage unit 112 that stores a device key KD_A speci?c to each copyright protection module 210a used by a decryption SUITE 800 WASHINGTON’ DC 200064021 (Us) apparatus 200a; a content key storage unit 113 that stores a content key Kc that is a secret key for encrypting a content; a hashing function processing unit 114 that calculates a hash value of the CRL stored in the CRL storage unit 111 according to a hashing function; an EX-OR unit 115 that obtains an exclusive OR value betWeen the hash value and the device key KD_A; and an Enc unit 116 that encrypts the (21) APPL NO; 10/958,551 (22) ()CL 6, 2004 Filed; (30) Foreign Application Priority Data content key Kc using an output value from the EX-OR unit, and stores the hash value, the encrypted content key and the Oct. 10, 2003 (JP) .................................... .. 2003-352801 )1 00a 1110a Encr tion a aratus 300 ?r‘n%f?ge_‘ l""| W device ' .I i . ! 112 KD_A Hash ice key ring storage unit { Content key storage unit / __] -_______gi6_°J |—Terminal device . (Content l i manufacturer) Content storage unit 1 161 28 114, i111 Hashing function ‘ , processing unit 0 Decryption apparatus (HD-DVD player) _1 f___‘_____‘___-____ . Copynght protection module CRL I un't K111 )zooa Terminal ‘ (Copyright protection .licensor) i encrypted content in a DVDZa. I CRL saRh'l'ehash ' 210a . DVDdm/e l (Til£)___,________ T I J l ' I i l i Content key decryption unit l Device key 1 storage unit i I ' Patent Application Publication Apr. 14, 2005 Sheet 2 0f 17 03cmoHz9uE>tCom .2:Q&U02O m:?zwmL2Eumwc .56 US 2005/0078825 A1 32mto\wgmu:o cF>2 m> GBU5420 E2w8xm69ugz: Ec6oz2mu>oEg E9<w3mcov5QE xD5Q0EO:X E>rmz6ow5B=uRmo> 5:cozmuo0>SDXOmxOa.2w. /\ Patent Application Publication Apr. 14, 2005 Sheet 3 0f 17 FIG. 3 US 2005/0078825 A1 Patent Application Publication Apr. 14, 2005 Sheet 4 0f 17 1 C) _—_ f2 —___— (\l US 2005/0078825 A1 (U 3 O °m\ > m D. Q O H \ v S2 u. \\ a \\ \j a $3 290 Patent Application Publication Apr. 14, 2005 Sheet 6 0f 17 FIG. 6 /233 Public key certi?cate for drive Cert_A Drive ID Public key for drive PK_A Signature of the CA for public key for drive PK_A Expiring date FIG. 7 /273 Public key certi?cate for program Cert_i Program ID Public key for program PK_i Signature of the CA for public key for program PK_i Expiring date US 2005/0078825 A1 Patent Application Publication Apr. 14, 2005 Sheet 7 0f 17 US 2005/0078825 A1 FIG. 8 DVD drive 290a Application program 260 Generate y y,Cert_| | Check/CRL I| Verify Generate Certii x PS1 PS3 \sz Cert-A \SG \ | Check CRL {/57 F Verify bert=A [/88 [ Generlate y' [/89 [ GeneraLte y'G P310 [Generate S1:='Sig(Sk_i,y'G||x)|"’S1 1 I | Verify S1 I | Generate x' Generate x'G y'G, s1 - r1313 \S12 ["814 1815 [Generate S0:=Si§(SK=A, x‘G l x?zléso \s17 F | ?n’ so F818 Generate IK':=y'(x'G) r319 Generate K:=x'(y'G) F820 [ Encrypted communication using session key K(=K') P321 | Calculalte Hash F822 Calculate exclllisive OR value “823 between KD__A and Hash [Obtain encrypted content key P324 lEncrypt encrypted content key [V825 Encrypted content key [Decrypt encrypted content key|~’$27 | Obtain conltent key Kc F528 | DecryptI content l [#329 Apr. 14, 2005 US 2005/0078825 A1 ENCRYPTION APPARATUS, DECRYPTION APPARATUS, SECRET KEY GENERATION APPARATUS, AND COPYRIGHT PROTECTION key certi?cate possessed by the user Who has illegally acted SYSTEM a proper CRL so as to check the validity of the public key certi?cate issued for the person at the other end of the communication. This is a defect in the authentication based on the CRL and illegal conducts are enacted by taking BACKGROUND OF THE INVENTION [0001] (1) Field of the Invention or the user Who has had his/her oWn secret key stolen. [0009] HoWever, not all the computers can alWays obtain advantage of the defect. [0002] The present invention relates to an encryption apparatus, a decryption apparatus, a secret key generation [0010] apparatus and a copyright protection system for protecting copyright for transmitting a digital Work via a recording Which a digital Work such as a movie is recorded, obtains the medium or a transmission medium. In particular, the present invention relates to a protection technique against an attack enacted by replacing a Certi?cate Revocation List for speci fying revoked public key certi?cates. [0003] (2) Description of the Related Art [0004] When a ?rst device transmits a digital Work to a second device, the ?rst device authenticates the second device (or the ?rst and second devices mutually authenti cate). The authentication is performed before the transmis sion so as to prevent a copyright infringement by unautho riZed obtainment. In other Words, the authentication is a means to make sure Whether the person on the other side of For eXample, in the case Where a device, such as a Digital Video/Versatile Disc (DVD) for replaying a DVD on latest CRL via the DVD (i.e., reads out the latest CRL recorded on the DVD) and employs the method of authen tication With reference to the CRL for a partner device (e.g., a computer that activates an integrated replay processing circuit or replay softWare), there is a possibility that the CRL may be replaced With the old one in the process of reading out the CRL. The problem therefore is that the digital Work may be obtained illegally With a revoked key that is not yet registered in the replaced and old CRL Whereas the public key Would have been registered as a revoked public key certi?cate in a proper (i.e., the latest) CRL. [0011] In order to overcome such problem, the encryption apparatus, the decryption apparatus, and the copyright pro the communication is a person intended to be there for tection system are invented for realiZing a prevention of the replacement of the CRL and a safe transmission of a digital communication. Work (see reference to Japanese Patent Application No. [0005] One of the examples in using a public key encryp 2002-259514). tion is as folloWs: the ?rst device sends a random number to [0012] On one hand, in the encryption apparatus according to this conception, the folloWing operations are performed: the second device, then, the second device encrypts the random number using its oWn secret key (e.g., digital signature) and returns the encrypted teXt to the ?rst device, and ?nally, the ?rst device veri?es the returned encrypted teXt (or the digital signature) using the public key held by the second device. HoWever, in the authentication based on such public key encryption, it is presupposed that the public key is valid. an attribute value calculation unit calculates an attribute value Which depends on the information in the CRL that is a list of information for specifying revoked public key certi?cates; a modi?cation unit modi?es, using the attribute value calculated by the attribute value calculation unit, a second secret key associated With the decryption apparatus that decrypts an encrypted digital Work; a ?rst encryption unit encrypts a ?rst secret key used for the encryption of the In recent years, an organiZation or a company digital Work using the second secret key modi?ed by the called “certi?cate authority” issues a “public key certi?cate” indicating that a public key is authoriZed for each user (a modi?cation unit; a second encryption unit encrypts the digital Work using a ?rst secret key; and an output unit outputs, to the storage medium or the transmission medium, [0006] “guarantee” for a public key). Among the issued public key certi?cates, for those With eXpired validity or those pos sessed by the user Who has illegally conducted or Who has the CRL, the ?rst secret key encrypted by the ?rst encryption unit and the digital Work encrypted by the second encryption his/her secret key stolen, Certi?cate Revocation List (here unit. inafter to be referred to as “CRL”, “public key certi?cate revocation list” or “revocation list”) indicating a list of [0013] On the other hand, in the decryption apparatus information for specifying revoked public key certi?cates is issued in order to nullify such certi?cates (in order to inform other users of the revoked public key certi?cates). [0007] It is possible to prevent an error of transmitting an according to this conception, an obtainment unit obtains, via a storage medium or a transmission medium, an encrypted digital Work, an encrypted ?rst secret key generated by encrypting the ?rst secret key used for the encryption of the digital Work, and an CRL that is a list of information for important digital Work to an unauthoriZed person by obtain specifying revoked public key certi?cates; the attribute ing a public key certi?cate from a person on the other side of communication so as to authenticate the person using the value calculation unit calculates, based on the obtained CRL, an attribute value that depends on the contents of the public key possessed by the person, and performing the authentication as described above after con?rming that the obtained public key certi?cate is not registered in the CRL (i.e., nulli?ed). [0008] It should be noted that, in some cases, the veri? cation of a public key is performed using only a public key certi?cate (see reference to Japanese Patent Publication No. 3199119 (pp.2), hoWever, this does not Work for the public CRL; the modi?cation unit modi?es, using the attribute value calculated by the attribute value calculation unit, a second secret key Which is speci?c to the decryption appa ratus and is already held by said apparatus; a ?rst decryption unit decrypts the obtained encrypted ?rst secret key using the second secret key modi?ed by the modi?cation unit; and a second decryption unit decrypts the encrypted digital Work obtained by the obtainment unit using the ?rst secret key decrypted by the ?rst decryption unit. Apr. 14, 2005 US 2005/0078825 A1 [0014] Thus, the encryption apparatus outputs the encrypted digital Work, the encrypted ?rst secret key gen erated by encrypting the ?rst secret key used for the encryp tion of the digital Work, and the CRL. However, the encrypted ?rst secret key is the ?rst secret key encrypted by the second secret key being a key Which is not only associated With the decryption apparatus, but also in Which the CRL is involved. In the case Where the CRL is replaced With the old one, the information related to the CRL for the pre-held second secret key is changed. Therefore, the decryption apparatus Which has received the encrypted digital Work, the encrypted ?rst secret key and the CRL cannot decrypt the encrypted ?rst secret key into the original ?rst secret key With the use of the second secret key thus transformed. Consequently, the decryption apparatus cannot properly decrypt the encrypted digital Work, and it is pos sible to safely transmit a digital Work alloWed by the function to prevent the attack enacted by replacing the CRL. SUMMARY OF THE INVENTION [0015] Along With a ?erce competition in the market of decryption apparatuses, an arrival of a decryption apparatus With a higher cost performance is desired. [0016] An object of the present invention therefore is to provide the encryption apparatus, the decryption apparatus and the copyright protection system Which realiZe a higher cost performance and a safe transmission of a digital Work. [0017] In order to achieve the above object, the inventors case Where the decryption apparatus is realiZed With a DVD drive and an application program for replaying a content in a Personal Computer (PC), it is particularly required that the SAC be formed betWeen the DVD drive and the application program. [0020] HoWever, in the case of realiZing the decryption apparatus in a consumer DVD player, it is general that the second secret key storage unit, the attribute value calculation unit, the modi?cation unit, the ?rst decryption unit in the content key decryption unit and the second decryption unit in the descrambler are composed as hardWare. This facili tates the incorporation of the second decryption unit of the descrambler into the copyright protection module. The incorporation does not necessitate the formation of the SAC betWeen the content key decryption unit and the descrambler as long as a copyright protection module is manufactured under the control of a copyright holder. It is therefore possible to omit an encryption communication apparatus so that decryption apparatuses are produced With a loW cost. The calculation of the attribute value (i.e., a hash value) made by the attribute value calculation unit based on the CRL Without the formation of SAC in the DVD player is unreasonable and Wasteful Whereas an attribute value (a hash value) is necessary for decrypting an encrypted content key. The structure of the decryption apparatus Without the attribute value calculation unit is developed by alloWing a storage medium to bind the attribute value (a hash value) calculated by the attribute value calculation unit in the encryption apparatus or outputting the attribute value to a have conducted a detailed analysis on the operation of the transmission medium so as to use the attribute value decryption apparatus according to the above conception. obtained via the storage medium or the transmission They found out that it takes so much time for the attribute medium in the decryption apparatus. Thus, by using the late, based on the CRL, an attribute value that depends on the contents of the CRL, Which causes a loW performance, and that the attribute value calculation unit is a cause of the increase in cost. This resulted in the structures of the attribute value instead of the CRL, a high performance is achieved in the decryption of the secret key since the time for calculating an attribute value is no longer required, and the loW cost can be achieved for the decryption apparatus because of the omission of the attribute value calculation encryption apparatus, the decryption apparatus and the copyright protection system Which realiZe the safe transmis decryption of a content since the time taken for a mutual value calculation unit in the decryption apparatus to calcu sion of a digital Work, even Without calculating, based on the CRL, the attribute value that depends on the contents of the CRL. [0018] The second secret key storage unit, the attribute value calculation unit, the modi?cation unit, and the ?rst decryption unit in the decryption apparatus are composed as a content key decryption unit Within a copyright protection module (e.g., an IC card or an IC chip) With tamper-resistant nature, While the second decryption unit is composed as a descrambler. The respective copyright protection module and descrambler are respectively equipped With an encryp tion apparatus that judges the validity of a partner device’s public key With reference to the CRL and performs encrypted communication With the partner device using the public key in the case of judging that the partner device’s public key is valid. In this Way, in the case Where the partner device (i.e., the copyright protection module or the descram bler) is unauthoriZed, Secure Authentication Channel (SAC) may be formed betWeen the device per se and the partner device so that the copyright protection module can send the ?rst secret key to the descrambler via encrypted communi cation. [0019] As it is conceivable that an illegal conduct may be carried out using an application program or the like, in the unit. The high performance is greatly achieved in the authentication is no longer required, and the cost of the decryption apparatus is greatly reduced because of the omission of the encryption communication apparatus for forming the SAC, by not using the CRL despite that it is no longer possible to perform mutual authentication. That is to say, the encryption apparatus, the decryption apparatus and the copyright protection system that realiZe a higher cost performance as Well as a safe transmission of a digital Work is realiZed. [0021] In other Words, the encryption apparatus according to the present invention is an encryption apparatus that encrypts a digital Work and outputs the encrypted digital Work to a storage medium or a transmission medium, the apparatus comprising: a digital Work storage unit operable to store a digital Work; a ?rst secret key storage unit operable to store a ?rst secret key to be used for encrypting a digital Work; a second secret key storage unit operable to store a second secret key associated With a decryption apparatus that decrypts an encrypted digital Work; a certi?cate revo cation list (CRL) storage unit operable to store a CRL that is a list of information for specifying revoked public key certi?cates; an attribute value calculation unit operable to calculate an attribute value that depends on the information in the CRL, based on the CRL stored in the CRL storage unit; a modi?cation unit operable to modify the second